Business Risk Services

Article 29 Working Party’s GDPR consultation

Sheila Duignan Sheila Duignan

The Data Protection Commissioner (DPC) has published notification of the EU Article 29 Working Party’s consultation on elements of the GDPR.

The Art. 29 Working Party intends to provide guidance on Consent, Profiling, Breach Notifications and Certification in the first half of 2017. To inform this guidance the office of the DPC has opened a consultation period and is seeking submissions from interested parties on these particular topics. These submissions will be directed to the presidency team of the Art. 29 Working Party.

The consultation period will run until 28th March 2017 and submissions should be emailed to


Article 4 of the GDPR defines consent as meaning “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

A number of requirements are required to satisfy the conditions for consent: 

  • consent must be demonstrable;
  • written consent must be in a manner that is clearly distinguishable from other matters; and
  • consent may be withdrawn at any time and it must be as easy to withdraw consent as to give it.

The Art. 29 Working Party are seeing stakeholder views on specific questions including:

  • how can organisations demonstrate that consent has been obtained to the standard required by the GDPR?
  • what organisational systems and procedures will be required to prove consent was obtained?
  • for how long should organisations retain proof that consent was lawfully obtained?


Article 4 of the GDPR defines profiling as “any form of automated processing of personal data consisting of using those data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.

Article 22 goes on to state that an individual has the right not to be subject to a decision based solely on automated processing, including profiling which produces legal effects or similarly significantly affects (see GDPR for exemptions to this).

Stakeholders’ views are sought on the following questions:

  • how will profiling activities currently undertaken in your industry be impacted by the requirements of the GDPR?
  • how should the individual’s right to give their point of view and contest a decision as regards profiling be given effect by a data controller?
  • what types of public interest reasons would justify profiling?

Personal Data Breach Notification:

The GDPR introduces a mandatory obligation for data controllers to notify data breaches to the relevant supervisory authority without undue delay and where feasible, not later than 72 hours after becoming aware of it. Notification is not required where the breach is unlikely to result in a risk to the rights and freedoms of natural persons but should be made without undue delay where the risk is a high one.

Data processors must notify data controllers without undue delay after becoming aware of a data breach.

Examples of questions on which stakeholders’ views are sought are:

  • what are anticipated to be the practical implications for organisations in complying with the personal data breach notification provisions of the GDPR?
  • what are the circumstances in which a data controller should be considered to have “become aware” of the data breach?
  • in what circumstances would it not be feasible for a data controller to report a data breach to a data protection authority within 72 hours?


The GDPR provides for certification actions to be undertaken by EU supervisory authorities in conjunction with certification and accreditation bodies. This is not limited to national level. Where cross-border processing can be approved at an EU level this may lead to a ‘European Data Protection Seal’. Certification bodies will need to be independent, be able to perform testing and handle complaints and have data protection expertise.

Views are sought on the following questions (amongst others):

  • what criteria should a supervisory authority approve to support data protection certification?
  • how can certification be made relevant for micro, small, medium-sized and large-scale enterprises?
  • under what circumstances would it be appropriate for a certification to be withdrawn from an organisation?

Grant Thornton will post an update on the Art. 29 Working Party’s guidance as it is published.