WP29 issues guidelines on data portability, DPO, and lead authority (and lays foundation for much more)


On December 13, 2016, EU Article 29 Data Protection Working Party “(WP29”) dealt with several critical matters with regards to the implementation of the General Data Protection Regulation (GDPR) and the Privacy Shield. It also dealt with the enforcement measures on cases having a cross-border effect.

  1. As for the GDPR’s implementation, the WP29 importantly adopted:
  • Guidelines on the right to “data portability”. Data portability  allows data subjects to receive the personal data provided to a controller, “in a structured, commonly used and machine-readable format, and to transmit them to another data controller”. Data controllers shall develop “means that will contribute to answer data portability requests” and should guarantee that “personal data are transmitted in a structured, commonly used and machine-readable format, and they should be encouraged to ensure the interoperability of the data format provided in the exercise of a data portability request”. The guidelines help data controllers to clearly understand their obligations and recommend best practices to comply with the right to data portability;
  • Guidelines on Data Protection Officers (‘DPOs’). The WP29 highlights the importance of the DPO’s role in the new data governance system and lays down conditions for her appointment, position and tasks. These guidelines aim at assisting the DPOs in their role. The guidelines also provide best practice recommendations;
  • Guidelines for identifying a controller or processor’s lead supervisory authority, which has the primary responsibility to deal with cross-border data processing activities. The guidelines help identify such authority.

The WP29 welcomes additional comments that stakeholders may have on the guidelines until the end of January 2017.

In addition to issuing the above guidelines, the WP29 discussed the modalities for future internal cooperation among European DPAs: agreed that position papers on mutual assistance, one stop shop and joint operations will be tested in practice by DPAs in 2017.

In addition, the WP29 is working on the administrative and procedural aspects of its new legal body, the European Data Protection Board (EDBP).

  1. As for the Privacy Shield, WP29 adopted specific communication tools for both individuals and companies. These tools will be published on the WP29 website and can be used by each national DPA as a basis for their own communication.
  1. As for the enforcement measures on cases having a cross-border effect, the WP29 confirmed the re-establishment of the enforcement subgroup in charge of coordinating enforcement actions of DPAs on cross-border cases. The Dutch DPA Vice-Chair and the Spanish DPA Chair will work as coordinators of this subgroup. The enforcement subgroup adopted the letter to be sent to WhatsApp following the relevant enquiry procedure initiated in October 2016.


More information about the WP29 is available at http://ec.europa.eu…


For more information, Francesca Giannoni-Crystal  and Federica Romanelli. 

Follow us on& Like us on