Article 29 Working Party, and GDPR Article 29

In the run up to the General Data Protection Regulation going live, a lot of attention was given to the Article 29 data protection working party. Made up of representatives from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission, the Article 29 working party was tasked with providing data protection advice to member states.

It is important to note that the name of the group – the Article 29 Data Protection Working Party – relates to Article 29 of the 1996 Data Protection Directive. It is not directly related to GDPR Article 29.

What did the Article 29 Data Protection Working Party do?

Article 29 of the Data Protection Directive specified the creation of a “Working Party on the Protection of Individuals with regard to the Processing of Personal Data.” The party would “have advisory status and act independently”, and operate on a democratic basis with decisions taken by majority vote.
Between 1996 and 2018, the Working Party helped national information commissioners understand their obligations under the Data Protection Directive. Members were responsible for interpreting legislation and forming opinions so that it could be understood and applied consistently by businesses across the EU.
The overall aims of the working party were to:

  • Provide expert advice to member States regarding data protection.
  • Promote the consistent application of the Data Protection Directive in all full EU state members, and affiliate nations Norway, Liechtenstein and Iceland.
  • Give to the Commission an opinion on community laws (first pillar) affecting the right to protection of personal data.
  • Make recommendations to the public on matters relating to the protection of persons with regard to the processing of personal data and privacy in the European Community.

Most of the Working Party’s activities were conducted behind the scenes – indeed few people would have known of its existence despite being in operation for more than 20 years. This is because, although published publicly, their opinions and recommendations were fed back to national information commissioners.
It then became the role of the information commissioners’ offices to promote personal data protection to businesses and residents within their own jurisdiction.

What happened to the Article 29 Data Protection Working Party?

Before the General Data Protection Regulation came into force, the Working Party was instrumental in helping make sense of the new legislation. A number of draft guidance documents were prepared and published between the making of GDPR and its eventual implementation.
The Working Party also helped to provide an explanation of “personal data’ as specified in GDPR Article 4.
Following the introduction of GDPR, the working party was replaced by a new European Data Protection Board (EDPB). The EDPB has since assumed full responsibility for advising member states and each local GDPR supervisory authority about data protection issues.
As their old homepage now shows, the Article 29 Working Party has been completely replaced by the EDPB. The new European Data Protection Board held their first plenary meeting on Friday 25th May 2018, the same day that the GDPR finally came into effect.

What about GDPR Article 29?

Article 29 of the GDPR is one of the shortest in the legislation. The text reads:
Processing under the authority of the controller or processor
The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.
Here’s an example. Your business uses Microsoft Dynamics 365 for account management and customer relationship management (CRM) purposes, including storage of personal information belonging to your clients. In this scenario, the GDPR classifies Microsoft as your processor, because you have authorised them to perform data analytics operations on your behalf.
Under Article 29, Microsoft cannot perform any additional processing of the data you have entrusted to them. This means they are forbidden from using your data for their own purposes or processing it outside the parameters of your agreement.

Article 29 is a big deal

Breaching Article 29 carries the same stiff penalties for processors as controllers – fines of up to €20m or 4% of global turnover, whichever is greater. So, if your business acts as a processor for another party you must ensure that Article 29 is being respected and adhered to at all times – and that you do not overstep the boundaries specified by the controller.
Although GDPR Article 29 applies to processors, controllers have a part to play too. In the same way that controllers demand assurances that their data is properly secured, processors will demand explicit instructions about how to handle the personal information shared with them. Controllers should expect this to become an increasingly important element of contract specifications.

Think GDPR, not working party

Every element of the General Data Protection Regulation is important – including those that do not seem to apply directly. Every party, controller or processor alike, must factor Article 29 into their outsourced/delegated data processing activities.
But as you do, remember that when it comes to personal data protection in the age of GDPR, EU Article 29 is nothing to do with working parties any more.
To learn more about strengthening personal data safeguards to comply with GDPR Article 29, please get in touch.