EU DPAs issue GDPR guidance on data portability, DPOs and lead authority

The EU Article 29 Data Protection Working Party adopted, during its 12-13 December meeting:

• Guidelines and FAQs on the right to Data Portability,

• Guidelines and FAQs on Data Protection Officers (DPOs) and

• Guidelines and FAQs on the Lead Supervisory Authority.

The main establishment, for the purpose of choosing the Lead Authority under the GDPR, would normally be the Member State where an organisation has its central administration. However, the DPAs say that there may be cases where an establishment other than the central administration makes autonomous decisions concerning the purposes and means of a specific processing activity. It is the location where these processing decisions are made which would determine the ‘main establishment’. There can be situations where more than one lead authority can be identified.

The DPAs do not specify the professional qualifications for a DPO, but say that the required level of expertise must be commensurate with the sensitivity, complexity and amount of the data an organisation processes. Significantly, they clarify that DPOs are not personally responsible for non-compliance with the GDPR.

Data controllers must inform individuals about the new right to data portability, and deliver their data in the most appropriate format - this will differ across sectors and adequate formats may already exist, the DPAs say. They encourage cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats.

The guidelinesGuidelines on Data Protection Impact Assessments and Certification are promised for 2017. The DPAs invite comments on these documents by the end of January 2017 by e-mailing and

Read more about this topic in the next issues of PL&B UK and International Reports.