The General Data Protection Regulation (“GDPR”), due to come into force in May 2018, provides for a new framework in data privacy matters in the European Union, which will have a wide-ranging impact on business around the world. (For previous coverage, please see our December 2015 Legal Update.)

During its December plenary meeting, the Article 29 Working Party (“WP29”), the working group composed of the 28 data protection authorities and EU officials, adopted guidelines in the following areas:

They were publicly released on December 16, 2016.

Expected by most businesses, the guidelines on DPOs should shed some light on (i) the need for controllers and processors to appoint DPOs, (ii) positions of the DPOs and (iii) their roles and responsibilities within their organizations. Although the guidelines do not offer clear-cut answers on some open items (such as the interpretation of large-scale processing), they do provide very valuable input on DPOs’ future roles and responsibilities. The guidelines should assist companies in scoping their needs and starting their recruitment processes.

Guidelines are not yet fully set in stone, as the WP29 welcomes comments that stakeholders may have on the adopted guidelines. Comments are due by January 31, 2017, and can be sent to either of the following email addresses: and Final guidance is expected in the course of 2017, along with guidance on Data Protection Impact Assessments and Certification.

The December plenary meeting is also bringing some news on other fronts, such as the implementation of the Privacy Shield and enforcement actions (the WhatsApp inquiry). The WP29 confirmed that it will take on the role of the "EU centralized body” under the Privacy Shield mechanism, i.e., the EU body set up to address individual complaints regarding data transferred to the United States for commercial purposes and further accessed for national security purposes.