AmCham EU’s recommendations for the implementation of the General Data Protection Regulation (GDPR) address seven specific aspects with the aim of ensuring a consistent and balanced application across Europe:
- The one-stop shop: To add clarity, where an organisation designates a location as its main establishment, this should presumptively decide how the “main establishment” is determined.
- High-risk processing and Data Protection Impact Assessments (DPIAs): Additional context needs to be provided regarding what constitutes “high risk processing”.
- Personal data breaches and notification: Guidance is needed regarding the types of breaches that create a “risk” requiring notice to Data Protection Authorities (DPAs), and what additional factors create a “high risk” requiring notice to data subjects.
- Approved codes of conduct and certification: They must be pragmatic and should never be less flexible than the basic rules of the GDPR.
- Data portability: Guidance should clarify that the right covers only data provided by data subjects but not data generated by the service.
- Sanctions: A balanced use of the full spectrum of powers and dialogue with industry should be endorsed by the European Data Protection Board (EDPB).
- Data protection officers (DPOs): Guidance should clarify, in particular, the meaning of the terms “core activities” and “large-scale processing”.