Position paper - AmCham EU‘s Recommendations on GDPR Implementation

Executive summary

AmCham EU’s recommendations for the implementation of the General Data Protection Regulation (GDPR) address seven specific aspects with the aim of ensuring a consistent and balanced application across Europe:

• The one-stop shop: To add clarity, where an organisation designates a location as its main establishment, this should presumptively decide how the “main establishment” is determined.    
• High-risk processing and Data Protection Impact Assessments (DPIAs): Additional context needs to be provided regarding what constitutes “high risk processing”.
• Personal data breaches and notification: Guidance is needed regarding the types of breaches that create a “risk” requiring notice to Data Protection Authorities (DPAs), and what additional factors create a “high risk” requiring notice to data subjects. 
• Approved codes of conduct and certification: They must be pragmatic and should never be less flexible than the basic rules of the GDPR.
• Data portability: Guidance should clarify that the right covers only data provided by data subjects but not data generated by the service.
• Sanctions: A balanced use of full spectrum of powers and dialogue with industry should be endorsed by the European Data Protection Board (EDPB).
• Data protection officers (DPOs): Guidance should clarify, in particular, the meaning of the terms “core activities” and “large-scale processing”.