Common borders. Common solutions.










ALTHERA - Alternative Therapies in Maramureș and Ivano-Frankivsk
1HARD/4.1/37

This project is funded by the European Union

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation)

(Text with EEA relevance)

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof, having regard to the proposal from the European Commission, after the transmission of the draft legislative act to the national parliaments, having regard to the opinion of the European Economic and Social Committee (1), having regard to the opinion of the Committee of the Regions (2), acting in accordance with the ordinary legislative procedure (3),

(1) The protection of natural persons with regard to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (‘the Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide for the right of any person to the protection of personal data concerning him or her.

(2) The principles and rules relating to the protection of natural persons with regard to the processing of their personal data should, irrespective of the nationality or place of residence of natural persons, respect their fundamental rights and freedoms, in particular the right to the protection of personal data. This Regulation aims to contribute to the achievement of an area of freedom, security and justice and an economic union, economic and social progress, the strengthening and convergence of economies within the internal market and the well-being of individuals.

(3) Directive 95/46/EC of the European Parliament and of the Council (4) aims to harmonise the level of protection of the fundamental rights and freedoms of natural persons with regard to processing activities and to ensure the free movement of personal data between Member States.

(4) The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.

(5) The economic and social integration resulting from the functioning of the internal market has led to a substantial increase in cross-border flows of personal data. The exchange of personal data between public and private actors, including individuals, associations and businesses, has intensified throughout the Union. Under Union law, the national authorities of the Member States are called upon to cooperate and exchange personal data in order to be able to carry out their duties or perform tasks on behalf of an authority in another Member State.

(6) Rapid technological developments and globalisation have created new challenges for the protection of personal data. The extent of the collection and exchange of personal data has increased significantly. Technology allows both private companies and public authorities to use personal data at an unprecedented level in their activities. Increasingly, individuals are making personal information public worldwide. Technology has transformed both the economy and social life and should further facilitate the free movement of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of protection of personal data.

(7) These developments require a strong and more coherent data protection framework in the Union, accompanied by a rigorous application of the rules, taking into account the importance of creating a climate of trust that will allow the digital economy to develop in the internal market. Individuals should have control over their personal data and legal and practical certainty for natural persons, economic operators and public authorities should be strengthened.

(8) Where this Regulation provides for specifications or restrictions of its rules by Member State law, Member States may, as far as necessary for coherence and for making the national provisions comprehensible to the persons to whom they apply, incorporate elements of this Regulation into their national law.

(9) The objectives and principles of Directive 95/46/EC remain sound, but this has not prevented fragmentation of the way data protection is implemented in the Union, legal uncertainty or widespread public perception that there are significant risks to the protection of individuals, in particular in relation to online activity. Differences in the levels of protection of the rights and freedoms of natural persons, in particular the right to the protection of personal data, with regard to the processing of personal data in the Member States may hinder the free movement of personal data throughout the Union. These differences may therefore constitute an obstacle to the pursuit of economic activities at Union level, distort competition and prevent the authorities from fulfilling their responsibilities under Union law. This difference between levels of protection is due to differences in the transposition and application of Directive 95/46/EC.

(10) In order to ensure a consistent and high level of protection of natural persons and to remove obstacles to the movement of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogeneous application of the rules on the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. With regard to the processing of personal data with a view to complying with a legal obligation, the performance of a task which serves a public interest or which results from the exercise of the public authority vested in the controller, Member States should be allowed to maintain or introduce provisions of national law which further clarify the application of the rules of this Regulation. In conjunction with the general and horizontal data protection legislation implementing Directive 95/46/EC, Member States have several specific sectoral laws in areas requiring more precise provisions. This Regulation also gives Member States leeway in specifying its rules, including with regard to the processing of special categories of personal data (‘sensitive data’). To this end, this Regulation does not exclude the right of Member States to determine the circumstances relating to specific processing situations, including the more accurate determination of the conditions under which the processing of personal data is lawful.

(11) Effective protection of personal data throughout the Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for infringements in the Member States.

(12) Article 16(2) TFEU mandates the European Parliament and the Council to lay down rules on the protection of individuals with regard to the processing of personal data and rules on the free movement of such data.

(13) In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, equivalent sanctions in all Member States, and effective cooperation between the supervisory authorities of different Member States. The proper functioning of the internal market requires that the free movement of personal data within the Union is not restricted or prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data. To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping. In addition, the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. The notion of micro, small and medium-sized enterprises should draw from Article 2 of the Annex to Commission Recommendation 2003/361/EC (5).

(14) The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.

(15) In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system. Files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation.

(16) This Regulation does not apply to issues of protection of fundamental rights and freedoms or the free flow of personal data related to activities which fall outside the scope of Union law, such as activities concerning national security. This Regulation does not apply to the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union.

(17) Regulation (EC) No 45/2001 of the European Parliament and of the Council (6) applies to the processing of personal data by the Union institutions, bodies, offices and agencies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data should be adapted to the principles and rules established in this Regulation and applied in the light of this Regulation. In order to provide a strong and coherent data protection framework in the Union, the necessary adaptations of Regulation (EC) No 45/2001 should follow after the adoption of this Regulation, so that they can apply at the same time as this Regulation.

(18) This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.

(19) The protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, and the free movement of such data, is the subject of a specific Union legal act. This Regulation should therefore not apply to processing activities for those purposes. However, personal data processed by public authorities under this Regulation should, when used for those purposes, be governed by a more specific Union legal act, namely Directive (EU) 2016/680 of the European Parliament and of the Council (7). Member States may entrust competent authorities within the meaning of Directive (EU) 2016/680 with tasks which are not necessarily carried out for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and prevention of threats to public security, so that the processing of personal data for those other purposes, in so far as it is within the scope of Union law, falls within the scope of this Regulation.

With regard to the processing of personal data by those competent authorities for purposes falling within the scope of this Regulation, Member States should be able to maintain or introduce more specific provisions to adapt the application of the rules of this Regulation. Such provisions may determine more precisely specific requirements for the processing of personal data by those competent authorities for those other purposes, taking into account the constitutional, organisational and administrative structure of the respective Member State. When the processing of personal data by private bodies falls within the scope of this Regulation, this Regulation should provide for the possibility for Member States under specific conditions to restrict by law certain obligations and rights when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard specific important interests, including public security and the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. This is relevant, for instance, in the framework of anti-money laundering or the activities of forensic laboratories.

(20) While this Regulation applies, inter alia, to the activities of courts and other judicial authorities, Union or Member State law could specify the processing operations and processing procedures in relation to the processing of personal data by courts and other judicial authorities. The competence of the supervisory authorities should not cover the processing of personal data when courts are acting in their judicial capacity, in order to safeguard the independence of the judiciary in the performance of its judicial tasks, including decision-making. It should be possible to entrust supervision of such data processing operations to specific bodies within the judicial system of the Member State, which should, in particular, ensure compliance with the rules of this Regulation, enhance awareness among members of the judiciary of their obligations under this Regulation and handle complaints in relation to such data processing operations.

(21) This Regulation is without prejudice to the application of Directive 2000/31/EC of the European Parliament and of the Council (8), in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive. That Directive seeks to contribute to the proper functioning of the internal market by ensuring the free movement of information society services between Member States.

(22) Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.

(23) In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects, irrespective of whether connected to a payment. In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.

(24) The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union. In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet, including the potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

(25) Where Member State law applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State's diplomatic mission or consular post.

(26) The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person, or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

(27) This Regulation does not apply to personal data relating to deceased persons. Member States may lay down rules on the processing of personal data relating to deceased persons.

(28) The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data protection obligations. The explicit introduction of ‘pseudonymisation’ in this Regulation is not intended to preclude any other measures of data protection.

(29) In order to create incentives to apply pseudonymisation when processing personal data, measures of pseudonymisation should, whilst allowing general analysis, be possible within the same controller when that controller has taken the technical and organisational measures necessary to ensure, for the processing concerned, that this Regulation is implemented, and that additional information for attributing the personal data to a specific data subject is kept separately. The controller processing the personal data should indicate the authorised persons within the same controller.

(30) Individuals may be associated with online identifiers provided by their devices, applications, tools and protocols, such as IP addresses, cookie identifiers or other identifiers such as radio frequency identification tags. They may leave traces which, in particular when combined with unique identifiers and other information received by servers, may be used to create profiles of individuals and to identify them.

(31) Public authorities to which personal data are disclosed in accordance with a legal obligation for the exercise of their official mission, such as tax and customs authorities, financial intelligence units, independent administrative authorities, or financial market authorities responsible for the regulation and supervision of securities markets, should not be regarded as recipients if they receive personal data which are necessary to carry out a particular inquiry in the general interest, in accordance with Union or Member State law. The requests for disclosure sent by the public authorities should always be in writing, reasoned and occasional and should not concern the entirety of a filing system or lead to the interconnection of filing systems. The processing of personal data by those public authorities should comply with the applicable data protection rules according to the purposes of the processing.

(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

(33) It is often not possible, at the time of the collection of personal data, to fully identify the purpose of data processing for scientific research purposes. For this reason, data subjects should be allowed to consent to certain areas of scientific research when the ethical standards recognised for scientific research are met. Data subjects should be able to express their consent only for certain areas of research or parts of research projects to the extent permitted by the intended purpose.

(34) Genetic data should be defined as personal data relating to the inherited or acquired genetic characteristics of a natural person resulting from an analysis of a sample of the biological material of the natural person concerned, in particular a chromosomal analysis, an analysis of deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) or an analysis of any other element enabling equivalent information to be obtained.

(35) Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council (9) to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.

(36) The main establishment of a controller in the Union should be the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union, in which case that other establishment should be considered to be the main establishment. The main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes and means of processing through stable arrangements. That criterion should not depend on whether the processing of personal data is carried out at that location. The presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute a main establishment and are therefore not determining criteria for a main establishment. The main establishment of the processor should be the place of its central administration in the Union or, if it has no central administration in the Union, the place where the main processing activities take place in the Union. In cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment, but the supervisory authority of the processor should be considered to be a supervisory authority concerned and that supervisory authority should participate in the cooperation procedure provided for by this Regulation. In any case, the supervisory authorities of the Member State or Member States where the processor has one or more establishments should not be considered to be supervisory authorities concerned where the draft decision concerns only the controller. Where the processing is carried out by a group of undertakings, the main establishment of the controlling undertaking should be considered to be the main establishment of the group of undertakings, except where the purposes and means of processing are determined by another undertaking.

(37) A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exert a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it, or the power to have personal data protection rules implemented. An undertaking which controls the processing of personal data in undertakings affiliated to it should be regarded, together with those undertakings, as a group of undertakings.

(38) Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.

(39) Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.

(40) In order for the processing of personal data to be lawful, it should be carried out on the basis of the consent of the data subject or on the basis of another legitimate reason provided for by law, either in this Regulation or in another act of Union or national law, as provided for in this Regulation, including the need to comply with the legal obligations to which the controller is subject or the need to perform a contract to which the data subject is a party or to complete the steps prior to the conclusion of a contract, at the request of the data subject.

(41) Whenever this Regulation refers to a legal basis or legislative measure, it does not necessarily require a legislative act adopted by a parliament, without prejudice to the requirements arising from the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise and its application should be foreseeable for the persons concerned, in accordance with the case-law of the Court of Justice of the European Union (‘the Court of Justice’) and the European Court of Human Rights.

(42) Where the processing is based on the consent of the data subject, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular, in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware that consent has been given and of the extent to which it has been given. In accordance with Council Directive 93/13/EEC (10), a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language, and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

(43) In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority, and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations, even though it is appropriate in the individual case, or if the performance of a contract, including the provision of a service, is made dependent on the consent despite such consent not being necessary for that performance.

(44) Processing should be considered lawful where it is necessary under a contract or for the conclusion of a contract.

(45) Where processing is carried out in accordance with a legal obligation to which the controller is subject, or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law. This Regulation does not require a specific law for each individual processing operation. A single law may be sufficient as a basis for several processing operations based on a legal obligation to which the controller is subject, or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. The purpose of the processing should also be determined in Union or Member State law. Moreover, that law could specify the general conditions of this Regulation governing the lawfulness of personal data processing, lay down specifications for determining the controller, the type of personal data subject to processing, the data subjects concerned, the entities to which the personal data may be disclosed, the purpose limitations, the storage period and other measures to ensure lawful and fair processing. It should also be for Union or Member State law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public authority or another natural or legal person governed by public law or, where it is in the public interest to do so, including for health purposes such as public health and social protection and the management of health care services, by private law, such as a professional association.

(46) The processing of personal data should also be considered lawful where it is necessary in order to ensure the protection of an interest which is essential for the life of the data subject or for the life of another natural person. The processing of personal data based on the vital interests of another natural person should be carried out only if the processing cannot clearly be based on another legal basis. Some types of processing may serve both important reasons of public interest and the vital interests of the data subject, for example where processing is necessary for humanitarian purposes, including for the purpose of monitoring an epidemic and its spread, or in humanitarian emergencies, in particular in situations of natural or man-made disasters.

(47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such a legitimate interest could exist, for example, where there is a relevant and appropriate relationship between the data subject and the controller, such as where the data subject is a client of, or in the service of, the controller. In any event, the existence of a legitimate interest would require a careful assessment, including whether a data subject can reasonably expect, at the time and in the context of the collection of the personal data, that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

(48) Controllers that are part of a group of undertakings, or of institutions affiliated to a central body, may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients' or employees' personal data. The general principles governing the transfer of personal data, within a group of undertakings, to an undertaking located in a third country remain unaffected.

(49) The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams, by computer security incident response teams, by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and the distribution of malicious code, and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.

(50) The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required. If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union or Member State law may determine and specify the tasks and purposes for which the further processing should be regarded as compatible and lawful. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered to be compatible lawful processing operations. The legal basis provided by Union or Member State law for the processing of personal data may also provide a legal basis for further processing. In order to ascertain whether a purpose of further processing is compatible with the purpose for which the personal data were initially collected, the controller, after having met all the requirements for the lawfulness of the original processing, should take into account, inter alia: any link between those purposes and the purposes of the intended further processing; the context in which the personal data were collected, in particular the reasonable expectations of data subjects, based on their relationship with the controller, as to their further use; the nature of the personal data; the consequences of the intended further processing for data subjects; and the existence of appropriate safeguards in both the original and the intended further processing operations.

Where the data subject has given consent, or where the processing is based on Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard, in particular, important objectives of general public interest, the controller should be allowed to further process the personal data irrespective of the compatibility of the purposes. In any case, the application of the principles set out in this Regulation and, in particular, the information of the data subject on those other purposes and on his or her rights, including the right to object, should be ensured. Indicating possible criminal acts or threats to public security by the controller and transmitting the relevant personal data to a competent authority, in individual cases or in several cases relating to the same criminal act or threat to public security, should be regarded as being in the legitimate interest pursued by the controller. However, such transmission in the legitimate interest of the controller, or further processing of personal data, should be prohibited if the processing is not compatible with a legal, professional or other binding obligation of secrecy.

(51) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection, since the context of their processing could create significant risks to those fundamental rights and freedoms. Such personal data should include personal data revealing racial or ethnic origin; the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races. The processing of photographs should not systematically be considered to be processing of special categories of personal data, since photographs are covered by the definition of biometric data only when processed through specific technical means allowing the unique identification or authentication of a natural person. Such personal data should not be processed unless processing is allowed in the specific cases set out in this Regulation, taking into account that Member State law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition on processing such special categories of personal data should be explicitly provided for, inter alia, where the data subject gives explicit consent or in respect of specific needs, in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations whose purpose is to permit the exercise of fundamental freedoms.

(52) Derogation from the prohibition on processing special categories of personal data should also be allowed where provided for in Union or Member State law and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where it is in the public interest to do so, in particular for the processing of personal data in the field of employment law, social protection law including pensions, and for health security, monitoring and alert purposes, the prevention or control of communicable diseases and other serious threats to health. Such a derogation may be made for health purposes, including public health and the management of health care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. A derogation should also allow the processing of such personal data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.

(53) Special categories of personal data which merit a higher level of protection should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social care services and systems, including processing by the management and central national health authorities of such data for the purpose of quality control, management information and the general national and local supervision of the health or social care system, and ensuring continuity of health or social care and cross-border healthcare, or for health security, monitoring and alert purposes, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes based on Union or Member State law which has to meet an objective of public interest, as well as for studies conducted in the public interest in the area of public health. This Regulation should therefore provide for harmonised conditions for the processing of special categories of personal data concerning health, in respect of specific needs, in particular where the processing of such data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy. Union or Member State law should provide for specific and suitable measures to protect the fundamental rights and the personal data of natural persons. Member States should be allowed to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. However, this should not hamper the free flow of personal data within the Union when those conditions apply to cross-border processing of such data.

(54) The processing of special categories of personal data may be necessary for reasons of public interest in the areas of public health without the consent of the data subject. Such processing should be subject to suitable and specific measures to protect the rights and freedoms of natural persons. In that context, ‘public health’ should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council (11), namely all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care, as well as health care expenditure and financing, and the causes of mortality. Such processing of data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties such as employers or insurance and banking companies.

(55) In addition, the processing of personal data by public authorities with a view to achieving the objectives laid down by constitutional law or public international law of officially recognised religious associations shall be carried out on grounds of public interest.

(56) Where, in the context of electoral activities, the functioning of the democratic system requires political parties in a Member State to collect personal data on the political views of individuals, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are provided.

(57) If the personal data processed by a controller do not permit the controller to identify a natural person, the controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. However, the controller should not refuse to accept additional information provided by the data subject in order to support the exercise of his or her rights. Identification should include the digital identification of a data subject, for example through an authentication mechanism such as the same credentials used by the data subject to log in to the online service offered by the controller.

(58) The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Such information could be provided in electronic form, for example when addressed to the public through a website. This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising. Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such clear and plain language that the child can easily understand.

(59) Modalities should be provided for facilitating the exercise of the data subject's rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and, if the controller does not intend to comply with the request, to give reasons for the refusal.

(60) The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences of a failure to provide such data. That information may be provided in combination with standardised icons in order to give, in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.

(61) The information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case. Where personal data can be legitimately disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to the recipient. Where the controller intends to process the personal data for a purpose other than that for which they were collected, the controller should provide the data subject, prior to that further processing, with information on that other purpose and other necessary information. Where the origin of the personal data cannot be provided to the data subject because various sources have been used, general information should be provided.

(62) However, it is not necessary to impose the obligation to provide information where the data subject already has the information, where the recording or disclosure of personal data is expressly provided for by law or where the information of the data subject proves impossible or would involve disproportionate efforts. The latter could be the case in particular where processing is carried out for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes. In this respect, the number of data subjects, the age of the data and any appropriate safeguards adopted should be taken into account.

(63) A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. This includes the right of data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided. Every data subject should therefore have the right to know and obtain communication, in particular, of the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic processing of personal data and, at least when based on profiling, the consequences of such processing. Where possible, the controller should be able to provide remote access to a secure system which would give the data subject direct access to his or her personal data. That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and, in particular, the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject. Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.

(64) The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.

(65) A data subject should have the right to have personal data concerning him or her rectified, and a ‘right to be forgotten’ where the retention of such data infringes this Regulation or Union or Member State law to which the controller is subject. In particular, a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation. That right is relevant in particular where the data subject has given his or her consent as a child and is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet. The data subject should be able to exercise that right notwithstanding the fact that he or she is no longer a child. However, the further retention of the personal data should be lawful where it is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.

(66) To strengthen the ‘right to be forgotten’ in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform the controllers which are processing such personal data to erase any links to, or copies or replications of, those personal data. In doing so, that controller should take reasonable steps, taking into account available technology and the means available to the controller, including technical measures, to inform the controllers which are processing the personal data of the data subject's request.

(67) Methods by which to restrict the processing of personal data could include, inter alia, temporarily moving the selected data to another processing system, making the selected personal data unavailable to users, or temporarily removing published data from a website. In automated filing systems, the restriction of processing should in principle be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed. The fact that the processing of personal data is restricted should be clearly indicated in the system.

(68) To further strengthen the control over his or her own data, where the processing of personal data is carried out by automated means, the data subject should also be allowed to receive personal data concerning him or her which he or she has provided to a controller in a structured, commonly used, machine-readable and interoperable format, and to transmit it to another controller. Data controllers should be encouraged to develop interoperable formats that enable data portability. That right should apply where the data subject provided the personal data on the basis of his or her consent or the processing is necessary for the performance of a contract. It should not apply where processing is based on a legal ground other than consent or contract. By its very nature, that right should not be exercised against controllers processing personal data in the exercise of their public duties. It should therefore not apply where the processing of the personal data is necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The data subject's right to transmit or receive personal data concerning him or her should not create an obligation for the controllers to adopt or maintain processing systems which are technically compatible. Where, in a certain set of personal data, more than one data subject is concerned, the right to receive the personal data should be without prejudice to the rights and freedoms of other data subjects in accordance with this Regulation. Furthermore, that right should not prejudice the right of the data subject to obtain the erasure of personal data and the limitations of that right as set out in this Regulation, and should, in particular, not imply the erasure of personal data concerning the data subject which have been provided by him or her for the performance of a contract, to the extent that and for as long as the personal data are necessary for the performance of that contract. Where technically feasible, the data subject should have the right to have the personal data transmitted directly from one controller to another.

(69) Where personal data might lawfully be processed because processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or on grounds of the legitimate interests of a controller or a third party, a data subject should nevertheless be entitled to object to the processing of any personal data relating to his or her particular situation. It should be for the controller to demonstrate that its compelling legitimate interests override the interests or the fundamental rights and freedoms of the data subject.

(70) Where personal data are processed for direct marketing purposes, the data subject should have the right to object to such processing, including profiling in so far as it relates to direct marketing, whether the processing in question is the initial or subsequent processing, at any time and free of charge. This right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.

(71) The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention. Such processing includes ‘profiling’, which consists of any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her. However, decision-making based on such processing, including profiling, should be allowed where expressly authorised by Union or Member State law to which the controller is subject, including for fraud and tax-evasion monitoring and prevention purposes conducted in accordance with the regulations, standards and recommendations of Union institutions or national oversight bodies, and to ensure the security and reliability of a service provided by the controller, or where it is necessary for the entering into or performance of a contract between the data subject and a controller, or where the data subject has given his or her explicit consent. In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision. Such a measure should not concern a child.

In order to ensure fair and transparent processing in respect of the data subject, in view of the specific circumstances and the context in which personal data are processed, the controller should use appropriate mathematical or statistical procedures for profiling, implement appropriate technical and organisational measures to ensure in particular that the factors leading to inaccuracies in personal data are corrected and that the risk of errors is minimised, and secure personal data in a way that takes into account the potential dangers to the interests and rights of the data subject and prevents, inter alia, discriminatory effects against persons on grounds of race or ethnic origin, political opinions, religion or belief, trade union membership, genetic characteristics, health status or sexual orientation, or measures leading to such effects. Automated decision-making and profiling based on special categories of personal data should only be allowed under specific conditions.

