• DIGITALEUROPE submits feedback ahead of Article 29 Working Party Conference

    18 April 2017On 5 April, ahead of the start of the second Article 29 Working Party (“WP 29”) FabLab conference (“FabLab II”) on the implementation of the General Data Protection Regulation (“GDPR”), DIGITALEUROPE published its preliminary views on the topics of automated decision making, including profiling, and data breach notification.

    In its paper, DIGITALEUROPE noted that in light of being restricted to the ‘consent’ workshop of the FabLab II, we wanted to provide our preliminary views on the topics of ‘automated decision making’ and ‘data breach notification’, which were discussed in separate workshops. We stressed that we fully understand the increased risks faced by data subjects by the potential misuse of profiling. We highlighted that we believe that the drafting of Article 22 and other related provisions within the GDPR have successfully found the fine balance between stricter rules on the types of profiling that carry high risk for individuals and workable rules for all other types of profiling that do not negatively impact data subjects.
    On data breach notification, we emphasised that the text of the GDPR presents several critical areas where further clarification would be welcomed. The precise timing and means to notify a personal data breach should not be used as a means to punish organisations or dis-incentivise responsible investigation and incident response. Data protection authorities should instead encourage entities to make partial, phased notifications, where that is the appropriate and obvious course, without regulatory penalties so as to ensure the
    protection of data subjects. If a proper balance is struck, we strongly believes that the data breach provisions of the GDPR should incentivise organisations to invest in a high degree of data protection
    In the paper, DIGITALEUROPE structured its comments in the following manner:
    Automated Decision Making

    • cope of Article 22;
    • The right not to be subject to a decision;
    • A decision based solely on automated processing;
    • The right to obtain human intervention on the part of the data controller, to express his or her point of view and to contest the decision;
    • Additional rights to information;
    • Profiling related to direct marketing;
    • Profiling and data protection impact assessment

    Data Breach Notification

    • Practical implications for organisations;
    • Interpretation of ‘risk to the rights and freedoms of natural persons’;
    • Interpretation of ‘high risk to the rights and freedoms of natural persons’;
    • Circumstances in which a data controller should be considered to have ‘become aware’ of a data breach;
    • Circumstances in which it is not feasible to report a data breach within 72 hours;
    • Interpretation of provisioning notification information ‘in phases without further delay’;
    • Interpretation of measures considered sufficient to mitigate adverse effects arising from a data breach;
    • Interpretation of measures considered sufficient to ensure that a high risk to the rights and freedoms of the individuals affected will not materialise;
    • Interpretation of ‘disproportionate effort’ in notifying individuals;
    • Interpretation of what form of public communication to inform individuals would constitute an equally effective manner when notifying the individuals concerned would involve a disproportionate effort;
    • For how long should a data controller be required to retain documentation relating to data breaches;
    • What level of detail needs to be provided when notifying a data breach


    You can find DIGITALEUROPE’s position paper here


    For more information please contact: 

    Damir Filipovic Photo Damir Filipovic
    Alexander Whalen Photo Alexander Whalen
    Senior Policy Manager
< Back