Data Protection: New GDPR Guidelines from the Article 29 Working Party

Author: Erkko Korhonen

October 2017 has been a busy month for the Article 29 Working Party (the “WP29”), a group that consists of EU data protection authorities. The WP29 has recently published three new guidelines and revised some earlier guidelines on the implementation of the General Data Protection Regulation (the “GDPR”).

The recent guidance includes proposed guidelines on automated individual decision-making and profiling as well as on personal data breach notification. The guidelines are meant to provide more accurate information on the articles of the GDPR that regulate these topics and examples of when and how it is possible or required to use these measures. The most highly charged topic, though, must be the adoption of the final guidelines on the application and setting of administrative fines under the GDPR. Even though every organisation wants to know how to avoid the much-feared fines, the guidelines do not outline specific scenarios for these kinds of situations. They do, however, present some assessment criteria. The main purpose of the guidelines is to provide a consistent approach to fines across the EU once the competent authorities enforce the GDPR. The WP29 has expressly stated that the companies “cannot legitimise breaches of data protection law by claiming a shortage of resources”. This underlines the importance of assessing company processing operations and risks related thereto as well as allocation of adequate resources (whether they be technical, business, or legal) for addressing the risks.

In addition, the WP29 just adopted a final, revised version of the guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is "likely to result in a high risk”. The revisions of the final version are based on the comments received through the spring 2017 public consultation.

The new draft guidelines on automated decision-making and profiling as well as on data breach notification will be open for public comments until 28 November 2017. Before their final adoption, the guidelines will be updated on the basis of the received feedback. In the near future, the WP29 also aims to publish guidelines concerning consent, transparency, and certification along with an update of international data transfer tools.

As always, we will keep you posted on all the latest news around this area. Please do not hesitate to contact out IP & TMT team for any further questions; we will be happy to help you.