(72) Profiling is subject to the rules of this Regulation governing the processing of personal data, such as the legal bases of processing or the principles of data protection. The European Data Protection Committee set up by this Regulation (the “Committee”) should be able to issue guidance in this context.

(73) Union law or national law may impose restrictions on specific principles, with regard to the right of information, the right of access to and deletion of personal data, the right to data portability, the right to object, decisions based on profiling, and the disclosure of a breach of the personal data of the data subject and certain related obligations of controllers, to the extent necessary and proportionate in a democratic society in order to ensure public safety, including the protection of human life, in particular in response to natural or man-made disasters, the prevention, investigation and prosecution of criminal offences or the execution of penalties, including protection against threats to public safety or breaches of ethics in the case of regulated professions and their prevention, other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, the maintenance of public registers for reasons of general public interest, the subsequent processing of archived personal data in order to provide specific information relating to political behaviour under the regimes of the former totalitarian States, the protection of the data subject or the rights and freedoms of third parties, including social protection, public health and humanitarian purposes. These restrictions should comply with the requirements of the Charter and the European Convention for the Protection of Human Rights and Fundamental Freedoms.


(74) The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller’s behalf should be established. In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the conformity of processing activities with this Regulation, including the effectiveness of the measures. Such measures should take into account the nature, scope, context and purposes of the processing, as well as the risk to the rights and freedoms of natural persons.

(75) The risk to the rights and freedoms of natural persons, with varying degrees of likelihood and seriousness, may result from the processing of personal data which could give rise to physical, material or moral damage, in particular in cases where: processing may lead to discrimination, identity theft or fraud, financial loss, reputational damage, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation or any other significant disadvantage of an economic or social nature; data subjects could be deprived of their rights and freedoms or prevented from exercising control over their personal data; the personal data processed reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, or trade union membership; genetic data, health data or data on sexual life or on criminal convictions and related offences or security measures are processed; aspects of a personal nature are assessed, in particular the analysis or forecasting of aspects of performance at work, economic situation, health status, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; personal data of vulnerable persons, in particular children, are processed; or processing involves a large amount of personal data and affects a large number of data subjects.

(76) The likelihood and the seriousness of the risk to the rights and freedoms of the data subject should be determined on the basis of the nature, scope, context and purposes of the processing of personal data. The risk should be evaluated on the basis of an objective assessment establishing whether data processing operations pose a risk or a high risk.

(77) Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or processor, in particular as regards the identification of the risk related to processing, its assessment in terms of origin, nature, likelihood and severity, and the identification of good practices for mitigating risk, could be provided in particular by approved codes of conduct, approved certifications, Committee guidelines or by guidance provided by a data protection officer. The Committee may also issue guidance on processing operations which are considered unlikely to give rise to a high risk to the rights and freedoms of natural persons and indicate measures which may prove sufficient in such cases to address such a risk.

(78) The protection of the rights and freedoms of natural persons with regard to the processing of personal data requires the adoption of appropriate technical and organisational measures to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures that comply in particular with the principles of data protection by design and data protection by default. Such measures could consist, inter alia, in minimising the processing of personal data, pseudonymising such data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the processing of data, and enabling the controller to create and improve security features. When developing, designing, selecting and using applications, services and products that rely on the processing of personal data or that process personal data to fulfil their role, the producers of these products and the suppliers of these services and applications should be encouraged to consider the right to data protection when developing and designing such products, services and applications and, taking into account the state of the art, ensure that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into account in the context of public tenders.

(79) The protection of the rights and freedoms of data subjects and the responsibility and liability of controllers and processors, including with regard to monitoring by supervisory authorities and the measures taken by them, require a clear attribution of responsibilities under this Regulation, including where a controller determines the purposes and means of processing jointly with other controllers or where a processing operation is carried out on behalf of a controller.

(80) Where a controller or processor who is not established in the Union processes the personal data of data subjects who are in the territory of the Union and its processing activities are related to the provision of goods or services to such data subjects in the Union, whether or not a payment is requested from the data subject, or to the monitoring of the behaviour of data subjects insofar as it occurs within the Union, the controller or processor should appoint a representative, unless the processing is of an occasional nature, does not include the large-scale processing of special categories of personal data or the processing of data relating to criminal convictions and criminal offences, and is unlikely to give rise to a risk to the rights and freedoms of natural persons, given the nature, context, scope and purposes of the processing, or where the controller is a public authority or a public body. The representative should act on behalf of the controller or processor and may be contacted by any supervisory authority. The representative should be explicitly appointed, by a written mandate of the controller or processor, to act on their behalf with regard to their obligations under this Regulation. The appointment of such a representative is without prejudice to the responsibility or liability of the controller or processor under this Regulation. Such a representative should carry out his or her duties in accordance with the mandate received from the controller or processor, including cooperating with the competent supervisory authorities in any action taken to ensure compliance with this Regulation. The designated representative should be subject to enforcement procedures in the event of non-compliance with this Regulation by the controller or processor.

(81) In order to ensure compliance with the requirements of this Regulation with regard to the processing to be carried out on behalf of the controller by the processor, when assigning processing activities to a processor, the controller should use only processors who provide sufficient guarantees, in particular as regards expert knowledge, reliability and resources, to implement technical and organisational measures meeting the requirements of this Regulation, including for the security of processing. Adherence by the processor to an approved code of conduct or an approved certification mechanism may be used as an element demonstrating compliance with the obligations of the controller. Processing by a processor should be governed by a contract or other type of legal act, under Union or national law, which creates obligations for the processor in relation to the controller and which determines the subject matter and duration of the processing, the nature and purposes of the processing, the type of personal data and the categories of data subjects, and should take into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out, as well as the risk to the rights and freedoms of the data subject. The controller and the processor may choose to use an individual contract or standard contractual clauses which are adopted either directly by the Commission or by a supervisory authority in accordance with the consistency mechanism and then adopted by the Commission. After completion of the processing on behalf of the controller, the processor should return or delete the personal data, at the choice of the controller, unless there is a requirement to store personal data under Union or national law imposing obligations on the processor.

(82) In order to demonstrate compliance with this Regulation, the controller or processor should keep records of the processing activities under his responsibility. Each controller and processor should be required to cooperate with the supervisory authority and to make such records available to it, on request, so that they can be used for the purpose of monitoring the processing operations concerned.

(83) In order to maintain security and prevent processing in breach of this Regulation, the controller or processor should assess the risks inherent in processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the current state of development and the costs of implementation in relation to the risks and nature of the personal data to be protected. In assessing the risk to the security of personal data, attention should be paid to the risks posed by the processing of data, such as destruction, loss, modification, unauthorised disclosure or unauthorised access to personal data transmitted, stored or otherwise processed, by accident or illegally, which may in particular lead to physical, material or moral harm.

(84) In order to promote compliance with the provisions of this Regulation in cases where processing operations are likely to give rise to a high risk to the rights and freedoms of natural persons, the controller should be responsible for carrying out a data protection impact assessment, evaluating in particular the origin, nature, specificity and seriousness of that risk. The outcome of the assessment should be taken into account when determining the appropriate measures to be taken to demonstrate that the processing of personal data complies with this Regulation. Where a data protection impact assessment shows that processing operations involve a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and implementation costs, a consultation of the supervisory authority should take place before processing.

(85) If not addressed in a timely and appropriate manner, a breach of personal data security may result in physical, material or moral harm to natural persons, such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, reputational damage, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned. Therefore, as soon as it becomes aware of a personal data breach, the controller should notify the supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the controller is able to demonstrate, in accordance with the principle of accountability, that the breach of the security of personal data is not likely to create a risk to the rights and freedoms of natural persons. Where notification cannot be made within 72 hours, it should include the reasons for the delay, and the information may be provided in phases without undue further delay.

(86) The controller should communicate to the data subject a breach of personal data security, without undue delay, where the breach is likely to give rise to a high risk to the rights and freedoms of the natural person, in order to enable him or her to take the necessary precautions. The communication should describe the nature of the personal data breach and include recommendations for the natural person concerned in order to mitigate any negative effects. Communications to data subjects should be made as soon as reasonably practicable and in close cooperation with the supervisory authority, in accordance with the guidelines provided by it or by other competent authorities, such as law enforcement authorities. For example, the need to mitigate an immediate risk of harm would entail prompt communication to data subjects, while the need to implement appropriate measures against further or similar breaches of personal data security could justify a longer period for communication.

(87) It should be determined whether all appropriate technological protection and organisational measures have been implemented in order to establish immediately whether a personal data breach has occurred and to promptly inform the supervisory authority and the data subject. The fact that the notification was made without undue delay should be established taking into account, in particular, the nature and seriousness of the personal data breach and its adverse consequences and effects on the data subject. Such notification may lead to intervention by the supervisory authority in accordance with the tasks and powers specified in this Regulation.

(88) In establishing detailed rules on the format and procedures applicable to notification of personal data breaches, due consideration should be given to the circumstances in which the breach occurred, including whether or not the protection of personal data has been ensured by appropriate technical safeguards, effectively limiting the likelihood of identity fraud or other forms of misuse. In addition, such rules and procedures should take into account the legitimate interests of law enforcement authorities in cases where early disclosure could unnecessarily make it difficult to investigate the circumstances in which a breach of personal data has occurred.

(89) Directive 95/46/EC provided for a general obligation to notify the processing of personal data to supervisory authorities. Although that obligation creates administrative and financial burdens, it has not always contributed to improving the protection of personal data. Therefore, such non-differentiated general notification obligations should be repealed and replaced by effective procedures and mechanisms that focus, instead, on those types of processing operations likely to create a high risk to the rights and freedoms of natural persons by their very nature, scope, context and purposes. Such types of processing operations may be those involving, in particular, the use of new technologies or representing a new type of operations, for which no data protection impact assessment has been previously carried out by the controller or which become necessary given the period of time since the initial processing.

(90) In such cases, the controller should carry out, before processing, a data protection impact assessment in order to assess the specific likelihood of the materialisation of the high risk and its severity, taking into account the nature, scope, context and purposes of the processing, as well as the sources of the risk. That impact assessment should include, in particular, the measures, safeguards and mechanisms envisaged to mitigate that risk, to ensure the protection of personal data and to demonstrate compliance with this Regulation.

(91) This should apply, in particular, to large-scale processing operations, which aim at the processing of a considerable amount of personal data at regional, national or supranational level, which could affect a large number of data subjects and which are likely to give rise to a high risk, for example because of their sensitivity, where, in accordance with the achieved level of technological knowledge, a new technology is used on a large scale, as well as to other processing operations which pose a high risk to the rights and freedoms of data subjects, in particular where those operations limit the ability of data subjects to exercise their rights. A data protection impact assessment should also be carried out in situations where personal data are processed for the purpose of making decisions targeting specific natural persons following a systematic and comprehensive assessment of personal aspects relating to natural persons, on the basis of profiling of those data, or following the processing of special categories of personal data, biometric data or data on criminal convictions and related offences or security measures. A data protection impact assessment is equally necessary for the large-scale monitoring of publicly available areas, in particular in the case of the use of optoelectronic devices, or for any other operation where the competent supervisory authority considers that the processing is likely to give rise to a high risk to the rights and freedoms of data subjects, in particular because it prevents data subjects from exercising a right or using a service or contract, or because it is carried out systematically on a large scale. The processing of personal data should not be considered to be large-scale if the processing relates to personal data of patients or clients by an individual doctor, other healthcare professional or lawyer. In such cases, a data protection impact assessment should not be mandatory.

(92) In some circumstances it may be reasonable and economically useful for a data protection impact assessment to have a broader perspective than that of a single project, for example where public authorities or bodies intend to set up a common application or processing platform, or where more than one controller intends to introduce a common application or processing environment within a sector or industrial segment or for a widely used horizontal activity.

(93) In the context of the adoption of the national legislation on which the tasks of the public authority or public body are based and which governs the processing operation or set of operations in question, Member States may consider it necessary to carry out such an assessment before processing activities are carried out.

(94) Where a data protection impact assessment shows that processing would, in the absence of safeguards, security measures and risk mitigation mechanisms, result in a high risk to the rights and freedoms of natural persons and the controller considers that the risk cannot be mitigated by reasonable means in terms of available technologies and implementation costs, the supervisory authority should be consulted before the start of processing activities. Such a high risk is likely to be generated by certain types of processing, as well as by the extent and frequency of processing, which may also lead to damage or affect the rights and freedoms of natural persons. The supervisory authority should respond to the request for consultation within a certain period of time. However, the lack of a reaction from the supervisory authority within that period should be without prejudice to any intervention by the supervisory authority in accordance with its tasks and powers under this Regulation, including the power to prohibit processing operations. As part of this consultation process, the outcome of a data protection impact assessment carried out on the processing in question may be forwarded to the supervisory authority, in particular the measures envisaged to mitigate the risk to the rights and freedoms of natural persons.


(95) The processor should assist the controller, if necessary and on request, in ensuring compliance with the obligations arising from the carrying out of data protection impact assessments and the prior consultation of the supervisory authority.

(96) A consultation of the supervisory authority should also take place during the preparation of a legislative or regulatory measure providing for the processing of personal data in order to ensure compliance of the processing envisaged with this Regulation and, in particular, to mitigate the risk to which the data subject is exposed.

(97) Where the processing is carried out by a public authority, with the exception of courts or independent judicial authorities when acting in their judicial capacity, where, in the private sector, the processing is carried out by a controller whose main activity consists of processing operations requiring regular and systematic monitoring of data subjects on a large scale, or where the principal activity of the controller or processor consists in the large-scale processing of special categories of personal data and data on criminal convictions and offences, a person with expertise in data protection legislation and practices should assist the controller or processor in monitoring internal compliance with this Regulation. In the private sector, a controller’s main activities relate to its core activities and not to the processing of personal data as an ancillary activity. The necessary level of expertise should be determined in particular on the basis of the data processing operations carried out and the level of protection required for the personal data processed by the controller or processor. Such data protection officers, whether or not they are employees of the controller, should be able to carry out their duties and tasks independently.

(98) Associations or other bodies representing categories of controllers or processors should be encouraged to draw up codes of conduct within the limits of this Regulation so as to facilitate the effective application of this Regulation, taking into account the specific characteristics of the processing carried out in certain sectors and the specific needs of micro, small and medium-sized enterprises. In particular, such codes of conduct could calibrate the obligations of controllers and processors, taking into account the risk to the rights and freedoms of natural persons likely to result from the processing.

(99) When drawing up a code of conduct or amending or extending such a code, associations and other bodies representing categories of controllers or processors should consult the relevant stakeholders, including data subjects, where feasible, and take into account the contributions submitted and the opinions expressed in such consultations.

(100) In order to improve transparency and compliance with this Regulation, the establishment of certification mechanisms, as well as data protection seals and marks, should be encouraged to enable data subjects to rapidly assess the level of data protection of the relevant products and services.

(101) Flows of personal data to and from countries outside the Union and international organisations are necessary for the development of international trade and international cooperation. The growth of these flows has created new challenges and concerns about the protection of personal data. However, where personal data from the Union are transferred to controllers, processors or other recipients in third countries or international organisations, the level of protection of natural persons provided in the Union by this Regulation should not be reduced, including in cases of onward transfers of personal data from the third country or international organisation to controllers or processors in the same or another third country or international organisation. In any event, transfers to third countries and international organisations may be carried out only in full compliance with this Regulation. A transfer could take place only if, subject to compliance with the other provisions of this Regulation, the controller or processor satisfies the conditions laid down in the provisions of this Regulation on the transfer of personal data to third countries or international organisations.

(102) This Regulation is without prejudice to international agreements concluded between the Union and third countries with a view to regulating the transfer of personal data, including adequate safeguards for data subjects. Member States may conclude international agreements involving the transfer of personal data to third countries or international organisations, in so far as such agreements do not affect this Regulation or other provisions of Union law and include an appropriate level of protection of the fundamental rights of data subjects.

(103) The Commission may decide, with effect throughout the Union, that a third country, territory or sector of a third country or an international organisation provides an adequate level of data protection, thereby ensuring legal certainty and uniformity in the Union as regards the third country or international organisation which is considered to provide such a level of protection. In such cases, transfers of personal data to the third country or international organisation concerned may take place without the need for further authorisation. The Commission may also decide, after sending a full notification and justification to the third country or international organisation, to annul such a decision.

(104) In accordance with the fundamental values on which the Union is founded, in particular the protection of human rights, the Commission should, in its assessment of the third country or of a specified territory or sector of a third country, take into account the way in which it respects the rule of law, access to justice, as well as international human rights rules and standards and its general and sectoral legislation, including legislation on public security, defence and national security, as well as public order and criminal law. The adoption of a decision on the adequacy of the level of protection for a specified territory or sector in a third country should take into account clear and objective criteria, such as specific processing activities and the scope of applicable legal standards and the legislation in force in that third country. The third country should provide guarantees to ensure an adequate level of protection, essentially equivalent to that provided within the Union, in particular when personal data are processed in one or more specific sectors. In particular, the third country should ensure effective independent data protection supervision and provide for mechanisms for cooperation with Member States’ data protection authorities, and data subjects should enjoy effective and enforceable rights and effective administrative and judicial redress.

(105) In addition to international commitments made by the third country or the international organisation, the Commission should take into account the obligations arising from the participation of the third country or the international organisation in multilateral or regional systems, in particular as regards the protection of personal data, and the implementation of such obligations. In particular, consideration should be given to the accession of the third country to the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data and its Additional Protocol. The Commission should consult the Committee when assessing the level of protection in third countries or international organisations.

(106) The Commission should monitor the functioning of decisions on the level of protection in a third country or a particular territory or sector of a third country or an international organisation and monitor the functioning of decisions taken pursuant to Article 25(6) or Article 26(4) of Directive 95/46/EC. In its decisions on the adequacy of the level of protection, the Commission should provide for a mechanism for regular review of their functioning. This periodic review should be carried out in consultation with the third country or international organisation concerned and should take into account all relevant developments in the third country or international organisation. For the purpose of monitoring and carrying out regular reviews, the Commission should take into account the views and findings of the European Parliament and the Council, as well as of other relevant bodies and sources. The Commission should assess, within a reasonable time, the functioning of the latter decisions and report all relevant findings to the Committee within the meaning of Regulation (EU) No 182/2011 of the European Parliament and of the Council (12), as established under this Regulation, and to the European Parliament and the Council.

(107) The Commission may recognise that a third country, a specified territory or sector in a third country or an international organisation no longer provides an adequate level of data protection. Consequently, the transfer of personal data to the third country or international organisation concerned should be prohibited, unless the requirements of this Regulation on transfers on the basis of appropriate safeguards, including binding corporate rules, and on derogations for specific situations are met. In this case, provision should be made for consultations between the Commission and such third countries or international organisations. The Commission should, in due course, inform the third country or international organisation of its reasons and initiate consultations with it to remedy the situation.

(108) In the absence of a decision on the adequacy of the level of protection, the controller or processor should take measures to compensate for the lack of data protection in a third country by means of appropriate safeguards for the data subject. Such appropriate safeguards may consist of the use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority. Those safeguards should ensure compliance with data protection requirements and data subjects’ rights corresponding to processing within the Union, including the availability of enforceable rights of data subjects and effective remedies, including the right of access to effective administrative or judicial redress and the right to seek compensation, in the Union or in a third country. They should relate in particular to compliance with the general principles on the processing of personal data: the principle of data protection by design and the principle of data protection by default. Transfers may also be made by public authorities or bodies with public authorities or bodies in third countries or with international organisations with appropriate powers and functions, including on the basis of provisions providing for enforceable and effective rights for data subjects, to be introduced into administrative agreements, such as a Memorandum of Understanding. Authorisation from the competent supervisory authority should be obtained where guarantees are provided under non-legally binding administrative agreements.

(109) The possibility for the controller or processor to use standard data protection clauses adopted by the Commission or a supervisory authority should not prevent controllers or processors from including standard data protection clauses in a broader contract, such as a contract between the processor and another processor, nor from adding other additional clauses or guarantees, as long as they do not directly or indirectly contravene the standard contractual clauses adopted by the Commission or a supervisory authority or do not prejudice the fundamental rights or freedoms of the data subjects. Controllers and processors should be encouraged to provide additional guarantees through contractual commitments that complement standard protection clauses.

(110) A group of undertakings or a group of undertakings engaged in a common economic activity should be able to use the binding corporate rules approved for its international transfers from the Union to organisations within the same group of undertakings or group of undertakings involved in a common economic activity, provided that such corporate rules include all essential principles and enforceable rights in order to ensure adequate safeguards for transfers or categories of personal data transfers.

(111) Provision should be made for the possibility of making transfers in certain circumstances in which the data subject has given explicit consent, where the transfer is occasional and necessary in connection with a contract or legal action, whether in the context of judicial proceedings or in the context of administrative or extrajudicial proceedings, including in proceedings before regulatory bodies. Provision should also be made for the possibility of making transfers where important reasons of public interest established by Union or national law so require, or where the transfer is made from a register established by law and intended to be consulted by the public or by persons having a legitimate interest. In the latter case, such a transfer should not involve all personal data or all categories of data contained in the register, and where the register is intended to be consulted by persons having a legitimate interest, the transfer should be made only at the request of those persons or if they are the recipients, taking full account of the interests and fundamental rights of the data subject.

(112) These derogations should apply, in particular, to transfers of data requested and necessary for important reasons of public interest, for example in the case of international exchange of data between competition authorities, tax or customs administrations, between financial supervisory authorities, between the health security or public health services, for example in the case of contact tracing for contagious diseases or for the reduction and/or elimination of doping in sport. A transfer of personal data should also be considered legal where necessary for the purpose of protecting an interest which is essential for the vital interests of the data subject or another person, including his or her physical integrity or life, where the data subject is unable to give consent. In the absence of a decision on the adequacy of the level of protection, Union or national law may, for important reasons of public interest, expressly set limits on the transfer of specific categories of data to a third country or an international organisation. Member States should notify the Commission of these provisions. Any transfer to an international humanitarian organisation of the personal data of a data subject who is physically or legally unable to give consent, in order to carry out a task arising from the Geneva Conventions or in order to comply with the international humanitarian law applicable in armed conflicts, may be considered necessary for an important reason of public interest or because it is in the vital interest of the data subject.

