The Article 29 Working Party has issued new guidance on Personal
data breach notification under Regulation 2016/679 (WP 250) and on Automated
individual decision-making and Profiling for the purposes of Regulation
2016/679 (WP 251). They can be downloaded from the link below or via http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083
(see under Guidelines). They are available for comment until 28 November and are thus technically draft guidelines.
The new Guidelines on breach explain the mandatory breach
notification and communication requirements of the GDPR and some of the steps
controllers and processors can take to meet these new obligations. They also
give examples of various types of breaches and who would need to be notified in
different scenarios.
The new document on automated decision-making and profiling
has chapters covering:
- Definitions of profiling and automated decision-making and the GDPR approach to these in general
- Specific provisions on automated decision-making as defined in Article 22
- General provisions on profiling and automated decision-making
- Children and profiling
- Data protection impact assessments
The Annexes provide ‘best practice recommendations’.