Europe | GDPR

Guidance Documents

Working Party 29 and Data Protection Authorities such as the ICO, as well as the DMA in the UK, have put together guidance documents to assist with the interpretation of GDPR in real-world situations. Although the Working Party 29 documents are the "official guidance documents", the others have proven to be solid sources as well. In alphabetical order:

Administrative Fines - "This document is intended for use by the supervisory authorities to ensure better application and enforcement of the Regulation and expresses their common understanding of the provisions of article 83 of the Regulation as well as its interplay with articles 58 and 70 and their corresponding recitals."

Binding Corporate Rules - "In order to facilitate the use of Binding Corporate Rules for Controllers (BCR-C) by a corporate group or a group of enterprises engaged in a joint economic activity for international transfers from organisations established in the EU to organisations within the same group established outside the EU"

Breach Reporting - "The General Data Protection Regulation (the GDPR) introduces the requirement for a personal data breach (henceforth “breach”) to be notified to the competent national supervisory authority and, in certain cases, communicate the breach to the individuals whose personal data have been affected by the breach."

Consent - "The GDPR provides further clarification and specification of the requirements for obtaining and demonstrating valid consent. These Guidelines focus on these changes, providing practical guidance to ensure compliance with the GDPR and building upon Opinion 15/2011 on consent."

Data Portability - "Article 20 of the GDPR creates a new right to data portability, which is closely related to but differs from the right of access in many ways. It allows for data subjects to receive the personal data, which they have provided to a controller, in a structured, commonly used and machine-readable format, and to transmit them to another data controller."

Data Protection Impact Assessment - "A DPIA is a process designed to describe the processing, assess the necessity and proportionality of a processing and to help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data (by assessing them and determining the measures to address them)."

Data Protection Officers - "The General Data Protection Regulation (‘GDPR’), due to come into effect on 25 May 2018, will provide a modernised, accountability-based compliance framework for data protection in Europe. Data Protection Officers (‘DPO’s) will be at the heart of this new legal framework for many organisations, facilitating compliance with the provisions of the GDPR."

Lead Supervisory Authority - "Identifying a lead supervisory authority is only relevant where a controller or processor is carrying out the cross-border processing of personal data."

Legitimate Interest - "The GDPR sets out six lawful grounds for processing, one of which is processing under the Legitimate Interests of a Controller, including those of a Controller to which the Personal Data may be disclosed, or of a Third Party."

Necessity Limitations - "Fundamental rights, enshrined in the Charter of Fundamental Rights of the European Union (hereinafter, ‘the Charter’), constitute the core values of the European Union. These rights must be respected whenever the EU institutions and bodies design and implement new policies or adopt any new legislative measure."

Profiling - "The General Data Protection Regulation (the GDPR), specifically addresses profiling and automated individual decision-making, including profiling."

Transparency - "These guidelines provide practical guidance and interpretative assistance on the new obligation of transparency concerning the processing of personal data under the General Data Protection Regulation (the “GDPR”)."