(113) Transfers which may be regarded as not being repetitive and which relate only to a limited number of data subjects could also be made for the purpose of achieving the legitimate interests pursued by the controller, where those interests do not take precedence over the interests or rights and freedoms of the data subject and where the controller has assessed all the circumstances of the data transfer. The controller should pay particular attention to the nature of the personal data, the purpose and duration of the proposed processing operation or operations, as well as the situation in the country of origin, third country and country of final destination and should provide adequate safeguards for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of their personal data. Such transfers should only be possible in residual cases where none of the other reasons for transfer can be applied. As regards scientific or historical research purposes or statistical purposes, account should be taken of society’s legitimate expectations of increasing the level of knowledge. The controller should inform the supervisory authority and the data subject of the transfer.

(114) In any event, where the Commission has not taken a decision on the appropriate level of data protection in a third country, the controller or processor should use solutions that give data subjects enforceable and effective rights with regard to the processing of their data in the Union once that data has been transferred, so that the data subjects continue to enjoy fundamental rights and guarantees.

(115) Some third countries have adopted laws, regulations and other legal acts aimed at directly regulating the data processing activities of natural and legal persons under the jurisdiction of the Member States. This may include judgments of courts or decisions of administrative authorities of third countries which require an operator or processor to transfer or disclose personal data and which are not based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State. The extraterritorial application of these laws, regulations and other legal acts may infringe international law and prevent the protection of natural persons provided in the Union by this Regulation. Transfers should be allowed only if the conditions laid down in this Regulation are met for a transfer to third countries. This could be the case, inter alia, where disclosure is necessary for an important public interest reason recognised in Union or national law applicable to the operator.

(116) The cross-border flow of personal data outside the Union may put the ability of individuals to exercise their data protection rights at increased risk, in particular in order to ensure their protection against the unlawful use or disclosure of such information. At the same time, supervisory authorities may find that they are unable to deal with complaints or carry out investigations relating to activities carried out outside their borders. Their efforts to work together in a cross-border context may also be hampered by the lack of prevention or remedial powers, the heterogeneous nature of legal regimes and the existence of practical obstacles, such as resource constraints. It is therefore necessary to promote closer cooperation between data protection supervisory authorities in order to be able to exchange information and conduct investigations with their international counterparts. In order to develop mechanisms for international cooperation to facilitate and provide mutual international assistance in ensuring the application of legislation in the field of personal data protection, the Commission and supervisory authorities should exchange information and cooperate in activities related to the exercise of their powers with the competent authorities of third countries on a reciprocal basis and in accordance with this Regulation.

(117) The establishment in the Member States of supervisory authorities, empowered to carry out their tasks and exercise their powers in complete independence, is an essential element of the protection of natural persons with regard to the processing of their personal data. Member States should be able to set up more supervisory authorities to reflect their constitutional, organisational and administrative structure.

(118) The independence of supervisory authorities should not mean that supervisory authorities cannot be subject to control or monitoring mechanisms with regard to their expenditure or judicial review.

(119) Where a Member State establishes more than one supervisory authority, it should establish by law mechanisms to ensure the effective participation of those supervisory authorities in the mechanism for ensuring coherence. The Member State concerned should, in particular, designate the supervisory authority which performs the function of a single point of contact for the effective participation of those authorities in the mechanism, with a view to ensuring swift and harmonious cooperation with other supervisory authorities, the Committee and the Commission.

(120) Each supervisory authority should benefit from the financial and human resources, the premises and infrastructure necessary for the effective performance of their tasks, including those related to mutual assistance and cooperation with other supervisory authorities throughout the Union. Each supervisory authority should have a separate annual public budget, which may be part of the general state or national budget.

(121) The general conditions for the member or members of the supervisory authority should be laid down by law in each Member State and should, in particular, provide that those members are appointed by a transparent procedure either by the parliament, the government or the head of state of the Member State on the basis of a proposal from the government, a member of the government, parliament or a chamber of parliament, or by an independent body empowered by national law. In order to ensure the independence of the supervisory authority, the member or members should act with integrity, not take actions incompatible with their duties and, during their term of office, should not carry out incompatible activities, whether remunerated or not. The supervisory authority should have its own staff, chosen by the supervisory authority or by an independent body established under national law, which should be subordinated exclusively to the member or members of the supervisory authority.

(122) Each supervisory authority should have, in the territory of the Member State to which it belongs, the power to exercise its powers and to carry out the tasks vested in it in accordance with this Regulation. This should include in particular processing in the context of the activities of an establishment of a controller or processor in the territory of its own Member State, processing of personal data by public authorities or private bodies acting in the public interest, processing affecting data subjects in its territory or processing carried out by a controller or processor not established in the Union where it concerns persons who reside in its territory. This should include the handling of complaints lodged by a data subject, investigations into the application of this Regulation and the promotion of information to the public on risks, rules, safeguards and rights relating to the processing of personal data.

(123) Supervisory authorities should monitor the application of the provisions of this Regulation and contribute to its consistent application throughout the Union in order to ensure the protection of natural persons with regard to the processing of their personal data and to facilitate the free movement of personal data within the internal market. In this respect, supervisory authorities should cooperate with each other and with the Commission, without the need for any agreement between Member States on the granting of mutual assistance or on that cooperation.

(124) Where the processing of personal data takes place in the course of the activities of an establishment of an operator or processor in the Union, and the controller or processor has premises in several Member States, or where the processing carried out in the context of the activities of a single establishment of an operator or a processor in the Union affects or is likely to significantly affect data subjects from several Member States, the supervisory authority of the head office of the controller or processor or of the sole seat of the controller or processor should act as the primary authority. It should cooperate with the other authorities concerned, because the controller or processor has an establishment in the territory of their Member State, because the data subjects residing in their territory are significantly affected or because a complaint has been lodged with them. In addition, where a data subject who is not resident in that Member State has lodged a complaint, the supervisory authority to which the complaint was lodged should also be a supervisory authority concerned. In its tasks of issuing guidance on any matter relating to the implementation of this Regulation, the Committee should be able to issue guidelines on, in particular, the criteria to be taken into account in determining whether the processing in question significantly affects data subjects in several Member States and on the content of a relevant and reasoned objection.

(125) The lead authority should have the power to adopt binding decisions on measures for the application of powers conferred on it under this Regulation. As the lead authority, the supervisory authority should closely involve and coordinate the activities of the supervisory authorities concerned in the decision-making process. Where the decision is to reject the complaint lodged by the data subject, in whole or in part, that decision should be taken by the supervisory authority with which the complaint was lodged.

(126) The Decision should be agreed jointly by the lead supervisory authority and the supervisory authorities concerned and should cover the head office or sole place of business of the controller or processor and be binding on the controller and the processor. The controller or processor should take the necessary measures to ensure compliance with this Regulation and the implementation of the decision notified by the main supervisory authority to the head office of the controller or processor with regard to processing activities in the Union.

(127) Each supervisory authority which does not act as the lead supervisory authority should have the power to deal with local cases, in which the controller or processor has premises in several Member States, but the subject-matter of that processing concerns only the processing carried out in a single Member State and involving only data subjects from that single Member State, for example where the subject matter is the processing of employees’ personal data in the specific employment context in a Member State. In such cases, the supervisory authority should inform the lead supervisory authority without delay of this matter. Once informed, the lead supervisory authority should decide whether it will itself deal with the case under the provision on cooperation between the lead supervisory authority and the other supervisory authorities concerned (the ‘one-stop-shop mechanism’), or whether the supervisory authority which informed it should deal with the case at local level. When deciding whether to deal with the case, the lead supervisory authority should consider whether there is an establishment of the controller or processor in the Member State of the supervisory authority which informed it, with a view to ensuring that a decision is effectively complied with by the controller or processor. Where the lead supervisory authority decides to deal with the case, the supervisory authority which informed it should be given the opportunity to submit a draft decision, which the lead supervisory authority should take into account to the greatest extent when preparing its draft decision under that one-stop-shop mechanism.

(128) The rules on the main supervisory authority and the one-stop-shop mechanism should not apply where the processing is carried out by public authorities or private bodies in the public interest. In such cases, the only supervisory authority competent to exercise the powers assigned to it in accordance with this Regulation should be the supervisory authority of the Member State in which the public authority or private body is established.

(129) In order to ensure consistency in the monitoring and application of this Regulation throughout the Union, supervisory authorities should have in each Member State the same effective tasks and powers, including investigative powers, corrective powers and sanctions, as well as powers of authorisation and advice, in particular in the case of complaints lodged by natural persons, and without prejudice to the powers of the prosecuting authorities under national law, to bring to the attention of the judicial authorities cases of infringement of this Regulation and to engage in judicial proceedings. Those powers should also include the power to impose a temporary or definitive limitation, including a prohibition, on processing. Member States may lay down other tasks relating to the protection of personal data under this Regulation. The powers of supervisory authorities should be exercised in accordance with appropriate procedural safeguards provided for in Union and national law, impartially, fairly and within a reasonable time. In particular, each measure should be appropriate, necessary and proportionate in order to ensure compliance with the provisions of this Regulation, taking into account the circumstances of each individual case, respecting the right of any person to be heard before taking any individual measure likely to harm him or her and avoiding unnecessary costs and excessive inconvenience to the persons concerned. Investigative powers with regard to access to premises should be exercised in accordance with the specific requirements of national procedural law, such as the obligation to obtain judicial authorisation in advance. Each legally binding measure taken by the supervisory authority should be presented in writing, be clear and unambiguous, indicate the supervisory authority which issued the measure and the date of issue of the measure, bear the signature of the head or a member of the supervisory authority authorised by it, provide the reasons for the action and refer to the right to an effective remedy. This should not exclude additional requirements in accordance with national procedural law. The adoption of such legally binding decisions implies that they may give rise to judicial review in the Member State of the supervisory authority which adopted the decision.

(130) Where the supervisory authority to which the complaint was lodged is not the lead supervisory authority, the lead supervisory authority should cooperate closely with the supervisory authority to which the complaint was lodged, in accordance with the provisions on cooperation and consistency laid down in this Regulation. In such cases, the lead supervisory authority should, when taking measures intended to produce legal effects, including the imposition of administrative fines, take the utmost account of the opinion of the supervisory authority to which the complaint was lodged and which should retain its competence to conduct any investigation in the territory of its own Member State, in cooperation with the lead supervisory authority.

(131) In cases where another supervisory authority should act as the lead supervisory authority for the processing activities of the controller or processor, but the specific subject matter of a complaint or possible infringement concerns only the processing activities of the controller or processor in the Member State in which the complaint was lodged or the possible infringement was detected, and the matter does not substantially affect or is not likely to substantially affect data subjects from other Member States, the supervisory authority which has received a complaint or detected or has otherwise been informed of situations of possible infringements of this Regulation should seek an amicable settlement with the controller and, if this fails, exercise the full range of its powers. This should include specific processing activities carried out in the territory of the Member State of the supervisory authority or in respect of data subjects in the territory of that Member State, processing activities which take place in the context of an offer of goods or services specifically intended for data subjects in the territory of the Member State of the supervisory authority or processing activities to be assessed taking into account the relevant legal obligations under national law.

(132) Awareness-raising activities organised for the public by supervisory authorities should include specific measures targeting operators and processors, including micro, small and medium-sized enterprises, as well as individuals, in particular in the educational context.

(133) Supervisory authorities should assist each other in the performance of their tasks in order to ensure consistency in the application of this Regulation in the internal market. A supervisory authority requesting mutual assistance may adopt a provisional measure if it does not receive a reply to a request for mutual assistance within one month of receipt of the request by the other supervisory authority.

(134) Each supervisory authority should participate, as appropriate, in joint operations between supervisory authorities. The supervisory authority to which the request has been addressed should be required to respond to the request within a certain period.

(135) In order to ensure the consistent application of this Regulation throughout the Union, a mechanism should be established to ensure consistency in which supervisory authorities cooperate. This mechanism should apply, in particular, where a supervisory authority intends to adopt a measure intended to have legal effects with regard to processing operations which substantially affect a significant number of data subjects in several Member States. The mechanism should also apply where a supervisory authority concerned or the Commission requests that the issue be dealt with under the consistency mechanism. This mechanism should be without prejudice to the measures which the Commission may adopt in the exercise of its powers under the Treaties.

(136) In applying the consistency mechanism, the Committee should, within a certain period of time, deliver an opinion if a majority of its members so decide or if any supervisory authority concerned or the Commission so requests. The Committee should also be empowered to adopt legally binding decisions in the event of disputes between supervisory authorities. To this end, it should, in principle, by a two-thirds majority of its members, issue legally binding decisions, in well-defined cases, where there are divergent views between supervisory authorities, in particular within the framework of the cooperation mechanism between the lead supervisory authority and the supervisory authorities concerned on the merits of the case, in particular the existence or otherwise of an infringement of this Regulation.

(137) There may be an urgent need to act to ensure the protection of the rights and freedoms of data subjects, in particular where there is a danger that the exercise of a data subject’s right will be significantly impeded. A supervisory authority should therefore be able to adopt provisional measures in its territory, duly justified, with a fixed period of validity which should not exceed three months.

(138) The application of such a mechanism should be a condition for the legality of a measure intended to produce legal effects, taken by a supervisory authority, in cases where its application is mandatory. In other cases of cross-border relevance, the cooperation mechanism between the main supervisory authority and the supervisory authorities concerned should be implemented, and mutual assistance could be provided between the supervisory authorities concerned and joint operations could be carried out on a bilateral or multilateral basis without triggering the coherence mechanism.

(139) In order to promote the coherent application of this Regulation, the Committee should be established as an independent body of the Union. In order to achieve its objectives, the Committee should have legal personality. The Committee should be represented by its chairman. It should replace the Working Party on the Protection of Persons with regard to the Processing of Personal Data established by Directive 95/46/EC. It should be made up of the heads of supervisory authorities in each Member State and of the European Data Protection Supervisor or their representatives. The Commission should participate in the committee’s activities without the right to vote, and the European Data Protection Supervisor should have special voting rights. The Committee should contribute to the coherent application of this Regulation throughout the Union, including by providing advice to the Commission, in particular on the level of protection in third countries and in international organisations, and by promoting the cooperation of supervisory authorities throughout the Union. The Committee should act independently in the performance of its tasks.

(140) The Committee should be assisted by a secretariat provided by the European Data Protection Supervisor. The staff of the European Data Protection Supervisor involved in the performance of the tasks conferred on the Committee under this Regulation should carry out their tasks exclusively in accordance with the instructions of the Chairman of the Committee and report to him.

(141) Any data subject should have the right to lodge a complaint with a single supervisory authority, in particular in the Member State in which he or she is habitually resident, and the right to an effective remedy in accordance with Article 47 of the Charter, where the data subject considers that his or her rights under this Regulation are infringed or where the supervisory authority does not act on a complaint, rejects or refuses a complaint in whole or in part, or fails to act where such action is necessary to ensure the protection of the rights of the data subject. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. The supervisory authority should inform the data subject of the progress and resolution of the complaint within a reasonable time. In the event that the case requires further investigation or coordination with another supervisory authority, interim information should be provided to the data subject. In order to facilitate the submission of complaints, each supervisory authority should take measures such as the provision of a complaint form, which can also be completed in electronic form, without excluding other means of communication.

(142) Where the data subject considers that his or her rights under this Regulation are being infringed, he or she should have the right to mandate a non-profit-making body, organisation or association which is established in accordance with national law, whose statutory objectives are in the public interest and which is active in the field of personal data protection, to lodge a complaint on his or her behalf with a supervisory authority, to exercise the right to a judicial remedy on behalf of data subjects or, where provided for in national law, to exercise the right to receive compensation on behalf of data subjects. A Member State may provide that such a body, organisation or association shall have the right to lodge a complaint in that Member State, irrespective of the mandate given by a data subject, and shall be entitled to an effective remedy if it has reason to believe that the rights of a data subject have been infringed as a result of the processing of personal data in breach of this Regulation. The body, organisation or association in question may not claim compensation on behalf of a data subject, irrespective of the mandate granted by the data subject.

(143) Any natural or legal person has the right to bring an action for annulment against the decisions of the Committee before the Court of Justice in accordance with the conditions laid down in Article 263 TFEU. As addressees of those decisions, the supervisory authorities concerned wishing to challenge them must bring an action against those decisions within two months of the date on which they were notified, in accordance with Article 263 TFEU. Where the decisions of the Committee concern a controller, processor or applicant directly and individually, the latter may bring an action for the annulment of those decisions within two months of their publication on the Committee’s website in accordance with Article 263 TFEU. Without prejudice to that right under Article 263 TFEU, any natural or legal person should be entitled to an effective judicial remedy before the competent national court against a decision of a supervisory authority having legal effects on that person. Such a decision relates in particular to the exercise of investigative, corrective and authorisation powers by the supervisory authority or to the refusal or rejection of complaints. However, the right to an effective judicial remedy does not include measures by supervisory authorities which are not legally binding, such as opinions issued by the supervisory authority or advice provided by it. Actions against a supervisory authority should be brought before the courts of the Member State in which the supervisory authority is established and should be conducted in accordance with the procedural law of that Member State. Those courts should exercise full jurisdiction, which should include the power to examine all matters of fact or law relevant to the dispute before them.

Where a complaint has been rejected or refused by a supervisory authority, the complainant may bring an action before the courts of the same Member State. In the context of judicial remedies relating to the application of this Regulation, national courts which consider a decision on the question necessary in order to enable them to give judgment may or, in the case provided for in Article 267 TFEU, must request the Court of Justice to give a preliminary ruling on the interpretation of Union law, including this Regulation. Furthermore, where a decision of a supervisory authority implementing a Committee decision is challenged before a national court and the validity of the Committee’s decision is at issue, that national court does not have the power to declare the Committee’s decision invalid, but must refer the question of validity to the Court of Justice in accordance with Article 267 TFEU, as interpreted by the Court of Justice, whenever the national court considers the decision invalid. However, a national court may not refer a question on the validity of the Committee’s decision at the request of a natural or legal person who had the opportunity to bring an action for annulment against that decision, in particular if it was directly and individually concerned by the decision in question, but did not do so within the time limit laid down in Article 263 TFEU.

(144) Where a court seised of proceedings against a decision of a supervisory authority has reason to believe that proceedings concerning the same processing, such as the same subject matter as regards processing by the same controller or processor, or the same cause of action, have been brought before a competent court in another Member State, that court should contact the second court to confirm the existence of such related proceedings. Where such related proceedings are pending before a court of another Member State, any court other than the one first seised may suspend its proceedings or, at the request of one of the parties, decline jurisdiction in favour of the court first seised, provided that that court has jurisdiction over the proceedings in question and that the law applicable to it permits the consolidation of those related proceedings. Proceedings are considered to be related where they are so closely linked that it is expedient to hear and determine them together in order to avoid the risk of irreconcilable judgments resulting from separate proceedings.

(145) As regards actions brought against a controller or processor, the claimant should be able to bring proceedings before the courts of the Member State in which the controller or processor has an establishment or in which the data subject resides, unless the controller is a public authority of a Member State acting in the exercise of its public powers.

(146) The controller or processor should pay compensation for any damage a person may suffer as a result of processing in breach of this Regulation. The controller or processor should be exempted from liability if it proves that it is not in any way responsible for the damage. The concept of damage should be interpreted broadly, in the light of the case-law of the Court of Justice, in a way that fully reflects the objectives of this Regulation. This provision is without prejudice to any claim for compensation arising from infringement of other rules of Union or national law. Processing in breach of this Regulation also includes processing in breach of delegated and implementing acts adopted in accordance with this Regulation and of national law specifying rules of this Regulation. Data subjects should receive full and effective compensation for the damage they have suffered. Where controllers or processors are involved in the same processing, each controller or processor should be held liable for the entire damage. However, where the legal proceedings relating to them are joined, in accordance with national law, compensation may be apportioned according to the responsibility of each controller or processor, provided that full and effective compensation is ensured for the data subject who suffered the damage. Any controller or processor which has paid full compensation may subsequently bring a recourse action against the other controllers or processors involved in the same processing.

(147) Where this Regulation contains specific rules on jurisdiction, in particular as regards judicial remedies, including actions for damages, against a controller or processor, general rules on jurisdiction such as those of Regulation (EU) No 1215/2012 of the European Parliament and of the Council (13) should be without prejudice to the application of such specific rules.

(148) In order to strengthen compliance with the rules laid down in this Regulation, penalties, including administrative fines, should be imposed for any infringement of this Regulation, in addition to or in place of appropriate measures imposed by the supervisory authority under this Regulation. In the case of a minor infringement or where the fine likely to be imposed would constitute a disproportionate burden on a natural person, a warning may be issued instead of a fine. However, due account should be taken of the nature, gravity and duration of the infringement, the intentional nature of the infringement, the actions taken to mitigate the damage caused, the degree of responsibility, any relevant previous infringements, the manner in which the infringement was brought to the attention of the supervisory authority, compliance with the measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor. The imposition of penalties, including administrative fines, should be subject to appropriate procedural safeguards, in accordance with the general principles of Union law and the Charter, including effective judicial protection and a fair trial.

(149) Member States should be able to lay down rules on criminal penalties for infringements of this Regulation, including infringements of national rules adopted under and within the limits of this Regulation. Those criminal penalties may also allow the deprivation of profits obtained in breach of this Regulation. However, the imposition of criminal penalties for infringements of such rules of national law and administrative penalties should not lead to infringement of the ne bis in idem principle, as interpreted by the Court of Justice.

(150) In order to strengthen and harmonise administrative penalties for infringements of this Regulation, each supervisory authority should have the power to impose administrative fines. This Regulation should indicate the infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent supervisory authority in each individual case, taking into account all the relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and its consequences and to the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. Where administrative fines are imposed on an undertaking, an undertaking should be understood for those purposes as an undertaking in accordance with Articles 101 and 102 TFEU. Where administrative fines are imposed on persons who are not undertakings, the supervisory authority should take into account the general level of income in the Member State concerned and the economic situation of the person when estimating the appropriate amount of the fine. The consistency mechanism may also be used to promote the consistent application of administrative fines. The power to determine whether and to what extent public authorities should be subject to administrative fines should lie with the Member States. The imposition of an administrative fine or the issuing of a warning does not affect the application of the other powers of supervisory authorities or of other penalties under this Regulation.

(151) The legal systems of Denmark and Estonia do not allow administrative fines as provided for in this Regulation. The rules on administrative fines may be applied in such a way that, in Denmark, the fine is imposed by the competent national courts as a criminal penalty and, in Estonia, the fine is imposed by the supervisory authority in the context of criminal proceedings, provided that such application of the rules in those Member States has an effect equivalent to that of administrative fines imposed by the supervisory authorities. The competent national courts should therefore take into account the recommendation of the supervisory authority initiating the fine. In any event, the fines imposed should be effective, proportionate and dissuasive.

(152) Where this Regulation does not harmonise administrative penalties or in other cases where necessary, for example in the case of serious infringements of this Regulation, Member States should implement a system providing for effective, proportionate and dissuasive sanctions. The nature of such penalties, criminal or administrative, should be laid down in national law.

