The Hitchhiker’s Guide to Regulation 2018/1725

Wojciech Wiewiórowski

The last time our network of DPOs from the EU institutions and bodies met, on 12 December 2018, the GDPR for EUI was only one day old. While the new Regulation is still in its infancy, it is growing up fast, and at the EDPS we are determined to ensure that this process occurs with as few teething problems as possible!

With the Regulation now just over five months old, it is the perfect time to come together and take stock of the challenges faced by DPOs in applying the new rules, and how to overcome them. It was therefore with great pleasure that we gathered today at the European Insurance and Occupational Pensions Authority (EIOPA) in Frankfurt for the 45th EDPS-DPO meeting.

To kick off proceedings, the EDPS Supervision and Enforcement Unit presented us with their vision. This manifesto will guide them in monitoring the application of the GDPR for EUI, but its much broader aim is to ensure that EU institutions and bodies respect the fundamental right to data protection.

We also introduced DPOs to the new Head of the IT Policy Unit at the EDPS, who updated them in particular on our new approach to the important area of technology monitoring, as a further step to bring data protection supervision into the digital age.

With the new Regulation as a guide, we took inspiration from Douglas Adams’ comedy science fiction series The Hitchhiker’s Guide to the Galaxy (well known to those of us who were young in the 80s!) and invited all participants to take their seat at the Restaurant at the End of the Universe to explore the dos and don’ts of event organisation. As most EU institutions and bodies regularly engage in this activity, we made sure to address issues relating to consent and the retention of contact details, but also to outsourcing and dealing with erasure requests from participants.

We reviewed the state of play of a Mostly Harmless new obligation for controllers under Regulation 2018/1725: the notification of personal data breaches to the EDPS (Article 34). When it comes to personal data breaches, the question is not if, but when they will happen. Our case study on data breach notifications took DPOs through challenging scenarios with the aim of “always knowing where your towel is” when faced with a personal data breach, and of improving the capacity of EU institutions and bodies both to prevent breaches and to react to them.

My own contribution to our guided tour followed, focused on the different roles of the DPO, before we moved on to the topic of joint controllership.

Joint controllership is not a new concept. However, it is a topic that is attracting increasing attention, in particular following the European Court of Justice’s recent case law on the subject. As more and more cases of joint controllership are now being identified, it seemed only fair to devote our session on Life, the Universe and Everything to this complex idea. The issues raised included identification of the different players involved (joint or single controllers and processors), the form and content of the arrangement between the joint controllers, and the division of responsibility.

Young Zaphod Plays it Safe, a case study on procurement, brought us back down to earth, and a little closer to most DPOs’ comfort zone! DPOs were invited to reflect on the specific data protection requirements they should put in place when selecting an external contractor, providing us with a good opportunity to review once again the obligations of the controller and the processor outlined in Article 29 of the new Regulation.

Case studies are a great way of helping DPOs to put what they have learned in theory into practice. Once again, they proved to be a very efficient way of communicating our message to DPOs, as our Director himself proudly concluded after an intellectually exhausting, but rewarding, day.

As we continue our journey through the data protection galaxy, there will undoubtedly be some growing pains that our young Regulation – and in particular those of us responsible for applying and enforcing it – will have to endure. This is why our cooperation with the DPOs of all 67 EU institutions and bodies is so important and will continue in advance of our next meeting, in the autumn. Until then, So Long, and Thanks for All the Fish!