A29WP Issues Guidance Addressing GDPR Woes: The Data Protection Officer
In December 2016, the EU’s Article 29 Working Party (A29WP), a group composed of EU national data protection authorities (DPAs) that advises the EU Commission on EU data protection law, issued a number of GDPR guidance documents, including explanations of the mandatory DPO role, the new individual right to data portability, and how to identify a “lead authority” for the GDPR’s one-stop shop enforcement mechanism.
Why Should You Care?
Organizations that are subject to the GDPR’s broad scope and grappling with how to comply with the regulation finally have some guidance to refer to in implementing the GDPR’s provisions on data portability, the DPO’s role, and identifying the lead supervisory authority.
The Data Protection Officer (DPO)
The DPO Guidelines cover the designation of the DPO, the position of the DPO, and the DPO’s role/tasks. The GDPR requires the designation of a DPO in three cases: (1) where the processing is carried out by a public authority or body; (2) where the core activities of the organization consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or (3) where the organization’s core activities consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
*This alert was originally posted on Arent Fox's Behind the Scenes blog.