(153) The law of the Member States should strike a balance between the rules governing freedom of expression and information, including journalistic, academic, artistic and/or literary expression, and the right to the protection of personal data under this Regulation. The processing of personal data solely for journalistic purposes or for the purpose of academic, artistic or literary expression should be subject to derogations or exceptions from certain provisions of this Regulation where it is necessary to reconcile the right to the protection of personal data with the right to freedom of expression and information as provided for in Article 11 of the Charter. This should apply in particular to the processing of personal data in the audiovisual field, as well as in news archives and press libraries. Member States should therefore adopt legislative measures providing for the necessary exceptions and derogations to ensure the balance between these fundamental rights. Member States should adopt such exceptions and derogations as regards the general principles, the rights of data subjects, the controller and the processor, the transfer of personal data to third countries or international organisations, independent supervisory authorities, cooperation and consistency, as well as with regard to specific data processing situations. Where such exceptions or derogations differ from one Member State to another, the law of the Member State to which the controller is subject should apply. In order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary that notions relating to that freedom, such as journalism, be interpreted broadly.

(154) This Regulation allows the principle of public access to official documents to be taken into account in its application. Public access to official documents may be considered to be in the public interest. Personal data in documents held by a public authority or public body should be able to be disclosed by that authority or body where Union law or the national law to which the public authority or public body is subject so provides. Union and national law should strike a balance between public access to official documents and the re-use of public sector information, on the one hand, and the right to the protection of personal data, on the other, and could therefore provide for the necessary reconciliation with the right to the protection of personal data under this Regulation. The reference to public authorities and bodies should, in this context, include all authorities or other bodies governed by national law on public access to documents. Directive 2003/98/EC of the European Parliament and of the Council (14) leaves intact and in no way affects the level of protection of natural persons with regard to the processing of personal data under Union and national law and, in particular, does not alter the rights and obligations laid down in this Regulation. In particular, that Directive does not apply to documents to which access is excluded or restricted under access regimes on grounds relating to the protection of personal data, nor to parts of documents accessible under those regimes which contain personal data whose re-use has been established by law as incompatible with the right to the protection of natural persons with regard to the processing of personal data.

(155) National law or collective agreements, including ‘employment agreements’, may lay down specific rules governing the processing of employees’ personal data in the context of employment, in particular the conditions under which personal data in the context of employment may be processed on the basis of the employee’s consent, for the purposes of recruitment, performance of the employment contract, including the discharge of obligations laid down by law or collective agreements, the management, planning and organisation of work, equality and diversity at work, health and safety at work, and for the purpose of exercising and enjoying, individually or collectively, rights and benefits related to employment, and for the purpose of termination of the employment relationship.

(156) The processing of personal data for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes should be subject to appropriate safeguards for the rights and freedoms of the data subject under this Regulation. Those safeguards should ensure that technical and organisational measures are in place to ensure, in particular, the principle of data minimisation. Further processing of personal data for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes is to be carried out when the controller has assessed the feasibility of fulfilling those purposes by processing personal data which do not permit or no longer permit the identification of data subjects, provided that appropriate safeguards exist (such as pseudonymisation of the personal data). Member States should provide appropriate safeguards for the processing of personal data for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes. Member States should be authorised to provide, under specific conditions and subject to appropriate safeguards for data subjects, specifications and derogations with regard to the information requirements and the right to rectification, the right to erasure, the right to be forgotten, the right to restriction of processing, the right to data portability and the right to object when processing personal data for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes. Those conditions and safeguards may entail specific procedures for the exercise of those rights by data subjects if this is appropriate in the light of the purposes of the specific processing, as well as technical and organisational measures aimed at minimising the processing of personal data, in accordance with the principles of proportionality and necessity. The processing of personal data for scientific purposes should also comply with other relevant legislation, such as that on clinical trials.

(157) By coupling information from registries, researchers can obtain new knowledge of great value with regard to widespread medical conditions such as cardiovascular disease, cancer and depression. On the basis of registries, research results can be enhanced, as they draw on a larger population. Within social science, research on the basis of registries enables researchers to obtain essential knowledge about the long-term correlation of a number of social conditions, such as unemployment and education, with other life conditions. Research results obtained through registries provide solid, high-quality knowledge which can form the basis for the formulation and implementation of knowledge-based policy, improve the quality of life for a number of people and improve the efficiency of social services. In order to facilitate scientific research, personal data may be processed for scientific research purposes, subject to the appropriate conditions and safeguards laid down in Union or national law.

(158) Where personal data are processed for archiving purposes, this Regulation should also apply to that processing, bearing in mind that this Regulation should not apply to deceased persons. Public authorities or public or private bodies holding records of public interest should, under Union or national law, have a legal obligation to acquire, retain, assess, prepare, describe, communicate, promote, disseminate and ensure access to records of sustainable value of the general public interest. Member States should also be able to provide for the further processing of personal data for archiving purposes, for example with the aim of providing specific information on political behaviour during the period of former totalitarian state regimes, genocides, crimes against humanity, in particular the Holocaust, or war crimes.

(159) Where personal data are processed for scientific research purposes, this Regulation should also apply to that processing. For the purposes of this Regulation, the processing of personal data for scientific research purposes should be interpreted broadly, including for example technological development and demonstration activities, fundamental research, applied research and privately funded research. Furthermore, the Union’s objective of creating a European Research Area as referred to in Article 179(1) TFEU should be taken into account. The purposes of scientific research should also include studies carried out in the public interest in the field of public health. In order to take account of the specific characteristics of the processing of personal data for scientific research purposes, specific conditions should apply, in particular as regards the publication or other disclosure of personal data in the context of scientific research purposes. Where the outcome of scientific research, in particular in the context of health, constitutes a reason for further measures in the interests of the data subject, the general rules of this Regulation should apply in the light of those measures.

(160) Where personal data are processed for historical research purposes, this Regulation should also apply to that processing. This should also include historical research and genealogical research, bearing in mind that this Regulation should not apply to deceased persons.

(161) For the purpose of consenting to participation in scientific research activities in clinical trials, the relevant provisions of Regulation (EU) No 536/2014 of the European Parliament and of the Council (15) should apply.

(162) Where personal data are processed for statistical purposes, this Regulation should apply to that processing. Union law or national law should, within the limits of this Regulation, determine statistical content, access control, specifications for the processing of personal data for statistical purposes and appropriate measures to protect the rights and freedoms of data subjects and to ensure the confidentiality of statistical data. These statistical results may subsequently be used for various purposes, including for scientific research purposes. Statistical purposes shall mean any operation for the collection and processing of personal data necessary for statistical surveys or for the production of statistical results. Statistical purposes assume that the result of processing for statistical purposes does not constitute personal data but aggregated data and that this result or personal data are not used in support of measures or decisions concerning a particular natural person.

(163) Confidential information which the Union and national statistical authorities collect for the purpose of producing official European and national statistics should be protected. European statistics should be developed, produced and disseminated in accordance with the statistical principles laid down in Article 338(2) TFEU, while national statistics should also comply with national law. Regulation (EC) No 223/2009 of the European Parliament and of the Council (16) provides further specifications on statistical confidentiality for European statistics.

(164) With regard to the powers of supervisory authorities to obtain from the controller or processor access to personal data and access to their premises, Member States may adopt, by law and within the limits laid down in this Regulation, specific rules for the protection of professional secrecy or other equivalent obligations, in so far as this is necessary to reconcile the right to the protection of personal data with the obligation of professional secrecy. This is without prejudice to the existing obligations of the Member States to adopt rules on professional secrecy where required by Union law.

(165) This Regulation respects and is without prejudice to the status enjoyed by churches and religious associations or communities in the Member States under existing constitutional law as recognised in Article 17 TFEU.

(166) In order to achieve the objectives of this Regulation, namely the protection of the fundamental rights and freedoms of natural persons and, in particular, their right to the protection of personal data, and in order to ensure the free movement of personal data within the Union, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission. In particular, delegated acts should be adopted with regard to criteria and requirements for certification mechanisms, information to be presented by standardised icons and procedures for providing such icons. It is particularly important that, in the course of its preparatory work, the Commission carries out appropriate consultations, including at expert level. When preparing and drawing up delegated acts, the Commission should ensure that the relevant documents are transmitted to the European Parliament and the Council simultaneously, in good time and in an appropriate manner.

(167) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission in the situations laid down in this Regulation. Those powers should be exercised in accordance with Regulation (EU) No 182/2011. In this context, the Commission should consider specific measures for micro, small and medium-sized enterprises.

(168) The examination procedure should be used for the adoption of implementing acts concerning: standard contractual clauses between controllers and processors, as well as between processors; codes of conduct; technical standards and certification mechanisms; the adequate level of protection afforded by a third country, a territory or a specified sector within that third country, or an international organisation; standard data protection clauses; formats and procedures for the electronic exchange of information between controllers, processors and supervisory authorities for binding corporate rules; mutual assistance; and the arrangements for the electronic exchange of information between supervisory authorities and between supervisory authorities and the Committee.

(169) The Commission should adopt immediately applicable implementing acts where the available evidence shows that a third country, territory or processing sector in that third country, or an international organisation, does not provide an adequate level of protection, as well as for overriding reasons of urgency.

(170) Since the objective of this Regulation, namely to ensure an equivalent level of protection of natural persons and the free movement of personal data throughout the Union, cannot be sufficiently achieved by the Member States but can rather, by reason of the scale or effects of the action, be better achieved at Union level, the Union may adopt measures in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union (the ‘EU Treaty’). In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary to achieve those objectives.

(171) Directive 95/46/EC should be repealed by this Regulation. Processing already under way on the date of application of this Regulation should be brought into conformity with this Regulation within two years of the date of entry into force of this Regulation. Where processing is based on consent under Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which consent was given is in line with the conditions of this Regulation, so that the controller may continue such processing after the date of application of this Regulation. Decisions taken by the Commission and authorisations of supervisory authorities issued on the basis of Directive 95/46/EC remain in force until they are amended, replaced or repealed.

(172) The European Data Protection Supervisor has been consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 and delivered an opinion on 7 March 2012 (17).

(173) This Regulation should apply to all aspects relating to the protection of fundamental rights and freedoms relating to the processing of personal data, which are not subject to specific obligations with the same objective as that laid down in Directive 2002/58/EC of the European Parliament and of the Council (18), including obligations relating to the controller and the rights of natural persons. In order to clarify the relationship between this Regulation and Directive 2002/58/EC, that Directive should be amended accordingly. Following the adoption of this Regulation, Directive 2002/58/EC should be reviewed in particular to ensure consistency with this Regulation,

HAS ADOPTED THIS REGULATION:

CHAPTER I

General provisions

Article 1

Object and objectives

  1. This Regulation lays down rules on the protection of natural persons with regard to the processing of personal data and rules on the free movement of personal data.
  2. This Regulation shall ensure the protection of the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
  3. The free movement of personal data within the Union may not be restricted or prohibited on grounds relating to the protection of natural persons with regard to the processing of personal data.

Article 2

Material scope

  1. This Regulation shall apply to the processing of personal data, carried out in whole or in part by automated means, and to the processing by means other than automated means of personal data which form part of a data-recording system or which are intended to form part of a data-recording system.
  2. This Regulation shall not apply to the processing of personal data:

(a) in the context of an activity not covered by Union law;

(b) by the Member States when carrying out activities covered by Chapter 2 of Title V of the EU Treaty;

(c) by a natural person in the course of an exclusively personal or domestic activity;

(d) by the competent authorities for the purpose of preventing, investigating, detecting or prosecuting criminal offences, or of executing criminal penalties, including protecting against and preventing threats to public safety.

  3. For the processing of personal data by the institutions, bodies, offices and agencies of the Union, Regulation (EC) No 45/2001 shall apply. Regulation (EC) No 45/2001 and other EU legal acts applicable to such processing of personal data shall be adapted to the principles and rules of this Regulation in accordance with Article 98.
  4. This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular the rules on the liability of intermediary service providers laid down in Articles 12 to 15 of that Directive.

Article 3

Territorial scope

  1. This Regulation shall apply to the processing of personal data in the context of the activities of an establishment of a controller or processor in the territory of the Union, whether or not the processing takes place within the territory of the Union.
  2. This Regulation shall apply to the processing of the personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the provision of goods or services to such data subjects in the Union, whether or not a payment is required from the data subject; or

(b) monitoring their behaviour if it occurs within the Union.

  3. This Regulation shall apply to the processing of personal data by a controller not established in the Union, but in a place where national law applies by virtue of public international law.

Article 4

Definitions

For the purposes of this Regulation:

  1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘the data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  2. ‘processing’ means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  3. ‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
  4. ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
  5. ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
  6. ‘data-recording system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
  7. ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or national law, the controller or the specific criteria for its nomination may be provided for by Union or national law;
  8. ‘processor’ means the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  9. ‘recipient’ means the natural or legal person, public authority, agency or other body to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or national law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
  10. ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
  11. ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  12. ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
  13. ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
  14. ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
  15. ‘health data’ means personal data relating to the physical or mental health of a natural person, including the provision of healthcare services, which disclose information about his or her health status;
  16. „head office“ means:

(a) in the case of a controller with establishments in at least two Member States, the place of its central administration in the Union, unless decisions on the purposes and means of the processing of personal data are taken at another establishment of the controller in the Union which has the power to have those decisions implemented, in which case the establishment which took those decisions shall be deemed to be the main establishment;

(b) in the case of a processor with establishments in at least two Member States, the place of its central administration in the Union, or, where the processor does not have a central administration in the Union, the establishment of the processor in the Union in which the main processing activities take place, in the context of the activities of an establishment of the processor, in so far as the processor is subject to specific obligations under this Regulation;

  17. ‘representative’ means a natural or legal person established in the Union, designated in writing by the controller or processor pursuant to Article 27, who represents the controller or processor in respect of their respective obligations under this Regulation;
  18. ‘enterprise’ means a natural or legal person carrying out an economic activity, irrespective of its legal form, including partnerships or associations which regularly carry out an economic activity;
  19. ‘group of undertakings’ means a controlling undertaking and the undertakings controlled by it;
  20. ‘binding corporate rules’ means the personal data protection policies to be complied with by a controller or processor established in the territory of a Member State, with regard to transfers or sets of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings or a group of enterprises engaged in a common economic activity;
  21. ‘supervisory authority’ means an independent public authority established by a Member State pursuant to Article 51;
  22. ‘supervisory authority concerned’ means a supervisory authority which is concerned by the processing of personal data because:

(a) the controller or processor is established in the territory of the Member State of that supervisory authority;

(b) data subjects residing in the Member State of that supervisory authority are substantially affected or are likely to be substantially affected by the processing; or

(c) a complaint has been lodged with the supervisory authority concerned;

  23. ‘cross-border processing’ means:

(a) the processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union, where the controller or processor is established in at least two Member States; or

(b) the processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in at least two Member States;

  24. ‘relevant and reasoned objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether the measures envisaged with regard to the controller or processor comply with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free movement of personal data within the Union;
  25. ‘information society service’ means a service as defined in Article 1(1)(b) of Directive 98/34/EC of the European Parliament and of the Council (19);
  26. ‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

CHAPTER II

Principles

Article 5

Principles related to the processing of personal data

  1. Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes shall not be considered incompatible with the original purposes in accordance with Article 89(1) (‘purpose limitation’);

(c) appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

(d) accurate and, where necessary, kept up to date; all necessary measures must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are deleted or rectified without delay (‘accuracy’);

(e) kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the data are processed; personal data may be stored for longer periods in so far as they are processed exclusively for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, in accordance with Article 89(1), subject to the implementation of the appropriate technical and organisational measures provided for in this Regulation with a view to safeguarding the rights and freedoms of the data subject (‘storage limitation’);

(f) processed in a manner that ensures the proper security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, by taking appropriate technical or organisational measures (‘integrity and confidentiality’).

  2. The controller shall be responsible for compliance with paragraph 1 and shall be able to demonstrate such compliance (‘accountability’).

Article 6

Legality of processing

  1. Processing shall be lawful only if and to the extent that at least one of the following conditions applies:

(a) the data subject has given his consent to the processing of his personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject before the conclusion of a contract;

(c) processing is necessary in order to fulfil a legal obligation incumbent on the controller;

(d) processing is necessary to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, in particular where the data subject is a child, prevail.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their duties.

  2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing in order to comply with paragraph 1(c) and (e), by defining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing, including for other specific processing situations as set out in Chapter IX.
  3. The basis for the processing referred to in paragraph 1(c) and (e) shall be laid down in:

(a) Union law; or

(b) national law applicable to the controller.

The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in paragraph 1(e), shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of the rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data being processed; the data subjects concerned; the entities to which the personal data may be disclosed and the purposes for which they may be disclosed; purpose limitation; storage periods; and processing operations and procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or national law shall pursue an objective in the public interest and be proportionate to the legitimate objective pursued.

  4. Where processing for a purpose other than that for which the personal data were collected is not based on the consent of the data subject or on Union or national law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to determine whether processing for another purpose is compatible with the purpose for which the personal data were originally collected, take into account, inter alia:

(a) any link between the purposes for which the personal data were collected and the purposes of the planned subsequent processing;

(b) the context in which the personal data were collected, in particular as regards the relationship between the data subjects and the controller;

(c) the nature of personal data, in particular in the case of the processing of special categories of personal data in accordance with Article 9, or where personal data relating to criminal convictions and offences are processed in accordance with Article 10;

(d) the possible consequences for data subjects of the planned subsequent processing;

(e) the existence of adequate safeguards, which may include encryption or pseudonymisation.

Article 7

Consent conditions

  1. Where the processing is based on consent, the controller shall be able to demonstrate that the data subject has given his consent to the processing of his personal data.
  2. Where the consent of the data subject is given in the context of a written declaration which also covers other matters, the consent request shall be presented in a form which clearly distinguishes it from other aspects, in an intelligible and easily accessible form, using clear and simple language. No part of that declaration constituting a breach of this Regulation shall be binding.
  3. The data subject shall have the right to withdraw his or her consent at any time. Withdrawal of consent shall not affect the lawfulness of processing carried out on the basis of consent before its withdrawal. Before giving consent, the data subject shall be informed thereof. Withdrawing consent shall be as simple as giving it.
  4. When assessing whether consent is given freely, account shall be taken as much as possible of whether, inter alia, the performance of a contract, including the provision of a service, is subject or not to consent to the processing of personal data which is not necessary for the performance of that contract.
Article 8

Conditions applicable to the consent of children in relation to information society services

  1. Where Article 6(1)(a) applies, as regards the provision of information society services directly to a child, the processing of a child’s personal data shall be lawful if the child is at least 16 years of age. If the child is under the age of 16, such processing shall be lawful only if and to the extent that such consent is granted or authorised by the holder of parental responsibility for the child.

Member States may provide by law for a lower age for these purposes, provided that the lower age is not less than 13 years.

  2. The controller shall make every reasonable effort to verify in such cases that consent has been given or authorised by the holder of parental responsibility for the child, taking into account available technology.
  3. Paragraph 1 shall not affect the general contract law of the Member States, such as rules on the validity, formation or effect of a contract in relation to a child.

Article 9

Processing of special categories of personal data

  1. The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, health data or data concerning the sex life or sexual orientation of a natural person, shall be prohibited.
  2. Paragraph 1 shall not apply in the following situations:

(a) the data subject has given his explicit consent to the processing of such personal data for one or more specific purposes, unless Union or national law provides that the prohibition referred to in paragraph 1 cannot be lifted by the consent of the data subject;

(b) processing is necessary for the purpose of fulfilling the obligations and exercising specific rights of the controller or data subject in the field of employment and social security and social protection, in so far as this is authorised by Union law or national law or by a collective labour agreement concluded under national law providing adequate safeguards for the fundamental rights and interests of the data subject;

(c) processing is necessary to protect the vital interests of the data subject or other natural person when the data subject is physically or legally unable to give consent;

(d) the processing is carried out in the course of its legitimate activities and with appropriate safeguards by a foundation, association or any other non-profit-making body with a political, philosophical, religious or trade union aim, provided that the processing relates only to members or former members of that body or to persons who have regular contact with it in connection with its purposes, and that the personal data are not disclosed to third parties without the consent of the data subjects;

(e) processing refers to personal data which are manifestly made public by the data subject;

(f) processing is necessary for the establishment, exercise or defence of a right in court or whenever the courts act in the exercise of their judicial function;

(g) processing is necessary for reasons of major public interest, under Union or national law, which is proportionate to the objective pursued, respects the essence of the right to data protection and provides for appropriate and specific measures to protect the fundamental rights and interests of the data subject;

(h) processing is necessary for the purposes of preventive or occupational medicine, the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services, under Union or national law or under a contract concluded with a healthcare professional and subject to the conditions and safeguards referred to in paragraph 3;

(i) processing is necessary for reasons of public interest in the field of public health, such as protection against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices, under Union or national law which provides for appropriate and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy; or

(j) processing is necessary for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, in accordance with Article 89(1), under Union or national law, which is proportionate to the objective pursued, respects the essence of the right to data protection and provides for appropriate and specific measures to protect the fundamental rights and interests of the data subject.

  3. The personal data referred to in paragraph 1 may be processed for the purposes referred to in paragraph 2(h) where those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or national law or under rules established by competent national bodies, or by another person also subject to an obligation of secrecy under Union or national law or rules established by competent national bodies.
  4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or health data.

Article 10

Processing of personal data relating to criminal convictions and offences

The processing of personal data relating to criminal convictions and offences or related security measures pursuant to Article 6(1) shall be carried out only under the control of a State authority or where the processing is authorised by Union or national law providing adequate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of a State authority.

Article 11

Processing that does not require identification

  1. Where the purposes for which a controller processes personal data do not or no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.
  2. If, in the cases referred to in paragraph 1 of this Article, the controller can demonstrate that he is unable to identify the data subject, the controller shall inform the data subject accordingly, where possible. In such cases, Articles 15 to 20 shall not apply, unless the data subject, for the purpose of exercising his rights under those Articles, provides additional information enabling him to be identified.

CHAPTER III

Rights of the data subject

Section 1

Transparency and modalities

Article 12

Transparency of information, communications and arrangements for the exercise of the rights of the data subject

  1. The controller shall take appropriate measures to provide the data subject with any information referred to in Articles 13 and 14 and any communications pursuant to Articles 15 to 22 and 34 relating to processing, in a concise, transparent, comprehensible and easily accessible form, using clear and simple language, in particular for any information specifically addressed to a child. The information shall be provided in writing or by other means, including, where appropriate, in electronic form. At the request of the data subject, the information may be provided orally, provided that the identity of the data subject is proved by other means.
  2. The controller shall facilitate the exercise of the data subject’s rights pursuant to Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to comply with the data subject’s request to exercise his rights in accordance with Articles 15 to 22, unless the controller demonstrates that he is unable to identify the data subject.
  3. The controller shall provide the data subject with information on the action taken on a request pursuant to Articles 15 to 22 without undue delay and in any case within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject submits the request in electronic form, the information shall be provided by electronic means where possible, unless the data subject requests a different format.
  4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject, without delay and at the latest within one month of receipt of the request, of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
  5. Information provided pursuant to Articles 13 and 14 and any communication and any measures taken pursuant to Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive nature, the controller may:

(a) either charge a reasonable fee taking into account the administrative costs for providing the information or communication or for taking the requested measures;

(b) refuse to comply with the application.

In such cases, it is for the controller to demonstrate that the request is manifestly unfounded or excessive.

  6. Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.
  7. The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised pictograms in order to give, in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the pictograms are presented electronically, they shall be machine-readable.
  8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the pictograms and the procedures for providing standardised pictograms.
Section 2

Information and access to personal data

Article 13

Information to be provided where personal data are collected from the data subject

  1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time of obtaining such personal data, provide the data subject with all the following information:

(a) the identity and contact details of the controller and, where applicable, of the controller’s representative;

(b) the contact details of the data protection officer, as appropriate;

(c) the purposes for which personal data are processed and the legal basis for the processing;

(d) where the processing is based on Article 6(1)(f), the legitimate interests pursued by the controller or by a third party;

(e) the recipients or categories of recipients of personal data;

(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of a Commission adequacy decision or, in the case of transfers referred to in Article 46 or 47 or the second subparagraph of Article 49(1), a reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

  2. In addition to the information referred to in paragraph 1, the controller shall, at the time when the personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:

(a) the period for which the personal data will be stored or, if this is not possible, the criteria used to determine that period;

(b) the existence of the right to require the controller, in respect of personal data relating to the data subject, access to them, their rectification or deletion or the restriction of the processing or the right to object to the processing, as well as the right to the portability of the data;

(c) where the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, without affecting the legality of the processing carried out on the basis of consent prior to its withdrawal;
(d) the right to lodge a complaint with a supervisory authority;

(e) whether the provision of personal data constitutes a legal or contractual obligation or a necessary obligation to conclude a contract, and whether the data subject is obliged to provide such personal data and what are the possible consequences of non-compliance with that obligation;

(f) the existence of an automated decision-making process including profiling, as referred to in Article 22(1) and (4), and, at least in those cases, relevant information on the logic used and on the expected importance and consequences of such processing for the data subject.

  3. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject, prior to that further processing, with information on that other purpose and with any relevant further information as referred to in paragraph 2.
  4. Paragraphs 1, 2 and 3 shall not apply where and in so far as the data subject already has the information.

Article 14

Information to be provided if the personal data have not been obtained from the data subject

  1. Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:

(a) the identity and contact details of the controller and, where applicable, of the controller’s representative;

(b) the contact details of the data protection officer, as appropriate;

(c) the purposes for which personal data are processed and the legal basis for the processing;

(d) the categories of personal data concerned;

(e) the recipients or categories of recipients of personal data, as appropriate;

(f) where applicable, the fact that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of a Commission adequacy decision or, in the case of transfers referred to in Article 46 or 47 or the second subparagraph of Article 49(1), a reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

  2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:

(a) the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;

(b) where the processing is based on Article 6(1)(f), the legitimate interests pursued by the controller or by a third party;

(c) the existence of the right to require the controller, in respect of personal data relating to the data subject, access to them, their rectification or deletion or the restriction of processing and the right to object to processing, as well as the right to data portability;

(d) where the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, without affecting the legality of the processing carried out on the basis of consent prior to its withdrawal;

(e) the right to lodge a complaint with a supervisory authority;

(f) the source of the personal data and, where appropriate, whether they come from publicly available sources;

(g) the existence of an automated decision-making process including profiling, as referred to in Article 22(1) and (4), and, at least in those cases, relevant information on the logic used and on the expected importance and consequences of such processing for the data subject.

  3. The controller shall provide the information referred to in paragraphs 1 and 2:

(a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;

(b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or

(c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

  4. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject, prior to that further processing, with information on that other purpose and with any relevant further information as referred to in paragraph 2.
  5. Paragraphs 1 to 4 shall not apply where and in so far as:

(a) the data subject already has the information;

(b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, subject to the conditions and safeguards referred to in Article 89(1), or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights, freedoms and legitimate interests, including making the information publicly available;

(c) obtaining or disclosure is expressly laid down by Union or national law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests; or

(d) where personal data are to remain confidential under a statutory obligation of professional secrecy governed by Union or national law, including a legal obligation to keep it secret.

Article 15

The right of access of the data subject

  1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and the following information:

(a) the purposes of the processing;

(b) the categories of personal data concerned;

(c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

(d) where possible, the period for which personal data are expected to be stored or, if this is not possible, the criteria used to determine that period;

(e) the existence of the right to require the controller to rectify or delete personal data or to restrict the processing of personal data relating to the data subject or the right to object to processing;

(f) the right to lodge a complaint with a supervisory authority;

(g) where personal data are not collected from the data subject, any available information on their source;

(h) the existence of an automated decision-making process including profiling, as referred to in Article 22(1) and (4), and, at least in those cases, relevant information on the logic used and on the expected importance and consequences of such processing for the data subject.

  2. Where personal data are transferred to a third country or an international organisation, the data subject shall have the right to be informed of the appropriate safeguards under Article 46 relating to the transfer.
  3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic format.
  4. The right to obtain a copy referred to in paragraph 3 shall be without prejudice to the rights and freedoms of others.

Section 3

Rectification and erasure

Article 16

Right to rectification

The data subject shall have the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Article 17

Right to erasure of data (“right to be forgotten”)

  1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall be obliged to erase personal data without undue delay where one of the following grounds applies:

(a) personal data are no longer necessary for the purposes for which they were collected or processed;

(b) the data subject withdraws the consent on which the processing is based, in accordance with Article 6(1)(a) or Article 9(2)(a), and there is no other legal basis for the processing;

(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

(d) the personal data have been unlawfully processed;

(e) the personal data must be erased in order to comply with a legal obligation under Union or national law to which the controller is subject;

(f) personal data have been collected in connection with the provision of information society services referred to in Article 8(1).

  2. Where the controller has made the personal data public and is obliged, pursuant to paragraph 1, to erase them, the controller, taking into account the available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform the controllers processing the personal data that the data subject has requested that those controllers erase any links to, or any copies or replications of, those personal data.
  3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

(a) for the exercise of the right to free expression and information;

(b) in order to comply with a legal obligation which requires processing under Union or national law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(c) for reasons of public interest in the field of public health, in accordance with Article 9(2)(h) and (i) and Article 9(3);

(d) for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, in accordance with Article 89(1), in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

(e) for the establishment, exercise or defence of a right in court.

Article 18

Right to restriction of processing

  1. The data subject shall have the right to obtain from the controller the restriction of processing where one of the following cases applies:

(a) the data subject contests the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data;

(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or

(d) the data subject has objected to processing in accordance with Article 21(1) for the period during which it is verified that the legitimate rights of the controller prevail over those of the data subject.

  2. Where processing has been restricted pursuant to paragraph 1, such personal data may, with the exception of storage, be processed only with the consent of the data subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
  3. A data subject who has obtained the restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

Article 19

Obligation to notify the rectification or deletion of personal data or restriction of processing

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject so requests.

Article 20

Right to data portability

  1. The data subject shall have the right to receive the personal data concerning him or her which he or she has provided to a controller in a structured, commonly used and machine-readable format, and shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

(a) the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) or on a contract pursuant to Article 6(1)(b); and

(b) the processing is carried out by automated means.

  2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
  3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  4. The right referred to in paragraph 1 shall be without prejudice to the rights and freedoms of others.

Section 4

Right to object and automated individual decision-making

Article 21

Right to object

  1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on Article 6(1)(e) or (f), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
  2. Where the processing of personal data is aimed at direct marketing, the data subject shall have the right to object at any time to the processing for that purpose of the personal data concerning him, including the creation of profiles, in so far as it is linked to the direct marketing in question.
  3. Where the data subject objects to processing for direct marketing purposes, personal data shall no longer be processed for that purpose.
  4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
  5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
  6. Where personal data are processed for scientific or historical research purposes or for statistical purposes in accordance with Article 89(1), the data subject shall, for reasons relating to his particular situation, have the right to object to the processing of personal data concerning him or her, unless the processing is necessary for the performance of a task on grounds of public interest.

Article 22

Automated individual decision-making, including profiling

  1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
  2. Paragraph 1 shall not apply where the decision:

(a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;

(b) is authorised by Union or national law to which the controller is subject and which also lays down appropriate measures to safeguard the rights, freedoms and legitimate interests of the data subject; or

(c) is based on the explicit consent of the data subject.

  3. In the cases referred to in paragraph 2(a) and (c), the data controller shall implement suitable measures to safeguard the rights, freedoms and legitimate interests of the data subject, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
  4. The decisions referred to in paragraph 2 shall not be based on the special categories of personal data referred to in Article 9(1), unless Article 9(2)(a) or (g) applies and suitable measures to safeguard the rights, freedoms and legitimate interests of the data subject are in place.

Section 5

Restrictions

Article 23

Restrictions

  1. Union law or national law applicable to the data controller or processor may restrict by a legislative measure the scope of the obligations and rights laid down in Articles 12 to 22 and 34, and Article 5 in so far as its provisions correspond to the rights and obligations laid down in Articles 12 to 22, where such a restriction respects the essence of fundamental rights and freedoms and constitutes a necessary and proportionate measure in a democratic society to ensure:

(a) national security;

(b) defence;

(c) public security;

(d) the prevention, investigation, detection or prosecution of criminal offences or the enforcement of criminal sanctions, including protection against and prevention of threats to public security;

(e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including in the monetary, budgetary and fiscal fields and in the field of public health and social security;

(f) the protection of judicial independence and judicial proceedings;

(g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

(h) the monitoring, inspection or regulatory function linked, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);

(i) the protection of the data subject or the rights and freedoms of others;

(j) the implementation of civil law claims.

  2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where appropriate, as regards:

(a) the purposes of the processing or categories of processing;

(b) categories of personal data;

(c) the scope of the restrictions introduced;

(d) safeguards to prevent abuse or unlawful access or transfer;

(e) the specification of the controller or categories of controllers;

(f) storage periods and guarantees applicable in view of the nature, scope and purposes of the processing or categories of processing;

(g) the risks to the rights and freedoms of data subjects; and

(h) the right of data subjects to be informed of the restriction, unless this may prejudice the purpose of the restriction.

CHAPTER IV

Controller and processor

Section 1

General obligations

Article 24

Responsibility of the controller

  1. Taking into account the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that the processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
  2. Where proportionate in relation to the processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.
  3. Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.

Article 25

Data protection by design and by default

  1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
  2. The controller shall implement appropriate technical and organisational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that, by default, personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.
  3. A certification mechanism approved in accordance with Article 42 may be used as an element demonstrating compliance with the requirements laid down in paragraphs 1 and 2 of this Article.

Article 26

Joint controllers

  1. Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them, unless and in so far as the respective responsibilities of the controllers are determined by Union or national law to which the controllers are subject. The arrangement may designate a contact point for data subjects.
  2. The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject.
  3. Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.

Article 27

Representatives of controllers or processors not established in the Union

  1. Where Article 3(2) applies, the controller or processor shall designate a representative in writing in the Union.
  2. The obligation referred to in paragraph 1 of this Article shall not apply to:

(a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or

(b) a public authority or body.

  3. The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are located.
  4. The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.
  5. The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.

Article 28

Processor

  1. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
  2. The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
  3. Processing by a processor shall be governed by a contract or other legal act under Union or national law which is binding on the processor in relation to the controller and which determines the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects and the obligations and rights of the controller. That contract or legal act provides, in particular, that the processor:

(a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or national law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

(b) ensure that persons authorised to process personal data have undertaken to respect confidentiality or have an appropriate statutory obligation of confidentiality;

(c) take all necessary measures in accordance with Article 32;

(d) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;

(e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, in so far as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;

(f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36, taking into account the nature of the processing and the information available to the processor;

(g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or national law requires storage of the personal data;

(h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or national data protection provisions.

  4. Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or national law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.
  5. Adherence of a processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article.
  6. Without prejudice to an individual contract between the controller and the processor, the contract or the other legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on standard contractual clauses referred to in paragraphs 7 and 8 of this Article, including when they are part of a certification granted to the controller or processor pursuant to Articles 42 and 43.
  7. The Commission may lay down standard contractual clauses for the matters referred to in paragraphs 3 and 4 of this Article and in accordance with the examination procedure referred to in Article 93(2).
  8. A supervisory authority may adopt standard contractual clauses for the matters referred to in paragraphs 3 and 4 of this Article and in accordance with the consistency mechanism referred to in Article 63.
  9. The contract or the other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form.
  10. Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.

Article 29

Conduct of the processing activity under the authority of the controller or processor

The processor and any person acting under the authority of the controller or of the processor who has access to personal data shall not process those data except on instructions from the controller, unless required to do so by Union or national law.

Article 30

Records of processing activities

  1. Each controller and, where applicable, the controller's representative shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

(a) the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;

(b) the purposes of the processing;

(c) a description of the categories of data subjects and categories of personal data;

(d) the categories of recipients to whom personal data have been or will be disclosed, including recipients from third countries or international organisations;

(e) where appropriate, transfers of personal data to a third country or an international organisation, including the identification of the third country or international organisation concerned and, in the case of transfers referred to in the second subparagraph of Article 49(1), documentation proving the existence of adequate safeguards;

(f) where possible, the expected deadlines for erasing the different categories of data;

(g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

  2. Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:

(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer;

(b) the categories of processing carried out on behalf of each controller;

(c) where appropriate, transfers of personal data to a third country or an international organisation, including the identification of the third country or international organisation concerned and, in the case of transfers referred to in the second subparagraph of Article 49(1), documentation proving the existence of adequate safeguards;

(d) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

  3. The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
  4. The controller or the processor and, where applicable, the controller's or the processor's representative shall make the record available to the supervisory authority on request.
  5. The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons, unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.

Article 31

Cooperation with the supervisory authority

The controller and the processor and, where appropriate, their representative shall cooperate, on request, with the supervisory authority in the performance of their tasks.

Section 2

Security of personal data

Article 32

Security of processing

  1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) pseudonymisation and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

  2. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
  3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.
  4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or national law.

Article 33

Notification to the supervisory authority in the event of a personal data breach

  1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
  2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
  3. The notification referred to in paragraph 1 shall at least:

(a) describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned, as well as the categories and approximate number of personal data records concerned;

(b) communicate the name and contact details of the Data Protection Officer or another contact point from which more information can be obtained;

(c) describe the likely consequences of the personal data breach;

(d) describe the measures taken or proposed to be taken by the controller to remedy the personal data breach, including, where appropriate, measures to mitigate its possible negative effects.

  4. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
  5. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.

Article 34

Informing the data subject of the breach of personal data security

  1. Where the breach of personal data security is likely to give rise to a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject without undue delay of that breach.
  2. The information provided for in paragraph 1 of this Article shall include a clear and simple description of the nature of the personal data breach and at least the information and measures referred to in Article 33(3)(b), (c) and (d).
  3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions is met:

(a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;

(b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;

(c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

  4. If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.

Section 3

Data protection impact assessment and prior consultation

Article 35

Data protection impact assessment

  1. In view of the nature, scope, context and purposes of processing, where a type of processing, in particular that based on the use of new technologies, is likely to give rise to a high risk to the rights and freedoms of natural persons, the controller shall, before processing, carry out an assessment of the impact of the planned processing operations on the protection of personal data. A single assessment may address a set of similar processing operations with similar high risks.
  2. When carrying out a data protection impact assessment, the controller shall seek the opinion of the Data Protection Officer, if he has been appointed.
  3. The data protection impact assessment referred to in paragraph 1 shall be necessary in particular in the case of:

(a) a systematic and comprehensive assessment of personal aspects relating to natural persons, which is based on automatic processing, including profiling, and which is the basis for decisions which have legal effects on the natural person or which similarly affect it to a significant extent;

(b) the widespread processing of special categories of data referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10; or

(c) widespread systematic monitoring of a publicly available area.

  4. The supervisory authority shall establish and make public a list of the kinds of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1. The supervisory authority shall communicate those lists to the Committee referred to in Article 68.
  5. The supervisory authority may also establish and make public a list of the kinds of processing operations for which no data protection impact assessment is required. The supervisory authority shall communicate those lists to the Committee.
  6. Prior to the adoption of the lists referred to in paragraphs 4 and 5, the competent supervisory authority shall apply the consistency mechanism referred to in Article 63 where those lists involve processing activities which are related to the offering of goods or services to data subjects or to the monitoring of their behaviour in several Member States, or which may substantially affect the free movement of personal data within the Union.
  7. The assessment shall contain at least:

(a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;

(b) an assessment of the necessity and proportionality of processing operations in relation to these purposes;

(c) an assessment of the risks to the rights and freedoms of the data subjects referred to in paragraph 1; and

(d) the measures envisaged to address risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the provisions of this Regulation, taking into account the legitimate rights and interests of data subjects and other interested parties.

  8. Compliance with approved codes of conduct referred to in Article 40 by the relevant controllers or processors shall be taken into due account in assessing the impact of the processing operations performed by such controllers or processors, in particular for the purposes of a data protection impact assessment.
  9. Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.
  10. Where processing pursuant to point (c) or (e) of Article 6(1) has a legal basis in Union law or in the law of the Member State to which the controller is subject, that law regulates the specific processing operation or set of operations in question, and a data protection impact assessment has already been carried out as part of a general impact assessment in the context of the adoption of that legal basis, paragraphs 1 to 7 shall not apply unless Member States deem it necessary to carry out such an assessment prior to processing activities.
  11. Where necessary, the controller shall carry out a review to assess whether processing is performed in accordance with the data protection impact assessment, at least when there is a change of the risk represented by processing operations.

Article 36

Prior consultation

  1. The controller shall consult the supervisory authority before processing when the data protection impact assessment provided for in Article 35 indicates that the processing would create a high risk in the absence of measures taken by the controller to mitigate the risk.
  2. Where the supervisory authority considers that the processing referred to in paragraph 1 would infringe this Regulation, in particular where the risk has not been sufficiently identified or mitigated by the controller, the supervisory authority shall provide written advice to the controller and, where appropriate, to the processor within eight weeks of receipt of the request for consultation, and may use any of the powers referred to in Article 58. This period may be extended by six weeks, taking into account the complexity of the processing envisaged. The supervisory authority shall inform the controller and, where appropriate, the processor, within one month of receipt of the request, of any such extension, giving the reasons for the delay. These periods may be suspended until the supervisory authority has obtained the information it has requested for consultation purposes.
  3. When consulting the supervisory authority pursuant to paragraph 1, the controller shall provide the supervisory authority with:

(a) where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;

(b) the purposes and means of the processing envisaged;

(c) the measures and safeguards provided for the protection of the rights and freedoms of data subjects in accordance with this Regulation;

(d) where appropriate, the contact details of the data protection officer;

(e) the data protection impact assessment provided for in Article 35; and

(f) any other information requested by the supervisory authority.

  4. Member States shall consult the supervisory authority during the preparation of a proposal for a legislative measure to be adopted by a national parliament, or of a regulatory measure based on such a legislative measure, which relates to processing.
  5. Notwithstanding paragraph 4, Member State law may require controllers to consult with, and obtain prior authorisation from, the supervisory authority in relation to processing by a controller for the performance of a task carried out by the controller in the public interest, including processing in relation to social protection and public health.

Section 4

Data Protection Officer

Article 37

Designation of data protection officer

  1. The controller and the processor shall designate a data protection officer whenever:

(a) the processing is carried out by a public authority or body, with the exception of courts acting in the exercise of their judicial function;

(b) the main activities of the controller or processor consist of processing operations which, by their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or

(c) the main activities of the controller or processor consist of the widespread processing of special categories of data referred to in Article 9, or personal data relating to criminal convictions and offences referred to in Article 10.

  2. A group of undertakings may appoint a single data protection officer, provided that the data protection officer is easily accessible from each establishment.
  3. Where the controller or processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.
  4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law, shall designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.
  5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices, and the ability to fulfil the tasks referred to in Article 39.
  6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.
  7. The controller or processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.

Article 38

Function of the Data Protection Officer

  1. The controller and the processor shall ensure that the Data Protection Officer is properly and in a timely manner involved in all aspects of the protection of personal data.
  2. The controller and the processor shall assist the data protection officer in carrying out the tasks referred to in Article 39, providing him with the resources necessary for the performance of those tasks, as well as accessing personal data and processing operations, and for maintaining his expertise.
  3. The controller and the processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his or her tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.
  4. Data subjects may contact the Data Protection Officer on all matters relating to the processing of their data and the exercise of their rights under this Regulation.
  5. The Data Protection Officer shall be bound by secrecy or confidentiality in respect of the performance of his duties in accordance with Union or national law.
  6. The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.

Article 39

Tasks of the Data Protection Officer

  1. The Data Protection Officer shall have at least the following tasks:

(a) informing and advising the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or national data protection provisions;

(b) monitoring compliance with this Regulation, other provisions of Union or national law relating to the protection of data and the policies of the controller or processor with regard to the protection of personal data, including the allocation of responsibilities and actions to raise awareness and training of staff involved in processing operations, and related audits;

(c) providing advice where requested as regards the data protection impact assessment and monitoring its performance pursuant to Article 35;

(d) cooperation with the supervisory authority;

(e) taking on the role of contact point for the supervisory authority on processing matters, including the prior consultation referred to in Article 36, and, where appropriate, consultation on any other matter.

  2. The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

Section 5

Codes of conduct and certification

Article 40

Codes of conduct

  1. Member States, supervisory authorities, the Committee and the Commission shall encourage the development of codes of conduct to contribute to the proper application of this Regulation, taking into account the specific characteristics of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.
  2. Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to:

(a) fair and transparent processing;

(b) the legitimate interests pursued by controllers in specific contexts;

(c) the collection of personal data;

(d) pseudonymisation of personal data;

(e) informing the public and data subjects;

(f) the exercise of the rights of data subjects;

(g) informing and protecting children and how consent of holders of parental responsibility for children must be obtained;

(h) the measures and procedures referred to in Articles 24 and 25 and the measures to ensure the security of processing referred to in Article 32;

(i) notifying supervisory authorities of personal data breaches and informing data subjects of such breaches;

(j) the transfer of personal data to third countries or international organisations; or

(k) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79.

  3. Codes of conduct approved pursuant to paragraph 5 of this Article and having general validity pursuant to paragraph 9 of this Article may also be adhered to by controllers or processors that are not subject to this Regulation pursuant to Article 3, in order to provide appropriate safeguards within the framework of transfers of personal data to third countries or international organisations under the conditions referred to in Article 46(2)(e). Such controllers or processors shall undertake binding and enforceable commitments, by means of contractual instruments or other legally binding instruments, for the purpose of applying those appropriate safeguards, including with regard to the rights of data subjects.
  4. The code of conduct referred to in paragraph 2 of this Article shall contain mechanisms enabling the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of supervisory authorities which are competent under Article 55 or 56.
  5. Associations and other bodies referred to in paragraph 2 of this Article which intend to prepare a code of conduct or to amend or extend an existing code shall submit the draft code, amendment or extension to the supervisory authority which is competent under Article 55. The supervisory authority shall deliver an opinion on whether the draft code, amendment or extension complies with this Regulation and shall approve it if it finds that it provides sufficient appropriate safeguards.
  6. Where the draft code, amendment or extension is approved in accordance with paragraph 5, and where the code of conduct concerned does not relate to processing activities in several Member States, the supervisory authority shall register and publish the code.
  7. Where a draft code of conduct, amendment or extension relates to processing activities in several Member States, the supervisory authority which is competent under Article 55 shall, before approving it, submit it by the procedure referred to in Article 63 to the Committee, which shall deliver an opinion on whether the draft concerned complies with this Regulation or, in the situation referred to in paragraph 3 of this Article, provides appropriate safeguards.
  8. Where the opinion referred to in paragraph 7 confirms that the draft code, amendment or extension complies with this Regulation or, in the situation referred to in paragraph 3, provides appropriate safeguards, the Committee shall submit its opinion to the Commission.
  9. The Commission may, by way of implementing acts, decide that the approved code of conduct, amendment or extension submitted to it pursuant to paragraph 8 of this Article has general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).
  10. The Commission shall ensure appropriate publicity for the approved codes which have been decided as having general validity in accordance with paragraph 9.
  11. The Committee shall collate all approved codes of conduct, amendments and extensions in a register and shall make them publicly available by any appropriate means.

Article 41

Monitoring approved codes of conduct

  1. Without prejudice to the tasks and powers of the competent supervisory authority pursuant to Articles 57 and 58, monitoring of compliance with a code of conduct pursuant to Article 40 may be carried out by a body which has an adequate level of expertise in relation to the subject-matter of the Code and which is accredited for that purpose by the competent supervisory authority.
  2. A body referred to in paragraph 1 may be accredited to monitor compliance with a code of conduct if:

(a) it has demonstrated to the competent supervisory authority, in a satisfactory manner, its independence and expertise in relation to the subject matter of the code;

(b) it has established procedures which allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation;

(c) it has established procedures and structures to handle complaints about infringements of the code or the manner in which the code has been, or is being, implemented by a controller or processor, and to make those procedures and structures transparent to data subjects and the public; and

(d) it has demonstrated to the competent supervisory authority, to a satisfactory extent, that its tasks and duties do not result in a conflict of interests.

  3. The competent supervisory authority shall submit the draft criteria for accreditation of a body referred to in paragraph 1 of this Article to the Committee pursuant to the consistency mechanism referred to in Article 63.
  4. Without prejudice to the tasks and powers of the competent supervisory authority and the provisions of Chapter VIII, a body referred to in paragraph 1 of this Article shall, subject to appropriate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. It shall inform the competent supervisory authority of such actions and the reasons for taking them.
  5. The competent supervisory authority shall revoke the accreditation of a body referred to in paragraph 1 if the conditions for accreditation are not, or are no longer, met or where actions taken by that body infringe this Regulation.
  6. This Article shall not apply to processing carried out by public authorities and bodies.

Article 42

Certification

  1. Member States, supervisory authorities, the Committee and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.
  2. Data protection certification mechanisms, seals or marks approved pursuant to paragraph 5 of this Article may be established not only to be adhered to by controllers or processors subject to this Regulation, but also to demonstrate the existence of appropriate safeguards provided by controllers or processors that are not subject to this Regulation pursuant to Article 3, within the framework of transfers of personal data to third countries or international organisations under the conditions referred to in Article 46(2)(f). Such controllers or processors shall undertake binding and enforceable commitments, by means of contractual instruments or other legally binding instruments, for the purpose of applying those appropriate safeguards, including with regard to the rights of data subjects.
  3. Certification shall be voluntary and available through a transparent process.
  4. Certification pursuant to this Article shall not reduce the responsibility of the controller or processor to comply with this Regulation and shall be without prejudice to the tasks and powers of the supervisory authorities which are competent under Article 55 or 56.
  5. The certification bodies referred to in Article 43 or the competent supervisory authority shall issue a certification under this Article on the basis of criteria approved by the competent supervisory authority concerned pursuant to Article 58(3), or by the Committee pursuant to Article 63. If the criteria are approved by the Committee, it may lead to a common certification, i.e. the European data protection seal.
  6. The controller or processor subjecting its processing activities to the certification mechanism shall provide the certification body referred to in Article 43 or, where appropriate, the competent supervisory authority with all the information necessary for the conduct of the certification procedure and access to those processing activities.
  7. Certification shall be issued to a controller or processor for a maximum period of three years and may be renewed under the same conditions, provided that the relevant requirements continue to be met. Certification shall be withdrawn, as applicable, by the certification bodies referred to in Article 43 or by the competent supervisory authority where the requirements for the certification are not or are no longer met.
  8. The Committee shall group all certification mechanisms and seals and data protection marks into a register and make them available to the public by any appropriate means.

Article 43

Certification bodies

  1. Without prejudice to the tasks and powers of the competent supervisory authority referred to in Articles 57 and 58, certification bodies having an adequate level of competence in the field of data protection, after informing the supervisory authority to enable it to exercise its powers pursuant to Article 58(2)(h), shall issue and renew the certification. Member States shall ensure that these certification bodies are accredited by one or both of the following entities:

(a) the supervisory authority which is competent under Article 55 or 56;

(b) the national accreditation body designated in accordance with Regulation (EC) No 765/2008 of the European Parliament and of the Council (20), in accordance with the EN-ISO/IEC 17065/2012 standard and the additional requirements laid down by the supervisory authority which is competent under Article 55 or 56.

  1. A certification body referred to in paragraph 1 shall be accredited in accordance with that paragraph only if:

(a) it has demonstrated to the competent supervisory authority, in a satisfactory manner, its independence and expertise in relation to the subject matter of the certification;

(b) has undertaken to comply with the criteria referred to in Article 42(5) and approved by the supervisory authority which is competent under Article 55 or 56, or by the Committee pursuant to Article 63;

(c) has procedures in place for the issue, periodic review and withdrawal of data protection certification, seals and marks;

(d) it has established procedures and structures to handle complaints about infringements of the certification or the manner in which the certification has been, or is being, implemented by a controller or processor, and to make those procedures and structures transparent to data subjects and the public; and

(e) it has demonstrated to the competent supervisory authority, to a satisfactory extent, that its tasks and duties do not result in a conflict of interests.

  3. Accreditation of the certification bodies referred to in paragraphs 1 and 2 of this Article shall take place on the basis of criteria approved by the supervisory authority which is competent under Article 55 or 56, or by the Committee pursuant to Article 63. In the case of accreditation pursuant to paragraph 1(b) of this Article, those requirements shall complement those laid down in Regulation (EC) No 765/2008 and the technical rules describing the methods and procedures of the certification bodies.
  4. The certification bodies referred to in paragraph 1 shall be responsible for the proper assessment leading to the certification or the withdrawal of such certification, without prejudice to the responsibility of the controller or processor for compliance with this Regulation. Accreditation shall be issued for a maximum period of five years and may be renewed under the same conditions, provided that the certification body meets the requirements laid down in this Article.
  5. The certification bodies referred to in paragraph 1 shall provide the competent supervisory authorities with the reasons for granting or withdrawing the requested certification.
  6. The requirements referred to in paragraph 3 of this Article and the criteria referred to in Article 42(5) shall be made public by the supervisory authority in an easily accessible form. The supervisory authorities shall also transmit those requirements and criteria to the Committee. The Committee shall collate all certification mechanisms and data protection seals in a register and shall make them publicly available by any appropriate means.
  7. Without prejudice to Chapter VIII, the competent supervisory authority or the national accreditation body shall revoke the accreditation of a certification body pursuant to paragraph 1 of this Article where the conditions for accreditation are not, or are no longer, met or where actions taken by the certification body infringe this Regulation.
  8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of specifying the requirements to be taken into account for the data protection certification mechanisms referred to in Article 42(1).
  9. The Commission may adopt implementing acts laying down technical standards for certification mechanisms and data protection seals and marks, and mechanisms to promote and recognise those certification mechanisms, seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

CHAPTER V

Transfers of personal data to third countries or international organisations

Article 44

General principle of transfers

Any personal data which is the subject of processing or to be processed after being transferred to a third country or to an international organisation may be transferred only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and the processor, including with regard to subsequent transfers of personal data from the third country or from the international organisation to another third country, or to another international organisation. All provisions of this Chapter shall apply to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.

Article 45

Transfers pursuant to a decision on the adequacy of the level of protection

  1. The transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors of that third country or the international organisation concerned provides an adequate level of protection. Transfers made under these conditions do not require special authorisations.
  2. When assessing the adequacy of the level of protection, the Commission shall take into account, in particular, the following elements:

(a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including on public security, defence, national security and criminal law, as well as public authorities’ access to personal data, as well as the implementation of that legislation, data protection rules, professional rules and security measures, including rules on the subsequent transfer of personal data to another third country or international organisation, which are respected in the third country concerned or in the international organisation concerned, the case-law, as well as the existence of effective and enforceable rights of data subjects and effective administrative and judicial redress for data subjects whose personal data are transferred;

(b) the existence and effective functioning of one or more independent supervisory authorities in the third country or under the jurisdiction of an international organisation, with responsibility for ensuring and enforcing compliance with data protection rules, including appropriate enforcement powers, for assisting and advising data subjects on the exercise of their rights and for cooperation with supervisory authorities in the Member States; and

(c) international commitments to which the third country or international organisation concerned has joined, or other obligations arising from legally binding conventions or instruments, as well as its participation in multilateral or regional systems, in particular in the field of personal data protection.

  3. The Commission may, after assessing the adequacy of the level of protection, decide, by means of an implementing act, that a third country, a territory or one or more specified sectors within a third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2 of this Article. The implementing act shall provide for a mechanism for a periodic review, at least every four years, which shall take into account all relevant developments in the third country or international organisation. The implementing act shall specify its territorial and sectoral application and, where applicable, identify the supervisory authority or authorities referred to in paragraph 2(b) of this Article. The implementing act shall be adopted in accordance with the examination procedure referred to in Article 93(2).
  4. The Commission shall, on an ongoing basis, monitor developments in third countries and international organisations that could affect the functioning of decisions adopted pursuant to paragraph 3 of this Article and decisions adopted on the basis of Article 25(6) of Directive 95/46/EC.
  5. The Commission shall, where available information reveals, in particular following the review referred to in paragraph 3 of this Article, that a third country, a territory or one or more specified sectors within a third country, or an international organisation no longer ensures an adequate level of protection within the meaning of paragraph 2 of this Article, to the extent necessary, repeal, amend or suspend, by means of an implementing act, the decision referred to in paragraph 3 of this Article without retroactive effect. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

For urgent reasons, the Commission shall adopt implementing acts immediately applicable in accordance with the procedure referred to in Article 93(3).

  6. The Commission shall initiate consultations with the third country or international organisation with a view to remedying the situation underlying the decision taken in accordance with paragraph 5.
  7. A decision taken pursuant to paragraph 5 of this Article shall be without prejudice to transfers of personal data to the third country, a territory or one or more specified sectors of that third country or to the international organisation concerned in accordance with Articles 46 to 49.
  8. The Commission shall publish in the Official Journal of the European Union and on its website a list of third countries, specified territories and sectors of a third country and international organisations where it has decided that an adequate level of protection is or is no longer ensured.
  9. Decisions taken by the Commission pursuant to Article 25(6) of Directive 95/46/EC shall remain in force until they are amended, replaced or repealed by a Commission Decision adopted in accordance with paragraph 3 or 5 of this Article.

Article 46

Transfers on the basis of appropriate safeguards

  1. In the absence of a decision pursuant to Article 45(3), the controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards and provided that there are enforceable rights and effective remedies for the data subjects.
  2. The appropriate safeguards referred to in paragraph 1 may be provided without the need for any specific authorisation from a supervisory authority by:

(a) a legally binding and enforceable instrument between public authorities or bodies;

(b) binding corporate rules in accordance with Article 47;

(c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);

(d) standard data protection clauses adopted by a supervisory authority and approved by the Commission in accordance with the examination procedure referred to in Article 93(2);

(e) a code of conduct approved in accordance with Article 40, accompanied by a binding and enforceable undertaking by the controller or processor of the third country to apply appropriate safeguards, including with regard to the rights of data subjects; or

(f) a certification mechanism approved in accordance with Article 42, accompanied by a binding and enforceable undertaking by the controller or processor of the third country to apply appropriate safeguards, including with regard to the rights of data subjects.

  3. Subject to authorisation by the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided, in particular, by:

(a) contractual clauses between the controller or processor and the controller, the processor or the recipient of the personal data in the third country or international organisation; or

(b) provisions to be included in administrative agreements between public authorities or bodies, which include enforceable and effective rights for data subjects.

  4. The supervisory authority shall apply the mechanism for ensuring consistency referred to in Article 63 in the cases referred to in paragraph 3 of this Article.
  5. Authorisations granted by a Member State or a supervisory authority pursuant to Article 26(2) of Directive 95/46/EC shall be valid until the date on which they are amended, replaced or repealed, if necessary, by that supervisory authority. Decisions taken by the Commission pursuant to Article 26(4) of Directive 95/46/EC shall remain in force until they are amended, replaced or repealed, if necessary, by a Commission Decision adopted in accordance with paragraph 2 of this Article.

Article 47

Binding corporate rules

  1. In accordance with the mechanism for ensuring consistency provided for in Article 63, the competent supervisory authority shall approve binding corporate rules, provided that they:

(a) are legally binding and apply to each member concerned of the group of undertakings or group of enterprises engaged in a joint economic activity, including its employees, and are implemented by the members concerned;

(b) expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and

(c) meet the requirements laid down in paragraph 2.

  2. The binding corporate rules referred to in paragraph 1 shall specify at least:

(a) the structure and contact details of the group of undertakings or group of undertakings involved in a common economic activity and of each of its members;

(b) data transfers or the set of transfers, including categories of personal data, type of processing and purposes of processing, types of data subjects affected and identification of the third country or third countries concerned;

(c) their legally binding nature, both internally and externally;

(d) the application of general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, the legal basis for processing, the processing of special categories of personal data, data security measures and the requirements for onward transfers to bodies not bound by the binding corporate rules;

(e) the rights of data subjects with regard to the processing and the means of exercising those rights, including the right not to be subject to decisions based solely on automated processing, including profiling, in accordance with Article 22, the right to lodge a complaint with the competent supervisory authority and the competent courts of the Member States in accordance with Article 79, as well as the right to obtain redress and, where appropriate, compensation for breaches of the binding corporate rules;

(f) acceptance by the controller or processor, established in the territory of a Member State, of liability for any breach of binding corporate rules by any member concerned who is not established in the Union; the controller or processor shall be relieved of such liability, in whole or in part, only if it proves that the member concerned was not responsible for the event which caused the damage;

(g) how information on binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph, is provided to data subjects in addition to the information referred to in Articles 13 and 14;

(h) the tasks of any data protection officer designated in accordance with Article 37 or any other person or entity responsible for monitoring compliance with binding corporate rules within the group of undertakings or group of undertakings involved in a common economic activity, training activities and complaint management;

(i) complaint procedures;

(j) the mechanisms within the group of undertakings or group of enterprises engaged in a joint economic activity for ensuring that compliance with the binding corporate rules is verified. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. The results of such verification should be communicated to the person or entity referred to in point (h) and to the management board of the controlling undertaking of the group of undertakings or group of enterprises engaged in a joint economic activity, and should be made available to the competent supervisory authority on request;

(k) the mechanisms for reporting and recording changes to the rules and reporting these changes to the supervisory authority;

(l) the mechanism for cooperation with the supervisory authority to ensure compliance with the rules by any member of the group of undertakings or group of undertakings involved in a common economic activity, in particular by making available to the supervisory authority the results of checks on the measures referred to in point (j);

(m) the mechanisms for reporting to the competent supervisory authority any legal requirements imposed on a member of the group of undertakings or of the group of enterprises engaged in a joint economic activity in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules; and

(n) appropriate training in the field of data protection of personnel who have permanent or periodic access to personal data.

  3. The Commission may specify the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules for the purposes of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

Article 48

Transfers or disclosures of information not authorised by Union law

Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if it is based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.

Article 49

Derogations for specific situations

  1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:

(a) the data subject has explicitly agreed to the proposed transfer, after being informed of the possible risks that such transfers may entail for the data subject as a result of the lack of a decision on the adequacy of the level of protection and adequate safeguards;

(b) the transfer is necessary for the performance of a contract between the data subject and the controller or for the application of pre-contractual measures adopted at the request of the data subject;

(c) the transfer is necessary for the conclusion of a contract or for the performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;

(d) the transfer is necessary for important reasons of public interest;

(e) the transfer is necessary for the establishment, exercise or defence of a right in court;

(f) the transfer is necessary to protect the vital interests of the data subject or other persons, where the data subject does not have the physical or legal capacity to express his consent;

(g) the transfer shall be made from a register which, under Union or national law, is intended to provide information to the public and which may be consulted either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions for consultation laid down by Union or national law in that specific case are fulfilled.

Where a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding corporate rules, and none of the derogations for specific situations referred to in the first subparagraph of this paragraph is applicable, a transfer to a third country or an international organisation may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of the major legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the supervisory authority of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and of the major legitimate interests pursued.

  2. A transfer pursuant to point (g) of the first subparagraph of paragraph 1 shall not involve the entirety of the personal data or entire categories of the personal data contained in the register. Where the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.
  3. Points (a), (b) and (c) of the first subparagraph of paragraph 1 and the second subparagraph thereof shall not apply to activities carried out by public authorities in the exercise of their public powers.
  4. The public interest referred to in point (d) of the first subparagraph of paragraph 1 shall be recognised in Union law or in the law of the Member State to which the controller is subject.
  5. In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of personal data to a third country or an international organisation. Member States shall notify such provisions to the Commission.
  6. The controller or processor shall document the assessment as well as the suitable safeguards referred to in the second subparagraph of paragraph 1 of this Article in the records referred to in Article 30.

Article 50

International cooperation in the field of personal data protection

As regards third countries and international organisations, the Commission and the supervisory authorities shall take appropriate measures to:

(a) develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data;

(b) provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms;

(c) engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal data;

(d) promote the exchange and documentation of personal data protection legislation and practice, including on jurisdictional conflicts with third countries.

CHAPTER VI

Independent supervisory authorities

Section 1

Independent status

Article 51

Supervisory authority

  1. Each Member State shall ensure that one or more independent public authorities are responsible for monitoring the application of this Regulation, with a view to protecting the fundamental rights and freedoms of natural persons with regard to the processing and facilitating the free movement of personal data within the Union (the ‘supervisory authority’).
  2. Each supervisory authority shall contribute to the consistent application of this Regulation throughout the Union. To this end, the supervisory authorities shall cooperate with each other and with the Commission in accordance with Chapter VII.
  3. Where several supervisory authorities are established in a Member State, it shall designate the supervisory authority representing those authorities within the Committee and establish a mechanism to ensure that the other authorities comply with the rules on the mechanism for ensuring consistency provided for in Article 63.
  4. Each Member State shall notify the Commission of the legal provisions it adopts pursuant to this Chapter by 25 May 2018 and, without delay, any subsequent amendments it makes to those provisions.

Article 52

Independence

  1. Each supervisory authority shall enjoy full independence in the performance of its tasks and the exercise of its powers in accordance with this Regulation.
  2. The member or members of each supervisory authority shall, in the performance of their duties and the exercise of their powers in accordance with this Regulation, remain free from direct or indirect external influence and shall neither seek nor accept instructions from any external party.
  3. The member or members of each supervisory authority shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation, whether gainful or not.
  4. Each Member State shall ensure that each supervisory authority has the human, technical and financial resources, an establishment and infrastructure necessary for the performance of its tasks and the effective exercise of its powers, including those to be applied in the context of mutual assistance, cooperation and participation in the Committee.
  5. Each Member State shall ensure that each supervisory authority selects its own staff and has its own staff under the sole direction of the member or members of that supervisory authority.
  6. Each Member State shall ensure that each supervisory authority is subject to financial control without prejudice to its independence and that it has separate, public annual budgets which may form part of the general State or national budget.

Article 53

General conditions applicable to members of the supervisory authority

  1. Member States shall ensure that each member of their supervisory authority is appointed by means of a transparent procedure:

— by their parliament,

— by their government,

— by their Head of State, or

— by an independent body entrusted with the appointment under Member State law.

  2. Each member shall have the qualifications, experience and skills, in particular in the area of the protection of personal data, required to perform their duties and exercise their powers.
  3. The duties of a member shall end in the event of the expiry of the term of office, resignation or compulsory retirement, in accordance with the law of the Member State concerned.
  4. A member shall be dismissed only in cases of serious misconduct or if the member no longer fulfils the conditions required for the performance of the duties.

Article 54

Rules on the establishment of the supervisory authority

  1. Each Member State shall provide, by legislative means, the following:

(a) the establishment of each supervisory authority;

(b) the qualifications and eligibility conditions required to be appointed as a member of each supervisory authority;

(c) the rules and procedures for the appointment of the member or members of each supervisory authority;

(d) the duration of the term of office of the member or members of each supervisory authority of no less than four years, except for the first appointment after 24 May 2016, part of which may take place for a shorter period where that is necessary to protect the independence of the supervisory authority by means of a staggered appointment procedure;

(e) whether and how many times the term of office of the member or members of each supervisory authority is eligible for renewal;

(f) the conditions governing the obligations of the member or members and staff of each supervisory authority, prohibitions on actions, occupations and benefits incompatible with them during and after the term of office, and the rules governing termination of the employment contract.

  2. The member or members and the staff of each supervisory authority shall, in accordance with Union or Member State law, be subject to a duty of professional secrecy both during and after their term of office, with regard to any confidential information which has come to their knowledge in the course of the performance of their duties or the exercise of their powers. During their term of office, that duty of professional secrecy shall in particular apply to reporting by natural persons of infringements of this Regulation.

Section 2

Competence, tasks and powers

Article 55

Competence

  1. Each supervisory authority shall have the power to carry out the tasks and exercise the powers conferred on it under this Regulation in the territory of the Member State to which it belongs.
  2. Where processing is carried out by public authorities or private bodies acting on the basis of point (c) or (e) of Article 6(1), the supervisory authority of the Member State concerned shall be competent. In such cases Article 56 shall not apply.
  3. Supervisory authorities shall not be competent to supervise the processing operations of courts acting in the performance of their judicial function.

Article 56

Jurisdiction of the main supervisory authority

  1. Without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60.

  2. By way of derogation from paragraph 1, each supervisory authority shall be competent to handle a complaint lodged with it or a possible infringement of this Regulation, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State.
  3. In the cases referred to in paragraph 2 of this Article, the supervisory authority shall inform the lead supervisory authority without delay on that matter. Within a period of three weeks after being informed the lead supervisory authority shall decide whether or not it will handle the case in accordance with the procedure provided in Article 60, taking into account whether or not there is an establishment of the controller or processor in the Member State of which the supervisory authority informed it.
  4. Where the lead supervisory authority decides to handle the case, the procedure provided in Article 60 shall apply. The supervisory authority which informed the lead supervisory authority may submit to the lead supervisory authority a draft for a decision. The lead supervisory authority shall take utmost account of that draft when preparing the draft decision referred to in Article 60(3).
  5. Where the lead supervisory authority decides not to handle the case, the supervisory authority which informed the lead supervisory authority shall handle it according to Articles 61 and 62.
  6. The lead supervisory authority shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor.

Article 57

Tasks

  1. Without prejudice to other tasks laid down under this Regulation, each supervisory authority shall, in its territory:

(a) monitor and ensure the application of this Regulation;

(b) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children shall receive specific attention;

(c) advise, in accordance with national law, the national parliament, the Government and other institutions and bodies on legislative and administrative measures relating to the protection of the rights and freedoms of natural persons with regard to processing;

(d) promote the awareness of controllers and processors of their obligations under this Regulation;

(e) on request, provide information to any data subject in connection with the exercise of his rights in accordance with this Regulation and, where appropriate, cooperate with the supervisory authorities of other Member States for this purpose;

(f) deal with complaints lodged by a data subject, body, organisation or association in accordance with Article 80 and investigate to an appropriate extent the subject-matter of the complaint and inform the complainant of the progress and outcome of the investigation within a reasonable time, in particular if it is necessary to carry out a more thorough investigation or coordination with another supervisory authority;

(g) cooperate, including through the exchange of information, with other supervisory authorities and provide mutual assistance to ensure consistency in the application and compliance with this Regulation;

(h) carry out investigations into the application of this Regulation, including on the basis of information received from another supervisory authority or other public authority;

(i) monitor relevant developments in so far as they have an impact on the protection of personal data, in particular developments in information and communication technologies and commercial practices;

(j) adopt standard data protection clauses referred to in Article 28(8) and in point (d) of Article 46(2);

(k) establish and maintain a list in relation to the requirement for data protection impact assessment pursuant to Article 35(4);

(l) provide advice on the processing operations referred to in Article 36(2);

(m) encourage the development of codes of conduct in accordance with Article 40(1), give its opinion on them and approve those which provide sufficient guarantees in accordance with Article 40(5);

(n) encourage the establishment of certification mechanisms as well as seals and marks in the field of data protection in accordance with Article 42(1) and approve the certification criteria in accordance with Article 42(5);

(o) where appropriate, carry out a periodic review of the certifications granted in accordance with Article 42(7);

(p) develop and publish the accreditation criteria for a code-of-conduct monitoring body in accordance with Article 41 and a certification body in accordance with Article 43;

(q) coordinate the accreditation procedure of a code-of-conduct monitoring body in accordance with Article 41 and a certification body in accordance with Article 43;

(r) authorise the contractual clauses and provisions referred to in Article 46(3);

(s) approve the binding corporate rules in accordance with Article 47;

(t) contribute to the activities of the Committee;

(u) keep internal records of infringements of this Regulation and of measures taken, in particular warnings issued and penalties imposed in accordance with Article 58(2); and

(v) perform any other tasks related to the protection of personal data.

  2. Each supervisory authority shall facilitate the submission of complaints referred to in point (f) of paragraph 1 by measures such as a complaint submission form which can also be completed electronically, without excluding other means of communication.
  3. The performance of the tasks of each supervisory authority shall be free of charge for the data subject and, where applicable, for the data protection officer.
  4. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the supervisory authority may charge a reasonable fee based on administrative costs, or refuse to act on the request. The supervisory authority shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

Article 58

Powers

  1. Each supervisory authority shall have all of the following investigative powers:

(a) to order the controller and the processor, and, where applicable, the controller’s or the processor’s representative to provide any information it requires for the performance of its tasks;

(b) to carry out investigations in the form of data protection audits;

(c) to carry out a review of the certifications granted pursuant to Article 42(7);

(d) to notify the controller or the processor of an alleged infringement of this Regulation;

(e) to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks;

(f) to obtain access to any of the premises of the controller and the processor, including any equipment and means of data processing, in accordance with Union or national procedural law.

  2. Each supervisory authority shall have all of the following corrective powers:

(a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;

(b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;

(c) to order the controller or the processor to comply with the data subject’s requests to exercise his or her rights pursuant to this Regulation;

(d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;

(e) to oblige the controller to inform the data subject of a breach of the protection of personal data;

(f) to impose a temporary or definitive limitation, including a prohibition on processing;

(g) to order the rectification or deletion of personal data or the restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to the recipients to whom the personal data have been disclosed, in accordance with Article 17(2) and Article 19;

(h) to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;

(i) to impose administrative fines in accordance with Article 83, in addition to or in place of the measures referred to in this paragraph, depending on the circumstances of each individual case;

(j) to order the suspension of data flows to a recipient from a third country or to an international organisation.

  3. Each supervisory authority shall have all of the following authorisation and advisory powers:

(a) to advise the controller in accordance with the prior consultation procedure referred to in Article 36;

(b) to issue opinions, on its own initiative or on request, to the national parliament, the Government of the Member State or, in accordance with national law, to other institutions and bodies, as well as to the public, on any matter relating to the protection of personal data;

(c) to authorise the processing referred to in Article 36(5), where the law of the Member State provides for such prior authorisation;

(d) to deliver an opinion and approve draft codes of conduct in accordance with Article 40(5);

(e) to accredit certification bodies in accordance with Article 43;

(f) to issue certifications and approve certification criteria in accordance with Article 42(5);

(g) to adopt the standard data protection clauses referred to in Article 28(8) and Article 46(2)(d);

(h) to authorise the contractual clauses referred to in Article 46(3)(a);

(i) to authorise the administrative arrangements referred to in point (b) of Article 46(3); and

(j) to approve binding corporate rules in accordance with Article 47.

  4. The exercise of the powers conferred on the supervisory authority under this Article shall be subject to appropriate safeguards, including effective judicial remedies and fair trials, provided for in Union and national law in accordance with the Charter.
  5. Each Member State shall provide, by legislative means, that its supervisory authority has the power to bring before the judicial authorities cases of infringement of this Regulation and, where appropriate, to initiate or otherwise engage in judicial proceedings in order to ensure the application of the provisions of this Regulation.
  6. Each Member State may provide in its law that its supervisory authority has additional powers, other than those referred to in paragraphs 1, 2 and 3. The exercise of these powers does not affect the efficient operation of Chapter VII.

Article 59

Activity Reports

Each supervisory authority shall draw up an annual report on its activities, which may include a list of the types of infringements notified and the types of measures taken in accordance with Article 58(2). The reports shall be forwarded to the national parliament, the government and other authorities designated by national law. They shall be made available to the public, the Commission and the Committee.

CHAPTER VII

Cooperation and coherence

Section 1

Cooperation

Article 60

Cooperation between the lead supervisory authority and the other supervisory authorities concerned

  1. The lead supervisory authority shall cooperate with the other supervisory authorities concerned, in accordance with this Article, in an attempt to reach a consensus. The lead supervisory authority and the supervisory authorities concerned shall communicate to each other all relevant information.
  2. The lead supervisory authority may at any time request other supervisory authorities concerned to provide mutual assistance pursuant to Article 61 and may carry out joint operations pursuant to Article 62, in particular with a view to investigating or monitoring the implementation of a measure relating to an operator or processor established in another Member State.
  3. The lead supervisory authority shall communicate without delay the relevant information on this matter to the other supervisory authorities concerned. The lead supervisory authority shall without delay forward a draft decision to the other supervisory authorities concerned in order to obtain their opinion and shall take due account of their views.
  4. Where any of the other supervisory authorities concerned expresses, within four weeks of being consulted in accordance with paragraph 3 of this Article, a relevant and reasoned objection to the draft decision, the lead supervisory authority shall, if it does not follow the relevant and reasoned objection or considers that the objection is not relevant or reasoned, refer the matter to the mechanism for ensuring consistency referred to in Article 63.
  5. Where the lead supervisory authority intends to give effect to the relevant and reasoned objection raised, it shall forward to the other supervisory authorities concerned a revised draft decision in order to obtain their opinion. This revised draft decision shall be subject to the procedure referred to in paragraph 4 for a period of two weeks.
  6. Where none of the other supervisory authorities concerned has objected to the draft decision submitted by the lead supervisory authority within the time limits referred to in paragraphs 4 and 5, the lead supervisory authority and the supervisory authorities concerned shall be deemed to agree with that draft decision, which shall become binding on them.
  7. The lead supervisory authority shall take the decision and notify it to the head office or sole head office of the controller or processor, as appropriate, and shall inform the other supervisory authorities concerned and the Committee of the decision in question, including a summary of the relevant elements and reasons. The supervisory authority with which the complaint was lodged shall inform the complainant of the decision.
  8. By way of derogation from paragraph 7, where a complaint is refused or rejected, the supervisory authority with which the complaint was lodged shall take its decision, notify it to the complainant and inform the controller thereof.
  9. Where the lead supervisory authority and the supervisory authorities concerned agree to refuse or reject certain parts of a complaint and to act on other parts of that complaint, a separate decision shall be taken for each of those parts. The lead supervisory authority shall take the decision for the part concerning actions in relation to the controller, notify it to the head office or sole seat of the controller or processor in the territory of the Member State concerned and inform the complainant thereof, while the supervisory authority of the complainant shall take the decision for the part concerning the refusal or rejection of that complaint, notify it to the complainant and inform the controller or processor thereof.
  10. Following notification of the decision of the lead supervisory authority pursuant to paragraphs 7 and 9, the controller or processor shall take the necessary measures to ensure that the processing activities are in accordance with the decision in all its premises in the Union. The controller or processor shall notify the measures taken to comply with the decision to the lead supervisory authority, which shall inform the other supervisory authorities concerned.
  11. Where, in exceptional circumstances, a supervisory authority concerned has reason to believe that there is an urgent need to act in order to protect the interests of data subjects, the emergency procedure laid down in Article 66 shall apply.
  12. The lead supervisory authority and the other supervisory authorities concerned shall provide each other with the information required under this Article, electronically, using a standard form.

Article 61

Mutual assistance

  1. Supervisory authorities shall provide each other with relevant information and assistance in order to implement this Regulation in a coherent manner and shall establish effective cooperation measures between them. Mutual assistance shall relate in particular to requests for information and surveillance measures, such as requests for authorisations and prior consultations, inspections and investigations.
  2. Each supervisory authority shall take all appropriate measures necessary to respond to a request from another supervisory authority without undue delay and not later than one month after the date of receipt of the request. Such measures may include, in particular, the transmission of relevant information on the conduct of an investigation.
  3. Requests for assistance shall contain all the necessary information, including the purpose of the request and the reasons for it. The information exchanged shall be used only for the purpose for which it was requested.
  4. The requested supervisory authority shall not refuse to comply with the request unless:

(a) it has no jurisdiction over the subject-matter of the request or the measures it is requested to execute; or

(b) compliance with the request would infringe this Regulation or the Union or national law to which the requested supervisory authority is subject.

  5. The supervisory authority to which the request has been addressed shall inform the supervisory authority which forwarded the request of the results or, where appropriate, of the progress made or the measures taken to respond to the request. The requested supervisory authority shall give reasons for each refusal to comply with the request pursuant to paragraph 4.
  6. As a rule, the requested supervisory authorities shall provide the information requested by other supervisory authorities electronically using a standard form.
  7. The requested supervisory authorities shall not charge any fee for their actions undertaken on the basis of a request for mutual assistance. Supervisory authorities may agree on rules on mutual remuneration in the case of specific expenditure resulting from the granting of mutual assistance in exceptional circumstances.
  8. Where a supervisory authority does not provide the information referred to in paragraph 5 of this Article within one month of receipt of the request from another supervisory authority, the requesting supervisory authority may adopt a provisional measure in the territory of its own Member State in accordance with Article 55(1). In this case, the urgent need to act pursuant to Article 66(1) shall be deemed to have been fulfilled and shall require an urgent binding decision by the Committee in accordance with Article 66(2).
  9. The Commission may, by means of an implementing act, specify the form and procedures for mutual assistance referred to in this Article and the arrangements for the exchange of information electronically between supervisory authorities and between supervisory authorities and the Committee, in particular the standard form referred to in paragraph 6 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

Article 62

Joint operations of supervisory authorities

  1. Where appropriate, supervisory authorities shall carry out joint operations, including joint investigations and joint law enforcement measures, involving members or staff from supervisory authorities of other Member States.
  2. Where the controller or processor has premises in more than one Member State or where a significant number of data subjects in more than one Member State are likely to be significantly affected by processing operations, a supervisory authority in each of those Member States shall be entitled to participate in joint operations. The supervisory authority which is competent in accordance with Article 56(1) or (4) shall invite the supervisory authorities of each of those Member States to take part in those joint operations and shall respond without delay to the request for participation of a supervisory authority.
  3. A supervisory authority may, in accordance with national law and with the agreement of the supervisory authority of the home Member State, grant powers, including investigative powers, to members or staff of the home Member State’s supervisory authority involved in joint operations or, in so far as the law of the Member State of the receiving supervisory authority so permits, may authorise members or staff of the supervisory authority of the home Member State to exercise their investigative powers in accordance with the law of the home Member State. Such investigative powers may be exercised only under the coordination and in the presence of members or staff of the supervisory authority of the receiving Member State. Members or staff of the supervisory authority of the home Member State shall be subject to the national law of the receiving Member State.
  4. Where, in accordance with paragraph 1, the staff of a supervisory authority of the home Member State are active in another Member State, the receiving Member State shall assume responsibility for the actions of the staff concerned, including liability for any damage caused by the members of that staff in the course of their operations, in accordance with the law of the Member State in whose territory they operate.
  5. The Member State in whose territory the damage has occurred shall remedy such damage under the conditions applicable to damage caused by its own staff. The home Member State of the supervisory authority whose staff has caused damage to a person in the territory of another Member State shall reimburse that other Member State for all the sums it has paid to persons entitled on their behalf.
  6. Without prejudice to the exercise of its rights vis-à-vis third parties and with the exception of paragraph 5, each Member State shall refrain, in the case referred to in paragraph 1, from claiming compensation from another Member State for the damage referred to in paragraph 4.
  7. Where a joint operation is planned and a supervisory authority does not comply, within one month, with the obligation laid down in the second sentence of paragraph 2 of this Article, the other supervisory authorities may adopt a provisional measure in the territory of the Member State of that authority in accordance with Article 55. In this case, the urgent need to act pursuant to Article 66(1) shall be deemed to have been fulfilled and shall require an urgent opinion or an urgent binding decision by the Committee in accordance with Article 66(2).

Section 2

Ensuring consistency

Article 63

Mechanism for ensuring consistency

In order to contribute to the coherent application of this Regulation throughout the Union, supervisory authorities shall cooperate with each other and, where appropriate, with the Commission through the Coherence Mechanism as provided for in this section.

Article 64

Opinion of the Committee

  1. The Committee shall deliver an opinion whenever a competent supervisory authority intends to take any of the following measures. To this end, the competent supervisory authority shall communicate the draft decision to the Committee when:

(a) aims to adopt a list of processing operations subject to the requirement to carry out a data protection impact assessment in accordance with Article 35(4);

(b) in accordance with Article 40(7), refers to the compliance with this Regulation of a draft code of conduct or an amendment or extension of a code of conduct;

(c) aims to approve the criteria for the accreditation of a body in accordance with Article 41(3) or a certification body in accordance with Article 43(3);

(d) aims to determine the standard data protection clauses referred to in Article 46(2)(d) or Article 28(8);

(e) aims to authorise the contractual clauses referred to in Article 46(3)(a); Or

(f) aims to approve binding corporate rules within the meaning of Article 47.

  2. Any supervisory authority, the chairman of the committee or the Commission may require that any matter of general application or which takes effect in more than one Member State be examined by the Committee for an opinion, in particular where a competent supervisory authority fails to comply with the obligations relating to mutual assistance in accordance with Article 61 or on joint operations in accordance with Article 62.
  3. In the cases referred to in paragraphs 1 and 2, the Committee shall deliver an opinion on the matter before it, provided that it has not already delivered an opinion on the same matter. That opinion shall be delivered within eight weeks by a simple majority of the members of the Committee. This period may be extended by six weeks, taking into account the complexity of the matter. With regard to the draft decision referred to in paragraph 1 submitted to the members of the Committee in accordance with paragraph 5, a member who has not raised objections within a reasonable time indicated by the Chairman shall be deemed to agree with the draft decision.

  4. The supervisory authorities and the Commission shall communicate electronically to the Committee, without undue delay, by means of a standard form, any relevant information, including, where appropriate, a summary of the facts, the draft decision, the reasons for the adoption of such a measure and the views of the other supervisory authorities concerned.
  5. The Chairman of the Committee shall inform electronically, without undue delay:

(a) the members of the Committee and the Commission of any relevant information communicated to it using a standard form. The Secretariat of the Committee shall provide translations of the relevant information where necessary; and

(b) the supervisory authority referred to, as appropriate, in paragraphs 1 and 2, and the Commission of the opinion, and shall publish it.

  6. The competent supervisory authority shall not adopt its draft decision referred to in paragraph 1 within the time limit referred to in paragraph 3.
  7. The supervisory authority referred to in paragraph 1 shall take full account of the opinion of the Committee and shall communicate electronically to the Chairman of the Committee, within two weeks of receipt of the opinion, whether it will retain or amend its draft decision and, where appropriate, forward the amended draft decision using a standard form.
  8. Where the supervisory authority concerned informs the chairman of the Committee within the time limit referred to in paragraph 7 of this Article that it intends not to comply with the opinion of the Committee, in whole or in part, giving the relevant reasons, Article 65(1) shall apply.

Article 65

Dispute resolution by the Committee

  1. In order to ensure the correct and consistent application of this Regulation in individual cases, the Committee shall adopt a binding decision in the following cases:

(a) where, in one of the cases referred to in Article 60(4), a supervisory authority concerned has raised a relevant and reasoned objection to a draft decision of the lead authority or the lead authority has rejected such an objection as not relevant or reasoned. The binding decision shall cover all matters covered by the relevant and reasoned objection, in particular the question whether this Regulation has been infringed;

(b) where there are divergent views as to which of the supervisory authorities concerned has jurisdiction over the head office;

(c) where a competent supervisory authority does not seek the opinion of the Committee in the cases referred to in Article 64(1) or does not take account of the opinion of the Committee delivered pursuant to Article 64. In this case, any supervisory authority concerned or the Commission may communicate the matter to the Committee.

  2. The decision referred to in paragraph 1 shall be taken within one month of the submission of the matter by a two-thirds majority of the members of the Committee. This period may be extended by one month, taking into account the complexity of the matter. The decision referred to in paragraph 1 shall be reasoned and addressed to the lead supervisory authority and to all the supervisory authorities concerned, and shall be binding on them.
  3. If the Committee has not been able to adopt a decision within the time limits referred to in paragraph 2, it shall take its decision within two weeks of the expiry of the second month referred to in paragraph 2 by a simple majority of its members. Where the members of the Committee have divergent views in equal proportions, the decision shall be taken by a vote of the Chairman.
  4. The supervisory authorities concerned shall not take a decision on the matter submitted to the Committee in accordance with paragraph 1 within the time limits referred to in paragraphs 2 and 3.
  5. The Chairman of the Committee shall notify, without undue delay, the decision referred to in paragraph 1 to the supervisory authorities concerned. The Committee shall inform the Commission thereof. The decision shall be published on the committee’s website without delay after notification by the supervisory authority of the final decision referred to in paragraph 6.
  6. The lead supervisory authority or, where appropriate, the supervisory authority with which the complaint was lodged shall take its final decision on the basis of the decision referred to in paragraph 1 of this Article, without undue delay and not later than one month after notification by the Committee of its decision. The lead supervisory authority or, where appropriate, the supervisory authority with which the complaint was lodged shall inform the Committee of the date on which its final decision is notified to the controller or processor and the data subject respectively. The final decision of the supervisory authorities concerned shall be taken in accordance with the conditions laid down in Article 60(7), (8) and (9). The final decision shall refer to the decision referred to in paragraph 1 of this Article and shall specify that the decision referred to in that paragraph shall be published on the committee’s website in accordance with paragraph 5. The decision referred to in paragraph 1 of this Article shall be attached to the final decision.

Article 66

Emergency procedure

  1. In exceptional circumstances, where a supervisory authority concerned considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, it may, by way of derogation from the mechanism for ensuring consistency referred to in Articles 63, 64 and 65 or from the procedure referred to in Article 60, immediately adopt provisional measures designed to produce legal effects in its own territory , with a fixed period of validity not exceeding three months. The supervisory authority shall communicate these measures without delay and the reasons for their adoption to the other supervisory authorities concerned, the Committee and the Commission.
  2. Where a supervisory authority has adopted a measure pursuant to paragraph 1 and considers that definitive measures are urgently necessary, it may request an urgent opinion or an urgent binding decision from the Committee, indicating the reasons for such request.
  3. Any supervisory authority may request an emergency opinion or an urgent binding decision, as appropriate, from the Committee where a competent supervisory authority has not taken appropriate action in a situation where there is an urgent need to act to protect the rights and freedoms of data subjects, indicating the reasons for requesting such an opinion or decision , including the urgent need to act.
  4. By way of derogation from Article 64(3) and Article 65(2), an urgent opinion or an urgent binding decision referred to in paragraphs 2 and 3 of this Article shall be adopted within two weeks by a simple majority of the members of the Committee.

Article 67

Exchange of information

The Commission may adopt implementing acts with a general scope to define the arrangements for the electronic exchange of information between supervisory authorities and between supervisory authorities and the Committee, in particular the standard form referred to in Article 64.

Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

Section 3

European Data Protection Committee

Article 68

European Data Protection Committee

  1. The European Data Protection Board (‘the Committee’) shall be established as a Body of the Union and shall have legal personality.
  2. The Committee shall be represented by its chairman.
  3. The Committee shall be composed of the head of a supervisory authority in each Member State and the European Data Protection Supervisor or their respective representatives.
  4. Where more than one supervisory authority in a Member State is responsible for monitoring the application of the provisions adopted pursuant to this Regulation, a common representative shall be appointed in accordance with the national law of that Member State.
  5. The Commission shall have the right to participate in the activities and meetings of the Committee without the right to vote. The Commission shall appoint a representative. The Chairman of the Committee shall communicate the activities of the Committee to the Commission.
  6. In the cases referred to in Article 65, the European Data Protection Supervisor shall have the right to vote only on decisions concerning the principles and rules applicable to Union institutions, bodies, offices and agencies which correspond in substance to those of this Regulation.

Article 69

Independence

  1. The Committee shall act independently in the performance of its tasks or in the exercise of its powers in accordance with Articles 70 and 71.
  2. Without prejudice to requests from the Commission referred to in Article 70(1)(b) and Article 70(2), the Committee, in the performance of its tasks or in the exercise of its powers, shall not seek or accept instructions from any external party.

Article 70

Tasks of the Committee

  1. The Committee shall ensure the consistent application of this Regulation. To that end, on its own initiative or, where appropriate, at the request of the Commission, the Committee shall, in particular, have the following tasks:

(a) monitor and ensure the correct application of this Regulation, in the cases referred to in Articles 64 and 65, without prejudice to the tasks of the national supervisory authorities;

(b) advise the Commission on any matter relating to the protection of personal data within the Union, including any proposal to amend this Regulation;

(c) advise the Commission on the format and procedures for the exchange of information between operators, processors and supervisory authorities for binding corporate rules;

(d) issue guidelines, recommendations and best practices on procedures for the erasure of links to, copies or reproductions of personal data from publicly available communication services, as referred to in Article 17(2);

(e) examine, on its own initiative, at the request of one of its members or at the request of the Commission, any matter relating to the application of this Regulation and issue guidelines, recommendations and best practices in order to encourage the coherent application of this Regulation;

(f) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph with a view to detailing the criteria and conditions for decisions based on the profiling referred to in Article 22(2);

(g) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing a personal data breach and determining the undue delay referred to in Article 33(1) and (2), as well as for the particular circumstances in which a controller or processor is required to notify the personal data breach;

(h) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph as regards the circumstances in which a personal data breach is likely to give rise to a high risk to the rights and freedoms of natural persons referred to in Article 34(1);

(i) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph in order to detail the criteria and requirements applicable to transfers of personal data based on binding corporate rules to be complied with by operators and those to be complied with by processors, as well as on additional requirements necessary to ensure the protection of the personal data of the persons referred to in Article 47;

(j) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph with a view to detailing the criteria and requirements for transfers of personal data referred to in Article 49(1);

(k) draw up guidelines for supervisory authorities on the application of the measures referred to in Article 58(1), (2) and (3) and establish administrative fines in accordance with Article 83;

(l) review the practical application of the guidelines, recommendations and best practices referred to in points (e) and (f);

(m) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph with a view to establishing common procedures for the reporting by natural persons of infringements of this Regulation in accordance with Article 54(2);

(n) encourage the development of codes of conduct and the establishment of certification mechanisms, as well as seals and marks in the field of data protection, in accordance with Articles 40 and 42;

(o) carry out the accreditation of certification bodies and the periodic review of accreditation in accordance with Article 43 and keep a public register of accredited bodies in accordance with Article 43(6) and of accredited operators or accredited processors established in third countries in accordance with Article 42(7);

(p) specify the requirements referred to in Article 43(3) with a view to the accreditation of the certification bodies referred to in Article 42;

(q) submit to the Commission an opinion on the certification requirements referred to in Article 43(8);

(r) submit to the Commission an opinion on the pictograms referred to in Article 12(7);

(s) submit to the Commission an opinion to assess the adequacy of the level of protection in a third country or an international organisation, including to determine whether a third country, territory, or one or more specified sectors of that third country, or an international organisation no longer provides an adequate level of protection. To this end, the Commission shall make available to the Committee all the necessary documentation, including correspondence with the public authorities of the third country, in respect of that third country, territory or sector, or with the international organisation;

(t) issue opinions on draft decisions of supervisory authorities in accordance with the mechanism for ensuring consistency referred to in Article 64(1), on matters submitted in accordance with Article 64(2), and issue binding decisions pursuant to Article 65, including in the cases referred to in Article 66;

(u) promote effective bilateral and multilateral cooperation and exchange of information and best practices between supervisory authorities;

(v) promote joint training programmes and facilitate exchanges of staff between supervisory authorities and, where appropriate, with supervisory authorities of third countries or international organisations;

(w) promote the exchange of knowledge and documents on data protection legislation and practices with data protection supervisors worldwide;

(x) issue opinions on codes of conduct developed at Union level pursuant to Article 40(9); and

(y) keep an electronic register accessible to the public with decisions taken by supervisory authorities and courts on matters dealt with under the consistency mechanism.

  2. Where the Commission consults the Committee, it may indicate a time limit, taking into account the urgency of the matter.
  3. The Committee shall forward its opinions, guidelines, recommendations and best practices to the Commission and the Committee referred to in Article 93 and shall make them public.
  4. Where appropriate, the Committee shall consult interested parties and give them the opportunity to comment within a reasonable time. Without prejudice to the provisions of Article 76, the Committee shall publish the results of the consultation procedure.

Article 71

Reports

  1. The Committee shall draw up an annual report on the protection of natural persons with regard to processing in the Union and, where relevant, in third countries and international organisations. The report shall be made available to the public and forwarded to the European Parliament, the Council and the Commission.
  2. The annual report shall include a review of the practical application of the guidelines, recommendations and best practices referred to in Article 70(1)(l) and of the binding decisions referred to in Article 65.

Article 72

Procedure

  1. The Committee shall take decisions by a simple majority of its members, unless otherwise provided for in this Regulation.
  2. The Committee shall adopt its own rules of procedure by a two-thirds majority of its members and shall organise its own operating mechanisms.

Article 73

President

  1. The Committee shall elect a chairman and two vice-chairmen from among its members by a simple majority.
  2. The term of office of the President and Vice-Presidents shall be five years and may be renewed once.

Article 74

Tasks of the President

  1. The President shall have the following tasks:

(a) convene meetings of the Committee and set the agenda;

(b) notify the decisions taken by the Committee in accordance with Article 65 to the main supervisory authority and the supervisory authorities concerned;

(c) ensure that the tasks of the Committee are carried out in a timely way, in particular as regards the mechanism for ensuring consistency referred to in Article 63.

  2. The Committee shall determine in its rules of procedure the division of tasks between the President and the Vice-Presidents.

Article 75

Secretariat

  1. The Committee shall have a secretariat, which shall be provided by the European Data Protection Supervisor.
  2. The Secretariat shall carry out its tasks solely on the instructions of the President of the Committee.
  3. The staff of the European Data Protection Supervisor involved in the performance of the tasks conferred on the Committee under this Regulation shall be subject to separate reporting lines in relation to the staff involved in the performance of the tasks conferred on the European Data Protection Supervisor.
  4. Where appropriate, the Committee and the European Data Protection Supervisor shall draw up and publish a Memorandum of Understanding for the implementation of this Article setting out the conditions for cooperation and applying to the staff of the European Data Protection Supervisor involved in the performance of the tasks conferred on the Committee under this Regulation.
  5. The Secretariat shall provide analytical, administrative and logistical support to the Committee.
  6. The Secretariat shall be responsible in particular for the following:

(a) the day-to-day management of the work of the Committee;

(b) communication between the members of the Committee, its President and the Commission;

(c) communication with other institutions and the public;

(d) the use of electronic means for internal and external communication;

(e) translation of the relevant information;

(f) preparing and monitoring follow-up to committee meetings;

(g) the preparation, drafting and publication of opinions, decisions on the settlement of disputes between supervisory authorities and other texts adopted by the Committee.

Article 76

Confidentiality

  1. Discussions within the Committee shall be confidential if the Committee considers this necessary in accordance with its rules of procedure.
  2. Access to documents submitted to members of the Committee, experts and representatives of third parties shall be governed by Regulation (EC) No 1049/2001 of the European Parliament and of the Council (21).

CHAPTER VIII

Remedies, liability and sanctions

Article 77

Right to lodge a complaint with a supervisory authority

  1. Without prejudice to any other administrative or judicial remedies, any data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State in which he or she is habitually resident, where his or her place of employment is situated or where the alleged infringement has taken place, if he or she considers that the processing of personal data relating to him or her is in breach of this Regulation.
  2. The supervisory authority with which the complaint was lodged shall inform the complainant of the progress and outcome of the complaint, including the possibility of a judicial remedy under Article 78.

Article 78

Right to an effective judicial remedy against a supervisory authority

  1. Without prejudice to any other administrative or non-judicial remedies, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning him or her.
  2. Without prejudice to any other administrative or non-judicial remedies, each data subject shall have the right to exercise an effective judicial remedy if the supervisory authority which is competent under Articles 55 and 56 does not deal with a complaint or inform the data subject within three months of the progress or resolution of the complaint lodged pursuant to Article 77.
  3. Actions brought against a supervisory authority shall be brought before the courts of the Member State in which the supervisory authority is established.
  4. Where proceedings are brought against a decision of a supervisory authority which has been preceded by an opinion or decision of the Committee within the framework of the consistency mechanism, the supervisory authority shall forward that opinion or decision to the Court.

Article 79

Right to an effective judicial remedy against a controller or processor

  1. Without prejudice to any available administrative or non-judicial remedies, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy if he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in breach of this Regulation.
  2. Actions brought against a controller or processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such an action may be brought before the courts of the Member State in which the data subject is habitually resident, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.

Article 80

Representation of data subjects

  1. The data subject shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with national law, whose statutory objectives are in the public interest and which is active in the protection of the rights and freedoms of data subjects with regard to the protection of their personal data, to lodge the complaint on his or her behalf, to exercise on his or her behalf the rights referred to in Articles 77, 78 and 79, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf, where provided for by national law.
  2. Member States may provide that any body, organisation or association referred to in paragraph 1 of this Article, irrespective of the mandate of a data subject, shall have the right to lodge a complaint in that Member State with the supervisory authority which is competent under Article 77 and to exercise the rights referred to in Articles 78 and 79 if it considers that the rights of a data subject under this Regulation have been infringed as a result of processing.

Article 81

Suspension of proceedings

  1. Where a competent court of a Member State has information that proceedings concerning the same subject matter as regards processing by the same controller or processor are pending before a court of another Member State, it shall contact that court in the other Member State to confirm the existence of such proceedings.
  2. Where proceedings concerning the same subject matter as regards processing by the same controller or processor are pending before a court of another Member State, any competent court other than the court first seised may stay the proceedings before it.
  3. Where such an action is heard at first instance, any court subsequently seised may also, at the request of one of the parties, decline jurisdiction, provided that that action falls within the jurisdiction of the court first seised and that the law applicable to it allows the proceedings to be joined.

Article 82

Right to compensation and liability

  1. Any person who has suffered material or moral damage as a result of an infringement of this Regulation shall be entitled to obtain compensation from the controller or the processor for the damage suffered.
  2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with the obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to the lawful instructions of the controller.
  3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.
  4. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and are, under paragraphs 2 and 3, responsible for any damage caused by the processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.
  5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.
  6. Actions in the exercise of the right to recover compensation paid shall be brought before the competent courts under the law of the Member State referred to in Article 79(2).

Article 83

General conditions for imposing administrative fines

  1. Each supervisory authority shall ensure that the imposition of administrative fines in accordance with this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 is, in each case, effective, proportionate and dissuasive.
  2. Depending on the circumstances of each individual case, administrative fines shall be imposed in addition to or in place of the measures referred to in Article 58(2)(a) to (h) and (j). When deciding whether to impose an administrative fine and the decision on the amount of the administrative fine in each individual case, due consideration shall be given to the following aspects:

(a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question, the number of data subjects affected and the level of damage suffered by them;

(b) whether the infringement was committed intentionally or negligently;

(c) any actions taken by the controller or processor to reduce the damage suffered by the data subject;

(d) the degree of responsibility of the controller or processor taking into account the technical and organisational measures implemented by them pursuant to Articles 25 and 32;

(e) any relevant previous infringements committed by the controller or processor;

(f) the degree of cooperation with the supervisory authority to remedy the infringement and mitigate the possible negative effects of the infringement;

(g) the categories of personal data affected by the infringement;

(h) the manner in which the infringement was brought to the attention of the supervisory authority, in particular whether and to what extent the controller or processor notified the infringement;

(i) where the measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned in respect of the same object, compliance with those measures;

(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits acquired or losses directly or indirectly avoided from the infringement.

  3. If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.
  4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines of up to EUR 10 000 000 or, in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

(a) the obligations of the controller and the processor in accordance with Articles 8, 11, 25-39, 42 and 43;

(b) the obligations of the certification body in accordance with Articles 42 and 43;

(c) the obligations of the monitoring body in accordance with Article 41(4).

  5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines of up to EUR 2000 000 or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

(a) the basic principles for processing, including conditions of consent, in accordance with Articles 5, 6, 7 and 9;

(b) the rights of data subjects in accordance with Articles 12 to 22;

(c) transfers of personal data to a recipient in a third country or an international organisation in accordance with Articles 44 to 49;

(d) any obligations under national law adopted pursuant to Chapter IX;

(e) non-compliance with a temporary or definitive order or limitation on processing, or suspension of data flows, issued by the supervisory authority pursuant to Article 58(2), or failure to grant access, in breach of Article 58(1).

  6. Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines of up to EUR 20 000 000 or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
  7. Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.
  8. The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and national law, including effective judicial remedy and due process.
  9. Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent supervisory authority and imposed by competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. Those Member States shall notify the Commission of the provisions of their laws which they adopt pursuant to this paragraph by 25 May 2018 and, without delay, of any subsequent amendment law or amendment affecting them.

Article 84

Penalties

  1. Member States shall lay down rules on other penalties applicable in the event of infringements of this Regulation, in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all necessary measures to ensure that they are implemented. Those penalties shall be effective, proportionate and dissuasive.
  2. Each Member State shall inform the Commission of the provisions of national law which it adopts pursuant to paragraph 1 by 25 May 2018 and, without delay, of any subsequent amendments thereto.

CHAPTER IX

Provisions relating to specific processing situations

Article 85

Processing and freedom of expression and information

  1. By means of national law, Member States shall strike a balance between the right to the protection of personal data under this Regulation and the right to freedom of expression and information, including processing for journalistic purposes or for the purpose of academic, artistic or literary expression.
  2. For processing carried out for journalistic purposes or for the purposes of academic, artistic or literary expression, Member States shall provide for exemptions or derogations from Chapter II (principles), Chapter III (rights of the data subject), Chapter IV (controller and processor), Chapter V (transfer of personal data to third countries or international organisations), Chapter VI (independent supervisory authorities), Chapter VII (cooperation and consistency) and Chapter IX (specific data processing situations) where they are necessary to reconcile the right to the protection of personal data with the freedom of expression and information.
  3. Each Member State shall inform the Commission of the provisions of national law which it has adopted pursuant to paragraph 2 and, without delay, of any legislative act amending or subsequent amendment thereto.

Article 86

Processing and public access to official documents

Personal data from official documents held by a public authority or a public or private body for the performance of a task serving the public interest may be disclosed by that authority or body in accordance with Union law or national law to which the authority or body falls, in order to establish a balance between public access to official documents and the right to the protection of personal data under this Regulation.

Article 87

Processing of a national identification number

Member States may further detail the specific conditions for processing a national identification number or any other identifier of general application. In this case, the national identification number or any other identifier of general application shall be used only on the basis of appropriate safeguards for the rights and freedoms of the data subject under this Regulation.

Article 88

Processing in the context of employment

  1. Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees' personal data in the employment context, in particular for the purposes of recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of the employer's or customer's property, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.
  2. These rules shall include appropriate and specific measures to ensure the human dignity, legitimate interests and fundamental rights of data subjects, in particular as regards transparency of processing, the transfer of personal data within a group of undertakings or a group of undertakings involved in a common economic activity and monitoring systems at work.
  3. Each Member State shall inform the Commission of the provisions of national law which it adopts pursuant to paragraph 1 by 25 May 2018 and, without delay, of any subsequent amendments thereto.

Article 89

Guarantees and derogations for processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes

  1. Processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes shall take place provided that adequate safeguards are in place, in accordance with this Regulation, for the rights and freedoms of data subjects. Those guarantees shall ensure that the necessary technical and organisational measures have been put in place to ensure, in particular, compliance with the principle of data minimisation. Those measures may include pseudonymisation, provided that those purposes are fulfilled in this way. Where those purposes can be achieved by further processing which does not permit or no longer permit the identification of data subjects, those purposes shall be achieved in this way.
  2. Where personal data are processed for scientific or historical research purposes or for statistical purposes, Union or national law may provide for derogations from the rights referred to in Articles 15, 16, 18 and 21, subject to the conditions and safeguards laid down in paragraph 1 of this Article, in so far as those rights are likely to render impossible or seriously impair the achievement of the specific purposes, and those derogations are necessary for the fulfilment of those purposes.
  3. Where personal data are processed for archiving purposes in the public interest, Union or national law may provide for derogations from the rights referred to in Articles 15, 16, 18, 19, 20 and 21, subject to the conditions and safeguards laid down in paragraph 1 of this Article, in so far as those rights are likely to render impossible or seriously impair the achievement of the specific purposes, and those derogations are necessary for the fulfilment of those purposes.
  4. Where the processing referred to in paragraphs 2 and 3 serves at the same time as another purpose, the derogations shall apply only to processing for the purposes referred to in those paragraphs.

Article 90

Confidentiality obligations

  1. Member States may adopt specific rules to set out the powers of the supervisory authorities laid down in Article 58(1)(e) and (f) in relation to controllers or processors that are subject, under Union or national law or rules established by national competent bodies, to an obligation of professional secrecy or other equivalent obligations of secrecy, where this is necessary and proportionate to reconcile the right to the protection of personal data with the obligation of secrecy. Those rules shall apply only with regard to personal data which the controller or processor has received as a result of or has obtained in an activity covered by that obligation of secrecy.
  2. Each Member State shall notify the Commission of the rules adopted pursuant to paragraph 1 by 25 May 2018 and, without delay, any subsequent amendments thereto.

Article 91

Existing data protection rules for churches and religious associations

  1. Where, in a Member State, churches and associations or religious communities apply, on the date of entry into force of this Regulation, a comprehensive set of rules for the protection of natural persons with regard to processing, such rules may continue to apply, provided that they are aligned with this Regulation.
  2. Churches and religious associations applying a comprehensive set of rules in accordance with paragraph 1 of this Article shall be subject to the supervision of an independent supervisory authority which may be specific, provided that they fulfil the conditions laid down in Chapter VI of this Regulation.

CHAPTER X

Delegated acts and implementing acts

Article 92

Exercise of delegation

  1. The power to adopt delegated acts shall be conferred on the Commission under the conditions laid down in this Article.
  2. The delegation of powers referred to in Article 12(8) and Article 43(8) shall be conferred on the Commission for an indefinite period from 24 May 2016.
  3. The delegation of powers referred to in Article 12(8) and Article 43(8) may be revoked at any time by the European Parliament or by the Council. A decision of revocation shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.
  4. As soon as the Commission adopts a delegated act, it shall simultaneously notify the European Parliament and the Council.
  5. A delegated act adopted in accordance with Article 12(8) and Article 43(8) shall enter into force only if neither the European Parliament nor the Council has raised objections within three months of its notification to the European Parliament and the Council, or if, before the expiry of that period, the European Parliament and the Council have informed the Commission that they will not object. That period shall be extended by three months on the initiative of the European Parliament or the Council.

Article 93

Committee procedure

  1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.
  2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.
  3. Where reference is made to this paragraph, Article 8 of Regulation (EU) No 182/2011, in conjunction with Article 5 thereof, shall apply.

CHAPTER XI

Final provisions

Article 94

Repeal of Directive 95/46/EC

  1. Directive 95/46/EC is repealed with effect from 25 May 2018.
  2. References to the repealed Directive shall be construed as references to this Regulation. References to the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Article 29 of Directive 95/46/EC shall be construed as references to the European Data Protection Committee established by this Regulation.

Article 95

Relationship with Directive 2002/58/EC

This Regulation does not impose additional obligations on natural or legal persons with regard to processing in connection with the provision of electronic communications services to the public in public communications networks in the Union, in respect of matters for which they have specific obligations with the same objective set out in Directive 2002/58/EC.

Article 96

Relationship with previously concluded agreements

International agreements involving the transfer of personal data to third countries or international organisations which were concluded by Member States prior to 24 May 2016, and which comply with Union law as applicable prior to that date, shall remain in force until amended, replaced or revoked.

Article 97

Commission reports

  1. By 25 May 2020 and every four years thereafter, the Commission shall submit a report on the evaluation and review of this Regulation to the European Parliament and to the Council. The reports shall be made public.
  2. In the context of the evaluations and revisions referred to in paragraph 1, the Commission shall examine in particular the application and functioning of:

(a) Chapter V on the transfer of personal data to third countries or international organisations, having regard in particular to decisions taken pursuant to Article 45(3) of this Regulation and decisions taken pursuant to Article 25(6) of Directive 95/46/EC;

(b) Chapter VII on cooperation and coherence.

  3. For the purpose of paragraph 1, the Commission may request information from Member States and supervisory authorities.
  4. In carrying out the evaluations and reviews referred to in paragraphs 1 and 2, the Commission shall take into account the positions and findings of the European Parliament, of the Council, and of other relevant bodies or sources.
  5. The Commission shall, if necessary, submit appropriate proposals to amend this Regulation, in particular taking into account developments in information technology and in the light of the state of progress in the information society.

Article 98

Review of other Union data protection legal acts

Where appropriate, the Commission shall submit legislative proposals to amend other Union legal acts on the protection of personal data with a view to ensuring uniform and consistent protection of natural persons with regard to processing. This concerns, in particular, the rules on the protection of natural persons with regard to processing by the institutions, bodies, offices and agencies of the Union and the rules on the free movement of such data.

Article 99

Entry into force and application

  1. This Regulation shall enter into force on the 20th day following its publication in the Official Journal of the European Union.
  2. This Regulation shall apply from 25 May 2018.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 27 April 2016.

For the European Parliament


President

Mr Schulz

For the Council

President

J.A. HENNIS-PLASSCHAERT

This website has been produced with the support of the European Union. The content of this website is the responsibility of the Maramureș County Council and does not necessarily reflect the official position of the European Union or the management structures of the Romania-Ukraine Joint Operational Program 2014-2021.
© 2020-2021 Maramureș County Council. All rights reserved.