The Article 29 Working Party has issued a press release and three sets of guidelines and FAQs on implementation of some key issues under the GDPR:


It welcomes any comments from stakeholders on the guidelines until end January 2017. Guidelines on Data Privacy Impact Assessments and Certification are promised for 2017.

The guidance provides some interesting insights and should help organisations to comply with their new obligations under the GDPR.  The guidelines on the Lead Supervisory Authority highlight that there will be more than one lead supervisory authority, where a company carries out several cross-border activities and the decisions on the means and purposes of processing are taken in different establishments. This means that companies will have to consider organising decision-making powers in respect of personal data processing activities in a single location, in order to avail of the “one-stop shop” mechanism.

The guidelines on DPOs consider the meaning, and gives practical examples, of the notions of “core activities“, “large scale” and “regular and systematic monitoring”. It is essential to understand these notions in order to assess whether the appointment of a DPO is legally necessary. The WP29 also encourages the voluntary appointment of a DPO. The guidelines warn that a DPO should not hold a position within the organisation that leads him/her to determine the purpose of means of processing, which may include senior management positions, such as CEO, head of HR or IT etc., as such a position would result in a conflict of interests. It also highlights that DPOs will not be personally responsible for non-compliance with the GDPR.

The guidelines on data portability note that the GDPR does not impose specific recommendations on the format of the personal data to be provided. It states that the most appropriate format will differ across sectors, and encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability.