GDPR

The text of the GDPR. The texts have been converted automatically – thank you for pointing out errors.

The assignment of the recitals to individual articles is not official and not clearly defined. The GDPR with recitals can be found as a PDF here, and the English version here.


Chapter I General provisions

Article 1 Subject matter and objectives

(1) This Regulation lays down rules on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

(2) This Regulation protects the fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data.

(3) The free movement of personal data within the Union may not be restricted or prohibited for reasons connected with the protection of individuals with regard to the processing of personal data.

Recitals

(1) The protection of individuals with regard to the processing of personal data is a fundamental right. Pursuant to Article 8(1) of the Charter of Fundamental Rights of the European Union (hereinafter “Charter”) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU), everyone has the right to the protection of personal data concerning him or her.

(2) The principles and rules relating to the protection of individuals with regard to the processing of their personal data should ensure that their fundamental rights and freedoms, and in particular their right to the protection of personal data, are respected, regardless of their nationality or residence. This Regulation should contribute to the completion of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and integration of economies within the internal market, and to the well-being of natural persons.

(3) The purpose of Directive 95/46/EC of the European Parliament and of the Council (4) is to harmonize the rules relating to the protection of fundamental rights and freedoms of natural persons with regard to the processing of data and to ensure the free flow of personal data between Member States.

(4) The processing of personal data should be in the service of humanity. The right to the protection of personal data is not an unlimited right; it must be seen in the light of its societal function and balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes all the freedoms and principles recognised by the Charter and reflected in the European Treaties, in particular respect for private and family life, home and communications, protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.

(5) Economic and social integration resulting from a functioning internal market has led to a significant increase in the cross-border flow of personal data. The Union-wide exchange of personal data between public and private actors, including individuals, associations and businesses, has increased. Union law requires Member State administrations to cooperate and exchange personal data in order to carry out their duties or to perform tasks for an authority of another Member State.

(6) Rapid technological developments and globalization have created new challenges for data protection. The extent to which personal data is collected and exchanged has increased dramatically. Technology makes it possible for private companies and government agencies to access personal data on an unprecedented scale as part of their operations. Increasingly, individuals are also making information publicly available worldwide. Technology has transformed economic and social life and is likely to further facilitate the movement of personal data within the Union and the transfer of data to third countries and international organizations, while ensuring a high level of data protection.

(7) These developments call for a solid, more coherent and clearly enforceable legal framework in the area of data protection in the Union, as it is of great importance to create a basis of trust, which the digital economy urgently needs in order to continue to grow in the single market. Natural persons should have control over their own data. Natural persons, the economy and the state should have more security in legal and practical terms.

(8) Where this Regulation provides for clarifications or restrictions of its provisions by the law of the Member States, Member States may incorporate parts of this Regulation into their national law to the extent necessary to ensure consistency and to make national law more comprehensible to the persons to whom it applies.

(9) The objectives and principles of Directive 95/46/EC are still valid, but the Directive has not prevented differences in the way data protection is handled in the Union, legal uncertainty or widespread public perception of significant risks to the protection of individuals, in particular in relation to the use of the Internet. Differences in the level of protection of the rights and freedoms of natural persons in relation to the processing of personal data in the Member States, in particular in the right to the protection of such data, may hinder the free flow of such data throughout the Union. These differences in the level of protection may therefore constitute a barrier to the exercise of economic activities throughout the Union, distort competition and prevent public authorities from fulfilling their obligations under Union law. They are explained by the differences in the transposition and application of Directive 95/46/EC.

(10) In order to ensure a consistent and high level of data protection for natural persons and to remove barriers to the flow of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. The rules protecting the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be applied evenly and consistently throughout the Union. With regard to the processing of personal data for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member States should be able to maintain or introduce national provisions further specifying the application of the rules laid down in this Regulation. In conjunction with the general and horizontal legislation on data protection implementing Directive 95/46/EC, there are several sector-specific laws in Member States in areas that require more specific provisions. This Regulation also provides latitude for Member States to specify their rules, including for the processing of special categories of personal data (hereinafter “sensitive data”). In this regard, this Regulation does not preclude legislation of the Member States specifying the circumstances of particular processing situations, including a more precise determination of the conditions under which the processing of personal data is lawful.

(11) Effective protection of personal data throughout the Union requires the strengthening and precise definition of the rights of data subjects and the strengthening of obligations for those who process and decide on personal data, as well as – in the Member States – equal powers in monitoring and ensuring compliance with the rules on the protection of personal data and equal sanctions in the event of their violation.

(12) Article 16(2) TFEU empowers the European Parliament and the Council to adopt rules relating to the protection of individuals with regard to the processing of personal data and to the free movement of such data.

(13) In order to ensure an equivalent level of data protection for natural persons in the Union and to eliminate disparities which could hinder the free flow of personal data in the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, to provide natural persons in all Member States with the same level of enforceable rights, to provide for the same obligations and responsibilities for controllers and processors, and to ensure an equivalent level of control over the processing of personal data and equivalent sanctions in all Member States, as well as effective cooperation between the supervisory authorities of the different Member States. The proper functioning of the internal market requires that the free flow of personal data within the Union should not be restricted or prohibited for reasons connected with the protection of individuals with regard to the processing of personal data. In order to take into account the specific situation of micro, small and medium-sized enterprises, this Regulation contains a derogation as regards the keeping of a register for entities employing fewer than 250 staff. Furthermore, the Union institutions and bodies, as well as the Member States and their supervisory authorities, are encouraged to take into account the specific needs of micro, small and medium-sized enterprises when applying this Regulation. For the definition of the term “micro, small and medium-sized enterprises”, Article 2 of the Annex to Commission Recommendation 2003/361/EC (5) should prevail.

Article 2 Material scope of application

(1) This Regulation shall apply to the processing of personal data wholly or partly by automatic means and to the processing otherwise than by automatic means of personal data which are stored or are intended to be stored in a filing system.

(2) This Regulation shall not apply to the processing of personal data

a) in the context of an activity that does not fall within the scope of Union law,
b) by Member States in the context of activities falling within the scope of Title V, Chapter 2, TEU,
c) by natural persons for the purpose of carrying out exclusively personal or family activities,
d) by the competent authorities for the purpose of preventing, investigating, detecting or prosecuting criminal offenses or the execution of criminal penalties, including the protection against and the prevention of threats to public safety.

(3) Regulation (EC) No 45/2001 shall apply to the processing of personal data by Union institutions, bodies, offices and agencies. Regulation (EC) No 45/2001 and other Union acts governing such processing of personal data shall be aligned with the principles and rules laid down in this Regulation, in accordance with Article 98.

(4) This Regulation is without prejudice to the application of Directive 2000/31/EC and, more specifically, the provisions of Articles 12 to 15 of that Directive concerning the liability of intermediaries.

Recitals

(14) The protection afforded by this Regulation should apply to the processing of personal data of natural persons, regardless of their nationality or place of residence. This Regulation does not apply to the processing of personal data of legal persons and, in particular, of companies incorporated as legal persons, including the name, legal form or contact details of the legal person.

(15) In order to avoid a serious risk of circumvention, the protection of natural persons should be technology neutral and not depend on the techniques used. The protection of natural persons should apply to automated processing of personal data as well as to manual processing of personal data where the personal data are stored or are to be stored in a file system. Files or collections of files, as well as their cover pages, which are not organized according to specific criteria, should not fall within the scope of this Regulation.

(16) This Regulation shall not apply to matters concerning the protection of fundamental rights and freedoms and the free flow of personal data in relation to activities which fall outside the scope of Union law, such as activities concerning national security. This Regulation shall not apply to the processing of personal data carried out by Member States in the framework of the Union’s common foreign and security policy.

(17) Regulation (EC) No 45/2001 of the European Parliament and of the Council (6) applies to the processing of personal data by Union institutions, bodies, offices and agencies. Regulation (EC) No 45/2001 and other Union acts governing such processing of personal data should be aligned with the principles and rules laid down in this Regulation and applied in the light of this Regulation. In order to ensure a sound and coherent legal framework in the area of data protection in the Union, the necessary adaptations to Regulation (EC) No 45/2001 should be made following the adoption of this Regulation, so that they can be applied at the same time as this Regulation.

(18) This Regulation does not apply to the processing of personal data carried out by a natural person for the exercise of exclusively personal or family activities and thus unrelated to any professional or economic activity. Personal or family activities could include keeping a correspondence or address lists or using social networks and online activities in the context of such activities. However, this Regulation applies to controllers or processors that provide the tools for processing personal data for such personal or family activities.

(19) The protection of individuals with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, as well as the free movement of such data, are governed by a specific Union act. Therefore, this Regulation should not apply to processing activities of this type. However, personal data processed by public authorities under this Regulation, when used for the above purposes, should be subject to a more specific Union act, namely Directive (EU) 2016/680 of the European Parliament and of the Council (7). Member States may entrust competent authorities within the meaning of Directive (EU) 2016/680 with tasks which are not necessarily carried out for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, so that the processing of personal data for those other purposes falls within the scope of this Regulation to the extent that it falls within the scope of Union law. With regard to the processing of personal data by those authorities for purposes falling within the scope of this Regulation, Member States should be able to maintain or introduce more specific provisions in order to adapt the application of the rules of this Regulation. Those provisions may specify more precisely the conditions for the processing of personal data by those competent authorities for those other purposes, taking into account the constitutional, organizational and administrative structure of the Member State concerned. To the extent that this Regulation applies to the processing of personal data by private parties, it should provide that Member States may, under certain conditions, restrict some obligations and rights by means of legislation where such restriction constitutes a necessary and proportionate measure in a democratic society for the protection of certain important interests, including public security and the prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. This is relevant, for example, in the context of combating money laundering or the work of forensic laboratories.

(20) While this Regulation applies, inter alia, to the activities of courts and other judicial authorities, Union or Member State law could specify the details of the processing operations and processing procedures when personal data are processed by courts and other judicial authorities. In order to ensure that the independence of the judiciary in the exercise of its judicial functions, including its decision-making, is not compromised, supervisory authorities should not be competent for the processing of personal data by courts in the course of their judicial activities. It should be possible to entrust the supervision of such data processing operations to specific bodies within the judicial system of the Member State, which should, in particular, ensure compliance with the provisions of this Regulation, make judges and prosecutors more aware of their obligations under this Regulation and deal with complaints relating to such data processing operations.

(21) This Regulation is without prejudice to the application of Directive 2000/31/EC of the European Parliament and of the Council (8) and, in particular, of the provisions of Articles 12 to 15 of that Directive concerning the liability of intermediary service providers. That Directive is intended to contribute to the proper functioning of the internal market by ensuring the free movement of information society services between Member States.

Article 3 Territorial scope

(1) This Regulation shall apply to the processing of personal data insofar as it is carried out in the context of the activities of an establishment of a controller or processor in the Union, regardless of whether the processing takes place in the Union.

(2) This Regulation shall apply to the processing of personal data of data subjects located in the Union by a controller or processor not established in the Union where the data processing relates to

a) the offering of goods or services to data subjects in the Union, regardless of whether a payment is to be made by such data subjects;
b) the monitoring of the behavior of data subjects, insofar as their behavior takes place in the Union.

(3) This Regulation applies to the processing of personal data by a controller not established in the Union in a place governed by the law of a Member State by virtue of public international law.

Recitals

(22) Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, whether the processing takes place in or outside the Union. Establishment implies the effective and actual exercise of an activity by a fixed establishment. The legal form of such an establishment, whether it is a branch or a subsidiary with its own legal personality, is not decisive in this respect.

(23) In order not to deprive a natural person of the protection afforded under this Regulation, the processing of personal data of data subjects located in the Union by a controller or processor not established in the Union should be subject to this Regulation where the processing is carried out for the purpose of offering goods or services to those data subjects, whether in return for payment or free of charge. In order to determine whether that controller or processor offers goods or services to data subjects located in the Union, it should be established whether the controller or processor has an obvious intention to offer services to data subjects in one or more Member States of the Union. While the mere accessibility of the controller’s, processor’s or intermediary’s website in the Union, an email address or other contact details, or the use of a language commonly used in the third country where the controller is established is not a sufficient indication for this purpose, other factors such as the use of a language or currency commonly used in one or more Member States, combined with the possibility to order goods and services in that other language, or the mention of customers or users located in the Union, may indicate that the controller intends to offer goods or services to persons in the Union.

(24) The processing of personal data of data subjects located in the Union by a controller or processor not established in the Union should also be subject to this Regulation if it is for the purpose of monitoring the behaviour of those data subjects, to the extent that their behaviour takes place in the Union. Whether a processing activity is for the purpose of monitoring the behaviour of data subjects should be determined by the tracking of their Internet activities, including the possible subsequent use of personal data processing techniques which create a profile of a natural person which is intended, in particular, to form the basis for decisions concerning him or her or to analyze or predict his or her personal preferences, behaviors or habits.

(25) Where the law of a Member State is applicable under international law, e.g. in a diplomatic or consular representation of a Member State, the Regulation should also apply to a controller not established in the Union.

Arti­cle 4 Definitions

For the pur­po­ses of this Regu­la­ti­on, the term:

1.per­so­nal data” any infor­ma­ti­on rela­ting to an iden­ti­fied or iden­ti­fia­ble natu­ral per­son (her­ein­af­ter “Per­son con­cer­ned”); an iden­ti­fia­ble per­son is one who can be iden­ti­fied, direct­ly or indi­rect­ly, in par­ti­cu­lar by refe­rence to an iden­ti­fier such as a name, an iden­ti­fi­ca­ti­on num­ber, loca­ti­on data, an online iden­ti­fier or to one or more fac­tors spe­ci­fic to the phy­si­cal, phy­sio­lo­gi­cal, gene­tic, men­tal, eco­no­mic, cul­tu­ral or social iden­ti­ty of that natu­ral person;

Reci­tals

(26) The princi­ples of data pro­tec­tion should app­ly to all infor­ma­ti­on rela­ting to an iden­ti­fied or iden­ti­fia­ble natu­ral per­son. Per­so­nal data sub­ject to pseud­ony­miz­a­ti­on which could be attri­buted to a natu­ral per­son by refe­rence to addi­tio­nal infor­ma­ti­on should be con­si­de­red as infor­ma­ti­on rela­ting to an iden­ti­fia­ble natu­ral per­son. In deter­mi­ning whe­ther a natu­ral per­son is iden­ti­fia­ble, account should be taken of any means rea­son­ab­ly likely to be used by the con­trol­ler or by any other per­son to iden­ti­fy the natu­ral per­son, direct­ly or indi­rect­ly, such as sing­ling out. In deter­mi­ning whe­ther means are gene­ral­ly likely to be used to iden­ti­fy the natu­ral per­son, all objec­ti­ve fac­tors, such as the cost of iden­ti­fi­ca­ti­on and the time requi­red for it, should be taken into account, taking into account the tech­no­lo­gy and tech­no­lo­gi­cal deve­lo­p­ments avail­ab­le at the time of the pro­ces­sing. The princi­ples of data pro­tec­tion should the­re­fo­re not app­ly to anony­mous infor­ma­ti­on, that is, infor­ma­ti­on which does not rela­te to an iden­ti­fied or iden­ti­fia­ble natu­ral per­son, or per­so­nal data which has been anony­mi­zed in such a way that the data sub­ject can­not be iden­ti­fied or can no lon­ger be iden­ti­fied. This Regu­la­ti­on the­re­fo­re does not con­cern the pro­ces­sing of such anony­mous data, inclu­ding for sta­tis­ti­cal or rese­arch purposes.

(27) This Regu­la­ti­on shall not app­ly to the per­so­nal data of decea­sed per­sons. Mem­ber Sta­tes may pro­vi­de for rules con­cer­ning the pro­ces­sing of per­so­nal data of decea­sed persons.

(28) App­ly­ing pseud­ony­miz­a­ti­on to per­so­nal data can redu­ce risks to data sub­jects and help data con­trol­lers and pro­ces­sors com­ply with their data pro­tec­tion obli­ga­ti­ons. By expli­ci­tly intro­du­cing the “Pseud­ony­miz­a­ti­on” in this Regu­la­ti­on is not inten­ded to exclu­de other data pro­tec­tion measures.

(29) In order to incen­ti­vi­ze the use of pseud­ony­miz­a­ti­on in the pro­ces­sing of per­so­nal data, pseud­ony­miz­a­ti­on mea­su­res, but allo­wing for gene­ral ana­ly­sis, should be pos­si­ble at the same con­trol­ler, if the con­trol­ler has taken the necessa­ry tech­ni­cal and orga­niz­a­tio­nal mea­su­res to ensu­re – for the respec­ti­ve pro­ces­sing – the imple­men­ta­ti­on of this Regu­la­ti­on, ensu­ring that addi­tio­nal infor­ma­ti­on enab­ling the per­so­nal data to be attri­buted to a spe­ci­fic data sub­ject is kept sepa­r­ate­ly. The con­trol­ler of the per­so­nal data, should indi­ca­te the aut­ho­ri­zed per­sons with this controller.

(30) Indi­vi­du­als may be asso­cia­ted with online iden­ti­fiers such as IP addres­ses and coo­kie iden­ti­fiers that pro­vi­de his or her device or soft­ware app­li­ca­ti­ons and tools or pro­to­cols, or other iden­ti­fiers such as radio fre­quen­cy iden­ti­fiers. This may lea­ve traces that, espe­cial­ly in com­bi­na­ti­on with uni­que iden­ti­fiers and other infor­ma­ti­on recei­ved by the ser­ver, may be used to pro­fi­le and iden­ti­fy the natu­ral persons.

2.Pro­ces­sing” means any ope­ra­ti­on or set of ope­ra­ti­ons which is per­for­med upon per­so­nal data, whe­ther or not by auto­ma­tic means, such as collec­tion, record­ing, orga­niz­a­ti­on, filing, sto­rage, adap­t­ati­on or alte­ra­ti­on, retrie­val, con­sul­ta­ti­on, use, dis­clo­sure by trans­mis­si­on, dis­se­mi­na­ti­on or other­wi­se making avail­ab­le, align­ment or com­bi­na­ti­on, restric­tion, era­su­re or destruction.

3.Restric­tion of pro­ces­sing” the mar­king of stored per­so­nal data with the aim of limi­t­ing their future processing;

4.Pro­filing” any auto­ma­ted pro­ces­sing of per­so­nal data which con­sists in using such per­so­nal data to eva­lua­te cer­tain per­so­nal aspects rela­ting to a natu­ral per­son, in par­ti­cu­lar to ana­ly­ze or pre­dict aspects rela­ting to that natu­ral person’s per­for­mance at work, eco­no­mic situa­ti­on, health, per­so­nal pre­fe­ren­ces, inte­rests, relia­bi­li­ty, beha­vi­or, loca­ti­on, or chan­ge of location.

5.Pseud­ony­miz­a­ti­on” the pro­ces­sing of per­so­nal data in such a way that the per­so­nal data can no lon­ger be attri­buted to a spe­ci­fic data sub­ject without the use of addi­tio­nal infor­ma­ti­on, pro­vi­ded that such addi­tio­nal infor­ma­ti­on is kept sepa­r­ate­ly and is sub­ject to tech­ni­cal and orga­niz­a­tio­nal mea­su­res to ensu­re that the per­so­nal data is not attri­buted to an iden­ti­fied or iden­ti­fia­ble natu­ral person.”;

6.File system“any struc­tu­red collec­tion of per­so­nal data acces­si­ble accord­ing to spe­ci­fied cri­te­ria, whe­ther such collec­tion is main­tai­ned cen­tral­ly, decen­tral­ly, or on a func­tio­n­al or geo­gra­phic basis.

7.Respon­si­ble“the natu­ral or legal per­son, public aut­ho­ri­ty, agen­cy or other body which alo­ne or joint­ly with others deter­mi­nes the pur­po­ses and means of the pro­ces­sing of per­so­nal data; whe­re the pur­po­ses and means of such pro­ces­sing are deter­mi­ned by Uni­on or Mem­ber Sta­te law, the con­trol­ler or the spe­ci­fic cri­te­ria for its desi­gna­ti­on may be pro­vi­ded for by Uni­on or Mem­ber Sta­te law;

8.Pro­ces­sor” a natu­ral or legal per­son, public aut­ho­ri­ty, agen­cy or other body which pro­ces­ses per­so­nal data on behalf of the controller;

9.Recei­ver” means a natu­ral or legal per­son, public aut­ho­ri­ty, agen­cy or other body to whom per­so­nal data are dis­c­lo­sed, whe­ther or not a third par­ty. Howe­ver, public aut­ho­ri­ties that may recei­ve per­so­nal data in the con­text of a spe­ci­fic inve­sti­ga­ti­on man­da­te under Uni­on or Mem­ber Sta­te law shall not be con­si­de­red as reci­pi­ents; the pro­ces­sing of such data by the afo­re­men­tio­ned aut­ho­ri­ties shall be car­ri­ed out in accordance with the app­li­ca­ble data pro­tec­tion rules, in line with the pur­po­ses of the processing;

10.Third” means a natu­ral or legal per­son, public aut­ho­ri­ty, agen­cy or other body, other than the data sub­ject, the con­trol­ler, the pro­ces­sor and the per­sons who, under the direct respon­si­bi­li­ty of the con­trol­ler or the pro­ces­sor, are aut­ho­ri­zed to pro­cess the per­so­nal data.

11.Con­sent” of the data sub­ject means any free­ly given spe­ci­fic, infor­med and unam­bi­guous indi­ca­ti­on of his or her wis­hes in the form of a state­ment or other unam­bi­guous affir­ma­ti­ve act by which the data sub­ject signi­fies his or her agree­ment to per­so­nal data rela­ting to him or her being processed;

Reci­tals

(32) Con­sent should be given by a clear affir­ma­ti­ve act indi­ca­ting volun­ta­ri­ly, for the spe­ci­fic case, in an infor­med man­ner and unam­bi­guous­ly that the data sub­ject cons­ents to the pro­ces­sing of per­so­nal data rela­ting to him or her, such as a writ­ten state­ment, which may also be given elec­tro­ni­cal­ly, or an oral state­ment. This could be done, for examp­le, by ticking a box when visi­t­ing a web­site, by selec­ting tech­ni­cal set­tings for infor­ma­ti­on socie­ty ser­vices or by any other state­ment or con­duct by which the data sub­ject unam­bi­guous­ly indi­ca­tes his or her con­sent to the inten­ded pro­ces­sing of his or her per­so­nal data in the rele­vant con­text. Silence, boxes alrea­dy ticked or inac­tion by the data sub­ject should the­re­fo­re not con­sti­tu­te con­sent. Con­sent should cover all pro­ces­sing ope­ra­ti­ons car­ri­ed out for the same pur­po­se or pur­po­ses. If the pro­ces­sing ser­ves mul­ti­ple pur­po­ses, con­sent should be given for all such pro­ces­sing pur­po­ses. If the data sub­ject is reque­sted to give con­sent by elec­tro­nic means, the requ­est must be made in a clear and con­cise man­ner and without unnecessa­ry inter­rup­ti­on of the ser­vice for which con­sent is given.

(33) It is often not possible to fully specify the purpose of processing personal data for scientific research purposes at the time the personal data are collected. Data subjects should therefore be allowed to give their consent to certain areas of scientific research, provided this is done in keeping with recognized ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects, to the extent allowed by the intended purpose.

12. “Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;

13. “Genetic data” means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

Reci­tals

(34) Gene­tic data should be defi­ned as per­so­nal data con­cer­ning the inheri­ted or acqui­red gene­tic cha­rac­te­ri­stics of a natu­ral per­son obtai­ned from the ana­ly­sis of a bio­lo­gi­cal sam­ple of that natu­ral per­son, in par­ti­cu­lar by chro­mo­so­mal, deoxy­ri­bonu­cleic acid (DNA) or ribonu­cleic acid (RNA) ana­ly­sis, or the ana­ly­sis of ano­t­her ele­ment by which equi­va­lent infor­ma­ti­on can be obtained.

14. “Biometric data” means personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;

15. “Data concerning health” means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

Reci­tals

(35) Per­so­nal health data should inclu­de any data rela­ting to the health sta­tus of a data sub­ject that reve­als infor­ma­ti­on about the data subject’s past, pre­sent and future phy­si­cal or men­tal health sta­tus. This inclu­des infor­ma­ti­on about the natu­ral per­son collec­ted in the cour­se of the regi­stra­ti­on for, as well as the pro­vi­si­on of, health ser­vices as defi­ned in Direc­ti­ve 2011/24/EU of the Euro­pean Par­lia­ment and of the Coun­cil (9) to the natu­ral per­son, num­bers, sym­bols or iden­ti­fiers assi­gned to a natu­ral per­son to uni­que­ly iden­ti­fy that natu­ral per­son for health pur­po­ses, infor­ma­ti­on obtai­ned from the exami­na­ti­on or testing of a body part or body sub­stance, inclu­ding from gene­tic data and bio­lo­gi­cal spe­ci­mens, and infor­ma­ti­on about, for examp­le, dise­a­ses, disa­bi­li­ties, risks of dise­a­se, pre­exi­sting con­di­ti­ons, cli­ni­cal tre­at­ments, or the phy­sio­lo­gi­cal or bio­me­di­cal con­di­ti­on of the indi­vi­du­al, regard­less of the source of the data, whe­ther from a phy­si­ci­an or other health care pro­fes­sio­nal, a hospi­tal, a medi­cal device, or an in vitro dia­gno­stic device.

16. “Main establishment” means:

a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and that establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered the main establishment;
b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place, to the extent that the processor is subject to specific obligations under this Regulation;

Recitals

(36) The main estab­lish­ment of the con­trol­ler in the Uni­on should be the place of its cen­tral admi­ni­stra­ti­on in the Uni­on, unless deci­si­ons on the pur­po­ses and means of the pro­ces­sing of per­so­nal data are taken in ano­t­her estab­lish­ment of the con­trol­ler in the Uni­on, in which case the lat­ter should be con­si­de­red the main estab­lish­ment. Objec­ti­ve cri­te­ria should be used to deter­mi­ne the main estab­lish­ment of a con­trol­ler in the Uni­on, one cri­ter­ion being the effec­ti­ve and actu­al exer­cise of manage­ment acti­vi­ties by a fixed estab­lish­ment wit­hin which the poli­cy deci­si­ons deter­mi­ning the pur­po­ses and means of the pro­ces­sing are taken. The decisi­ve fac­tor should not be whe­ther the pro­ces­sing of per­so­nal data is actual­ly car­ri­ed out at that loca­ti­on. The exi­stence and use of tech­ni­cal means and pro­ce­du­res for pro­ces­sing per­so­nal data or pro­ces­sing acti­vi­ties do not in them­sel­ves estab­lish a main estab­lish­ment and are the­re­fo­re not a deter­mi­ning fac­tor for the exi­stence of a main estab­lish­ment. The main estab­lish­ment of the pro­ces­sor should be the place whe­re the pro­ces­sor has its main admi­ni­stra­ti­on in the Uni­on or, if it has no main admi­ni­stra­ti­on in the Uni­on, the place whe­re the main pro­ces­sing acti­vi­ties take place in the Uni­on. Whe­re both the con­trol­ler and the pro­ces­sor are con­cer­ned, the super­vi­so­ry aut­ho­ri­ty of the Mem­ber Sta­te whe­re the con­trol­ler has its main estab­lish­ment should remain the com­pe­tent lead super­vi­so­ry aut­ho­ri­ty, but the super­vi­so­ry aut­ho­ri­ty of the pro­ces­sor should be con­si­de­red as the super­vi­so­ry aut­ho­ri­ty con­cer­ned and that super­vi­so­ry aut­ho­ri­ty should par­ti­ci­pa­te in the coope­ra­ti­on pro­ce­du­re pro­vi­ded for in this Regu­la­ti­on. 
In any event, the super­vi­so­ry aut­ho­ri­ties of the Mem­ber Sta­te or Mem­ber Sta­tes in which the pro­ces­sor has one or more estab­lish­ments should not be con­si­de­red as super­vi­so­ry aut­ho­ri­ties con­cer­ned if the draft deci­si­on rela­tes only to the con­trol­ler. Whe­re the pro­ces­sing is car­ri­ed out by a group of under­ta­kings, the main estab­lish­ment of the con­trol­ling under­ta­king should be con­si­de­red as the main estab­lish­ment of the group of under­ta­kings, unless the pur­po­ses and means of the pro­ces­sing are deter­mi­ned by ano­t­her undertaking.

17. “Representative” means a natural or legal person established in the Union who, designated in writing by the controller or processor pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;

18. “Enterprise” means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;

19. “Group of undertakings” means a controlling undertaking and its controlled undertakings;

Reci­tals

(37) A group of undertakings should consist of a controlling undertaking and the undertakings controlled by it, whereby the controlling undertaking should be the undertaking which can exert a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it, or the power to have personal data protection rules implemented. An undertaking which controls the processing of personal data in undertakings affiliated to it should be regarded, together with those undertakings, as a group of undertakings.

20. “Binding corporate rules” means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or a group of enterprises engaged in a joint economic activity;

21. “Supervisory authority” means an independent public authority which is established by a Member State pursuant to Article 51;

22. “Supervisory authority concerned” means a supervisory authority which is concerned by the processing of personal data because:

a) the con­trol­ler or pro­ces­sor is estab­lished in the ter­ri­to­ry of the Mem­ber Sta­te of that super­vi­so­ry authority,
b) that pro­ces­sing has or is likely to have a signi­fi­cant impact on data sub­jects resi­ding in the Mem­ber Sta­te of that super­vi­so­ry aut­ho­ri­ty, or
c) a com­p­laint has been filed with this super­vi­so­ry authority;

23. “Cross-border processing” means either:

a) a pro­ces­sing of per­so­nal data car­ri­ed out in the con­text of the acti­vi­ties of estab­lish­ments of a con­trol­ler or pro­ces­sor in the Uni­on in more than one Mem­ber Sta­te, whe­re the con­trol­ler or pro­ces­sor is estab­lished in more than one Mem­ber Sta­te, or
b) a pro­ces­sing of per­so­nal data which is car­ri­ed out in the cour­se of the acti­vi­ties of a sin­gle estab­lish­ment of a con­trol­ler or pro­ces­sor in the Uni­on but which has or is likely to have a signi­fi­cant impact on data sub­jects in more than one Mem­ber State;

24. “Relevant and reasoned objection” means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;

25. “Information society service” means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council (19);

26. “International organization” means an organization and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

Reci­tals

(31) Public aut­ho­ri­ties to which per­so­nal data are dis­c­lo­sed on the basis of a legal obli­ga­ti­on for the exer­cise of their offi­cial mis­si­on, such as tax and customs aut­ho­ri­ties, finan­cial intel­li­gence units, inde­pen­dent admi­ni­stra­ti­ve aut­ho­ri­ties or finan­cial mar­ket aut­ho­ri­ties respon­si­ble for the regu­la­ti­on and super­vi­si­on of secu­ri­ties mar­kets, should not be con­si­de­red as reci­pi­ents when they recei­ve per­so­nal data necessa­ry for the per­for­mance – in accordance with Uni­on or Mem­ber Sta­te law – of an indi­vi­du­al inve­sti­ga­ti­on task in the public inte­rest. Requests for dis­clo­sure emana­ting from public aut­ho­ri­ties should always be made in wri­ting, should be rea­so­ned and occa­sio­nal in natu­re, and should not con­cern com­ple­te file systems or lead to the inter­lin­king of file systems. The pro­ces­sing of per­so­nal data by the said aut­ho­ri­ties should com­ply with the data pro­tec­tion rules app­li­ca­ble to the pur­po­ses of the processing.

Chap­ter II Principles

Arti­cle 5 Princi­ples for the pro­ces­sing of per­so­nal data

(1) Personal data must be:
a) processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered incompatible with the initial purposes (“purpose limitation”);
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”);
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (“storage limitation”);
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (“integrity and confidentiality”).

(2) The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (“accountability”).

Reci­tals

(39) Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed, and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing, and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of the personal data concerning them which are being processed. Natural persons should be made aware of the risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.
All reasonable steps should be taken to ensure that personal data which are inaccurate are rectified or erased. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including preventing unauthorized access to, or use of, the personal data and the equipment used for the processing.

Arti­cle 6 Law­ful­ness of processing

(1) Pro­ces­sing is law­ful only if at least one of the fol­lo­wing con­di­ti­ons is met:

a) The data sub­ject has given his/her con­sent to the pro­ces­sing of per­so­nal data con­cer­ning him/her for one or more spe­ci­fic purposes;
b) the pro­ces­sing is necessa­ry for the per­for­mance of a con­tract to which the data sub­ject is par­ty or for the imple­men­ta­ti­on of pre-con­trac­tu­al mea­su­res taken at the data subject’s request;
c) pro­ces­sing is necessa­ry for com­pli­an­ce with a legal obli­ga­ti­on to which the con­trol­ler is subject;
d) the pro­ces­sing is necessa­ry in order to pro­tect the vital inte­rests of the data sub­ject or ano­t­her natu­ral person;
e) pro­ces­sing is necessa­ry for the per­for­mance of a task car­ri­ed out in the public inte­rest or in the exer­cise of offi­cial aut­ho­ri­ty vested in the controller;
f) pro­ces­sing is necessa­ry for the pur­po­ses of the legi­ti­ma­te inte­rests of the con­trol­ler or of a third par­ty, except whe­re such inte­rests are over­rid­den by the inte­rests or fun­da­men­tal rights and free­doms of the data sub­ject which requi­re pro­tec­tion of per­so­nal data, in par­ti­cu­lar whe­re the data sub­ject is a child.

Point (f) of the first sub­pa­ra­graph shall not app­ly to pro­ces­sing car­ri­ed out by public aut­ho­ri­ties in the per­for­mance of their tasks.

(2) Mem­ber Sta­tes may main­tain or intro­du­ce more spe­ci­fic pro­vi­si­ons to adapt the app­li­ca­ti­on of the rules of this Regu­la­ti­on in rela­ti­on to pro­ces­sing to com­ply with points (c) and (e) of para­graph 1 by spe­ci­fy­ing more pre­cise­ly spe­ci­fic requi­re­ments for pro­ces­sing as well as other mea­su­res to ensu­re law­ful and fair pro­ces­sing, inclu­ding for other spe­ci­fic pro­ces­sing situa­tions refer­red to in Chap­ter IX.

(3) The legal basis for the pro­ces­sing ope­ra­ti­ons refer­red to in points (c) and (e) of para­graph 1 is deter­mi­ned by

a) Uni­on law or
b) the law of the Mem­ber Sta­tes to which the con­trol­ler is subject.

The pur­po­se of the pro­ces­sing must be spe­ci­fied in that legal basis or, as regards the pro­ces­sing refer­red to in point (e) of para­graph 1, must be necessa­ry for the per­for­mance of a task car­ri­ed out in the public inte­rest or in the exer­cise of offi­cial aut­ho­ri­ty vested in the con­trol­ler. That legal basis may con­tain spe­ci­fic pro­vi­si­ons adap­ting the app­li­ca­ti­on of the rules of this Regu­la­ti­on, inclu­ding pro­vi­si­ons on the gene­ral con­di­ti­ons gover­ning the law­ful­ness of the pro­ces­sing by the con­trol­ler, the types of data pro­ces­sed, the indi­vi­du­als con­cer­ned, the enti­ties to which and the pur­po­ses for which the per­so­nal data may be dis­c­lo­sed, the pur­po­se limi­ta­ti­on, the sto­rage peri­od and the pro­ces­sing ope­ra­ti­ons and pro­ce­du­res that may be app­lied, inclu­ding mea­su­res to ensu­re law­ful and fair pro­ces­sing, such as tho­se for other spe­ci­fic pro­ces­sing situa­tions in accordance with Chap­ter IX. Uni­on or Mem­ber Sta­te law must pur­sue an objec­ti­ve in the public inte­rest and be pro­por­tio­na­te to the legi­ti­ma­te pur­po­se pursued.

(4) Whe­re pro­ces­sing for a pur­po­se other than that for which the per­so­nal data were collec­ted is not based on the data subject’s con­sent or on a Uni­on or Mem­ber Sta­te law which con­sti­tu­tes a necessa­ry and pro­por­tio­na­te mea­su­re in a demo­cra­tic socie­ty to safe­guard the objec­ti­ves refer­red to in Arti­cle 23(1), the con­trol­ler shall – in order to deter­mi­ne whe­ther the pro­ces­sing for ano­t­her pur­po­se is com­pa­ti­ble with that for which the per­so­nal data were ori­gi­nal­ly collec­ted – take into account, among other things

a) any link bet­ween the pur­po­ses for which the per­so­nal data were collec­ted and the pur­po­ses of the inten­ded fur­ther processing,
b) the con­text in which the per­so­nal data were collec­ted, in par­ti­cu­lar with regard to the rela­ti­ons­hip bet­ween the data sub­jects and the controller,
c) the natu­re of the per­so­nal data, in par­ti­cu­lar whe­ther spe­cial cate­go­ries of per­so­nal data are pro­ces­sed pur­suant to Arti­cle 9 or whe­ther per­so­nal data rela­ting to cri­mi­nal con­vic­tions and offen­ses are pro­ces­sed pur­suant to Arti­cle 10,
d) the pos­si­ble con­se­quen­ces of the inten­ded fur­ther pro­ces­sing for the data subjects,
e) the existence of appropriate safeguards, which may include encryption or pseudonymization.

Recitals

(40) For pro­ces­sing to be law­ful, per­so­nal data must be pro­ces­sed with the con­sent of the data sub­ject or on any other per­mis­si­ble legal basis deri­ving from this Regu­la­ti­on or, whenever refer­red to in this Regu­la­ti­on, from other Uni­on or Mem­ber Sta­te law, such as, inter alia, on the basis that it is necessa­ry for com­pli­an­ce with the legal obli­ga­ti­on to which the con­trol­ler is sub­ject or for the per­for­mance of a con­tract to which the data sub­ject is par­ty, or for the per­for­mance of pre-con­trac­tu­al mea­su­res taken at the data subject’s request.

(41) Where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise, and its application should be foreseeable to persons subject to it, in accordance with the case law of the Court of Justice of the European Union (hereinafter “Court of Justice”) and the European Court of Human Rights.

(44) The pro­ces­sing of data should be con­si­de­red law­ful if it is necessa­ry for the per­for­mance or plan­ned con­clu­si­on of a contract.

(45) Whe­re pro­ces­sing is car­ri­ed out by the con­trol­ler on the basis of a legal obli­ga­ti­on to which the con­trol­ler is sub­ject or whe­re pro­ces­sing is necessa­ry for the per­for­mance of a task car­ri­ed out in the public inte­rest or in the exer­cise of offi­cial aut­ho­ri­ty, the­re must be a basis for this in Uni­on or Mem­ber Sta­te law. This Regu­la­ti­on does not requi­re a spe­ci­fic law for each indi­vi­du­al pro­ces­sing ope­ra­ti­on. A law may be suf­fi­ci­ent as a basis for several pro­ces­sing ope­ra­ti­ons whe­re the pro­ces­sing is car­ri­ed out on the basis of a legal obli­ga­ti­on incum­bent on the con­trol­ler or whe­re the pro­ces­sing is necessa­ry for the per­for­mance of a task car­ri­ed out in the public inte­rest or in the exer­cise of offi­cial aut­ho­ri­ty. Simi­lar­ly, Uni­on or Mem­ber Sta­te law should regu­la­te the pur­po­ses for which the data may be pro­ces­sed. Fur­ther­mo­re, such law could spe­ci­fy the gene­ral con­di­ti­ons of this Regu­la­ti­on gover­ning the law­ful­ness of the pro­ces­sing of per­so­nal data and could spe­ci­fy how the con­trol­ler is to be deter­mi­ned, what type of per­so­nal data are pro­ces­sed, which indi­vi­du­als are con­cer­ned, to which enti­ties the per­so­nal data may be dis­c­lo­sed, for what pur­po­ses and for how long they may be stored, and what other mea­su­res are taken to ensu­re that the pro­ces­sing is law­ful and fair. Simi­lar­ly, Uni­on or Mem­ber Sta­te law should spe­ci­fy whe­ther the con­trol­ler per­for­ming a task car­ri­ed out in the public inte­rest or in the exer­cise of offi­cial aut­ho­ri­ty should be a public aut­ho­ri­ty or ano­t­her natu­ral or legal per­son gover­ned by public law or, whe­re justi­fied by the public inte­rest, inclu­ding health pur­po­ses, such as public health or social secu­ri­ty or the admi­ni­stra­ti­on of health­ca­re bene­fits, a natu­ral or legal per­son gover­ned by pri­va­te law, such as a pro­fes­sio­nal association.

(46) The pro­ces­sing of per­so­nal data should also be con­si­de­red law­ful if it is necessa­ry to pro­tect a vital inte­rest of the data sub­ject or of ano­t­her natu­ral per­son. Per­so­nal data should in princip­le only be pro­ces­sed on the basis of a vital inte­rest of ano­t­her natu­ral per­son if the pro­ces­sing obvious­ly can­not be based on any other legal basis. Some types of pro­ces­sing may ser­ve both important public inte­rest rea­sons and vital inte­rests of the data sub­ject; for examp­le, pro­ces­sing may be necessa­ry for huma­ni­ta­ri­an pur­po­ses, inclu­ding moni­to­ring epi­de­mics and their spread, or in huma­ni­ta­ri­an emer­gen­ci­es, in par­ti­cu­lar natu­ral or man-made disasters.

(47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such a legitimate interest could exist, for example, where there is a relevant and appropriate relationship between the data subject and the controller, such as where the data subject is a client or in the service of the controller. In any case, the existence of a legitimate interest would need careful assessment, including whether a data subject can reasonably expect, at the time and in the context of the collection of the personal data, that processing for that purpose may take place. In particular, where personal data are processed in circumstances in which the data subject does not reasonably expect further processing, the interests and fundamental rights of the data subject could override the interest of the controller. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the controller concerned.

The pro­ces­sing of per­so­nal data for the pur­po­ses of direct mar­ke­ting may be con­si­de­red as pro­ces­sing ser­ving a legi­ti­ma­te interest.

(48) Con­trol­lers that are part of a group of com­pa­nies or a group of enti­ties that are assi­gned to a cen­tral body may have a legi­ti­ma­te inte­rest in trans­fer­ring per­so­nal data wit­hin the group of com­pa­nies for inter­nal manage­ment pur­po­ses, inclu­ding the pro­ces­sing of per­so­nal data of custo­mers and employees. The basic princi­ples for the trans­fer of per­so­nal data wit­hin groups of com­pa­nies to a com­pa­ny in a third coun­try remain unaffected.

(49) The processing of personal data by public authorities, Computer Emergency Response Teams (CERTs), Computer Security Incident Response Teams (CSIRTs), providers of electronic communications networks and services, and providers of security technologies and services constitutes a legitimate interest of the controller concerned to the extent strictly necessary and proportionate for ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and information systems. Such a legitimate interest could include, for example, preventing unauthorized access to electronic communications networks and the distribution of malicious code, stopping attacks that deliberately overload servers (“denial of service” attacks), and preventing damage to computer and electronic communication systems.

(50) Pro­ces­sing of per­so­nal data for pur­po­ses other than tho­se for which the per­so­nal data were ori­gi­nal­ly collec­ted should only be allo­wed if the pro­ces­sing is com­pa­ti­ble with the pur­po­ses for which the per­so­nal data were ori­gi­nal­ly collec­ted. In this case, no sepa­ra­te legal basis is requi­red other than the one for the collec­tion of the per­so­nal data. Whe­re pro­ces­sing is necessa­ry for the per­for­mance of a task car­ri­ed out in the public inte­rest or in the exer­cise of offi­cial aut­ho­ri­ty vested in the con­trol­ler, Uni­on or Mem­ber Sta­te law may deter­mi­ne and spe­ci­fy the tasks and pur­po­ses for which fur­ther pro­ces­sing is deemed com­pa­ti­ble and law­ful. Fur­ther pro­ces­sing for archi­ving pur­po­ses in the public inte­rest, for sci­en­ti­fic or histo­ri­cal rese­arch pur­po­ses, or for sta­tis­ti­cal pur­po­ses should be con­si­de­red com­pa­ti­ble and law­ful pro­ces­sing. The legal basis for pro­ces­sing per­so­nal data pro­vi­ded for in Uni­on or Mem­ber Sta­te law may also ser­ve as a legal basis for fur­ther pro­ces­sing. 
In order to deter­mi­ne whe­ther a pur­po­se of fur­ther pro­ces­sing is com­pa­ti­ble with the pur­po­se for which the per­so­nal data were ori­gi­nal­ly collec­ted, the con­trol­ler, after com­ply­ing with all requi­re­ments for the law­ful­ness of the ori­gi­nal pro­ces­sing, should con­si­der, inter alia, whe­ther the­re is a link bet­ween the pur­po­ses for which the per­so­nal data were collec­ted and the pur­po­ses of the inten­ded fur­ther pro­ces­sing, the con­text in which the data were collec­ted, in par­ti­cu­lar the rea­son­ab­le expec­ta­ti­ons of the data sub­ject, based on his or her rela­ti­ons­hip with the con­trol­ler, as to the fur­ther use of such data, the natu­re of the per­so­nal data invol­ved, the con­se­quen­ces of the inten­ded fur­ther pro­ces­sing for the data sub­jects, and whe­ther appro­pria­te safe­guards are in place for both the ori­gi­nal and the inten­ded fur­ther pro­ces­sing operation.

Whe­re the data sub­ject has given con­sent or the pro­ces­sing is based on Uni­on or Mem­ber Sta­te law, which is a necessa­ry and pro­por­tio­na­te mea­su­re in a demo­cra­tic socie­ty to pro­tect, in par­ti­cu­lar, important gene­ral public inte­rest objec­ti­ves, the con­trol­ler should be allo­wed to fur­ther pro­cess the per­so­nal data regard­less of the com­pa­ti­bi­li­ty of the pur­po­ses. In any case, it should be ensu­red that the princi­ples laid down in this Regu­la­ti­on are app­lied and, in par­ti­cu­lar, that the data sub­ject is infor­med of tho­se other pur­po­ses and of his or her rights, inclu­ding the right to object. The indi­ca­ti­on by the con­trol­ler of pos­si­ble cri­mi­nal offen­ces or thre­ats to public secu­ri­ty and the trans­fer to a com­pe­tent aut­ho­ri­ty of the rele­vant per­so­nal data in indi­vi­du­al cases or in several cases rela­ted to the same cri­mi­nal offence or the same thre­at to public secu­ri­ty should be con­si­de­red as a legi­ti­ma­te inte­rest of the con­trol­ler. Howe­ver, such trans­fer of per­so­nal data in the legi­ti­ma­te inte­rest of the con­trol­ler or fur­ther pro­ces­sing the­re­of should be unlaw­ful if the pro­ces­sing is incom­pa­ti­ble with a legal, pro­fes­sio­nal or other bin­ding obli­ga­ti­on of secrecy.

Article 7 Conditions for consent

(1) If the processing is based on consent, the controller must be able to prove that the data subject has consented to the processing of his or her personal data.

(2) If the data subject’s consent is given by means of a written statement which also concerns other matters, the request for consent shall be made in an intelligible and easily accessible form in clear and plain language in such a way that it can be clearly distinguished from the other matters. Portions of the statement shall not be binding if they constitute a violation of this Regulation.

(3) The data subject has the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of the processing carried out on the basis of the consent until the withdrawal. The data subject shall be informed of this before giving consent. The withdrawal of consent must be as simple as giving consent.

(4) In assessing whether consent has been freely given, it is necessary to take into account, to the greatest extent possible, whether, among other things, the performance of a contract, including the provision of a service, is dependent on consent to the processing of personal data that is not necessary for the performance of the contract.

Recitals

(42) If the processing is carried out with the consent of the data subject, the controller should be able to demonstrate that the data subject has given his or her consent to the processing operation. In particular, where a written statement is given in another matter, safeguards should ensure that the data subject knows that he or she is giving consent and to what extent. In accordance with Council Directive 93/13/EEC (10), a consent form pre-formulated by the controller should be provided in an intelligible and easily accessible form in plain and simple language and should not contain unfair terms. In order to be able to give informed consent, the data subject should at least know who the controller is and for what purposes his or her personal data are to be processed. The data subject should only be considered to have given consent voluntarily if he or she has a genuine or free choice and is thus able to refuse or withdraw consent without suffering any disadvantages.

(43) In order to ensure that consent has been given voluntarily, it should not provide a valid legal basis in specific cases where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely, in view of all the circumstances in the specific case, that consent was given voluntarily. Consent shall not be deemed to have been given voluntarily if consent cannot be given separately for different processing operations of personal data, although this is appropriate in the specific case, or if the performance of a contract, including the provision of a service, is dependent on consent, although such consent is not necessary for performance.

Article 8 Conditions for the consent of a child in relation to information society services

(1) Where Article 6(1)(a) applies in the case of an offer of information society services made directly to a child, the processing of the child’s personal data shall be lawful if the child has reached the age of sixteen. Where the child has not reached the age of sixteen, such processing shall be lawful only if and to the extent that such consent is given by or with the consent of the holder of parental responsibility over the child. Member States may, by law, provide for a lower age limit for these purposes, but it shall not be lower than the age of thirteen years.

(2) The controller shall make reasonable efforts, taking into account available technology, to ascertain in such cases that consent has been given by or with the consent of the holder of parental responsibility for the child.

(3) Paragraph 1 is without prejudice to the general contract law of the Member States, such as the rules on the validity, formation or legal consequences of a contract in relation to a child.

Recitals

(38) Children deserve special protection with regard to their personal data, as children may be less aware of the risks, consequences and safeguards involved and of their rights when personal data are processed. Such special protection should concern, in particular, the use of children’s personal data for advertising or personal or user profiling purposes and the collection of children’s personal data when using services offered directly to children. The consent of the holder of parental responsibility should not be required in the context of prevention or counseling services offered directly to a child.

Article 9 Processing of special categories of personal data

(1) The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data uniquely identifying a natural person, health data or data concerning a natural person’s sex life or sexual orientation is prohibited.

(2) Paragraph 1 shall not apply in the following cases:

a) the data subject has given his or her explicit consent to the processing of the personal data referred to above for one or more specified purposes, unless, under Union or Member State law, the prohibition in paragraph 1 cannot be lifted by the data subject’s consent,
b) the processing is necessary to enable the controller or the data subject to exercise his or her rights and comply with his or her obligations under employment law and social security and social protection law, to the extent permitted by Union law or Member State law or by a collective agreement under Member State law which provides appropriate safeguards for the fundamental rights and interests of the data subject,
c) the processing is necessary to protect the vital interests of the data subject or another natural person and the data subject is unable to give consent for physical or legal reasons,
d) the processing is carried out on the basis of appropriate safeguards by a political, philosophical, religious or trade union foundation, association or other non-profit organization in the course of its legitimate activities and provided that the processing relates exclusively to the members or former members of the organization or to persons who have regular contacts with it in connection with its purpose of activity and that the personal data are not disclosed to outside parties without the consent of the data subjects,
e) the processing relates to personal data which the data subject has manifestly made public,
f) processing is necessary for the establishment, exercise or defense of legal claims or in case of actions of the courts in the course of their judicial activities,
g) processing is necessary for reasons of substantial public interest based on Union law or the law of a Member State which is proportionate to the aim pursued, respects the essence of the right to data protection and provides for adequate and specific measures to safeguard the fundamental rights and interests of the data subject,
h) the processing is necessary for the purposes of preventive health care or occupational medicine, the assessment of the employee’s fitness for work, medical diagnosis, health or social care or treatment, or the management of health or social care systems and services on the basis of Union law or the law of a Member State or on the basis of a contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3,
i) the processing is necessary for reasons of public interest in the field of public health, such as protection against serious cross-border threats to health or to ensure high standards of quality and safety in healthcare and medicinal products and medical devices, on the basis of Union law or the law of a Member State which lays down appropriate and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy, or
j) processing is necessary for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes as referred to in Article 89(1), on the basis of Union law or the law of a Member State which is proportionate to the aim pursued, respects the essence of the right to data protection and provides for adequate and specific measures to safeguard the fundamental rights and interests of the data subject.

(3) The personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 where those data are processed by or under the responsibility of a specialised staff member and that specialised staff member is subject to an obligation of professional secrecy under Union law or the law of a Member State or the rules of national competent bodies, or where the processing is carried out by another person who is also subject to an obligation of secrecy under Union law or the law of a Member State or the rules of national competent bodies.

(4) Member States may introduce or maintain additional conditions, including restrictions, as far as the processing of genetic, biometric or health data is concerned.

Recitals

(51) Personal data which by their nature are particularly sensitive with regard to fundamental rights and freedoms deserve special protection, since significant risks to fundamental rights and freedoms may arise in connection with their processing. Such personal data should include personal data revealing racial or ethnic origin, although the use of the term “racial origin” in this Regulation does not mean that the Union endorses theories which attempt to prove the existence of different human races. The processing of photographs should not in principle be considered as the processing of special categories of personal data, since photographs are only covered by the definition of “biometric data” if they are processed by specific technical means enabling the unique identification or authentication of a natural person. Such personal data should not be processed unless the processing is allowed in the specific cases set out in this Regulation, taking into account that specific data protection provisions may be laid down in the law of the Member States in order to adapt the application of the provisions of this Regulation to allow compliance with a legal obligation or the performance of a task carried out in the public interest or the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other provisions of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition on processing those special categories of personal data should be explicitly provided for, inter alia, where the data subject has given his or her explicit consent or where there are specific needs, in particular where the processing is carried out in the course of legitimate activities of certain associations or foundations promoting the exercise of fundamental freedoms.

(52) Derogations from the prohibition on processing special categories of personal data should also be allowed where provided for in Union or Member State law and, subject to appropriate safeguards for the protection of personal data and other fundamental rights, where justified by the public interest, in particular for the processing of personal data in the field of employment law and social security law, including pensions, and for the purposes of ensuring and monitoring health and health warnings, prevention or control of contagious diseases and other serious health threats. Such an exception may be made for health purposes, such as ensuring public health and the management of health care benefits, in particular where it is intended to ensure the quality and efficiency of the procedures for billing benefits in social health insurance schemes, or where the processing serves archiving, scientific or historical research or statistical purposes in the public interest. The processing of such personal data should also be exceptionally allowed if it is necessary to assert, exercise or defend legal claims, whether in judicial proceedings or in administrative or extrajudicial proceedings.

(53) Special categories of personal data which merit a higher level of protection should only be processed for health-related purposes if necessary for the achievement of those purposes in the interest of individual natural persons and society as a whole, in particular in the context of the management of health or social care services and systems, including the processing of such data by the administration and central national health authorities for the purpose of quality control, administrative information and general national and local monitoring of the health or social care system and for the purpose of ensuring continuity of health and social care and cross-border healthcare or health assurance and monitoring and health alerts, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes based on Union or Member State legislation which must serve a public interest objective, and for studies carried out in the public interest in the field of public health. This Regulation should therefore harmonise conditions for the processing of special categories of personal data concerning health with regard to certain requirements, in particular where the processing of such data for health-related purposes is carried out by persons subject to professional secrecy pursuant to a legal obligation. Union or Member State law should provide for specific and proportionate measures to protect the fundamental rights and personal data of natural persons. Member States should be allowed to maintain or introduce further conditions, including restrictions, in relation to the processing of genetic data, biometric data or health data. However, this should not affect the free flow of personal data within the Union if the conditions in question apply to the cross-border processing of such data.

(54) For reasons of public interest in areas of public health, it may be necessary to process special categories of personal data even without the consent of the data subject. Such processing should be subject to appropriate and specific measures to protect the rights and freedoms of natural persons. In this context, the term “public health” shall be interpreted within the meaning of Regulation (EC) No 1338/2008 of the European Parliament and of the Council (11) and shall include all elements related to health such as health status, including morbidity and disability, the determinants affecting that health status, the need for health care, the resources allocated to health care, the provision of and general access to health care services and the corresponding expenditure and financing, and finally the causes of mortality. Such processing of health data for reasons of public interest shall not result in third parties, including employers or insurance and financial companies, processing such personal data for other purposes.

(55) The processing of personal data by state agencies for the purposes of state-recognized religious communities under constitutional law or international law is also carried out for reasons of public interest.

(56) Where, in a Member State, the functioning of the democratic system requires that political parties collect personal data relating to the political opinions of individuals in the context of elections, the processing of such data may be allowed for reasons of public interest, provided that appropriate safeguards are established.

Article 10 Processing of personal data relating to criminal convictions and offences

The processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) may only be carried out under the supervision of public authorities or where permitted by Union law or Member State law providing appropriate safeguards for the rights and freedoms of data subjects. A comprehensive register of criminal convictions may be kept only under administrative supervision.

Article 11 Processing for which identification of the data subject is not necessary

(1) Where the identification of the data subject by the controller is not or is no longer necessary for the purposes for which a controller processes personal data, the controller shall not be required to retain, obtain or process additional information to identify the data subject for the sole purpose of complying with this Regulation.

(2) If, in cases referred to in paragraph 1 of this Article, the controller is able to demonstrate that it is not in a position to identify the data subject, it shall inform the data subject thereof, where possible. In such cases, Articles 15 to 20 shall not apply unless the data subject provides additional information enabling him or her to be identified in order to exercise his or her rights laid down in those Articles.

Recitals

(57) Where the controller cannot identify a natural person from the personal data it processes, it should not be obliged to obtain additional data in order to identify the data subject for the sole purpose of complying with a provision of this Regulation. However, the controller should not refuse to receive additional information provided by the data subject in order to exercise his or her rights. The identification should include the digital identification of a data subject – for example, through authentication procedures using the same credentials as the data subject uses to log in to the online service provided by the controller.

(64) The controller should use all reasonable means to verify the identity of a data subject seeking information, especially in the context of online services and in the case of online identifiers. A controller should not store personal data for the sole purpose of responding to possible requests for information.

Chapter III Rights of the data subject

Section 1 Transparency and modalities

Article 12 Transparent information, communication and modalities for the exercise of the rights of the data subject

(1) The controller shall take appropriate measures to provide the data subject with all the information referred to in Articles 13 and 14 and all the notifications referred to in Articles 15 to 22 and Article 34 relating to the processing in a precise, transparent, intelligible and easily accessible form in plain and simple language; this shall apply in particular to information specifically addressed to children. The information shall be provided in writing or in another form, including, where appropriate, electronically. If requested by the data subject, the information may be provided orally, provided that the identity of the data subject has been proven in another form.

(2) The controller shall facilitate the data subject’s exercise of his or her rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller may refuse to act on the data subject’s request to exercise his or her rights under Articles 15 to 22 only if it credibly demonstrates that it is unable to identify the data subject.

(3) The controller shall provide the data subject with information on the measures taken upon request pursuant to Articles 15 to 22 without undue delay and in any case within one month of receipt of the request. This period may be extended by a further two months if necessary, taking into account the complexity and number of requests. The controller shall inform the data subject of any extension of the time limit, together with the reasons for the delay, within one month of receipt of the request. If the data subject makes the request electronically, he or she shall be informed by electronic means, if possible, unless he or she indicates otherwise.

(4) If the controller fails to act on the data subject’s request, it shall inform the data subject without delay, but no later than within one month of receipt of the request, of the reasons for this and of the possibility of lodging a complaint with a supervisory authority or seeking judicial remedy.

(5) Information pursuant to Articles 13 and 14 and all notifications and measures pursuant to Articles 15 to 22 and Article 34 shall be provided free of charge. In the case of manifestly unfounded or – especially in the case of frequent repetition – excessive requests by a data subject, the controller may either

a) charge a reasonable fee that takes into account the administrative costs of informing or notifying or implementing the requested action; or
b) refuse to act on the request.

The controller shall provide evidence of the manifestly unfounded or excessive nature of the request.

(6) Without prejudice to Article 11, if the controller has reasonable doubts about the identity of the natural person making the request under Articles 15 to 21, the controller may request additional information necessary to confirm the identity of the data subject.

(7) The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardized icons in order to give a meaningful overview of the intended processing in an easily perceivable, understandable and clearly comprehensible form. If the icons are presented in electronic form, they must be machine-readable.

(8) The Commission shall be empowered to adopt delegated acts in accordance with Article 92 concerning the definition of the information to be represented by icons and the procedures for the provision of standardized icons.

Recitals

(58) The principle of transparency requires that information intended for the public or the data subject be precise, easily accessible and understandable, and written in clear and simple language, with additional visual elements where appropriate. This information could be provided in electronic form, for example on a website, if it is intended for the public. This is especially true in situations where the large number of parties involved and the complexity of the technology required make it difficult for the data subject to know and understand whether personal data concerning him or her are being collected, by whom, and for what purpose, such as in the case of advertising on the Internet. If the processing is directed at children, due to the special vulnerability of children, information and notices should be provided in such clear and simple language that a child can understand them.

(59) Modalities should be laid down to facilitate the exercise of the rights of a data subject under this Regulation, including mechanisms to ensure that he or she can request and, where appropriate, obtain free of charge, in particular access to, and rectification or erasure of, personal data or exercise his or her right to object. Thus, the controller should also ensure that requests can be made electronically, in particular where the personal data are processed electronically. The controller should be required to respond to the data subject’s request without undue delay and, at the latest, within one month, and, where appropriate, to give reasons why it refuses the request.

(60) The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which the personal data are processed. In addition, the controller should inform the data subject that profiling is taking place and what the consequences are. In addition, if the personal data are collected from the data subject, he or she should be informed whether he or she is obliged to provide the personal data and what the consequences of withholding the data would be. The information in question may be provided in combination with standardized icons to provide a meaningful overview of the intended processing in an easily perceivable, understandable and clearly comprehensible form. If the icons are presented in electronic form, they should be machine-readable.

Section 2 Transparency and information and right of access to personal data

Article 13 Transparency and information when collecting personal data from the data subject

(1) If personal data are collected from the data subject, the controller shall inform the data subject of the following at the time of collection of such data:

a) the name and contact details of the controller and, if applicable, its representative;
b) if applicable, the contact details of the data protection officer;
c) the purposes for which the personal data are to be processed and the legal basis for the processing;
d) if the processing is based on Article 6(1)(f), the legitimate interests pursued by the controller or a third party;
e) where applicable, the recipients or categories of recipients of the personal data; and
f) where applicable, the controller’s intention to transfer the personal data to a third country or an international organization and the existence or absence of an adequacy decision by the Commission or, in the case of transfers pursuant to Article 46 or Article 47 or the second subparagraph of Article 49(1), a reference to the appropriate or adequate safeguards and how to obtain a copy of them or where they are available.

(2) In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following additional information at the time of collection of such data, which is necessary to ensure fair and transparent processing:

a) the duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration;
b) the existence of a right to obtain from the controller access to the personal data concerned, as well as to rectification or erasure or to restriction of processing or a right to object to processing, as well as the right to data portability;
c) if the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of a right to withdraw consent at any time without affecting the lawfulness of the processing carried out on the basis of consent until withdrawal;
d) the existence of a right to lodge a complaint with a supervisory authority;
e) whether the provision of the personal data is required by law or by contract or is necessary for the conclusion of a contract, whether the data subject is obliged to provide the personal data and what the possible consequences of not providing the data would be, and
f) the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.

(3) If the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject with information about such other purpose and any other relevant information pursuant to paragraph 2 prior to such further processing.

(4) Paragraphs 1, 2 and 3 shall not apply if and to the extent that the data subject already possesses the information.

Recitals

(61) The data subject should be informed that personal data concerning him or her are being processed at the time of collection or, if the data are not obtained from him or her but from another source, within a reasonable period of time depending on the specific case. If the personal data may lawfully be disclosed to another recipient, the data subject should be made aware of this when the personal data are first disclosed to that recipient. If the controller intends to process the personal data for a purpose other than that for which the data were collected, it should provide the data subject with information about that other purpose and other necessary information prior to such further processing. If it was not possible to inform the data subject of the origin of the personal data because different sources were used, the information should be provided in general terms.

Article 14 Transparency and information when the personal data have not been collected from the data subject

(1) If personal data are not collected from the data subject, the controller shall inform the data subject of the following:

a) the name and contact details of the controller and, if applicable, of the controller’s representative;
b) additionally, the contact details of the data protection officer;
c) the purposes for which the personal data are to be processed and the legal basis for the processing;
d) the categories of personal data that are processed;
e) where applicable, the recipients or categories of recipients of the personal data;
f) where applicable, the controller’s intention to transfer the personal data to a recipient in a third country or an international organization and the existence or absence of an adequacy decision by the Commission or, in the case of transfers pursuant to Article 46 or Article 47 or Article 49(1), second subparagraph, a reference to the appropriate or adequate safeguards and the possibility of obtaining a copy of them or where they have been made available.

(2) In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing vis-à-vis the data subject:

a) the duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration;
b) if the processing is based on Article 6(1)(f), the legitimate interests pursued by the controller or a third party;
c) the existence of a right to request from the controller access to the personal data concerned and their rectification or erasure or the restriction of processing, a right to object to processing, and the right to data portability;
d) if the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of a right to withdraw consent at any time without affecting the lawfulness of the processing carried out on the basis of consent until withdrawal;
e) the existence of a right to lodge a complaint with a supervisory authority;
f) the source of the personal data and, if applicable, whether it comes from publicly available sources;
g) the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.

(3) The controller shall provide the information in accordance with paragraphs 1 and 2

a) taking into account the specific circumstances of the processing of the personal data, within a reasonable period after obtaining the personal data, but no longer than one month;
b) if the personal data are to be used to communicate with the data subject, at the latest at the time of the first communication to him or her; or
c) if disclosure to another recipient is intended, no later than the time of the first disclosure.

(4) If the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject with information about such other purpose and any other relevant information pursuant to paragraph 2 prior to such further processing.

(5) Paragraphs 1 to 4 shall not apply if and to the extent that

a) the data subject already has the information;
b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, subject to the conditions and safeguards referred to in Article 89(1), or insofar as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously prejudice the achievement of the purposes of such processing. In such cases, the controller shall take appropriate measures to protect the rights and freedoms and legitimate interests of the data subject, including making such information available to the public;
c) the obtaining or disclosure is expressly regulated by Union or Member State law to which the controller is subject and which provides for appropriate measures to protect the data subject’s legitimate interests; or
d) the personal data are subject to professional secrecy, including a statutory duty of confidentiality, in accordance with Union law or the law of the Member States and must therefore be treated confidentially.

Recitals

[see also Recital 61]

(62) However, the obligation to provide information is unnecessary if the data subject already has the information, if the storage or disclosure of the personal data is expressly regulated by law, or if informing the data subject proves impossible or involves a disproportionate effort. The latter could be the case, in particular, in the case of processing for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes. The number of data subjects, the age of the data or any appropriate safeguards should be considered as indications.

Article 15 Right of access of the data subject

(1) The data subject has the right to obtain confirmation from the controller as to whether personal data concerning him or her are being processed; if this is the case, he or she has a right of access to such personal data and to the following information:

a) the purposes of processing;
b) the categories of personal data that are processed;
c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular in the case of recipients in third countries or international organizations;
d) if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration;
e) the existence of a right to obtain the rectification or erasure of personal data concerning him or her, or to obtain the restriction of processing by the controller, or a right to object to such processing;
f) the existence of a right to lodge a complaint with a supervisory authority;
g) if the personal data are not collected from the data subject, any available information on the origin of the data;
h) the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.

(2) Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 in connection with the transfer.

(3) The controller shall provide a copy of the personal data that are the subject of the processing. For any additional copies requested by the data subject, the controller may charge a reasonable fee based on the administrative costs. If the data subject makes the request electronically, the information shall be provided in a commonly used electronic format, unless otherwise specified by the data subject.

(4) The right to receive a copy under paragraph 3 shall not affect the rights and freedoms of other persons.

Recitals

(63) A data subject should have a right of access regarding personal data concerning him or her that have been collected and should be able to exercise that right easily and at reasonable intervals in order to be aware of the processing and to be able to verify its lawfulness. This includes the right of data subjects to have access to their own health-related data, such as data in their patient files containing information such as diagnoses, examination results, findings of the treating physicians and information on treatments or interventions. Every data subject should therefore be entitled to know and be informed, in particular, for what purposes the personal data are processed and, where possible, for how long they are stored, who the recipients of the personal data are, what logic is involved in the automatic processing of personal data and what the likely consequences of such processing are, at least in cases where the processing is based on profiling. Where possible, the controller should be able to provide remote access to a secure system that would allow the data subject direct access to his or her personal data. This right should not affect the rights and freedoms of other persons, such as trade secrets or intellectual property rights and in particular copyright in software. However, this should not result in denying the data subject any access. Where the controller processes a large amount of information about the data subject, it should be able to require that the data subject specify to which information or which processing operations the request relates before providing access.

Section 3 Correction and deletion

Article 16 Right of rectification

The data subject shall have the right to obtain from the controller the rectification without undue delay of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject has the right to request that incomplete personal data be completed, including by means of a supplementary declaration.

Article 17 Right to erasure (“right to be forgotten”)

(1) The data subject shall have the right to obtain from the controller the erasure without delay of personal data concerning him or her, and the controller shall be obliged to erase personal data without delay where one of the following reasons applies:

a) The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
b) The data subject revokes the consent on which the processing was based pursuant to Article 6(1)(a) or Article 9(2)(a) and there is no other legal basis for the processing.
c) The data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2).
d) The personal data have been processed unlawfully.
e) The deletion of the personal data is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.
f) The personal data have been collected in relation to information society services offered in accordance with Article 8(1).

(2) If the controller has disclosed the personal data to the public and is obliged to erase them pursuant to paragraph 1, it shall take reasonable measures, including technical measures, having regard to the available technology and the cost of implementation, to inform data controllers which process the personal data that a data subject has requested that they erase all links to, or copies or replications of, such personal data.

(3) Paragraphs 1 and 2 shall not apply insofar as the processing is necessary

a) for the exercise of the right to freedom of expression and information;
b) for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
c) for reasons of public interest in the field of public health in accordance with Article 9(2)(h) and (i) and Article 9(3);
d) for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes as referred to in Article 89(1), where the right referred to in paragraph 1 is likely to render impossible or seriously prejudice the achievement of the purposes of such processing; or
e) for the assertion, exercise or defense of legal claims.

Recitals

(65) A data subject should have a right to rectify personal data concerning him or her, as well as a “right to be forgotten” if the storage of their data infringes this Regulation or Union law or the law of the Member States to which the controller is subject. In particular, data subjects should be entitled to have their personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, where data subjects have withdrawn their consent to processing or objected to the processing of personal data concerning them, or where the processing of their personal data otherwise infringes this Regulation. This right is particularly important in cases where the data subject gave his or her consent while still a child and, in this respect, could not fully foresee the risks associated with the processing and wishes to erase the personal data – especially those stored on the Internet – at a later stage. The data subject should be able to exercise this right even if he or she is no longer a child. However, the continued storage of the personal data should be lawful if it is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, for reasons of public interest in the field of public health, for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, or for the establishment, exercise or defense of legal claims.

(66) To give effect to the “right to be forgotten” online, the right to erasure should be extended by requiring a controller who has made the personal data public to notify the controllers who process that personal data to erase all links to, or copies or replications of, that personal data. In doing so, the controller should take reasonable measures, including technical measures, taking into account the available technologies and means at its disposal, to inform the controllers processing such personal data of the data subject’s request.

Article 18 Right to restriction of processing

(1) The data subject shall have the right to obtain from the controller the restriction of processing where one of the following conditions is met:

a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject refuses the erasure of the personal data and instead requests the restriction of the use of the personal data;
c) the controller no longer needs the personal data for the purposes of processing, but the data subject needs them for the establishment, exercise or defense of legal claims; or
d) the data subject has objected to the processing pursuant to Article 21(1), as long as it is not yet established whether the legitimate grounds of the controller override those of the data subject.

(2) Where processing has been restricted in accordance with paragraph 1, those personal data may be processed, except for storage, only with the consent of the data subject or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of substantial public interest of the Union or of a Member State.

(3) A data subject who has obtained a restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction is lifted.

Recitals

(67) Methods of restricting the processing of personal data could include temporarily transferring selected personal data to another processing system, blocking them from users, or temporarily removing published data from a website. In automated file systems, the restriction of processing should in principle be carried out by technical means in such a way that the personal data cannot be further processed in any way and cannot be modified. The fact that the processing of personal data has been restricted should be clearly indicated in the system.

Article 19 Notification obligation in connection with the rectification or erasure of personal data or the restriction of processing

The controller shall notify all recipients to whom personal data have been disclosed of any rectification or erasure of the personal data or restriction of processing pursuant to Article 16, Article 17(1) and Article 18, unless this proves impossible or involves a disproportionate effort. The controller shall inform the data subject of these recipients if the data subject so requests.

Article 20 Right to data portability

(1) The data subject shall have the right to receive the personal data concerning him or her that he or she has provided to a controller in a structured, commonly used and machine-readable format, and shall have the right to transmit such data to another controller without hindrance from the controller to whom the personal data have been provided, provided that

a) the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) or on a contract pursuant to Article 6(1)(b); and
b) the processing is carried out with the help of automated procedures.

(2) When exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to obtain that the personal data be transferred directly from one controller to another controller, where technically feasible.

(3) The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. This right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

(4) The right referred to in paragraph 2 shall not interfere with the rights and freedoms of other persons.

Recitals

(68) In addition, in order to have better control over one’s own data in the case of processing of personal data by automated means, the data subject should be entitled to receive the personal data concerning him or her that he or she has provided to a controller in a structured, commonly used, machine-readable and interoperable format and to transmit them to another controller. Controllers should be encouraged to develop interoperable formats that enable data portability. This right should apply where the data subject has provided the personal data with his or her consent or the processing is necessary for the performance of a contract. It should not apply if the processing is based on a legal basis other than consent or a contract. By its nature, this right should not be exercised against controllers who process personal data in the performance of their public tasks. It should therefore not apply where the processing of personal data is necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The right of the data subject to transmit or receive personal data concerning him or her should not create an obligation for the controller to adopt or maintain technically compatible data processing systems. Where, in the case of a given set of personal data, more than one data subject is affected, the right to receive the data should be without prejudice to the fundamental rights and freedoms of other data subjects under this Regulation. Moreover, that right should not affect the data subject’s right to erasure of his or her personal data and the limitations on that right under this Regulation and, in particular, should not mean that the data relating to the data subject and provided by him or her for the performance of a contract are erased to the extent and for as long as those personal data are necessary for the performance of the contract. Where technically feasible, the data subject should have the right to obtain that the personal data be transferred directly from one controller to another controller.

Section 4 Right to object and automated decision-making in individual cases

Article 21 Right of objection

(1) The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to processing of personal data concerning him or her which is carried out on the basis of Article 6(1)(e) or (f); this shall also apply to any profiling based on those provisions. The controller shall no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defense of legal claims.

(2) If personal data are processed for the purposes of direct marketing, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing; this shall also apply to profiling insofar as it is related to such direct marketing.

(3) If the data subject objects to the processing for direct marketing purposes, the personal data shall no longer be processed for these purposes.

(4) The data subject shall be expressly informed of the right referred to in paragraphs 1 and 2 no later than at the time of the first communication with him or her; this information shall be provided in a comprehensible form separate from other information.

(5) In the context of the use of information society services, notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by means of automated procedures using technical specifications.

(6) The data subject shall have the right, on grounds relating to his or her particular situation, to object to processing of personal data concerning him or her which is carried out for scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1), unless the processing is necessary for the performance of a task carried out in the public interest.

Recitals

(69) Where the personal data may be lawfully processed because the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or on grounds of the legitimate interest of the controller or a third party, any data subject should still have the right to object to the processing of personal data relating to his or her particular situation. The controller should have to demonstrate that its compelling legitimate interests override the interests or fundamental rights and freedoms of the data subject.

(70) Where personal data are processed for the purposes of direct marketing, the data subject should be able to object, free of charge, at any time to such processing, including profiling, whether carried out initially or subsequently, insofar as it relates to such direct marketing. The data subject should be expressly informed of this right; this information should be provided in a comprehensible form, separate from other information.

Article 22 Automated decisions in individual cases including profiling

(1) The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

(2) Paragraph 1 shall not apply if the decision

a) is necessary for the conclusion or performance of a contract between the data subject and the controller;
b) is permitted by Union or Member State legislation to which the controller is subject and that legislation contains appropriate measures to safeguard the rights and freedoms and legitimate interests of the data subject; or
c) takes place with the express consent of the data subject.

(3) In the cases referred to in paragraph 2(a) and (c), the controller shall take reasonable steps to safeguard the rights and freedoms as well as the legitimate interests of the data subject, which shall include, at least, the right to obtain the intervention of a person on the part of the controller, to express his or her point of view and to contest the decision.

(4) Decisions under paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless Article 9(2)(a) or (g) applies and appropriate measures have been taken to protect the rights and freedoms and legitimate interests of the data subject.

Recitals

(71) The data subject should have the right not to be subject to a decision – which may include a measure – evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as the automatic rejection of an online credit application or online recruitment procedures without any human intervention. Such processing also includes “profiling”, which consists in any form of automated processing of personal data evaluating personal aspects relating to a natural person, in particular for the purpose of analyzing or forecasting aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or conduct, location or change of location, where this produces legal effects concerning the data subject or similarly significantly affects him or her. However, decision-making based on such processing, including profiling, should be allowed where expressly permitted by Union law or the law of the Member States to which the controller is subject, including in order to comply with the rules, standards and recommendations of Union institutions or national supervisory bodies, to monitor and prevent fraud and tax evasion and to ensure the security and reliability of a service provided by the controller, or where it is necessary for the conclusion or performance of a contract between the data subject and a controller, or where the data subject has given his or her explicit consent. In any case, such processing should be subject to appropriate safeguards, including specific information to the data subject and the right to direct intervention by a person, to express his or her point of view, to have the decision taken after an appropriate evaluation explained, and to have the right to challenge the decision. This measure should not affect a child.

In order to ensure fair and transparent processing vis-à-vis the data subject, taking into account the specific circumstances and context in which the personal data are processed, the controller should use appropriate mathematical or statistical methods for profiling, implement technical and organisational measures to ensure in an appropriate manner, in particular, that factors leading to inaccurate personal data are corrected and the risk of error is minimized, and secure personal data in a manner that takes into account potential threats to the interests and rights of the data subject and that prevents discriminatory effects against natural persons on the basis of race, ethnic origin, political opinion, religion or belief, trade union membership, genetic makeup or health status, or sexual orientation, or measures that have such an effect. Automated decision-making and profiling based on special categories of personal data should only be allowed under certain conditions.

(72) Profiling is subject to the provisions of this Regulation governing the processing of personal data, such as the legal basis for the processing or the data protection principles. The European Data Protection Board established by this Regulation (hereinafter “Committee”) should be able to issue guidelines in this regard.

Sec­tion 5 Restrictions

Arti­cle 23 Restrictions

(1) Uni­on or Mem­ber Sta­te legis­la­ti­on to which the con­trol­ler or pro­ces­sor is sub­ject may, by way of legis­la­ti­ve mea­su­res, restrict the obli­ga­ti­ons and rights refer­red to in Arti­cles 12 to 22 and Arti­cle 34, and Arti­cle 5 in so far as its pro­vi­si­ons cor­re­spond to the rights and obli­ga­ti­ons pro­vi­ded for in Arti­cles 12 to 22, pro­vi­ded that such restric­tion respects the essence of fun­da­men­tal rights and free­doms and con­sti­tu­tes a necessa­ry and pro­por­tio­na­te mea­su­re in a demo­cra­tic socie­ty ensu­ring the following:

a) natio­nal security;
b) natio­nal defense;
c) public safety;
d) the pre­ven­ti­on, inve­sti­ga­ti­on, detec­tion or pro­se­cu­ti­on of cri­mi­nal offen­ses or the exe­cu­ti­on of sen­ten­ces, inclu­ding the pro­tec­tion against and the pre­ven­ti­on of thre­ats to public safety;
e) the pro­tec­tion of other important objec­ti­ves of gene­ral public inte­rest of the Uni­on or of a Mem­ber Sta­te, in par­ti­cu­lar an important eco­no­mic or finan­cial inte­rest of the Uni­on or of a Mem­ber Sta­te, such as in the mone­ta­ry, bud­get­a­ry, fis­cal, public health and social secu­ri­ty fields;
f) the pro­tec­tion of the inde­pen­dence of the judi­cia­ry and the pro­tec­tion of judi­cial proceedings;
g) the pre­ven­ti­on, detec­tion, inve­sti­ga­ti­on and pro­se­cu­ti­on of vio­la­ti­ons of the pro­fes­sio­nal rules of regu­la­ted professions;
h) con­trol, super­vi­so­ry and regu­la­to­ry func­tions per­ma­nent­ly or tem­pora­ri­ly con­nec­ted with the exer­cise of offi­cial aut­ho­ri­ty for the pur­po­ses refer­red to in sub­pa­ra­graphs (a) to (e) and (g);
i) the pro­tec­tion of the data sub­ject or the rights and free­doms of others;
j) the enfor­ce­ment of civil claims.

(2) Any legislative measure referred to in paragraph 1 shall, in particular, contain specific provisions, as appropriate, at least with respect to the following:

a) the purposes of the processing or the categories of processing;
b) the categories of personal data;
c) the scope of the restrictions made;
d) the safeguards against misuse or unlawful access or unlawful transmission;
e) the details of the person or categories of persons responsible;
f) the respective storage periods and the applicable safeguards, taking into account the nature, scope and purposes of the processing or the categories of processing;
g) the risks to the rights and freedoms of data subjects; and
h) the right of data subjects to be informed of the restriction, unless this is detrimental to the purpose of the restriction.

Recitals

(73) Union or Member State law may provide for restrictions in relation to certain principles and in relation to the right of information, access to and rectification or erasure of personal data, the right to data portability and objection, decisions based on profiling, as well as notifications of a personal data breach to a data subject and certain related obligations of data controllers, to the extent necessary and proportionate in a democratic society to maintain public safety, including, but not limited to, the protection of human life, in particular in the event of natural or man-made disasters, the prevention, detection and prosecution of criminal offences or the execution of sentences – which includes the protection against and the prevention of threats to public security – or the prevention, detection and prosecution of breaches of professional ethics in the case of regulated professions, the keeping of public registers for reasons of general public interest, and the further processing of archived personal data to provide specific information related to political behavior under former totalitarian regimes, and to protect other important objectives of general public interest of the Union or a Member State, such as important economic or financial interests, or to protect the data subject and the rights and freedoms of others, including in the areas of social security, public health and humanitarian aid. These restrictions should be consistent with the Charter and with the European Convention for the Protection of Human Rights and Fundamental Freedoms.

Chapter IV Controller and Processor

Section 1 General Duties

Article 24 Responsibility of the controller

(1) The controller shall implement appropriate technical and organizational measures to ensure and provide evidence that the processing is carried out in compliance with this Regulation, taking into account the nature, scope, context and purposes of the processing and the varying likelihood and severity of the risks to the rights and freedoms of natural persons. Those measures shall be reviewed and updated as necessary.

(2) Provided that this is proportionate to the processing activities, the measures referred to in paragraph 1 shall include the application by the controller of appropriate data protection safeguards.

(3) Compliance with the approved rules of conduct pursuant to Article 40 or with an approved certification procedure pursuant to Article 42 may be used as a factor to demonstrate compliance with the obligations of the controller.

Recitals

(74) The responsibility and liability of the controller for any processing of personal data carried out by him or on his behalf should be regulated. In particular, the controller should be required to take appropriate and effective measures and to be able to demonstrate that the processing activities comply with this Regulation and that the measures are also effective. In doing so, he should take into account the nature, scope, circumstances and purposes of the processing and the risk to the rights and freedoms of natural persons.

(75) The risks to the rights and freedoms of natural persons – with varying likelihood and severity – may arise from processing of personal data that could result in physical, material or non-material harm, in particular where the processing may result in discrimination, identity theft or fraud, financial loss, damage to reputation, a loss of confidentiality of personal data subject to professional secrecy, the unauthorized removal of pseudonymization, or other significant economic or social harm, if data subjects are deprived of their rights and freedoms or prevented from controlling personal data concerning them, if personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and genetic data, health data or data concerning sexual life or criminal convictions and offences or related security measures are processed, when personal aspects are evaluated, in particular when aspects concerning work performance, economic situation, health, personal preferences or interests, reliability or behavior, location or change of location are analyzed or predicted in order to create or use personal profiles, when personal data of vulnerable natural persons, in particular data of children, are processed, or when the processing involves a large amount of personal data and a large number of data subjects.

(76) The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined in relation to the nature, scope, circumstances and purposes of the processing. The risk should be assessed on the basis of an objective evaluation determining whether the data processing presents a risk or a high risk.

(77) Guidance on how the controller or processor should implement appropriate measures and how to demonstrate compliance with the requirements, in particular as regards the identification of the risk associated with the processing, its assessment in terms of cause, nature, likelihood and severity, and the identification of best practices for its mitigation, could be provided in particular in the form of approved codes of conduct, approved certification procedures, guidance issued by the Board or advice from a data protection officer. The Board may also issue guidance on processing operations that are not considered to present a high risk to the rights and freedoms of natural persons and indicate which mitigation measures may be sufficient in such cases.

Article 25 Data protection by design and by default

(1) Taking into account the state of the art, the costs of implementation and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons represented by the processing, the controller shall implement, both at the time of the determination of the means for the processing and at the time of the actual processing, appropriate technical and organizational measures – such as pseudonymization – designed to effectively implement data protection principles such as data minimization and to incorporate the necessary safeguards in the processing in order to meet the requirements of this Regulation and to protect the rights of data subjects.

(2) The controller shall take appropriate technical and organizational measures to ensure that, by default, only personal data whose processing is necessary for the specific processing purpose in question are processed. This obligation applies to the amount of personal data collected, the scope of their processing, their storage period and their accessibility. In particular, such measures must ensure that personal data are not made accessible to an indefinite number of natural persons through default settings without the intervention of the individual.

(3) An approved certification procedure pursuant to Article 42 may be used as a factor to demonstrate compliance with the requirements set forth in paragraphs 1 and 2 of this Article.

Recitals

(78) In order to protect the rights and freedoms of natural persons with regard to the processing of personal data, it is necessary that appropriate technical and organizational measures are taken to ensure compliance with the requirements of this Regulation. In order to be able to demonstrate compliance with this Regulation, the controller should establish internal policies and implement measures that comply, in particular, with the principles of data protection by design and data protection by default. Such measures could include minimizing the processing of personal data, pseudonymizing personal data as soon as possible, providing transparency regarding the functions and processing of personal data, enabling the data subject to monitor the processing of personal data, and enabling the controller to create and improve security features. With regard to the development, design, selection and use of applications, services and products that either rely on the processing of personal data or process personal data to perform their tasks, the producers of the products, services and applications should be encouraged to take into account the right to data protection in the development and design of the products, services and applications and to ensure, with due regard to the state of the art, that controllers and processors are able to comply with their data protection obligations. The principles of data protection by design and by default should also be taken into account in public tenders.

Article 26 Joint controllers

(1) Where two or more controllers jointly determine the purposes and means of the processing, they shall be joint controllers. They shall specify in an agreement in a transparent manner which of them fulfills which obligation under this Regulation, in particular as regards the exercise of the rights of the data subject, and which of them fulfills which information obligations under Articles 13 and 14, unless and insofar as the respective tasks of the controllers are laid down by Union or Member State law to which the controllers are subject. The agreement may specify a contact point for the data subjects.

(2) The agreement referred to in paragraph 1 shall duly reflect the respective actual functions and relationships of the joint controllers towards data subjects. The essence of the agreement shall be made available to the data subject.

(3) Notwithstanding the details of the agreement referred to in paragraph 1, the data subject may exercise his/her rights under this Regulation with and against each of the controllers.

Recitals

(79) In order to protect the rights and freedoms of data subjects and with regard to the responsibility and liability of controllers and processors, there is a need for a clear allocation of responsibilities by this Regulation, including where a controller determines the purposes and means of processing jointly with other controllers or where a processing operation is carried out on behalf of a controller, also with a view to the monitoring and other measures of supervisory authorities.

Article 27 Representatives of controllers or processors not established in the Union

(1) In the cases referred to in Article 3(2), the controller or processor shall designate in writing a representative in the Union.

(2) The obligation under paragraph 1 of this Article does not apply to

a) processing which is occasional, does not involve the processing of special categories of data on a large scale within the meaning of Article 9(1) or the processing of personal data relating to criminal convictions and offences on a large scale within the meaning of Article 10 and is not likely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, circumstances, scope and purposes of the processing; or
b) authorities or public bodies.

(3) The representative must be established in one of the Member States where the data subjects whose personal data are processed in connection with the goods or services offered to them or whose behavior is monitored are located.

(4) The representative shall be appointed by the controller or processor to serve as a point of contact, in addition to or in place of the controller, in particular for supervisory authorities and data subjects on all issues related to the processing to ensure compliance with this Regulation.

(5) The appointment of a representative by the controller or processor shall be without prejudice to any legal action against the controller or processor itself.

Recitals

(80) Any controller or processor not established in the Union whose processing activities relate to data subjects present in the Union and are intended to offer goods or services to such data subjects in the Union, whether or not payment is required from the data subject, or to monitor their behaviour where it takes place within the Union, should be required to designate a representative, unless the processing is carried out on an occasional basis, does not involve large-scale processing of special categories of personal data or the processing of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account its nature, circumstances, scope and purposes, or the controller is a public authority or public body. The representative should act on behalf of the controller or processor and serve as a point of contact for the supervisory authorities. The controller or processor should expressly appoint and authorize in writing the representative to act in its stead with respect to the obligations incumbent on it under this Regulation. The appointment of such a representative does not affect the responsibility or liability of the controller or processor under this Regulation. Such representative should perform his or her tasks in accordance with the mandate of the controller or processor and, in particular, cooperate with the competent supervisory authorities with regard to measures to ensure compliance with this Regulation. In the event of breaches by the controller or processor, the appointed representative should be subject to enforcement procedures.

Article 28 Processor

(1) Where processing is carried out on behalf of a controller, the controller shall only work with processors providing sufficient guarantees that appropriate technical and organizational measures will be implemented in such a way that the processing will comply with the requirements of this Regulation and ensure the protection of the rights of the data subject.

(2) The processor shall not use any other processor without the prior separate or general written consent of the controller. In the case of general written approval, the processor shall always inform the controller of any intended change regarding the use or replacement of other processors, giving the controller the opportunity to object to such changes.

(3) Processing by a processor shall be carried out on the basis of a contract or other legal instrument under Union or Member State law which binds the processor in relation to the controller and which specifies the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the obligations and rights of the controller. This contract or other legal instrument shall provide in particular that the processor:

a) processes the personal data only on the documented instructions of the controller – including in relation to the transfer of personal data to a third country or an international organization – unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall notify the controller of such legal requirements prior to the processing, unless the law in question prohibits such notification on grounds of important public interest;
b) ensures that the persons authorized to process the personal data have committed themselves to confidentiality or are subject to an appropriate legal duty of confidentiality;
c) takes all necessary measures in accordance with Article 32;
d) complies with the conditions referred to in paragraphs 2 and 4 for the use of the services of another processor;
e) in view of the nature of the processing, assists the controller, where possible, with appropriate technical and organizational measures to comply with its obligation to respond to requests to exercise the rights of the data subject referred to in Chapter III;
f) taking into account the nature of the processing and the information at its disposal, assists the controller in complying with the obligations referred to in Articles 32 to 36;
g) upon completion of the provision of the processing services, either erases or returns all personal data at the choice of the controller and deletes the existing copies, unless there is an obligation to store the personal data under Union or Member State law;
h) provides the controller with all necessary information to demonstrate compliance with the obligations set forth in this Article and allows and contributes to verifications, including inspections, conducted by the controller or another auditor appointed by the controller.

With regard to point (h) of the first subparagraph, the processor shall inform the controller without undue delay if it considers that an instruction infringes this Regulation or other Union or Member State data protection provisions.

(4) Where the processor uses the services of another processor to carry out certain processing activities on behalf of the controller, the same data protection obligations as those laid down in the contract or other legal instrument between the controller and the processor referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal instrument in accordance with Union law or the law of the Member State concerned, in particular providing sufficient guarantees that the appropriate technical and organizational measures will be implemented in such a way that the processing will be carried out in accordance with the requirements of this Regulation. If the further processor fails to comply with its data protection obligations, the first processor shall be liable to the controller for compliance with the obligations of that other processor.

(5) A processor’s compliance with approved codes of conduct pursuant to Article 40 or an approved certification procedure pursuant to Article 42 may be used as a factor to demonstrate sufficient guarantees within the meaning of paragraphs 1 and 4 of this Article.

(6) Without prejudice to an individual contract between the controller and the processor, the contract or other legal instrument referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on the standard contractual clauses referred to in paragraphs 7 and 8 of this Article, even if they are part of a certification granted to the controller or the processor pursuant to Articles 42 and 43.

(7) The Commission may, in accordance with the examination procedure referred to in Article 87(2), establish standard contractual clauses to address the issues referred to in paragraphs 3 and 4 of this Article.

(8) A supervisory authority may, in accordance with the consistency mechanism referred to in Article 63, establish standard contractual clauses to address the issues referred to in paragraphs 3 and 4 of this Article.

(9) The contract or other legal instrument referred to in paragraphs 3 and 4 shall be in writing, which may also be in an electronic format.

(10) Without prejudice to Articles 82, 83 and 84, a processor who determines the purposes and means of processing in breach of this Regulation shall be deemed to be a controller in respect of such processing.

Recitals

(81) In order to comply with the requirements of this Regulation in relation to the processing to be carried out by the processor on behalf of the controller, a controller intending to entrust processing activities to a processor should only use processors which provide sufficient guarantees, in particular in terms of expertise, reliability and resources, that technical and organisational measures, including for the security of the processing, will be implemented in compliance with the requirements of this Regulation. A processor’s compliance with approved codes of conduct or an approved certification procedure may be used as a factor to demonstrate compliance with the controller’s obligations. Processing by a processor should be carried out on the basis of a contract or other legal instrument under Union or Member State law binding the processor to the controller and specifying the subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal data and the categories of data subjects, taking into account the specific tasks and obligations of the processor in the processing envisaged and the risk to the rights and freedoms of the data subject. The controller and processor may decide to use an individual contract or standard contractual clauses either adopted directly by the Commission or adopted by a supervisory authority after the consistency procedure and then adopted by the Commission. Upon termination of the processing on behalf of the controller, the processor should, at the choice of the controller, either return or erase the personal data, unless there is an obligation to retain the personal data under Union or Member State law to which the processor is subject.

(95) Where necessary, the processor should assist the controller, upon request, in ensuring compliance with the obligations resulting from the performance of the data protection impact assessment and the prior consultation of the supervisory authority.

Article 29 Processing under the supervision of the controller or processor

The processor and any person subordinate to the controller or processor who has access to personal data may process such data only on the instructions of the controller, unless they are obliged to process under Union or Member State law.

Article 30 Register of processing activities

(1) Each controller and, where applicable, its representative shall keep a register of all processing activities under its responsibility. This register shall contain all of the following information:

a) the name and contact details of the controller and, if applicable, of any joint controller, of the controller’s representative and of any data protection officer;
b) the purposes of the processing;
c) a description of the categories of data subjects and the categories of personal data;
d) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
e) where applicable, transfers of personal data to a third country or to an international organization, including an indication of the third country or international organization concerned and, in the case of transfers referred to in the second subparagraph of Article 49(1), documentation of appropriate safeguards;
f) if possible, the foreseen deadlines for the deletion of the different categories of data;
g) if possible, a general description of the technical and organizational measures referred to in Article 32(1).

(2) Each processor and, where applicable, its representative shall keep a register of all categories of processing activities carried out on behalf of a controller, which shall include:

a) the name and contact details of the processor or processors and of any controller on whose behalf the processor is acting and, where applicable, of the controller’s or processor’s representative and of any data protection officer;
b) the categories of processing operations carried out on behalf of each controller;
c) where applicable, transfers of personal data to a third country or to an international organization, including an indication of the third country or international organization concerned and, in the case of transfers referred to in the second subparagraph of Article 49(1), documentation of appropriate safeguards;
d) if possible, a general description of the technical and organizational measures referred to in Article 32(1).

(3) The register referred to in paragraphs 1 and 2 shall be kept in writing, which may also be in an electronic format.

(4) The controller or processor and, if applicable, the controller’s or processor’s representative shall make the register available to the supervisory authority upon request.

(5) The obligations referred to in paragraphs 1 and 2 shall not apply to undertakings or bodies employing fewer than 250 staff, unless the processing they carry out involves a risk to the rights and freedoms of data subjects, the processing is not occasional or involves the processing of special categories of data referred to in Article 9(1) or the processing of personal data relating to criminal convictions and offences referred to in Article 10.

Recitals

(82) In order to demonstrate compliance with this Regulation, the controller or processor should keep a register of the processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and to provide it, upon request, with the relevant register so that the processing operations concerned can be checked against those registers.

Article 31 Cooperation with the supervisory authority

The controller and processor and, if applicable, their representatives shall cooperate with the supervisory authority in the performance of their duties upon request.

Section 2 Security of personal data

Article 32 Security of processing

(1) Taking into account the state of the art, the costs of implementation and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, the controller and processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, where relevant, the following:

a) the pseudonymization and encryption of personal data;
b) the ability to ensure the confidentiality, integrity, availability and resilience of the systems and services related to the processing on a permanent basis;
c) the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident;
d) a procedure for periodic review, assessment and evaluation of the effectiveness of technical and organizational measures to ensure the security of processing.

(2) The assessment of the adequate level of protection shall, in particular, take into account the risks associated with the processing, in particular from destruction, loss, alteration or unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed, whether accidental or unlawful.

(3) Compliance with approved rules of conduct pursuant to Article 40 or an approved certification procedure pursuant to Article 42 may be used as a factor to demonstrate compliance with the requirements set forth in paragraph 1 of this Article.

(4) The controller and processor shall take steps to ensure that natural persons under their authority who have access to personal data process them only on the instructions of the controller, unless they are obliged to process them under Union or Member State law.

Recitals

(83) In order to maintain security and to prevent processing in breach of this Regulation, the controller or processor should identify the risks associated with the processing and implement measures to mitigate them, such as encryption. These measures should ensure a level of protection, including confidentiality, appropriate to the risks represented by the processing and the nature of the personal data to be protected, taking into account the state of the art and the costs of implementation. The data security risk assessment should take into account the risks associated with the processing of personal data, such as, whether accidental or unlawful, destruction, loss, alteration or unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed, in particular where this could result in physical, material or non-material damage.

Article 33 Notification of personal data breaches to the supervisory authority

(1) In the event of a personal data breach, the controller shall, without undue delay and, where possible, within 72 hours of becoming aware of the breach, notify it to the supervisory authority responsible pursuant to Article 51, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by a justification for the delay.

(2) If the processor becomes aware of a personal data breach, it shall notify the controller without undue delay.

(3) The notification referred to in paragraph 1 shall contain at least the following information:

a) a description of the nature of the personal data breach, including, to the extent possible, the categories and approximate number of data subjects affected and the categories and approximate number of personal data records affected;
b) the name and con­ta­ct details of the data pro­tec­tion offi­cer or other point of con­ta­ct for fur­ther information;
c) a descrip­ti­on of the likely con­se­quen­ces of the per­so­nal data breach;
d) A descrip­ti­on of the mea­su­res taken or pro­po­sed by the data con­trol­ler to address the per­so­nal data bre­ach and, whe­re appro­pria­te, mea­su­res to miti­ga­te its poten­ti­al adver­se effects.

(4) If and to the extent that the infor­ma­ti­on can­not be pro­vi­ded at the same time, the respon­si­ble par­ty may pro­vi­de such infor­ma­ti­on incre­ment­al­ly without unre­a­son­ab­le fur­ther delay.

(5) The Con­trol­ler shall docu­ment per­so­nal data brea­ches, inclu­ding all facts rela­ted to the per­so­nal data bre­ach, its effects and the reme­di­al actions taken. This docu­men­ta­ti­on shall enab­le the super­vi­so­ry aut­ho­ri­ty to veri­fy com­pli­an­ce with the pro­vi­si­ons of this Article.

Recitals

(85) A personal data breach, if not addressed in a timely and appropriate manner, may result in physical, material or non-material harm to individuals, such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorized reversal of pseudonymization, damage to reputation, loss of confidentiality of data subject to professional secrecy, or other significant economic or social harm to the individual concerned. Therefore, as soon as the controller becomes aware of a personal data breach, it should notify the supervisory authority of the personal data breach without undue delay and, where possible, within no more than 72 hours of becoming aware of it, unless the controller can demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification cannot be made within 72 hours, the reasons for the delay should accompany it, and the information may be provided in phases without unreasonable further delay.

(88) Detailed rules governing the format and procedures for reporting personal data breaches should give sufficient consideration to the circumstances of the breach, such as whether the personal data were protected by appropriate technical safeguards that effectively reduce the likelihood of identity fraud or other forms of data misuse. Moreover, such rules and procedures should take into account the legitimate interests of law enforcement authorities in cases where early disclosure would unnecessarily hamper the investigation of the circumstances surrounding a personal data breach.

Article 34 Notification of a personal data breach to the data subject

(1) If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall notify the data subject of the breach without undue delay.

(2) The notification to the data subject referred to in paragraph 1 shall describe in clear and plain language the nature of the personal data breach and shall include at least the information and measures referred to in Article 33(3)(b), (c) and (d).

(3) Notification to the data subject under paragraph 1 is not required if any of the following conditions is met:

a) the controller has implemented appropriate technical and organizational security measures and those measures have been applied to the personal data affected by the breach, in particular measures that render the personal data unintelligible to any person who is not authorized to access them, such as encryption;
b) the controller has ensured by subsequent measures that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialize;
c) the notification would involve a disproportionate effort. In such a case, a public communication or a similar measure shall be made instead, by which the data subjects are informed in an equally effective manner.

(4) If the controller has not already notified the data subject of the personal data breach, the supervisory authority, having considered the likelihood that the personal data breach will result in a high risk, may require the controller to do so, or may decide that any of the conditions referred to in paragraph 3 are met.

Recitals

(86) The controller should notify the data subject of the personal data breach without undue delay where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, in order to enable them to take the necessary precautions. The notification should include a description of the nature of the personal data breach and recommendations addressed to the natural person concerned to mitigate any adverse effects of that breach. Such notifications to the data subject should always be made as soon as reasonably practicable, in close consultation with the supervisory authority and in accordance with any instructions given by the supervisory authority or other competent authorities, such as law enforcement authorities. For example, to be able to mitigate the risk of immediate harm, data subjects would need to be notified immediately, whereas a longer notification period may be justified when the purpose is to take appropriate measures against ongoing or similar personal data breaches.

(87) It should be determined whether all appropriate technical protection and organizational measures have been implemented in order to establish immediately whether a personal data breach has occurred and to be able to promptly notify the supervisory authority and the data subject. In determining whether notification has been made without undue delay, the nature and severity of the personal data breach and its consequences and adverse effects for the data subject should be taken into account. The appropriate notification may result in action by the supervisory authority in accordance with its tasks and powers set forth in this Regulation.

Section 3 Data protection impact assessment and prior consultation

Article 35 Data protection impact assessment

(1) Where a form of processing, in particular where new technologies are used, is likely to result in a high risk to the rights and freedoms of natural persons by virtue of the nature, scope, context and purposes of the processing, the controller shall carry out, in advance, an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may be carried out to examine several similar processing operations that present similar high risks.

(2) The controller shall seek the advice of the data protection officer, if one has been appointed, when conducting a data protection impact assessment.

(3) A data protection impact assessment pursuant to paragraph 1 is required in particular in the following cases:

a) a systematic and comprehensive assessment of personal aspects relating to natural persons which is based on automated processing, including profiling, and which in turn serves as a basis for decisions that produce legal effects concerning natural persons or similarly significantly affect them;
b) extensive processing of special categories of personal data pursuant to Article 9(1) or of personal data relating to criminal convictions and offences pursuant to Article 10; or
c) systematic extensive monitoring of publicly accessible areas.

(4) The supervisory authority shall establish and make public a list of the processing operations for which a data protection impact assessment is to be carried out pursuant to paragraph 1. The supervisory authority shall communicate those lists to the Board referred to in Article 68.

(5) The supervisory authority may also establish and publish a list of the types of processing operations for which a data protection impact assessment is not required. The supervisory authority shall communicate those lists to the Board.

(6) Before adopting the lists referred to in paragraphs 4 and 5, the competent supervisory authority shall apply the consistency mechanism referred to in Article 63 where such lists include processing activities which are related to the offering of goods or services to data subjects or the monitoring of the behavior of such data subjects in several Member States, or which could significantly affect the free flow of personal data within the Union.

(7) The impact assessment shall contain at least the following:

a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interests pursued by the controller;
b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
c) an assessment of the risks to the rights and freedoms of the data subjects referred to in paragraph 1; and
d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.

(8) Compliance with approved codes of conduct pursuant to Article 40 by the controllers or processors concerned shall be duly taken into account when assessing the impact of the processing operations carried out by them, in particular for the purposes of a data protection impact assessment.

(9) Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations.

(10) Where the processing referred to in Article 6(1)(c) or (e) has a legal basis in Union law or in the law of the Member State to which the controller is subject, where that law regulates the specific processing operation or set of operations in question, and where a data protection impact assessment has already been carried out as part of the general impact assessment in the context of the adoption of that legal basis, paragraphs 1 to 7 shall apply only if the Member States deem it necessary to carry out such an assessment prior to the processing activities concerned.

(11) Where necessary, the controller shall carry out a review to assess whether the processing is performed in accordance with the data protection impact assessment, at least when there is a change in the risk represented by the processing operations.

Recitals

(84) In order to better comply with this Regulation where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the controller should be responsible for carrying out a data protection impact assessment evaluating, in particular, the origin, nature, particularity and severity of that risk. The results of the assessment should be taken into account when deciding on the appropriate measures to be taken in order to demonstrate that the processing of personal data complies with this Regulation. Where a data protection impact assessment indicates that processing operations present a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, the supervisory authority should be consulted prior to the processing.

(89) Under Directive 95/46/EC, personal data processing operations were generally subject to notification to the supervisory authorities. This notification requirement is bureaucratic and financially burdensome and has not in all cases led to better protection of personal data. Such indiscriminate general notification requirements should therefore be abolished and replaced by effective procedures and mechanisms which instead focus on those types of processing operations that are likely to present a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purposes. Such types of processing operations include, in particular, those that involve new technologies or are of a new kind and for which the controller has not yet carried out a data protection impact assessment, or for which a data protection impact assessment has become necessary due to the time that has elapsed since the original processing.

(90) In such cases, the controller should carry out a data protection impact assessment prior to the processing, evaluating the specific likelihood and severity of that high risk, taking into account the nature, scope, context and purposes of the processing and the sources of the risk. That impact assessment should address in particular the measures, safeguards and mechanisms envisaged to mitigate that risk, ensure the protection of personal data and demonstrate compliance with this Regulation.

(91) This should apply in particular to large-scale processing operations which are intended to process a considerable amount of personal data at regional, national or supranational level, are likely to affect a large number of individuals and are likely to involve a high risk, for example on account of their sensitivity, and which make extensive use of new technology in accordance with the state of the art, as well as to other processing operations which present a high risk to the rights and freedoms of data subjects, in particular where those processing operations make it more difficult for data subjects to exercise their rights. A data protection impact assessment should also be carried out where personal data are processed for the purpose of taking decisions regarding specific natural persons following a systematic and in-depth assessment of personal aspects of natural persons based on profiling of those data, or following the processing of special categories of personal data, biometric data, or data relating to criminal convictions and offences and related security measures. Similarly, a data protection impact assessment is required for the large-scale monitoring of publicly accessible areas, in particular by means of optoelectronic devices, or for any other operation where, in the opinion of the competent supervisory authority, the processing is likely to result in a high risk to the rights and freedoms of data subjects, in particular because it prevents data subjects from exercising a right or using a service or performing a contract, or because it is carried out systematically on a large scale. The processing of personal data should not be considered to be on a large scale if the processing concerns personal data of patients or clients and is carried out by an individual physician, other health care professional or lawyer. In such cases, a data protection impact assessment should not be mandatory.

(92) In certain circumstances, it may be reasonable and economical to make the subject matter of a data protection impact assessment broader than a single project, for example where public authorities or public bodies intend to establish a common application or processing platform, or where several controllers plan to introduce a common application or processing environment across an entire industry sector or segment, or for a widely used horizontal activity.

(93) In the context of the adoption of the Member State law on the basis of which the public authority or public body performs its tasks and which regulates the specific processing operation or set of operations in question, Member States may deem it necessary to carry out such impact assessments prior to the processing activities.

Article 36 Prior consultation

(1) The controller shall consult the supervisory authority prior to the processing where a data protection impact assessment pursuant to Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.

(2) Where the supervisory authority is of the opinion that the intended processing referred to in paragraph 1 would infringe this Regulation, in particular because the controller has insufficiently identified or mitigated the risk, it shall, within a period of up to eight weeks of receipt of the request for consultation, provide written advice to the controller and, where applicable, to the processor, and may exercise any of its powers referred to in Article 58. That period may be extended by six weeks, taking into account the complexity of the intended processing. The supervisory authority shall inform the controller and, where applicable, the processor of any such extension within one month of receipt of the request for consultation, together with the reasons for the delay. Those periods may be suspended until the supervisory authority has obtained the information it has requested for the purposes of the consultation.

(3) When consulting the supervisory authority pursuant to paragraph 1, the controller shall provide the supervisory authority with the following information:

a) where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;
b) the purposes and means of the intended processing;
c) the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to this Regulation;
d) where applicable, the contact details of the data protection officer;
e) the data protection impact assessment pursuant to Article 35; and
f) any other information requested by the supervisory authority.

(4) Member States shall consult the supervisory authority during the preparation of a proposal for a legislative measure to be adopted by a national parliament, or of a regulatory measure based on such a legislative measure, which relates to processing.

(5) Notwithstanding paragraph 1, Member State law may require controllers to consult with, and obtain prior authorization from, the supervisory authority in relation to processing for the performance of a task carried out in the public interest, including processing in relation to social protection and public health.

Recitals

(94) Where a data protection impact assessment indicates that the processing would, in the absence of safeguards, security measures and mechanisms to mitigate the risk, result in a high risk to the rights and freedoms of natural persons, and the controller is of the opinion that the risk cannot be mitigated by reasonable means in terms of available technologies and costs of implementation, the supervisory authority should be consulted prior to the start of the processing activities. Such high risk is likely to result from certain types of processing and from the extent and frequency of processing, which may also result in damage or interference with the rights and freedoms of natural persons. The supervisory authority should respond to the request for consultation within a specified period. However, the absence of a reaction by the supervisory authority within that period should be without prejudice to any intervention by the supervisory authority in accordance with its tasks and powers laid down in this Regulation, including the power to prohibit processing operations. As part of that consultation process, the outcome of a data protection impact assessment carried out with regard to the processing at issue may be submitted to the supervisory authority, in particular the measures envisaged to mitigate the risk to the rights and freedoms of natural persons.

(96) A consultation of the supervisory authority should also take place in the course of the preparation of a legislative or regulatory measure which provides for the processing of personal data, in order to ensure compliance of the intended processing with this Regulation and, in particular, to mitigate the risk involved for the data subject.

Section 4 Data protection officer

Article 37 Designation of the data protection officer

(1) The controller and the processor shall designate a data protection officer in any case where

a) the processing is carried out by a public authority or public body, with the exception of courts acting in their judicial capacity,
b) the core activities of the controller or processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale, or
c) the core activities of the controller or processor consist of large-scale processing of special categories of data pursuant to Article 9 or of personal data relating to criminal convictions and offences pursuant to Article 10.

(2) A group of undertakings may appoint a single data protection officer, provided that the data protection officer is easily accessible from each establishment.

(3) Where the controller or processor is a public authority or public body, a single data protection officer may be designated for several such authorities or bodies, taking into account their organizational structure and size.

(4) In cases other than those referred to in paragraph 1, the controller or processor, or associations and other bodies representing categories of controllers or processors, may, and where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act on behalf of such associations and other bodies representing controllers or processors.

(5) The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices, and the ability to fulfil the tasks referred to in Article 39.

(6) The data protection officer may be a staff member of the controller or processor, or may fulfil the tasks on the basis of a service contract.

(7) The controller or processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.

Recitals

(97) Where the processing is carried out by a public authority, except for courts or independent judicial authorities acting in their judicial capacity, where, in the private sector, processing is carried out by a controller whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or where the core activities of the controller or processor consist of large-scale processing of special categories of personal data or of data relating to criminal convictions and offences, a person with expert knowledge of data protection law and practices should assist the controller or processor in monitoring internal compliance with this Regulation. In the private sector, the core activities of a controller relate to its primary activities and not to the processing of personal data as an ancillary activity. The necessary level of expert knowledge should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or processor. Such data protection officers, whether or not they are employees of the controller, should be in a position to perform their duties and tasks in an independent manner.

Article 38 Position of the data protection officer

(1) The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.

(2) The controller and the processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing the resources necessary to carry out those tasks, access to personal data and processing operations, and the resources necessary to maintain his or her expert knowledge.

(3) The controller and the processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. The data protection officer shall not be dismissed or penalized by the controller or processor for performing his or her tasks. The data protection officer shall report directly to the highest management level of the controller or processor.

(4) Data subjects may contact the data protection officer with regard to all issues related to the processing of their personal data and to the exercise of their rights under this Regulation.

(5) The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.

(6) The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.

Article 39 Tasks of the data protection officer

(1) The data protection officer shall have at least the following tasks:

a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
c) to provide advice, where requested, as regards the data protection impact assessment and to monitor its performance pursuant to Article 35;
d) to cooperate with the supervisory authority;
e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.

(2) The data protection officer shall, in the performance of his or her tasks, have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

Sec­tion 5 Rules of con­duct and certification

Arti­cle 40 Rules of conduct

(1) The Mem­ber Sta­tes, the super­vi­so­ry aut­ho­ri­ties, the Com­mit­tee and the Com­mis­si­on shall encou­ra­ge the deve­lo­p­ment of codes of con­duct to con­tri­bu­te to the pro­per app­li­ca­ti­on of this Regu­la­ti­on, taking into account the spe­ci­fi­ci­ties of each pro­ces­sing sec­tor and the par­ti­cu­lar needs of micro, small and medi­um-sized enterprises.

(2) Asso­cia­ti­ons and other fede­ra­ti­ons repre­sen­ting cate­go­ries of con­trol­lers or pro­ces­sors may deve­lop or amend or extend codes of con­duct cla­ri­fy­ing the app­li­ca­ti­on of this Regu­la­ti­on to, for examp­le, the following:

a) fair and trans­pa­rent processing;
b) the legi­ti­ma­te inte­rests of the per­son respon­si­ble in cer­tain contexts;
c) Collec­tion of per­so­nal data;
d) Pseud­ony­miz­a­ti­on of per­so­nal data;
e) Infor­ming the public and affec­ted individuals;
f) Exer­cise of the rights of data subjects;
g) Infor­ma­ti­on and pro­tec­tion of child­ren and the man­ner in which the con­sent of the hol­der of paren­tal respon­si­bi­li­ty for the child is to be obtained;
h) the mea­su­res and pro­ce­du­res refer­red to in Arti­cles 24 and 25 and the mea­su­res for the secu­ri­ty of pro­ces­sing refer­red to in Arti­cle 32;
i) reporting per­so­nal data brea­ches to super­vi­so­ry aut­ho­ri­ties and noti­fy­ing the data sub­ject of such per­so­nal data breaches;
j) the trans­fer of per­so­nal data to third coun­tries or to inter­na­tio­nal orga­niz­a­ti­ons, or
k) out-of-court pro­ce­du­res and other dis­pu­te reso­lu­ti­on pro­ce­du­res for the sett­le­ment of dis­pu­tes bet­ween con­trol­lers and data sub­jects in rela­ti­on to pro­ces­sing, without pre­ju­di­ce to the rights of data sub­jects under Arti­cles 77 and 79.

(3) In addition to compliance by controllers or processors covered by this Regulation, codes of conduct approved in accordance with paragraph 5 of this Article and having general application in accordance with paragraph 9 of this Article may also be complied with by controllers or processors not covered by this Regulation in accordance with Article 3 in order to provide appropriate safeguards in the context of transfers of personal data to third countries or international organizations in accordance with Article 46(2)(e). Those controllers or processors shall enter into a binding and enforceable obligation, by means of contractual or other legally binding instruments, to apply the appropriate safeguards, including with respect to the rights of data subjects.

(4) The codes of conduct referred to in paragraph 2 of this Article shall provide for procedures enabling the body referred to in Article 41(1) to carry out mandatory monitoring of compliance with their provisions by controllers or processors who undertake to apply the codes of conduct, without prejudice to the tasks and powers of the supervisory authority competent under Article 55 or 56.

(5) Associations and other bodies referred to in paragraph 2 of this Article intending to prepare codes of conduct or to amend or extend existing codes of conduct shall submit the draft code of conduct or the draft amendment or extension thereof to the supervisory authority competent under Article 55. The supervisory authority shall give an opinion on whether the draft code of conduct or the draft amendment or extension thereof is compatible with this Regulation and shall approve such draft code of conduct or draft amendment or extension thereof if it considers that it provides sufficient appropriate safeguards.

(6) If the opinion referred to in paragraph 5 approves the draft code of conduct or the draft amendment or extension thereof, and if the code of conduct in question does not relate to processing activities in several Member States, the supervisory authority shall include the code of conduct in a list and publish it.

(7) Where the draft code of conduct relates to processing activities in several Member States, the supervisory authority competent pursuant to Article 55 shall, before approving the draft code of conduct or the draft amendment or extension thereof, submit it in accordance with the procedure referred to in Article 63 to the Board, which shall give an opinion on whether the draft code of conduct or the draft amendment or extension thereof complies with this Regulation or, in the case referred to in paragraph 3 of this Article, provides for appropriate safeguards.

(8) If the opinion referred to in paragraph 7 confirms that the draft code of conduct or the draft amendment or extension thereof is compatible with this Regulation or, in the case referred to in paragraph 3, provides for appropriate safeguards, the Board shall forward its opinion to the Commission.

(9) The Commission may, by means of implementing acts, decide that the approved codes of conduct notified to it in accordance with paragraph 8, or their approved amendment or extension, shall have general validity in the Union. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

(10) The Commission shall ensure that the approved codes of conduct which have been granted general validity in accordance with paragraph 9 are published in an appropriate manner.

(11) The Board shall record all approved codes of conduct or their approved amendments or extensions in a register and publish them in an appropriate manner.

Recitals

(98) Associations or other bodies representing certain categories of controllers or processors should be encouraged to draw up codes of conduct within the limits of this Regulation in order to facilitate the effective application of this Regulation, taking into account the specificities of processing operations carried out in certain sectors and the specific needs of micro, small and medium-sized enterprises. In particular, these codes of conduct could determine the obligations of controllers and processors, taking into account the risk to the rights and freedoms of natural persons likely to be presented by the processing.

(99) When developing, amending or extending such codes of conduct, associations or other bodies representing certain categories of controllers or processors should consult relevant stakeholders, including, where possible, data subjects, and take into account the input and opinions they receive in the process.

Article 41 Monitoring of approved codes of conduct

(1) Without prejudice to the tasks and powers of the competent supervisory authority pursuant to Articles 57 and 58, the monitoring of compliance with codes of conduct pursuant to Article 40 may be carried out by a body which has the appropriate expertise with regard to the subject matter of the codes of conduct and which has been accredited for that purpose by the competent supervisory authority.

(2) A body referred to in paragraph 1 may be accredited for the purpose of monitoring compliance with codes of conduct if it

a) has demonstrated its independence and expertise with respect to the subject matter of the codes of conduct to the satisfaction of the competent supervisory authority;
b) has established procedures that enable it to assess whether controllers and processors can apply the codes of conduct, to monitor the compliance of controllers and processors with the codes of conduct, and to review the application of the codes of conduct on a regular basis;
c) has established procedures and structures for investigating complaints about violations of the codes of conduct or about the way in which the codes of conduct are or have been applied by the controller or processor and for making these procedures and structures transparent to data subjects and the public; and
d) has demonstrated to the satisfaction of the competent supervisory authority that its duties and responsibilities do not give rise to a conflict of interest.

(3) The competent supervisory authority shall submit the draft criteria for the accreditation of a body referred to in paragraph 1 to the Board in accordance with the consistency procedure referred to in Article 63.

(4) Without prejudice to the tasks and powers of the competent supervisory authority and the provisions of Chapter VIII, a body referred to in paragraph 1 shall, subject to appropriate safeguards, take appropriate measures in the event of a breach of the codes of conduct by a controller or a processor, including temporary or permanent exclusion of the controller or processor from the codes of conduct. It shall inform the competent supervisory authority of such measures and their justification.

(5) The competent supervisory authority shall revoke the accreditation of a body referred to in paragraph 1 if the conditions for its accreditation are not or are no longer fulfilled or if the body takes measures which are not in conformity with this Regulation.

(6) This Article does not apply to processing by public authorities or public bodies.

Article 42 Certification

(1) Member States, supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification schemes and data protection seals and marks to demonstrate compliance with this Regulation in processing operations by controllers or processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.

(2) In addition to compliance by controllers or processors covered by this Regulation, data protection specific certification procedures, seals or marks approved in accordance with paragraph 5 of this Article may also be provided for in order to demonstrate that controllers or processors not covered by this Regulation pursuant to Article 3 provide appropriate safeguards in the context of transfers of personal data to third countries or international organizations in accordance with point (f) of Article 46(2). Those controllers or processors shall enter into a binding and enforceable obligation, by means of contractual or other legally binding instruments, to apply those appropriate safeguards, including with respect to the rights of data subjects.

(3) Certification must be voluntary and accessible through a transparent process.

(4) Certification under this Article shall not diminish the responsibility of the controller or processor for compliance with this Regulation and shall not affect the tasks and powers of the supervisory authorities competent under Article 55 or 56.

(5) Certification under this Article shall be granted by the certification bodies referred to in Article 43 or by the competent supervisory authority on the basis of criteria approved by that competent supervisory authority pursuant to Article 58(3) or, pursuant to Article 63, by the Board. If the criteria are approved by the Board, this may lead to a common certification, the European Data Protection Seal.

(6) The controller or processor subjecting the processing carried out by it to the certification procedure shall provide the certification body referred to in Article 43 or, where applicable, the competent supervisory authority with all the information necessary for carrying out the certification procedure and shall grant it the access to its processing activities required in this context.

(7) Certification shall be granted to a controller or processor for a maximum period of three years and may be renewed under the same conditions, provided that the relevant requirements continue to be met. Certification shall be revoked, as appropriate, by the certification bodies referred to in Article 43 or by the competent supervisory authority if the conditions for certification are not or are no longer met.

(8) The Board shall record all certification procedures and data protection seals and marks in a register and publish them in an appropriate manner.

Recitals

(100) In order to increase transparency and improve compliance with this Regulation, the establishment of certification procedures and data protection seals and marks should be encouraged, so that data subjects can quickly assess the level of data protection of relevant products and services.

Article 43 Certification bodies

(1) Without prejudice to the tasks and powers of the competent supervisory authority pursuant to Articles 57 and 58, certification bodies having the appropriate expertise with regard to data protection shall, after informing the supervisory authority – in order to enable it to make use of its powers under point (h) of Article 58(2), if necessary – grant or renew certification. Member States shall ensure that those certification bodies are accredited by one or both of the following bodies:

a) the competent supervisory authority pursuant to Article 55 or 56;
b) the national accreditation body designated in accordance with Regulation (EC) No 765/2008 of the European Parliament and of the Council (20) in conformity with EN-ISO/IEC 17065/2012 and with the additional requirements established by the competent supervisory authority in accordance with Article 55 or 56.

(2) Certification bodies referred to in paragraph 1 may be accredited in accordance with that paragraph only if they

a) have demonstrated their independence and expertise with respect to the subject matter of the certification to the satisfaction of the competent supervisory authority;
b) have undertaken to comply with the criteria referred to in Article 42(5) approved by the supervisory authority competent in accordance with Article 55 or 56 or, in accordance with Article 63, by the Board;
c) have established procedures for the issuance, periodic review and revocation of data protection certification and data protection seals and marks;
d) have established procedures and structures for investigating complaints about breaches of certification or the manner in which certification is or has been implemented by the controller or processor and for making those procedures and structures transparent to data subjects and the public; and
e) have demonstrated to the satisfaction of the competent supervisory authority that their duties and responsibilities do not give rise to a conflict of interest.

(3) The accreditation of certification bodies referred to in paragraphs 1 and 2 of this Article shall be carried out on the basis of the criteria approved by the competent supervisory authority in accordance with Article 55 or 56 or, in accordance with Article 63, by the Board. In the case of accreditation under paragraph 1(b) of this Article, these requirements shall be additional to those provided for in Regulation (EC) No 765/2008 and in the technical rules describing the methods and procedures of certification bodies.

(4) The certification bodies referred to in paragraph 1 shall be responsible for the appropriate assessment underlying the certification or withdrawal of certification, without prejudice to the responsibility of the controller or processor for compliance with this Regulation. Accreditation shall be granted for a maximum period of five years and may be renewed under the same conditions, provided that the certification body complies with the requirements of this Article.

(5) The certification bodies referred to in paragraph 1 shall notify the competent supervisory authorities of the reasons for granting or withdrawing the certification applied for.

(6) The requirements referred to in paragraph 3 of this Article and the criteria referred to in Article 42(5) shall be published by the supervisory authority in an easily accessible form. The supervisory authorities shall also communicate those requirements and criteria to the Board. The Board shall include all certification procedures and data protection seals in a register and publish them in an appropriate manner.

(7) Without prejudice to Chapter VIII, the competent supervisory authority or the national accreditation body shall withdraw the accreditation of a certification body referred to in paragraph 1 if the conditions for accreditation are not or are no longer fulfilled or if a certification body takes measures which are not in conformity with this Regulation.

(8) The Commission shall be empowered to adopt delegated acts in accordance with Article 92 to specify the requirements to be taken into account for the data protection specific certification procedures referred to in Article 42(1).

(9) The Commission may adopt implementing acts laying down technical standards for certification schemes and data protection seals and marks and mechanisms for the promotion and recognition of those certification schemes and data protection seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

Chapter V Transfers of personal data to third countries or to international organizations

Article 44 General principles of data transfers

Any transfer of personal data which are being processed or are to be processed after their transfer to a third country or an international organization shall only be allowed if the controller and the processor comply with the conditions laid down in this Chapter and also with the other provisions of this Regulation, including for any onward transfer of personal data by the third country or international organization concerned to another third country or international organization. All provisions of this Chapter shall be applied in order to ensure that the level of protection of natural persons ensured by this Regulation is not undermined.

Recitals

(101) The flow of personal data to and from third countries and international organizations is necessary for the expansion of international trade and cooperation. The increase in these data flows has created new challenges and requirements in relation to the protection of personal data. However, the level of protection of individuals ensured by this Regulation throughout the Union should not be undermined when personal data are transferred from the Union to controllers, processors or other recipients in third countries or to international organizations, including when personal data are further transferred from a third country or from an international organization to controllers or processors in the same or another third country or to the same or another international organization. In any case, such data transfers to third countries and international organizations are only permitted in strict compliance with this Regulation. A data transfer could only take place if the conditions set out in this Regulation for the transfer of personal data to third countries or international organizations are met by the controller or processor, subject to the other provisions of this Regulation.

(102) International agreements between the Union and third countries on the transfer of personal data, including appropriate safeguards for data subjects, are not affected by this Regulation. Member States may conclude international agreements involving the transfer of personal data to third countries or international organizations, provided that those agreements do not affect this Regulation or other provisions of Union law and include an adequate level of protection for the fundamental rights of data subjects.

Article 45 Data transfer on the basis of an adequacy decision

(1) A transfer of personal data to a third country or an international organization may take place if the Commission has decided that the third country, a territory or one or more specific sectors within that third country, or the international organization in question provides an adequate level of protection. Such a transfer does not require any specific authorization.

(2) In considering the adequacy of the level of protection afforded, the Commission shall have regard in particular to the following:

a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation in force in the country or international organization concerned, both general and sectoral, including in relation to public security, defense, national security and criminal law, and access to personal data by public authorities, as well as the application of such legislation, data protection rules, professional rules and security rules, including rules governing onward transfers of personal data to another third country or another international organization, jurisdiction, and effective and enforceable data subject rights and effective administrative and judicial remedies for data subjects whose personal data are transferred;
b) the existence and effective functioning of one or more independent supervisory authorities in the third country concerned or to which an international organization is answerable and which are responsible for ensuring compliance with and enforcement of data protection rules, including appropriate enforcement powers, for assisting and advising data subjects in the exercise of their rights, and for cooperating with the supervisory authorities of the Member States; and
c) the international commitments entered into by the third country or international organization concerned or other obligations arising from legally binding agreements or instruments and from the participation of the third country or international organization in multilateral or regional systems, in particular with regard to the protection of personal data.

(3) Following the assessment of the adequacy of the level of protection, the Commission may decide, by means of an implementing act, that a third country, a territory or one or more specific sectors in a third country or an international organization provide an adequate level of protection within the meaning of paragraph 2 of this Article. The implementing act shall provide for a mechanism for regular review, at least every four years, taking into account any relevant developments in the third country or international organization. The implementing act shall specify the territorial and sectoral scope and, where applicable, the supervisory authority or authorities referred to in point (b) of paragraph 2 of this Article. The implementing act shall be adopted in accordance with the examination procedure referred to in Article 93(2).

(4) The Commission shall keep under constant review developments in third countries and international organizations which could affect the operation of the decisions adopted pursuant to paragraph 3 of this Article and the findings made pursuant to Article 25(6) of Directive 95/46/EC.

(5) The Commission shall, by means of implementing acts, revoke, amend or suspend the decisions referred to in paragraph 3 of this Article, where necessary and without retroactive effect, where relevant information is available, in particular following the review referred to in paragraph 3 of this Article, to the effect that a third country, a territory or one or more specific sectors in a third country or an international organization no longer ensures an adequate level of protection within the meaning of paragraph 2 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

On duly justified imperative grounds of urgency, the Commission shall adopt immediately applicable implementing acts in accordance with the procedure referred to in Article 93(3).

(6) The Commission shall enter into consultations with the third country or international organization concerned with a view to remedying the situation which gave rise to the decision adopted pursuant to paragraph 5.

(7) Transfers of personal data to the third country, territory or one or more specific sectors in that third country or to the international organization concerned pursuant to Articles 46 to 49 shall not be affected by a decision taken pursuant to paragraph 5 of this Article.

(8) The Commission shall publish in the Official Journal of the European Union and on its website a list of all third countries, territories and specific sectors in a third country and of all international organizations in respect of which it has determined by decision that they do or do not ensure an adequate level of protection.

(9) Findings adopted by the Commission on the basis of Article 25(6) of Directive 95/46/EC shall remain in force until they are amended, replaced or repealed by a Commission decision adopted in accordance with the examination procedure referred to in paragraph 3 or 5 of this Article.

Recitals

(103) The Commission may decide, with effect for the entire Union, that a specific third country, a territory or a specific sector of a third country, or an international organization, provides an adequate level of data protection, thereby creating legal certainty and ensuring uniform application of the law throughout the Union with respect to the third country or international organization deemed capable of providing such a level of protection. In such cases, personal data may be transferred to that country or international organization without further authorization. The Commission may, after providing a detailed explanation giving reasons to the third country or international organization, also decide to revoke such a determination.

(104) In accordance with the fundamental values of the Union, which include in particular the protection of human rights, the Commission should, when assessing the third country or a territory or a specific sector of a third country, take into account the extent to which the rule of law is respected, the course of justice is guaranteed and international human rights norms and standards are respected, as well as the general and sector-specific rules, including those on public security, national defense and security, public order and criminal law, applicable in that third country. The adoption of an adequacy decision in relation to a territory or a specific sector of a third country should take into account clear and objective criteria such as specific processing operations and the scope of applicable legal standards and applicable legislation in the third country. The third country should provide guarantees of an adequate level of protection equivalent in substance to that ensured within the Union, in particular in cases where personal data are processed in one or more specific sectors. In particular, the third country should ensure effective independent supervision of data protection and provide mechanisms for cooperation with Member States’ data protection authorities, and data subjects should be granted effective and enforceable rights and effective administrative and judicial remedies.

(105) The Commission should take into account, in addition to the international commitments entered into by the third country or international organization, the obligations arising from the third country’s or international organization’s participation in multilateral or regional systems, in particular with regard to the protection of personal data, and the implementation of those obligations. In particular, the third country’s accession to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 28 January 1981 and the Additional Protocol thereto should be taken into account. The Commission should consult the Board when assessing the level of protection in third countries or international organizations.

(106) The Commission should monitor the operation of findings on the level of protection in a third country, a territory or a specific sector of a third country or an international organization; it should also monitor the operation of findings adopted on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC. In its adequacy decisions, the Commission should provide a mechanism for periodic review of their operation. This periodic review should be carried out in consultation with the third country or international organization concerned and should take into account any relevant developments in the third country or international organization. For the purposes of monitoring and carrying out the periodic reviews, the Commission should take into account the views and findings of the European Parliament and the Council and of other relevant bodies and sources. The Commission should, within a reasonable period of time, evaluate the operation of the latter decisions and report any relevant findings to the Committee established by this Regulation within the meaning of Regulation (EU) No 182/2011 of the European Parliament and of the Council (12) and to the European Parliament and the Council.

(107) The Commission may determine that a third country, a territory or a specific sector of a third country, or an international organization no longer provides an adequate level of data protection. The transfer of personal data to that third country or international organization should thereupon be prohibited unless the requirements of this Regulation relating to the transfer of data are met, subject to appropriate safeguards, including binding internal data protection rules, and to exceptions for specific cases. In that case, provision should be made for consultations between the Commission and the third countries or international organizations concerned. The Commission should inform the third country or international organization at an early stage of the reasons and start consultations in order to remedy the situation.

(169) The Commission should adopt immediately applicable implementing acts where it is established on the basis of available evidence that a third country, a territory or a specific sector within that third country, or an international organization, does not ensure an adequate level of protection and this is necessary on imperative grounds of urgency.

Arti­cle 46 Data trans­fer sub­ject to appro­pria­te safeguards

(1) In the absence of a deci­si­on pur­suant to Arti­cle 45(3), a con­trol­ler or pro­ces­sor may trans­fer per­so­nal data to a third coun­try or an inter­na­tio­nal orga­niz­a­ti­on only if the con­trol­ler or pro­ces­sor has pro­vi­ded appro­pria­te safe­guards and if enfor­ce­ab­le rights and effec­ti­ve reme­di­es are avail­ab­le to the data subjects.

(2) The appro­pria­te safe­guards refer­red to in para­graph 1 may, without the need for spe­ci­fic aut­ho­riz­a­ti­on from a super­vi­so­ry aut­ho­ri­ty, con­sist in

a) a legal­ly bin­ding and enfor­ce­ab­le docu­ment bet­ween aut­ho­ri­ties or public bodies,
b) bin­ding inter­nal data pro­tec­tion rules in accordance with Arti­cle 47,
c) stan­dard data pro­tec­tion clau­ses adop­ted by the Com­mis­si­on in accordance with the exami­na­ti­on pro­ce­du­re refer­red to in Arti­cle 93(2),
d) stan­dard data pro­tec­tion clau­ses adop­ted by a super­vi­so­ry aut­ho­ri­ty and appro­ved by the Com­mis­si­on in accordance with the exami­na­ti­on pro­ce­du­re refer­red to in Arti­cle 93(2),
e) appro­ved codes of con­duct in accordance with Arti­cle 40, tog­e­ther with legal­ly bin­ding and enfor­ce­ab­le com­mit­ments by the con­trol­ler or pro­ces­sor in the third coun­try to app­ly the appro­pria­te safe­guards, inclu­ding in rela­ti­on to the rights of data sub­jects; or
f) an appro­ved cer­ti­fi­ca­ti­on mecha­nism pur­suant to Arti­cle 42, tog­e­ther with legal­ly bin­ding and enfor­ce­ab­le com­mit­ments by the con­trol­ler or pro­ces­sor in the third coun­try to app­ly the appro­pria­te safe­guards, inclu­ding in rela­ti­on to the rights of data subjects.

(3) Sub­ject to the appro­val of the com­pe­tent super­vi­so­ry aut­ho­ri­ty, the appro­pria­te safe­guards refer­red to in para­graph 1 may also con­sist in par­ti­cu­lar in

a) Con­trac­tu­al clau­ses agreed bet­ween the con­trol­ler or pro­ces­sor and the con­trol­ler, pro­ces­sor or reci­pi­ent of the per­so­nal data in the third coun­try or inter­na­tio­nal orga­niz­a­ti­on; or
b) Pro­vi­si­ons to be inclu­ded in admi­ni­stra­ti­ve agree­ments bet­ween public aut­ho­ri­ties or public bodies that inclu­de enfor­ce­ab­le and effec­ti­ve rights for data subjects.

(4) The supervisory authority shall apply the consistency mechanism referred to in Article 63 in the cases referred to in paragraph 3 of this Article.

(5) Authorisations issued by a Member State or a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed, if necessary, by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed, if necessary, by a Commission decision adopted in accordance with paragraph 2 of this Article.

Reci­tals

(108) In the absence of an ade­quacy deci­si­on, the con­trol­ler or pro­ces­sor should pro­vi­de appro­pria­te safe­guards for the pro­tec­tion of the data sub­ject as com­pen­sa­ti­on for the lack of data pro­tec­tion in a third coun­try. The­se appro­pria­te safe­guards may con­sist in rely­ing on bin­ding inter­nal data pro­tec­tion rules, stan­dard data pro­tec­tion clau­ses adop­ted by the Com­mis­si­on or by a super­vi­so­ry aut­ho­ri­ty, or con­trac­tu­al clau­ses appro­ved by a super­vi­so­ry aut­ho­ri­ty. Tho­se safe­guards should ensu­re that data pro­tec­tion rules and the rights of data sub­jects are respec­ted in a man­ner appro­pria­te to the pro­ces­sing car­ri­ed out wit­hin the Uni­on, inclu­ding as regards the avai­la­bi­li­ty of enfor­ce­ab­le data sub­ject rights and effec­ti­ve judi­cial reme­di­es, inclu­ding the right to effec­ti­ve admi­ni­stra­ti­ve or judi­cial reme­dy and the right to seek redress in the Uni­on or in a third coun­try. They should rela­te in par­ti­cu­lar to com­pli­an­ce with the gene­ral princi­ples for the pro­ces­sing of per­so­nal data, the princi­ples of data pro­tec­tion by design and by default. Data trans­fers may also be made by public aut­ho­ri­ties or public bodies to public aut­ho­ri­ties or public bodies in third coun­tries or to inter­na­tio­nal orga­niz­a­ti­ons with cor­re­spon­ding obli­ga­ti­ons or tasks, inclu­ding on the basis of pro­vi­si­ons to be inclu­ded in admi­ni­stra­ti­ve arran­ge­ments – such as a Memo­ran­dum of Under­stan­ding – gran­ting enfor­ce­ab­le and effec­ti­ve rights to data sub­jects. The appro­val of the com­pe­tent super­vi­so­ry aut­ho­ri­ty should be obtai­ned if the safe­guards are pro­vi­ded for in admi­ni­stra­ti­ve arran­ge­ments that are not legal­ly binding.

(109) The pos­si­bi­li­ty for the con­trol­ler or pro­ces­sor to use the stan­dard data pro­tec­tion clau­ses estab­lished by the Com­mis­si­on or a super­vi­so­ry aut­ho­ri­ty should not pre­vent the con­trol­ler or pro­ces­sor from using the stan­dard data pro­tec­tion clau­ses also in more exten­si­ve con­tracts, such as con­tracts bet­ween the pro­ces­sor and ano­t­her pro­ces­sor, nor pre­vent it from adding other clau­ses or addi­tio­nal safe­guards to them, as long as they do not direct­ly or indi­rect­ly con­flict with the stan­dard data pro­tec­tion clau­ses adop­ted by the Com­mis­si­on or a super­vi­so­ry aut­ho­ri­ty or inter­fe­re with the fun­da­men­tal rights and free­doms of data sub­jects. Con­trol­lers and pro­ces­sors should be encou­ra­ged to pro­vi­de addi­tio­nal safe­guards with con­trac­tu­al obli­ga­ti­ons that com­ple­ment the stan­dard safeguards.

(114) In all cases whe­re the­re is no Com­mis­si­on deci­si­on on the ade­quacy of the level of data pro­tec­tion exi­sting in a third coun­try, the con­trol­ler or pro­ces­sor should have recour­se to solu­ti­ons that pro­vi­de data sub­jects with enfor­ce­ab­le and effec­ti­ve rights in rela­ti­on to the pro­ces­sing of their per­so­nal data in the Uni­on after the trans­fer of that data, so that they can con­ti­nue to enjoy the fun­da­men­tal rights and safeguards.

Arti­cle 47 Bin­ding inter­nal data pro­tec­tion rules

(1) The competent supervisory authority shall, in accordance with the consistency mechanism laid down in Article 63, approve binding internal data protection rules, provided that they

a) are legally binding, apply to and are enforced by every member concerned of the group of undertakings or group of enterprises engaged in a joint economic activity, including their employees,
b) con­fer on data sub­jects expli­cit enfor­ce­ab­le rights in rela­ti­on to the pro­ces­sing of their per­so­nal data; and
c) meet the requi­re­ments spe­ci­fied in para­graph 2.

(2) The bin­ding inter­nal data pro­tec­tion rules refer­red to in para­graph 1 shall con­tain at least the fol­lo­wing information:

a) the structure and contact details of the group of undertakings or group of enterprises engaged in a joint economic activity and of each of its members;
b) the data trans­fers or seri­es of data trans­fers con­cer­ned, inclu­ding the types of per­so­nal data con­cer­ned, the natu­re and pur­po­se of the data pro­ces­sing, the type of data sub­jects and the third coun­try or third coun­tries concerned;
c) the legally binding nature of the binding internal data protection rules, both internally and externally;
d) the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, the legal basis for processing, the processing of special categories of personal data, measures to ensure data security and the requirements for onward transfers to bodies not bound by these binding internal data protection rules;
e) the rights of data sub­jects with regard to pro­ces­sing and the means avail­ab­le to them to exer­cise tho­se rights, inclu­ding the right not to be sub­ject to a deci­si­on based sole­ly on auto­ma­ted pro­ces­sing, inclu­ding pro­filing, as refer­red to in Arti­cle 22, and the right to lodge a com­p­laint with the com­pe­tent super­vi­so­ry aut­ho­ri­ty or to seek judi­cial reme­dy befo­re the com­pe­tent courts of the Mem­ber Sta­tes, as laid down in Arti­cle 79, and to obtain redress and, whe­re appro­pria­te, com­pen­sa­ti­on in the event of a bre­ach of the bin­ding inter­nal data pro­tec­tion rules;
f) the acceptance by the controller or processor established in a Member State of liability for any breach of the binding internal data protection rules by a member concerned of the group of undertakings not established in the Union; the controller or processor shall be exempt from that liability, in whole or in part, only if it proves that the member concerned is not responsible for the event giving rise to the damage;
g) the manner in which the data subjects are informed, in addition to the information required under Articles 13 and 14, of the binding internal data protection rules and, in particular, of the aspects referred to in points (d), (e) and (f) of this paragraph;
h) the tasks of any data protection officer designated in accordance with Article 37, or of any other person or body in charge of monitoring compliance with the binding internal data protection rules within the group of undertakings or group of enterprises engaged in a joint economic activity, as well as of monitoring training and the handling of complaints;
i) the complaint procedures;
j) the procedures in place within the group of undertakings or group of enterprises engaged in a joint economic activity for verifying compliance with the binding internal data protection rules. Such procedures shall include data protection audits and procedures to ensure corrective action to protect the rights of the data subject. The results of such audits should be communicated to the person or body referred to in point (h) and to the management board of the controlling undertaking of the group of undertakings or of the group of enterprises engaged in a joint economic activity, and should be made available to the competent supervisory authority upon request;
k) the procedures for reporting and recording changes to the rules and for reporting those changes to the supervisory authority;
l) the procedures for cooperation with the supervisory authority that ensure compliance by all members of the group of undertakings or group of enterprises engaged in a joint economic activity, in particular by making available to the supervisory authority the results of the audits of the measures referred to in point (j);
m) the procedures for notifying the competent supervisory authority of any legal requirements to which a member of the group of undertakings or group of enterprises engaged in a joint economic activity is subject in a third country and which are likely to have a substantial adverse effect on the safeguards provided by the binding internal data protection rules; and
n) appro­pria­te data pro­tec­tion trai­ning for per­son­nel with per­ma­nent or regu­lar access to per­so­nal data.

(3) The Commission may, by means of implementing acts, specify the format and procedures for the exchange of information on binding internal data protection rules within the meaning of this Article between controllers, processors and supervisory authorities. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

Arti­cle 48 Trans­fer or dis­clo­sure not per­mit­ted by Uni­on law

Any judgment of a court of a third coun­try and any deci­si­on of an admi­ni­stra­ti­ve aut­ho­ri­ty of a third coun­try requi­ring a con­trol­ler or pro­ces­sor to trans­fer or dis­c­lo­se per­so­nal data shall, in any event, without pre­ju­di­ce to other grounds for trans­fer under this Chap­ter, only be reco­gni­zed or enfor­ce­ab­le if based on an inter­na­tio­nal agree­ment in for­ce, such as a mutu­al legal assi­stance agree­ment bet­ween the reque­sting third coun­try and the Uni­on or a Mem­ber State.

Reci­tals

(115) Some third coun­tries adopt laws, regu­la­ti­ons and other legal acts that pur­port to direct­ly regu­la­te the pro­ces­sing acti­vi­ties of natu­ral and legal per­sons sub­ject to the juris­dic­tion of Mem­ber Sta­tes. This may inclu­de judgments of courts and deci­si­ons of admi­ni­stra­ti­ve aut­ho­ri­ties in third coun­tries requi­ring a con­trol­ler or pro­ces­sor to trans­fer or dis­c­lo­se per­so­nal data that are not based on an inter­na­tio­nal agree­ment in for­ce, such as a mutu­al legal assi­stance agree­ment bet­ween the reque­sting third coun­try and the Uni­on or a Mem­ber Sta­te. The app­li­ca­ti­on of tho­se laws, regu­la­ti­ons and other legal instru­ments out­side the ter­ri­to­ry of the third coun­tries con­cer­ned may be con­tra­ry to inter­na­tio­nal law and may run coun­ter to the pro­tec­tion of natu­ral per­sons ensu­red by this Regu­la­ti­on in the Uni­on. Data trans­fers should the­re­fo­re only be allo­wed if the con­di­ti­ons laid down in this Regu­la­ti­on for data trans­fers to third coun­tries are com­plied with. This may be the case, inter alia, whe­re the dis­clo­sure is necessa­ry for an important public inte­rest reco­gni­zed by Uni­on law or by the law of the Mem­ber Sta­te to which the con­trol­ler is subject.

Arti­cle 49 Excep­ti­ons for cer­tain cases

(1) If the­re is neit­her an ade­quacy deci­si­on pur­suant to Arti­cle 45(3) nor appro­pria­te safe­guards pur­suant to Arti­cle 46, inclu­ding bin­ding inter­nal data pro­tec­tion rules, a trans­fer or a set of trans­fers of per­so­nal data to a third coun­try or to an inter­na­tio­nal orga­niz­a­ti­on shall only be per­mit­ted under one of the fol­lo­wing conditions:

a) the data sub­ject has given his or her expli­cit con­sent to the pro­po­sed data trans­fer after having been infor­med of the poten­ti­al risks to him or her of such data trans­fers in the absence of an ade­quacy deci­si­on and appro­pria­te safeguards,
b) the trans­fer is necessa­ry for the per­for­mance of a con­tract bet­ween the data sub­ject and the con­trol­ler or for the per­for­mance of pre-con­trac­tu­al mea­su­res at the requ­est of the data subject,
c) the trans­fer is necessa­ry for the con­clu­si­on or per­for­mance of a con­tract con­clu­ded in the inte­rest of the data sub­ject by the con­trol­ler with ano­t­her natu­ral or legal person,
d) the trans­fer is necessa­ry for important rea­sons of public interest,
e) the transfer is necessary for the establishment, exercise or defence of legal claims,
f) the trans­fer is necessa­ry to pro­tect the vital inte­rests of the data sub­ject or of others, whe­re the data sub­ject is phy­si­cal­ly or legal­ly inca­pa­ble of giving consent,
g) the trans­fer is made from a regi­ster which, in accordance with Uni­on or Mem­ber Sta­te law, is inten­ded to pro­vi­de infor­ma­ti­on to the public and which is open to con­sul­ta­ti­on eit­her by the public at lar­ge or by any per­son who can demon­stra­te a legi­ti­ma­te inte­rest, but only to the extent that the con­di­ti­ons for con­sul­ta­ti­on laid down in Uni­on or Mem­ber Sta­te law are met in the indi­vi­du­al case.

Where a transfer could not be based on a provision of Article 45 or 46, including binding internal data protection rules, and none of the exceptions for a specific case under the first subparagraph applies, a transfer to a third country or an international organization may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and, on the basis of that assessment, has provided suitable safeguards with regard to the protection of personal data. The controller shall inform the supervisory authority of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and of the compelling legitimate interests pursued.

(2) A transfer referred to in point (g) of the first subparagraph of paragraph 1 shall not involve the entirety of the personal data or entire categories of personal data contained in the register. Where the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.

(3) Points (a), (b) and (c) of the first sub­pa­ra­graph of para­graph 1 and the second sub­pa­ra­graph of para­graph 1 shall not app­ly to acti­vi­ties car­ri­ed out by public aut­ho­ri­ties in the exer­cise of their offi­cial powers.

(4) The public inte­rest refer­red to in point (d) of the first sub­pa­ra­graph of para­graph 1 shall be reco­gni­zed by Uni­on law or by the law of the Mem­ber Sta­te to which the con­trol­ler is subject.

(5) In the absence of an ade­quacy deci­si­on, Uni­on or Mem­ber Sta­te law may express­ly pro­vi­de for restric­tions on the trans­fer of cer­tain cate­go­ries of per­so­nal data to third coun­tries or inter­na­tio­nal orga­niz­a­ti­ons for important rea­sons of public inte­rest. Mem­ber Sta­tes shall noti­fy such pro­vi­si­ons to the Commission.

(6) The con­trol­ler or pro­ces­sor shall record the assess­ment it has made and the appro­pria­te safe­guards refer­red to in the second sub­pa­ra­graph of para­graph 1 of this Arti­cle in the docu­men­ta­ti­on refer­red to in Arti­cle 30.

Reci­tals

(111) Data trans­fers should be allo­wed under cer­tain con­di­ti­ons, name­ly whe­re the data sub­ject has given his or her expli­cit con­sent, whe­re the trans­fer is occa­sio­nal and necessa­ry in the con­text of a con­tract or for the enfor­ce­ment of legal claims, be they judi­cial or admi­ni­stra­ti­ve, or in out-of-court pro­ce­e­dings, which inclu­de pro­ce­e­dings befo­re regu­la­to­ry aut­ho­ri­ties. The trans­fer should also be pos­si­ble if it is necessa­ry for the pro­tec­tion of an important public inte­rest laid down in Uni­on law or in the law of a Mem­ber Sta­te, or if it is made from a regi­ster pro­vi­ded for by law which may be con­sul­ted by the public or by per­sons having a legi­ti­ma­te inte­rest. In the lat­ter case, such trans­fer should not be allo­wed to extend to all or who­le cate­go­ries of per­so­nal data con­tai­ned in the regi­ster. If the regi­ster in que­sti­on is inten­ded for con­sul­ta­ti­on by per­sons with a legi­ti­ma­te inte­rest, the trans­fer should be made only at the requ­est of tho­se per­sons or only if tho­se per­sons are the addres­sees of the trans­fer, taking full account of the inte­rests and fun­da­men­tal rights of the data subject.

(112) Those exceptions should in particular apply to data transfers required and necessary for important reasons of public interest, for example in cases of international data exchange between competition authorities, tax or customs administrations, between financial supervisory authorities, or between services competent for social security matters or for public health, for example in the case of contact tracing for contagious diseases or in order to reduce and/or eliminate doping in sport. A transfer of personal data should also be regarded as lawful where it is necessary to protect an interest which is essential for the vital interests, including physical integrity or life, of the data subject or of another person, if the data subject is incapable of giving consent. In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of data to third countries or international organizations. Member States should notify such provisions to the Commission. Any transfer to an international humanitarian organization of personal data of a data subject who is physically or legally incapable of giving consent, with a view to accomplishing a task incumbent under the Geneva Conventions or to complying with international humanitarian law applicable in armed conflicts, could be considered necessary for an important reason of public interest or because it is in the vital interest of the data subject.

(113) Trans­fers that can be con­si­de­red as non-recur­rent and invol­ving only a limi­ted num­ber of data sub­jects could also be pos­si­ble to safe­guard the com­pel­ling legi­ti­ma­te inte­rests of the con­trol­ler, pro­vi­ded that the inte­rests or rights and free­doms of the data sub­ject are not over­rid­den and the con­trol­ler has con­si­de­red all the cir­cum­stan­ces sur­roun­ding the data trans­fer. In par­ti­cu­lar, the con­trol­ler should take into account the natu­re of the per­so­nal data, the pur­po­se and dura­ti­on of the inten­ded pro­ces­sing, the situa­ti­on in the coun­try of ori­gin, in the third coun­try con­cer­ned and in the coun­try of final desti­na­ti­on, and pro­vi­de appro­pria­te safe­guards to pro­tect the fun­da­men­tal rights and free­doms of natu­ral per­sons with regard to the pro­ces­sing of their per­so­nal data. Such trans­fers should only be pos­si­ble in the remai­ning cases whe­re none of the other grounds for trans­fer is app­li­ca­ble. In the case of sci­en­ti­fic or histo­ri­cal rese­arch pur­po­ses or sta­tis­ti­cal pur­po­ses, legi­ti­ma­te socie­tal expec­ta­ti­ons regar­ding an incre­a­se in know­ledge should be taken into account. The con­trol­ler should inform the super­vi­so­ry aut­ho­ri­ty and the data sub­ject of the transfer.

Arti­cle 50 Inter­na­tio­nal coope­ra­ti­on for the pro­tec­tion of per­so­nal data

In relation to third countries and international organizations, the Commission and the supervisory authorities shall take appropriate steps to

a) develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data,
b) provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms,
c) engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal data,
d) promote the exchange and documentation of personal data protection legislation and practice, including on jurisdictional conflicts with third countries.

Recitals

(116) When per­so­nal data is trans­fer­red to ano­t­her coun­try out­side the Uni­on, the­re is an incre­a­sed risk that indi­vi­du­als may not be able to exer­cise their data pro­tec­tion rights and, in par­ti­cu­lar, pro­tect them­sel­ves against the unlaw­ful use or dis­clo­sure of that infor­ma­ti­on. Simi­lar­ly, super­vi­so­ry aut­ho­ri­ties may not be able to inve­sti­ga­te com­p­laints or con­duct inve­sti­ga­ti­ons that are rela­ted to acti­vi­ties out­side the bor­ders of their Mem­ber Sta­te. Their efforts to coope­ra­te across bor­ders may also be ham­pe­red by insuf­fi­ci­ent pre­ven­ti­ve and reme­di­al powers, con­flic­ting legal regimes, and prac­ti­cal obsta­cles such as resour­ce cons­traints. Coope­ra­ti­on among data pro­tec­tion super­vi­sors must the­re­fo­re be encou­ra­ged so that they can share infor­ma­ti­on and con­duct inve­sti­ga­ti­ons with super­vi­sors in other coun­tries. In order to deve­lop mecha­nisms of inter­na­tio­nal coope­ra­ti­on to faci­li­ta­te and ensu­re inter­na­tio­nal mutu­al assi­stance in the enfor­ce­ment of legis­la­ti­on on the pro­tec­tion of per­so­nal data, the Com­mis­si­on and the super­vi­so­ry aut­ho­ri­ties should exchan­ge infor­ma­ti­on and coope­ra­te with the com­pe­tent aut­ho­ri­ties of third coun­tries, on the basis of reci­pro­ci­ty and in accordance with this Regu­la­ti­on, in acti­vi­ties rela­ted to the exer­cise of their powers.

Chap­ter VI Inde­pen­dent super­vi­so­ry authorities

Sec­tion 1 Independence

Arti­cle 51 Super­vi­so­ry authority

(1) Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union (hereinafter "supervisory authority").

(2) Each super­vi­so­ry aut­ho­ri­ty shall con­tri­bu­te to the con­si­stent app­li­ca­ti­on of this Regu­la­ti­on throughout the Uni­on. To that end, the super­vi­so­ry aut­ho­ri­ties shall coope­ra­te with each other and with the Com­mis­si­on in accordance with Chap­ter VII.

(3) Where more than one supervisory authority is established in a Member State, that Member State shall designate the supervisory authority which is to represent those authorities on the Board and shall set out the mechanism to ensure compliance by the other authorities with the rules relating to the consistency mechanism referred to in Article 63.

(4) Each Mem­ber Sta­te shall noti­fy to the Com­mis­si­on, by 25 May 2018 at the latest, the pro­vi­si­ons of law which it adopts pur­suant to this Chap­ter and, without delay, any sub­se­quent amend­ment affec­ting them.

Reci­tals

(117) The estab­lish­ment of super­vi­so­ry aut­ho­ri­ties in Mem­ber Sta­tes, empowe­red to exer­cise their func­tions and powers with com­ple­te inde­pen­dence, is an essen­ti­al ele­ment of the pro­tec­tion of indi­vi­du­als with regard to the pro­ces­sing of per­so­nal data. Mem­ber Sta­tes should be able to estab­lish more than one super­vi­so­ry aut­ho­ri­ty whe­re this is appro­pria­te to their con­sti­tu­tio­nal, orga­niz­a­tio­nal and admi­ni­stra­ti­ve structure.

(119) Whe­re a Mem­ber Sta­te estab­lishes several super­vi­so­ry aut­ho­ri­ties, it should ensu­re, by means of legis­la­ti­on, that tho­se super­vi­so­ry aut­ho­ri­ties are effec­tively invol­ved in the con­si­sten­cy mecha­nism. In par­ti­cu­lar, that Mem­ber Sta­te should desi­gna­te a super­vi­so­ry aut­ho­ri­ty to act as a focal point for the effec­ti­ve par­ti­ci­pa­ti­on of tho­se aut­ho­ri­ties in the Mecha­nism and to ensu­re swift and smooth coope­ra­ti­on with other super­vi­so­ry aut­ho­ri­ties, the Board and the Commission.

(123) The super­vi­so­ry aut­ho­ri­ties should moni­tor the app­li­ca­ti­on of the pro­vi­si­ons of this Regu­la­ti­on and con­tri­bu­te to its con­si­stent app­li­ca­ti­on throughout the Uni­on in order to pro­tect natu­ral per­sons with regard to the pro­ces­sing of their data and to faci­li­ta­te the free flow of per­so­nal data in the inter­nal mar­ket. To that end, the super­vi­so­ry aut­ho­ri­ties should coope­ra­te with each other and with the Com­mis­si­on without the need for an agree­ment bet­ween Mem­ber Sta­tes on the pro­vi­si­on of mutu­al assi­stance or on such cooperation.

Arti­cle 52 Independence

(1) Each super­vi­so­ry aut­ho­ri­ty shall act with com­ple­te inde­pen­dence in the per­for­mance of its duties and in the exer­cise of its powers under this Regulation.

(2) The member or members of each supervisory authority shall, in the performance of their tasks and exercise of their powers in accordance with this Regulation, remain free from external influence, whether direct or indirect, and shall neither seek nor take instructions from anybody.

(3) The member or members of each supervisory authority shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation, whether gainful or not.

(4) Each Member State shall ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers, including those to be carried out in the context of mutual assistance, cooperation and participation in the Board.

(5) Each Mem­ber Sta­te shall ensu­re that each super­vi­so­ry aut­ho­ri­ty selects and has its own staff, who shall be sub­ject exclu­si­ve­ly to the direc­tion of the mem­ber or mem­bers of the super­vi­so­ry aut­ho­ri­ty concerned.

(6) Each Mem­ber Sta­te shall ensu­re that each super­vi­so­ry aut­ho­ri­ty is sub­ject to finan­cial con­trol that does not impair its inde­pen­dence and that it has its own public annu­al bud­gets, which may be part of the over­all sta­te or natio­nal budget.

Reci­tals

(118) The fact that super­vi­sors are inde­pen­dent should not mean that they are not sub­ject to any con­trol or moni­to­ring mecha­nism with respect to their expen­dit­ures or that they are not sub­ject to judi­cial review.

(120) Each super­vi­so­ry aut­ho­ri­ty should be pro­vi­ded with finan­cial resour­ces, staff, pre­mi­ses and infra­st­ruc­tu­re as necessa­ry for the effec­ti­ve per­for­mance of its tasks, inclu­ding tho­se rela­ted to mutu­al assi­stance and coope­ra­ti­on with other super­vi­so­ry aut­ho­ri­ties throughout the Uni­on. Each super­vi­so­ry aut­ho­ri­ty should have its own public annu­al bud­get, which may be part of the over­all sta­te or natio­nal budget.

Article 53 General conditions for the members of the supervisory authority

(1) Member States shall provide for each member of their supervisory authorities to be appointed by means of a transparent procedure by

their parliament,

their government,

their head of state, or

an independent body entrusted with the appointment under Member State law.

(2) Each mem­ber must have the qua­li­fi­ca­ti­ons, expe­ri­ence and exper­ti­se requi­red to per­form their duties and exer­cise their powers, par­ti­cu­lar­ly in the area of per­so­nal data protection.

(3) The duties of a member shall end in the event of the expiry of the term of office, resignation or compulsory retirement, in accordance with the law of the Member State concerned.

(4) A member shall be dismissed only in cases of serious misconduct or if the member no longer fulfils the conditions required for the performance of the duties.

Reci­tals

(121) The gene­ral requi­re­ments for the mem­ber or mem­bers of the super­vi­so­ry aut­ho­ri­ty should be laid down by legis­la­ti­on of each Mem­ber Sta­te and should in par­ti­cu­lar pro­vi­de that tho­se mem­bers are appoin­ted through a trans­pa­rent pro­ce­du­re eit­her by the par­lia­ment, government or head of sta­te of the Mem­ber Sta­te, on a pro­po­sal from the government, a mem­ber of the government, the par­lia­ment or a cham­ber of the par­lia­ment, or by an inde­pen­dent body ent­ru­sted with the appoint­ment under the law of the Mem­ber Sta­te. In order to ensu­re the inde­pen­dence of the super­vi­so­ry aut­ho­ri­ty, its mem­bers should per­form their duties with inte­gri­ty, refrain from any action incom­pa­ti­ble with the duties of their office and should not, during their term of office, enga­ge in any other occup­a­ti­on, whe­ther gain­ful or not, which is incom­pa­ti­ble with their office. The super­vi­so­ry aut­ho­ri­ty should have its own staff, selec­ted by the super­vi­so­ry aut­ho­ri­ty its­elf or by an inde­pen­dent body estab­lished under the law of the Mem­ber Sta­te, who should be sub­ject exclu­si­ve­ly to the direc­tion of the mem­ber or mem­bers of the super­vi­so­ry authority.

Arti­cle 54 Estab­lish­ment of the super­vi­so­ry authority

(1) Each Mem­ber Sta­te shall pro­vi­de by law for the following:

a) the estab­lish­ment of any super­vi­so­ry authority;
b) the necessa­ry qua­li­fi­ca­ti­ons and other requi­re­ments for appoint­ment as a mem­ber of each super­vi­so­ry authority;
c) the rules and pro­ce­du­res for the appoint­ment of the mem­ber or mem­bers of each super­vi­so­ry authority;
d) the duration of the term of office of the member or members of each supervisory authority of no less than four years, except for the first appointment after 24 May 2016, part of which may take place for a shorter period where that is necessary to protect the independence of the supervisory authority by means of a staggered appointment procedure;
e) the que­sti­on of whe­ther and, if so, how often the mem­ber or mem­bers of each super­vi­so­ry aut­ho­ri­ty may be reappointed;
f) the con­di­ti­ons rela­ting to the duties of the mem­ber or mem­bers and the staff of each super­vi­so­ry aut­ho­ri­ty, the pro­hi­bi­ti­ons of acts, pro­fes­sio­nal acti­vi­ties and remu­ne­ra­ti­on during and after the term of office that are incom­pa­ti­ble with the­se duties, and the rules for ter­mi­na­ti­on of employment.

(2) The mem­ber or mem­bers and the staff of each super­vi­so­ry aut­ho­ri­ty shall be bound by the obli­ga­ti­on of pro­fes­sio­nal secrecy, in accordance with Uni­on or Mem­ber Sta­te law, both during and after their term of office, with regard to any con­fi­denti­al infor­ma­ti­on which has come to their know­ledge in the cour­se of the per­for­mance of their duties or the exer­cise of their powers. During that peri­od of office or ser­vice, that obli­ga­ti­on of secrecy shall app­ly in par­ti­cu­lar to infrin­ge­ments of this Regu­la­ti­on repor­ted by natu­ral persons.

Sec­tion 2 Respon­si­bi­li­ty, Duties and Powers

Article 55 Competence

(1) Each supervisory authority shall be competent to carry out the tasks and exercise the powers conferred on it by this Regulation within the territory of its own Member State.

(2) Where the processing is carried out by public authorities or private bodies on the basis of Article 6(1)(c) or (e), the supervisory authority of the Member State concerned shall be competent. In this case, Article 56 shall not apply.

(3) Supervisory authorities are not competent to supervise processing operations carried out by courts in the course of their judicial activities.

Recitals

(122) Each supervisory authority should be competent to exercise the powers and carry out the tasks conferred on it by this Regulation within the territory of its Member State. This should apply in particular to the following:

processing in the course of the activities of an establishment of the controller or processor in the territory of its Member State,

the processing of personal data by public authorities or private bodies acting in the public interest,

processing activities that have an impact on data subjects within its territory, or

processing activities of a controller or processor not established in the Union, provided that they are targeted at data subjects residing in its territory.

This should include handling complaints from a data subject, conducting investigations into the application of this Regulation, and promoting public awareness of the risks, rules, safeguards and rights related to the processing of personal data.

(128) The rules on the lead authority and the cooperation and consistency procedure should not apply where the processing is carried out by public authorities or private bodies in the public interest. In such cases, the supervisory authority of the Member State where the public authority or private body is established should be the only supervisory authority competent to exercise the powers conferred on it by this Regulation.

Article 56 Competence of the lead supervisory authority

(1) Without prejudice to Article 55, the supervisory authority of the main establishment or the single establishment of the controller or processor shall be the competent lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure referred to in Article 60.

(2) By way of derogation from paragraph 1, each supervisory authority shall be competent to deal with a complaint lodged with it or a possible breach of this Regulation if the subject matter relates only to an establishment in its Member State or significantly affects data subjects only in its Member State.

(3) In the cases referred to in paragraph 2 of this Article, the supervisory authority shall without delay inform the lead supervisory authority of the matter. Within a period of three weeks after being informed, the lead supervisory authority shall decide whether or not to deal with the case in accordance with the procedure laid down in Article 60, taking into account whether or not the controller or processor has an establishment in the Member State whose supervisory authority has informed it.

(4) If the lead supervisory authority decides to deal with the case, the procedure laid down in Article 60 shall apply. The supervisory authority which has informed the lead supervisory authority may submit a draft decision to the latter. The lead supervisory authority shall take the utmost account of that draft when preparing the draft decision referred to in Article 60(3).

(5) If the lead supervisory authority decides not to deal with the case itself, the supervisory authority which informed the lead supervisory authority shall deal with the case in accordance with Articles 61 and 62.

(6) The lead supervisory authority shall be the single point of contact of the controller or processor for issues related to the cross-border processing carried out by that controller or processor.

Recitals

(124) Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union and the controller or processor has establishments in more than one Member State, or where the processing activity in the context of the activities of a single establishment of a controller or processor in the Union has or is likely to have a significant impact on data subjects in more than one Member State, the supervisory authority for the main establishment of the controller or processor or for the single establishment of the controller or processor should act as the lead authority. It should cooperate with the other authorities concerned, whether because the controller or processor has an establishment on the territory of their Member State, because the processing has a significant impact on data subjects residing on their territory or because a complaint has been lodged with them. Also, where a data subject not residing in the Member State concerned has lodged a complaint, the supervisory authority with which the complaint has been lodged should also be a supervisory authority concerned. The Board should be able to issue guidance – as part of its tasks in relation to issuing guidance on all issues related to the application of this Regulation – in particular on the criteria to be taken into account when determining whether the processing in question has a significant impact on data subjects in more than one Member State and what constitutes a relevant and reasoned objection.

(125) The lead authority should be entitled to adopt binding decisions on measures exercising the powers conferred on it under this Regulation. In its capacity as lead authority, that supervisory authority should ensure the close involvement and coordination of the supervisory authorities concerned in the decision-making process. Where it is decided to reject the complaint of the data subject in whole or in part, that decision should be adopted by the supervisory authority with which the complaint was lodged.

(127) Any supervisory authority other than the lead supervisory authority should be competent in local cases where the controller or processor has establishments in more than one Member State but the subject matter of the specific processing concerns only processing activities in one Member State and only data subjects in that one Member State, for example where the processing of personal data of employees in the specific employment context of one Member State is at stake. In such cases, the supervisory authority should inform the lead supervisory authority of the matter without delay. Following its notification, the lead supervisory authority should decide whether to examine the case under the provisions on cooperation between the lead supervisory authority and other supervisory authorities concerned (hereinafter "cooperation and consistency procedure") or whether the supervisory authority which informed it should settle the case at local level. In doing so, the lead supervisory authority should take into account whether the controller or processor has an establishment in the Member State whose supervisory authority has informed it, so that decisions are effectively enforced against the controller or processor. If the lead supervisory authority decides to settle the case itself, the supervisory authority which informed it should have the possibility to submit a draft decision, which the lead supervisory authority should take into account to the greatest extent possible when preparing its draft decision under this cooperation and consistency procedure.

(130) Where the supervisory authority with which the complaint has been lodged is not the lead supervisory authority, the lead supervisory authority should cooperate closely with the supervisory authority with which the complaint has been lodged in accordance with the provisions of this Regulation on cooperation and consistency. In such cases, the lead supervisory authority should take the utmost account of the position of the supervisory authority with which the complaint has been lodged, which should retain the power to conduct investigations on the territory of its own Member State in coordination with the competent supervisory authority, when taking measures intended to produce legal effects, including the imposition of fines.

(131) Where another supervisory authority should act as the lead supervisory authority for the processing activities of the controller or processor, but the specific subject matter of a complaint or the possible breach concerns only the processing activities of the controller or processor in the Member State where the complaint was lodged or the possible breach was discovered, and the matter does not have or is not likely to have a significant impact on data subjects in other Member States, the supervisory authority with which the complaint was lodged, or which discovered or was otherwise informed of situations constituting possible breaches of this Regulation, should attempt to reach an amicable settlement with the controller; if this proves unsuccessful, it should exercise the full range of its powers. This should include: processing carried out specifically in the territory of the Member State of the supervisory authority or with regard to data subjects in the territory of that Member State; processing in the context of an offer of goods or services specifically targeted at data subjects in the territory of the Member State of the supervisory authority; or processing which must be assessed in the light of the relevant legal obligations under the law of the Member States.

Article 57 Tasks

(1) Without prejudice to other tasks set out in this Regulation, each supervisory authority shall, within its territory,

a) monitor and enforce the application of this Regulation;
b) raise awareness and educate the public about the risks, rules, safeguards and rights related to processing, paying special attention to specific measures for children;
c) in accordance with the law of the Member State, advise the national parliament, government and other institutions and bodies on legislative and administrative measures to protect the rights and freedoms of natural persons with regard to processing;
d) raise awareness among controllers and processors of the obligations imposed on them by this Regulation;
e) provide, upon request, information to any data subject on the exercise of his or her rights under this Regulation and, where appropriate, cooperate with supervisory authorities in other Member States for this purpose;
f) deal with complaints lodged by a data subject or complaints lodged by a body, organization or association pursuant to Article 80, investigate the subject matter of the complaint to a reasonable extent and inform the complainant of the progress and outcome of the investigation within a reasonable period of time, in particular if further investigation or coordination with another supervisory authority is necessary;
g) cooperate with and provide assistance to other supervisory authorities, including through the exchange of information, to ensure the consistent application and enforcement of this Regulation;
h) conduct investigations into the application of this Regulation, including on the basis of information provided by another supervisory authority or another authority;
i) monitor relevant developments insofar as they have an impact on the protection of personal data, in particular the development of information and communication technology and business practices;
j) establish standard contractual clauses within the meaning of Article 28(8) and Article 46(2)(d);
k) establish and maintain a list of the types of processing for which a data protection impact assessment is to be carried out pursuant to Article 35(4);
l) provide advice in relation to the processing operations referred to in Article 36(2);
m) promote the development of codes of conduct referred to in Article 40(1) and issue opinions on and approve such codes of conduct, which shall provide sufficient safeguards as referred to in Article 40(5);
n) encourage the establishment of data protection certification mechanisms and data protection seals and marks in accordance with Article 42(1) and approve certification criteria in accordance with Article 42(5);
o) periodically review, as appropriate, the certifications issued pursuant to Article 42(7);
p) draft and publish the criteria for accreditation of a body for monitoring compliance with codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;
q) carry out the accreditation of a body for monitoring compliance with codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;
r) approve contractual clauses and provisions referred to in Article 46(3);
s) approve binding corporate rules in accordance with Article 47;
t) contribute to the activities of the Board;
u) keep internal records of infringements of this Regulation and of measures taken pursuant to Article 58(2); and
v) perform any other task related to the protection of personal data.

(2) Each supervisory authority shall facilitate the submission of complaints referred to in paragraph 1(f) by taking measures such as providing a complaint form that may also be completed electronically, without excluding other means of communication.

(3) The performance of the tasks of each supervisory authority shall be free of charge for the data subject and, where applicable, for the data protection officer.

(4) In the case of manifestly unfounded or – especially in the case of frequent repetition – excessive requests, the supervisory authority may charge a reasonable fee based on the administrative costs or refuse to act on the request. In this case, the supervisory authority shall bear the burden of proving the manifestly unfounded or excessive nature of the request.

Recitals

(132) Awareness-raising activities by supervisory authorities aimed at the public should include specific measures targeting controllers and processors, including micro, small and medium-sized enterprises, and natural persons, especially in the education sector.

Article 58 Powers

(1) Each supervisory authority shall have all of the following investigative powers:

a) to order the controller, the processor and, where applicable, the controller's or processor's representative to provide all information necessary for the performance of its tasks;
b) to conduct investigations in the form of data protection audits;
c) to conduct a review of certifications issued under Article 42(7);
d) to draw the attention of the controller or processor to an alleged breach of this Regulation;
e) to obtain from the controller and the processor access to all personal data and information necessary for the performance of its tasks;
f) to obtain access to the premises of the controller and the processor, including all data processing facilities and equipment, in accordance with Union procedural law or the procedural law of the Member State.

(2) Each supervisory authority shall have all of the following remedial powers:

a) to warn a controller or processor that intended processing operations are likely to infringe this Regulation;
b) to reprimand a controller or a processor where processing operations have infringed this Regulation;
c) to order the controller or processor to comply with the data subject's requests to exercise the rights to which he or she is entitled under this Regulation;
d) to order the controller or processor to bring processing operations into compliance with this Regulation, where appropriate, in a specific manner and within a specific period of time;
e) to order the controller to notify the data subject of a personal data breach;
f) to impose a temporary or permanent restriction on processing, including a ban;
g) to order the rectification or erasure of personal data or the restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such measures to the recipients to whom such personal data have been disclosed pursuant to Article 17(2) and Article 19;
h) to revoke a certification or to direct the certification body to revoke a certification granted under Articles 42 and 43, or to direct the certification body not to grant a certification if the requirements for certification are not or are no longer met;
i) to impose a fine in accordance with Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the circumstances of the case;
j) to order the suspension of the transfer of data to a recipient in a third country or to an international organization.

(3) Each supervisory authority shall have all of the following authorization and advisory powers:

a) to advise the controller in accordance with the prior consultation procedure referred to in Article 36;
b) to issue opinions on any matter relating to the protection of personal data, on its own initiative or upon request, to the national parliament, the government of the Member State or, in accordance with the law of the Member State, to other institutions and bodies, as well as to the public;
c) to authorize the processing pursuant to Article 36(5) if such prior authorization is required by the law of the Member State;
d) to give an opinion on and approve draft codes of conduct in accordance with Article 40(5);
e) to accredit certification bodies in accordance with Article 43;
f) to issue certifications and approve criteria for certification in accordance with Article 42(5);
g) to establish standard data protection clauses in accordance with Article 28(8) and Article 46(2)(d);
h) to approve contractual clauses pursuant to Article 46(3)(a);
i) to approve administrative arrangements pursuant to Article 46(3)(b);
j) to approve binding corporate rules in accordance with Article 47.

(4) The exercise of the powers conferred on the supervisory authority under this Article shall be subject to appropriate safeguards, including effective judicial remedies and due process, in accordance with Union law and the law of the Member State, consistent with the Charter.

(5) Each Member State shall provide by law that its supervisory authority shall have the power to bring infringements of this Regulation to the attention of the judicial authorities and, where appropriate, to institute or otherwise participate in legal proceedings to enforce the provisions of this Regulation.

(6) Each Member State may provide by law that its supervisory authority shall have powers additional to those listed in paragraphs 1, 2 and 3. The exercise of these powers shall not impair the effective implementation of Chapter VII.

Recitals

(129) In order to ensure the consistent monitoring and enforcement of this Regulation throughout the Union, the supervisory authorities in each Member State should have the same tasks and effective powers, including, in particular in the case of complaints by natural persons, powers of investigation, remedial powers and powers to impose sanctions, authorization and advisory powers, as well as, without prejudice to the powers of law enforcement authorities under the law of the Member States, the power to bring infringements of this Regulation to the attention of judicial authorities and to initiate judicial proceedings. This should include the power to impose a temporary or definitive restriction on processing, including a ban. Member States may determine other tasks related to the protection of personal data under this Regulation. The powers of the supervisory authorities should be exercised impartially, fairly and within a reasonable time, in accordance with the appropriate procedural safeguards under Union and Member State law. In particular, any measure should be appropriate, necessary and proportionate with a view to ensuring compliance with this Regulation, taking into account the circumstances of each individual case, respecting the right of every person to be heard before any individual measure is taken which would have an adverse effect on that person, and avoiding unnecessary costs and excessive inconvenience for data subjects. Investigatory powers with regard to access to premises should be exercised in accordance with specific requirements in the procedural law of the Member States, such as the requirement of prior judicial authorization. Any legally binding measure of the supervisory authority should be issued in writing and it should be clear and unambiguous; the supervisory authority that issued the measure and the date on which the measure was issued should be indicated and the measure should be signed by the head or by a member of the supervisory authority authorized by him or her and should contain a justification for the measure and a reference to the right to an effective remedy. This should not preclude additional requirements under the procedural law of the Member States. The adoption of a legally binding decision requires that it be subject to judicial review in the Member State of the supervisory authority that adopted the decision.

Article 59 Activity report

Each supervisory authority shall draw up an annual report on its activities, which may include a list of the types of infringements reported and the types of measures taken pursuant to Article 58(2). These reports shall be sent to the national parliament, the government and other authorities designated under the law of the Member States. They shall be made available to the public, the Commission and the Board.

Chapter VII Cooperation and consistency

Section 1 Cooperation

Article 60 Cooperation between the lead supervisory authority and the other supervisory authorities concerned

(1) The lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this Article, endeavoring to reach consensus. The lead supervisory authority and the supervisory authorities concerned shall exchange among themselves all relevant information.

(2) The lead supervisory authority may at any time request assistance from other supervisory authorities concerned in accordance with Article 61 and carry out joint operations in accordance with Article 62, in particular to carry out investigations or to monitor the implementation of a measure in relation to a controller or processor established in another Member State.

(3) The lead supervisory authority shall without undue delay provide the other supervisory authorities concerned with the relevant information on the matter. It shall without delay submit a draft decision to the other supervisory authorities concerned for their opinion and shall duly take into account their views.

(4) If one of the other supervisory authorities concerned lodges a relevant and reasoned objection to that draft decision within four weeks of being consulted in accordance with paragraph 3 of this Article, and the lead supervisory authority does not follow the relevant and reasoned objection or considers that the objection is not relevant or not reasoned, the lead supervisory authority shall initiate the consistency procedure referred to in Article 63 for the matter.

(5) If the lead supervisory authority intends to follow the relevant and reasoned objection, it shall submit a revised draft decision to the other supervisory authorities concerned for their opinion. The revised draft decision shall be subject to the procedure under paragraph 4 within a period of two weeks.

(6) If none of the other supervisory authorities concerned objects to the draft decision submitted by the lead supervisory authority within the period specified in paragraphs 4 and 5, the lead supervisory authority and the supervisory authorities concerned shall be deemed to agree with the draft decision and shall be bound by it.

(7) The lead supervisory authority shall adopt the decision and notify it to the main establishment or the single establishment of the controller or the processor, as the case may be, and shall inform the other supervisory authorities concerned and the Board of the decision in question, including a summary of the relevant facts and reasons. The supervisory authority with which a complaint has been lodged shall inform the complainant of the decision.

(8) If a complaint is rejected or dismissed, the supervisory authority with which the complaint was lodged shall, notwithstanding paragraph 7, adopt the decision, notify it to the complainant and inform the controller thereof.

(9) If the lead supervisory authority and the supervisory authorities concerned agree to reject or dismiss parts of the complaint and to take action with respect to other parts of that complaint, a separate decision shall be adopted for each of those parts. The lead supervisory authority shall adopt the decision for the part concerning action in respect of the controller, notify it to the main or single establishment of the controller or processor in the territory of its Member State and inform the complainant thereof, while the supervisory authority with which the complaint was lodged shall adopt the decision for the part concerning the rejection or dismissal of that complaint, notify it to that complainant and inform the controller or processor thereof.

(10) After being notified of the decision of the lead supervisory authority in accordance with paragraphs 7 and 9, the controller or processor shall take the necessary measures to bring the processing activities of all its establishments in the Union into compliance with the decision. The controller or processor shall notify the lead supervisory authority of the measures taken to comply with the decision, which shall in turn inform the other supervisory authorities concerned.

(11) If – in exceptional cases – a supervisory authority concerned has reason to believe that there is an urgent need to act to protect the interests of data subjects, the urgency procedure under Article 66 shall apply.

(12) The lead supervisory authority and the other supervisory authorities concerned shall provide each other with the information required under this Article by electronic means using a standardized format.

Recitals

(126) The decision should be jointly agreed by the lead supervisory authority and the supervisory authorities concerned and should be addressed to the main establishment or the single establishment of the controller or processor and should be binding on the controller and the processor. The controller or processor should take the necessary measures to ensure compliance with this Regulation and the implementation of the decision notified by the lead supervisory authority to the main establishment of the controller or processor with regard to the processing activities in the Union.

Article 61 Mutual assistance

(1) The supervisory authorities shall provide each other with relevant information and mutual assistance in order to implement and apply this Regulation consistently and shall make arrangements for effective cooperation. Mutual assistance shall in particular cover requests for information and supervisory measures, such as requests for prior authorizations and prior consultation, inspections and investigations.

(2) Each supervisory authority shall take all appropriate measures to comply with a request from another supervisory authority without undue delay and at the latest within one month of receipt of the request. This may include, in particular, providing relevant information on the conduct of an investigation.

(3) Requests for assistance shall contain all necessary information, including the purpose of and reasons for the request. The information provided shall be used solely for the purpose for which it was requested.

(4) The requested supervisory authority shall refuse to comply with the request only if

a) it is not competent for the subject matter of the request or for the measures it is requested to carry out, or
b) complying with the request would be contrary to this Regulation or to Union law or the law of the Member State to which the requested supervisory authority is subject.

(5) The requested supervisory authority shall inform the requesting supervisory authority of the results or, as the case may be, of the progress of the measures taken to comply with the request. The requested supervisory authority shall explain the reasons for refusing a request in accordance with paragraph 4.

(6) As a rule, the requested supervisory authorities shall transmit the information requested by another supervisory authority electronically using a standardized format.

(7) Requested supervisory authorities shall not charge fees for measures taken on the basis of a request for assistance. The supervisory authorities may agree among themselves on rules to reimburse each other in exceptional cases for specific expenses incurred as a result of mutual assistance.

(8) Where a requested supervisory authority does not provide the information referred to in paragraph 5 within one month of receipt of the request from another supervisory authority, the requesting supervisory authority may take a provisional measure within the territory of its Member State in accordance with Article 55(1). In that case, the urgent need to act referred to in Article 66(1) shall be presumed to be met and to require an urgent binding decision of the Board pursuant to the urgency procedure referred to in Article 66(2).

(9) The Commission may, by means of implementing acts, specify the form and procedure for mutual assistance under this Article and the arrangements for the electronic exchange of information between supervisory authorities and between supervisory authorities and the Board, in particular the standardized format referred to in paragraph 6 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

Reci­tals

(133) The super­vi­so­ry aut­ho­ri­ties should assist each other in the per­for­mance of their duties and pro­vi­de mutu­al assi­stance in order to ensu­re the con­si­stent app­li­ca­ti­on and enfor­ce­ment of this Regu­la­ti­on in the inter­nal mar­ket. A super­vi­so­ry aut­ho­ri­ty which has reque­sted mutu­al assi­stance may adopt a pro­vi­sio­nal mea­su­re if it has not recei­ved a respon­se from the reque­sted super­vi­so­ry aut­ho­ri­ty wit­hin one mon­th of the date of rece­i­pt of the requ­est for mutu­al assi­stance by the reque­sted super­vi­so­ry authority.

Article 62 Joint operations of supervisory authorities

(1) The supervisory authorities shall, where appropriate, conduct joint operations, including joint investigations and joint enforcement measures, in which members or staff of the supervisory authorities of other Member States are involved.

(2) Where the controller or processor has establishments in several Member States or where a significant number of data subjects in more than one Member State are likely to be substantially affected by processing operations, a supervisory authority of each of those Member States shall have the right to participate in joint operations. The supervisory authority which is competent pursuant to Article 56(1) or (4) shall invite the supervisory authority of each of those Member States to take part in the joint operations and shall respond without delay to the request of a supervisory authority to participate.

(3) A supervisory authority may, in accordance with Member State law and with the seconding supervisory authority's authorization, confer powers, including investigative powers, on the seconding supervisory authority's members or staff involved in joint operations or, in so far as the law of the Member State of the host supervisory authority permits, allow the seconding supervisory authority's members or staff to exercise their investigative powers in accordance with the law of the Member State of the seconding supervisory authority. Such investigative powers may be exercised only under the guidance and in the presence of members or staff of the host supervisory authority. The seconding supervisory authority's members or staff shall be subject to the Member State law of the host supervisory authority.

(4) Where, in accordance with paragraph 1, staff of a seconding supervisory authority operate in another Member State, the Member State of the host supervisory authority shall assume responsibility for their actions, including liability for any damage caused by them during their operations, in accordance with the law of the Member State in whose territory they are operating.

(5) The Member State in whose territory the damage was caused shall make good such damage under the conditions applicable to damage caused by its own staff. The Member State of the seconding supervisory authority whose staff has caused damage to any person in the territory of another Member State shall reimburse that other Member State in full for any sums it has paid to the persons entitled on their behalf.

(6) Without prejudice to the exercise of its rights vis-à-vis third parties and with the exception of paragraph 5, each Member State shall refrain, in the case provided for in paragraph 1, from requesting reimbursement from another Member State in relation to damage referred to in paragraph 4.

(7) Where a joint operation is intended and a supervisory authority does not, within one month, comply with the obligation laid down in the second sentence of paragraph 2 of this Article, the other supervisory authorities may adopt a provisional measure on the territory of their Member State in accordance with Article 55. In that case, the urgent need to act under Article 66(1) shall be presumed to be met and to require an urgent opinion or an urgent binding decision from the Board pursuant to Article 66(2).

Recitals

(134) Each supervisory authority should, where appropriate, participate in joint operations with other supervisory authorities. The requested supervisory authority should be obliged to respond to the request within a specified time period.

Section 2 Consistency

Article 63 Consistency mechanism

In order to contribute to the consistent application of this Regulation throughout the Union, the supervisory authorities shall cooperate with each other and, where relevant, with the Commission, through the consistency mechanism as set out in this Section.

Recitals

(135) In order to ensure the consistent application of this Regulation throughout the Union, a consistency mechanism for cooperation between the supervisory authorities should be established. That mechanism should in particular apply where a supervisory authority intends to adopt a measure intended to produce legal effects as regards processing operations which substantially affect a significant number of data subjects in several Member States. It should also apply where any supervisory authority concerned or the Commission requests that such a matter should be handled in the consistency mechanism. That mechanism should be without prejudice to any measures that the Commission may take in the exercise of its powers under the Treaties.

(136) In applying the consistency mechanism, the Board should, within a determined period of time, issue an opinion if a majority of its members so decides or if so requested by any supervisory authority concerned or the Commission. The Board should also be empowered to adopt legally binding decisions where there are disputes between supervisory authorities. For that purpose, it should issue, in principle by a two-thirds majority of its members, legally binding decisions in clearly specified cases where there are conflicting views among supervisory authorities on the merits of the case, in particular whether there is an infringement of this Regulation, in particular in the cooperation mechanism between the lead supervisory authority and the supervisory authorities concerned.

(138) The application of such a mechanism should be a condition for the lawfulness of a measure intended to produce legal effects by a supervisory authority in those cases where its application is mandatory. In other cases of cross-border relevance, the cooperation mechanism between the lead supervisory authority and the supervisory authorities concerned should be applied, and mutual assistance and joint operations may be carried out between the supervisory authorities concerned on a bilateral or multilateral basis without triggering the consistency mechanism.

Article 64 Opinion of the Board

(1) The Board shall issue an opinion where a competent supervisory authority intends to adopt any of the measures below. To that end, the competent supervisory authority shall communicate the draft decision to the Board when it

a) aims to adopt a list of the processing operations subject to the requirement for a data protection impact assessment pursuant to Article 35(4),
b) concerns a matter pursuant to Article 40(7), namely whether a draft code of conduct or an amendment or extension to a code of conduct complies with this Regulation,
c) aims to approve the criteria for accreditation of a body pursuant to Article 41(3) or of a certification body pursuant to Article 43(3),
d) aims to determine standard data protection clauses referred to in Article 46(2)(d) and in Article 28(8),
e) aims to authorize contractual clauses referred to in Article 46(3)(a), or
f) aims to approve binding corporate rules within the meaning of Article 47.

(2) Any supervisory authority, the Chair of the Board or the Commission may request that any matter of general application or producing effects in more than one Member State be examined by the Board with a view to obtaining an opinion, in particular where a competent supervisory authority does not comply with the obligations for mutual assistance in accordance with Article 61 or for joint operations in accordance with Article 62.

(3) In the cases referred to in paragraphs 1 and 2, the Board shall issue an opinion on the matter submitted to it, provided that it has not already issued an opinion on the same matter. That opinion shall be adopted within eight weeks by a simple majority of the members of the Board. That period may be extended by a further six weeks, taking into account the complexity of the subject matter. Regarding the draft decision referred to in paragraph 1 circulated to the members of the Board in accordance with paragraph 5, a member which has not objected within a reasonable period indicated by the Chair shall be deemed to be in agreement with the draft decision.

(4) Supervisory authorities and the Commission shall, without undue delay, communicate by electronic means to the Board, using a standardized format, any relevant information, including, as the case may be, a summary of the facts, the draft decision, the grounds which make the enactment of such a measure necessary, and the views of other supervisory authorities concerned.

(5) The Chair of the Board shall, without undue delay, inform by electronic means

a) the members of the Board and the Commission of any relevant information which has been communicated to it, using a standardized format. The secretariat of the Board shall, where necessary, provide translations of relevant information; and
b) the supervisory authority referred to, as the case may be, in paragraphs 1 and 2, and the Commission of the opinion, and shall make it public.

(6) The competent supervisory authority shall not adopt its draft decision referred to in paragraph 1 within the period referred to in paragraph 3.

(7) The supervisory authority referred to in paragraph 1 shall take utmost account of the opinion of the Board and shall, within two weeks after receiving the opinion, communicate to the Chair of the Board by electronic means, using a standardized format, whether it will maintain or amend its draft decision and, if any, the amended draft decision.

(8) Where the supervisory authority concerned informs the Chair of the Board within the period referred to in paragraph 7 of this Article that it does not intend to follow the opinion of the Board, in whole or in part, providing the relevant grounds, Article 65(1) shall apply.

Article 65 Dispute resolution by the Board

(1) In order to ensure the correct and consistent application of this Regulation in individual cases, the Board shall adopt a binding decision in the following cases:

a) where, in a case referred to in Article 60(4), a supervisory authority concerned has raised a relevant and reasoned objection to a draft decision of the lead authority or the lead authority has rejected such an objection as being not relevant or reasoned. The binding decision shall concern all the matters which are the subject of the relevant and reasoned objection, in particular whether there is an infringement of this Regulation;
b) where there are conflicting views on which of the supervisory authorities concerned is competent for the main establishment;
c) where a competent supervisory authority does not request the opinion of the Board in the cases referred to in Article 64(1), or does not follow the opinion of the Board issued under Article 64. In that case, any supervisory authority concerned or the Commission may communicate the matter to the Board.

(2) The decision referred to in paragraph 1 shall be adopted within one month from the referral of the subject matter by a two-thirds majority of the members of the Board. That period may be extended by a further month on account of the complexity of the subject matter. The decision referred to in paragraph 1 shall be reasoned and addressed to the lead supervisory authority and all the supervisory authorities concerned and shall be binding on them.

(3) Where the Board has been unable to adopt a decision within the periods referred to in paragraph 2, it shall adopt its decision within two weeks following the expiration of the second month referred to in paragraph 2 by a simple majority of the members of the Board. Where the members of the Board are split, the decision shall be adopted by the vote of its Chair.

(4) The supervisory authorities concerned shall not adopt a decision on the subject matter submitted to the Board under paragraph 1 during the periods referred to in paragraphs 2 and 3.

(5) The Chair of the Board shall notify, without undue delay, the decision referred to in paragraph 1 to the supervisory authorities concerned. It shall inform the Commission thereof. The decision shall be published on the website of the Board without delay after the supervisory authority has notified the final decision referred to in paragraph 6.

(6) The lead supervisory authority or, as the case may be, the supervisory authority with which the complaint has been lodged shall adopt its final decision on the basis of the decision referred to in paragraph 1 of this Article, without undue delay and at the latest one month after the Board has notified its decision. The lead supervisory authority or, as the case may be, the supervisory authority with which the complaint has been lodged shall inform the Board of the date when its final decision is notified to the controller or the processor and to the data subject, respectively. The final decision of the supervisory authorities concerned shall be adopted under the terms of Article 60(7), (8) and (9). The final decision shall refer to the decision referred to in paragraph 1 of this Article and shall specify that the decision referred to in that paragraph will be published on the website of the Board in accordance with paragraph 5 of this Article. The final decision shall attach the decision referred to in paragraph 1 of this Article.

Article 66 Urgency procedure

(1) In exceptional circumstances, where a supervisory authority concerned considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, it may, by way of derogation from the consistency mechanism referred to in Articles 63, 64 and 65 or the procedure referred to in Article 60, immediately adopt provisional measures intended to produce legal effects on its own territory with a specified period of validity which shall not exceed three months. The supervisory authority shall, without delay, communicate those measures and the reasons for adopting them to the other supervisory authorities concerned, to the Board and to the Commission.

(2) Where a supervisory authority has taken a measure pursuant to paragraph 1 and considers that final measures need to be adopted urgently, it may request an urgent opinion or an urgent binding decision from the Board, giving reasons for requesting such an opinion or decision.

(3) Any supervisory authority may request an urgent opinion or an urgent binding decision, as the case may be, from the Board where a competent supervisory authority has not taken an appropriate measure in a situation where there is an urgent need to act in order to protect the rights and freedoms of data subjects, giving reasons for requesting such an opinion or decision, including for the urgent need to act.

(4) By way of derogation from Article 64(3) and Article 65(2), an urgent opinion or an urgent binding decision referred to in paragraphs 2 and 3 of this Article shall be adopted within two weeks by a simple majority of the members of the Board.

Recitals

(137) There may be an urgent need to act in order to protect the rights and freedoms of data subjects, in particular when the danger exists that the enforcement of a right of a data subject could be considerably impeded. A supervisory authority should therefore be able to adopt duly justified provisional measures on its territory with a specified period of validity which should not exceed three months.

Article 67 Exchange of information

The Commission may adopt implementing acts of general scope in order to specify the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the Board, in particular the standardized format referred to in Article 64.

Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

Section 3 European Data Protection Board

Article 68 European Data Protection Board

(1) The European Data Protection Board (hereinafter "Board") is hereby established as a body of the Union and shall have legal personality.

(2) The Board shall be represented by its Chair.

(3) The Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor, or their respective representatives.

(4) Where in a Member State more than one supervisory authority is responsible for monitoring the application of the provisions pursuant to this Regulation, a joint representative shall be appointed in accordance with that Member State's law.

(5) The Commission shall have the right to participate in the activities and meetings of the Board without voting rights. The Commission shall designate a representative. The Chair of the Board shall communicate the activities of the Board to the Commission.

(6) In the cases referred to in Article 65, the European Data Protection Supervisor shall have voting rights only on decisions which concern principles and rules applicable to the Union institutions, bodies, offices and agencies which correspond in substance to those of this Regulation.

Recitals

(139) In order to promote the consistent application of this Regulation, the Board should be set up as an independent body of the Union. To fulfil its objectives, the Board should have legal personality. The Board should be represented by its Chair. It should replace the Working Party on the Protection of Individuals with Regard to the Processing of Personal Data established by Directive 95/46/EC. It should consist of the head of a supervisory authority of each Member State and the European Data Protection Supervisor or their respective representatives. The Commission should participate in the Board's activities without voting rights, and the European Data Protection Supervisor should have specific voting rights. The Board should contribute to the consistent application of this Regulation throughout the Union, including by advising the Commission, in particular on the level of protection in third countries or international organizations, and by promoting cooperation of the supervisory authorities throughout the Union. The Board should act independently when performing its tasks.

Article 69 Independence

(1) The Board shall act independently when performing its tasks or exercising its powers pursuant to Articles 70 and 71.

(2) Without prejudice to requests by the Commission referred to in Article 70(1)(b) and Article 70(2), the Board shall, in the performance of its tasks or the exercise of its powers, neither seek nor take instructions from anybody.

Article 70 Tasks of the Board

(1) The Board shall ensure the consistent application of this Regulation. To that end, the Board shall, on its own initiative or, where relevant, at the request of the Commission, in particular:

a) monitor and ensure the correct application of this Regulation in the cases provided for in Articles 64 and 65, without prejudice to the tasks of national supervisory authorities;
b) advise the Commission on any issue related to the protection of personal data in the Union, including on any proposed amendment of this Regulation;
c) advise the Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules;
d) issue guidelines, recommendations and best practices on procedures for erasing links, copies or replications of personal data from publicly available communication services as referred to in Article 17(2);
e) examine, on its own initiative, on request of one of its members or on request of the Commission, any question covering the application of this Regulation and issue guidelines, recommendations and best practices in order to encourage consistent application of this Regulation;
f) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for further specifying the criteria and conditions for decisions based on profiling pursuant to Article 22(2);
g) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing the personal data breaches and determining the undue delay referred to in Article 33(1) and (2), and for the particular circumstances in which a controller or a processor is required to notify the personal data breach;
h) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph as to the circumstances in which a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons as referred to in Article 34(1);
i) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for personal data transfers based on binding corporate rules adhered to by controllers or processors as referred to in Article 47, and on further necessary requirements to ensure the protection of personal data of the data subjects concerned referred to therein;
j) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for personal data transfers on the basis of Article 49(1);
k) draw up guidelines for supervisory authorities concerning the application of measures referred to in Article 58(1), (2) and (3) and the setting of administrative fines pursuant to Article 83;
l) review the practical application of the guidelines, recommendations and best practices referred to in points (e) and (f);
m) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing common procedures for the reporting by natural persons of infringements of this Regulation pursuant to Article 54(2);
n) encourage the drawing-up of codes of conduct and the establishment of data protection certification mechanisms and data protection seals and marks pursuant to Articles 40 and 42;
o) carry out the accreditation of certification bodies and its periodic review pursuant to Article 43, and maintain a public register of accredited bodies pursuant to Article 43(6) and of the accredited controllers or processors established in third countries pursuant to Article 42(7);
p) specify the requirements referred to in Article 43(3) with a view to the accreditation of certification bodies under Article 42;
q) provide the Commission with an opinion on the certification requirements referred to in Article 43(8);
r) provide the Commission with an opinion on the icons referred to in Article 12(7);
s) provide the Commission with an opinion for the assessment of the adequacy of the level of protection in a third country or international organization, including for the assessment of whether a third country, a territory or one or more specified sectors within that third country, or an international organization no longer ensures an adequate level of protection. To that end, the Commission shall provide the Board with all necessary documentation, including correspondence with the government of the third country, with regard to that third country, territory or specified sector, or with the international organization;
t) issue opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism referred to in Article 64(1), on matters submitted pursuant to Article 64(2), and issue binding decisions pursuant to Article 65, including in the cases referred to in Article 66;
u) promote cooperation and the effective bilateral and multilateral exchange of information and best practices between the supervisory authorities;
v) promote common training programmes and facilitate personnel exchanges between the supervisory authorities and, where appropriate, with the supervisory authorities of third countries or with international organizations;
w) promote the exchange of knowledge and documentation on data protection legislation and practice with data protection supervisory authorities worldwide;
x) issue opinions on codes of conduct drawn up at Union level pursuant to Article 40(9); and
y) maintain a publicly accessible electronic register of decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.

(2) Where the Commission requests advice from the Board, it may indicate a time limit, taking into account the urgency of the matter.

(3) The Board shall forward its opinions, guidelines, recommendations and best practices to the Commission and to the committee referred to in Article 93, and shall make them public.

(4) The Board shall, where appropriate, consult interested parties and give them the opportunity to comment within a reasonable period. The Board shall, without prejudice to Article 76, make the results of the consultation procedure publicly available.

Article 71 Reports

(1) The Board shall draw up an annual report regarding the protection of natural persons with regard to processing in the Union and, where relevant, in third countries and international organizations. The report shall be made public and transmitted to the European Parliament, to the Council and to the Commission.

(2) The annual report shall include a review of the practical application of the guidelines, recommendations and best practices referred to in Article 70(1)(l), as well as of the binding decisions referred to in Article 65.

Article 72 Procedure

(1) The Board shall take decisions by a simple majority of its members, unless otherwise provided for in this Regulation.

(2) The Board shall adopt its own rules of procedure by a two-thirds majority of its members and organize its own operational arrangements.

Article 73 Chair

(1) The Board shall elect a Chair and two deputy chairs from amongst its members by simple majority.

(2) The term of office of the Chair and of the deputy chairs shall be five years and shall be renewable once.

Article 74 Tasks of the Chair

(1) The Chair shall have the following tasks:

a) to convene the meetings of the Board and prepare its agenda;
b) to notify decisions adopted by the Board pursuant to Article 65 to the lead supervisory authority and the supervisory authorities concerned;
c) to ensure the timely performance of the tasks of the Board, in particular in relation to the consistency mechanism referred to in Article 63.

(2) The Board shall lay down the allocation of tasks between the Chair and the deputy chairs in its rules of procedure.

Arti­cle 75 Secretariat

(1) The Com­mit­tee shall be assi­sted by a secre­ta­ri­at pro­vi­ded by the EDPS.

(2) The Secre­ta­ri­at shall per­form its duties sole­ly at the direc­tion of the Chair of the Committee.

(3) The staff of the EDPS invol­ved in the per­for­mance of the tasks ent­ru­sted to the Board under this Regu­la­ti­on shall be sub­ject to dif­fe­rent reporting obli­ga­ti­ons than the staff invol­ved in the per­for­mance of the tasks ent­ru­sted to the EDPS.

(4) Whe­re appro­pria­te, the Board and the Euro­pean Data Pro­tec­tion Super­vi­sor shall draw up and publish a memo­ran­dum of under­stan­ding for the app­li­ca­ti­on of this Arti­cle, set­ting out the con­di­ti­ons of their coope­ra­ti­on and app­li­ca­ble to the staff of the Euro­pean Data Pro­tec­tion Super­vi­sor invol­ved in the per­for­mance of the tasks ent­ru­sted to the Board under this Regulation.

(5) The Secre­ta­ri­at pro­vi­des ana­ly­ti­cal, admi­ni­stra­ti­ve, and logi­sti­cal sup­port to the Committee.

(6) The secre­ta­ri­at is respon­si­ble in par­ti­cu­lar for

a) the day-to-day busi­ness of the committee,
b) com­mu­ni­ca­ti­on bet­ween the mem­bers of the Com­mit­tee, its Chair and the Commission,
c) com­mu­ni­ca­ti­on with other insti­tu­ti­ons and with the public,
d) the use of elec­tro­nic means for inter­nal and exter­nal communication,
e) the trans­la­ti­on of rele­vant information,
f) the pre­pa­ra­ti­on and fol­low-up of the mee­tings of the Committee,
g) preparing, drafting and publishing opinions, decisions on the settlement of disputes between supervisory authorities and other documents adopted by the Committee.

Recitals

(140) The Board should be assi­sted by a secre­ta­ri­at pro­vi­ded by the EDPS. The staff of the EDPS invol­ved in the per­for­mance of the tasks ent­ru­sted to the Board under this Regu­la­ti­on should car­ry out tho­se tasks exclu­si­ve­ly in accordance with the inst­ruc­tions of, and report to, the Chair of the Board.

Arti­cle 76 Confidentiality

(1) In accordance with its rules of pro­ce­du­re, the Committee’s deli­be­ra­ti­ons shall be con­fi­denti­al if the Com­mit­tee deems it necessary.

(2) Access to docu­ments sub­mit­ted to mem­bers of the Com­mit­tee, experts and repre­sen­ta­ti­ves of third par­ties is gover­ned by Regu­la­ti­on (EC) No 1049/2001 of the Euro­pean Par­lia­ment and of the Coun­cil (21).

Chap­ter VIII Reme­di­es, lia­bi­li­ty and sanctions

Arti­cle 77 Right to com­p­lain to a super­vi­so­ry authority

(1) Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her residence, place of work or the place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

(2) The supervisory authority with which the complaint has been lodged shall inform the complainant of the progress and outcome of the complaint, including the possibility of a judicial remedy under Article 78.

Recitals

(141) Every data sub­ject should have the right to lodge a com­p­laint with a sin­gle super­vi­so­ry aut­ho­ri­ty, in par­ti­cu­lar in the Mem­ber Sta­te of his or her habi­tu­al resi­dence, and to seek an effec­ti­ve judi­cial reme­dy in accordance with Arti­cle 47 of the Char­ter, whe­re he or she con­si­ders that his or her rights under this Regu­la­ti­on have been infrin­ged or whe­re the super­vi­so­ry aut­ho­ri­ty fails to act on a com­p­laint, rejects or refu­ses a com­p­laint in part or in who­le, or fails to act despi­te the need to pro­tect the rights of the data sub­ject. The inve­sti­ga­ti­on fol­lo­wing a com­p­laint should be as broad as appro­pria­te in the indi­vi­du­al case, sub­ject to judi­cial review. The super­vi­so­ry aut­ho­ri­ty should inform the data sub­ject of the pro­gress and out­co­me of the com­p­laint wit­hin a rea­son­ab­le peri­od of time. If fur­ther inve­sti­ga­ti­on or coor­di­na­ti­on with ano­t­her super­vi­so­ry aut­ho­ri­ty is necessa­ry, the data sub­ject should be infor­med of the inte­rim sta­tus. Each super­vi­so­ry aut­ho­ri­ty should take mea­su­res to faci­li­ta­te the sub­mis­si­on of com­p­laints, such as pro­vi­ding a com­p­laint form that can also be com­ple­ted elec­tro­ni­cal­ly, without exclu­ding other means of communication.

Arti­cle 78 Right to effec­ti­ve judi­cial reme­dy against a super­vi­so­ry authority

(1) Any natu­ral or legal per­son shall have the right to an effec­ti­ve judi­cial reme­dy against a legal­ly bin­ding deci­si­on of a super­vi­so­ry aut­ho­ri­ty con­cer­ning them, without pre­ju­di­ce to any other admi­ni­stra­ti­ve or extra­ju­di­cial remedy.

(2) Any data sub­ject shall have the right to an effec­ti­ve judi­cial reme­dy, without pre­ju­di­ce to any other admi­ni­stra­ti­ve or extra­ju­di­cial reme­dy, if the super­vi­so­ry aut­ho­ri­ty com­pe­tent pur­suant to Arti­cles 55 and 56 has not dealt with a com­p­laint or has not infor­med the data sub­ject wit­hin three mon­ths of the sta­tus or out­co­me of the com­p­laint lod­ged pur­suant to Arti­cle 77.

(3) Pro­ce­e­dings against a super­vi­so­ry aut­ho­ri­ty shall be brought befo­re the courts of the Mem­ber Sta­te in which the super­vi­so­ry aut­ho­ri­ty has its seat.

(4) In the event of pro­ce­e­dings against the deci­si­on of a super­vi­so­ry aut­ho­ri­ty pre­ce­ded by an opi­ni­on or deci­si­on of the Com­mit­tee under the con­si­sten­cy pro­ce­du­re, the super­vi­so­ry aut­ho­ri­ty shall for­ward such opi­ni­on or deci­si­on to the court.

Reci­tals

(143) Any natu­ral or legal per­son shall have the right to bring an action befo­re the Court of Jus­ti­ce for the annulment of a deci­si­on of the Board, under the con­di­ti­ons laid down in Arti­cle 263 TFEU. As addres­sees of such deci­si­ons, the super­vi­so­ry aut­ho­ri­ties con­cer­ned wis­hing to chal­len­ge tho­se deci­si­ons must bring an action under Arti­cle 263 TFEU wit­hin two mon­ths of their noti­fi­ca­ti­on. Whe­re deci­si­ons of the Board direct­ly and indi­vi­du­al­ly affect a con­trol­ler, a pro­ces­sor or the com­p­lai­nant, tho­se per­sons may bring an action for annulment in accordance with Arti­cle 263 TFEU wit­hin two mon­ths of the publi­ca­ti­on of the rele­vant deci­si­ons on the Board’s web­site. Without pre­ju­di­ce to that right under Arti­cle 263 TFEU, any natu­ral or legal per­son should have the right to an effec­ti­ve judi­cial reme­dy befo­re the com­pe­tent natio­nal court against a deci­si­on of a super­vi­so­ry aut­ho­ri­ty which pro­du­ces legal effects vis-à-vis that per­son. Such a deci­si­on con­cerns, in par­ti­cu­lar, the exer­cise by the super­vi­so­ry aut­ho­ri­ty of powers of inve­sti­ga­ti­on, redress and aut­ho­ri­sa­ti­on, or the rejec­tion or dis­mis­sal of com­p­laints. Howe­ver, the right to an effec­ti­ve judi­cial reme­dy does not cover legal­ly non-bin­ding mea­su­res taken by the super­vi­so­ry aut­ho­ri­ties, such as opi­ni­ons or recom­men­da­ti­ons issued by it. Pro­ce­e­dings against a super­vi­so­ry aut­ho­ri­ty should be brought befo­re the courts of the Mem­ber Sta­te whe­re the super­vi­so­ry aut­ho­ri­ty is estab­lished and should be con­duc­ted in accordance with the pro­ce­du­ral law of that Mem­ber Sta­te. Tho­se courts should have unli­mi­ted juris­dic­tion, which inclu­des the com­pe­tence to exami­ne all issu­es of fact and law rele­vant to the dis­pu­te befo­re them. 

Where a complaint has been rejected or dismissed by a supervisory authority, the complainant may bring an action before the courts of the same Member State.

In the con­text of judi­cial reme­di­es rela­ting to the app­li­ca­ti­on of this Regu­la­ti­on, natio­nal courts which con­si­der that a deci­si­on on the mat­ter is necessa­ry to enab­le them to give judgment may, or, in the cases refer­red to in Arti­cle 267 TFEU, must, requ­est the Court of Jus­ti­ce to give a preli­mi­na­ry ruling on the inter­pre­ta­ti­on of Uni­on law, which inclu­des this Regu­la­ti­on. Fur­ther­mo­re, if a deci­si­on of a super­vi­so­ry aut­ho­ri­ty to imple­ment a deci­si­on of the Board is chal­len­ged befo­re a natio­nal court and the vali­di­ty of the deci­si­on of the Board is cal­led into que­sti­on, that natio­nal court does not have the power to annul the deci­si­on of the Board but, in accordance with Arti­cle 267 TFEU as inter­pre­ted by the Court of Jus­ti­ce, must refer the que­sti­on of vali­di­ty to the Court of Jus­ti­ce if it con­si­ders the deci­si­on to be void. Howe­ver, a natio­nal court may not refer que­sti­ons of the vali­di­ty of the Committee’s deci­si­on to the Court of Jus­ti­ce at the requ­est of a natu­ral or legal per­son if that per­son has had an oppor­tu­ni­ty to bring an action for annulment of that deci­si­on – in par­ti­cu­lar if he or she was direct­ly and indi­vi­du­al­ly con­cer­ned by the deci­si­on – but has not avai­led hims­elf or herself of that oppor­tu­ni­ty wit­hin the time limit laid down in Arti­cle 263 TFEU.

Arti­cle 79 Right to an effec­ti­ve judi­cial reme­dy against con­trol­lers or processors

(1) Without pre­ju­di­ce to any avail­ab­le admi­ni­stra­ti­ve or judi­cial reme­dy, inclu­ding the right to lodge a com­p­laint with a super­vi­so­ry aut­ho­ri­ty pur­suant to Arti­cle 77, every data sub­ject shall have the right to an effec­ti­ve judi­cial reme­dy if he or she con­si­ders that his or her rights under this Regu­la­ti­on have been infrin­ged as a result of the pro­ces­sing of his or her per­so­nal data not in com­pli­an­ce with this Regulation.

(2) Actions against a con­trol­ler or a pro­ces­sor shall be brought in the courts of the Mem­ber Sta­te whe­re the con­trol­ler or pro­ces­sor has an estab­lish­ment. Alter­na­tively, such actions may also be brought befo­re the courts of the Mem­ber Sta­te whe­re the data sub­ject is domic­i­led, unless the con­trol­ler or pro­ces­sor is an aut­ho­ri­ty of a Mem­ber Sta­te acting in the exer­cise of its public powers.

Reci­tals

(145) In pro­ce­e­dings against con­trol­lers or pro­ces­sors, it should be left to the plain­tiff to deci­de whe­ther to bring pro­ce­e­dings befo­re the courts of the Mem­ber Sta­te whe­re the con­trol­ler or pro­ces­sor has an estab­lish­ment or of the Mem­ber Sta­te whe­re the data sub­ject is domic­i­led, except whe­re the con­trol­ler is an aut­ho­ri­ty of a Mem­ber Sta­te acting in the exer­cise of its public powers.

(147) To the extent that this Regu­la­ti­on con­tains spe­ci­fic rules on juris­dic­tion, in par­ti­cu­lar with regard to pro­ce­e­dings for a judi­cial reme­dy, inclu­ding dama­ges, against a con­trol­ler or pro­ces­sor, the gene­ral rules on juris­dic­tion, such as tho­se con­tai­ned in Regu­la­ti­on (EU) No 1215/2012 of the Euro­pean Par­lia­ment and of the Coun­cil (13), should not pre­vent the app­li­ca­ti­on of tho­se spe­ci­fic rules.

Arti­cle 80 Repre­sen­ta­ti­on of data subjects

(1) The data sub­ject shall have the right to inst­ruct a non-pro­fit body, orga­niz­a­ti­on or asso­cia­ti­on, duly con­sti­tuted in accordance with the law of a Mem­ber Sta­te, who­se sta­tu­to­ry objec­ti­ves are in the public inte­rest and which is acti­ve in the field of the pro­tec­tion of the rights and free­doms of data sub­jects with regard to the pro­tec­tion of their per­so­nal data, to lodge a com­p­laint on his or her behalf, to exer­cise on his or her behalf the rights refer­red to in Arti­cles 77, 78 and 79 and to exer­cise the right to com­pen­sa­ti­on refer­red to in Arti­cle 82, whe­re pro­vi­ded for in the law of the Mem­ber States.

(2) Mem­ber Sta­tes may pro­vi­de that any of the bodies, orga­niz­a­ti­ons or asso­cia­ti­ons refer­red to in para­graph 1 of this Arti­cle, irre­spec­ti­ve of any man­da­te given by the data sub­ject in that Mem­ber Sta­te, shall have the right to lodge a com­p­laint with the super­vi­so­ry aut­ho­ri­ty com­pe­tent pur­suant to Arti­cle 77 and to exer­cise the rights set out in Arti­cles 78 and 79 whe­re they con­si­der that the rights of a data sub­ject under this Regu­la­ti­on have been infrin­ged as a result of a pro­ces­sing operation.

Reci­tals

(142) Data sub­jects who con­si­der that their rights under this Regu­la­ti­on have been infrin­ged should have the right to inst­ruct bodies, orga­niz­a­ti­ons or asso­cia­ti­ons estab­lished in accordance with the law of a Mem­ber Sta­te, not-for-pro­fit, who­se sta­tu­to­ry objec­ti­ves are in the public inte­rest and which are acti­ve in the field of per­so­nal data pro­tec­tion, to lodge a com­p­laint on their behalf with a super­vi­so­ry aut­ho­ri­ty or to seek judi­cial reme­dy or to exer­cise the right to com­pen­sa­ti­on, whe­re pro­vi­ded for in the law of the Mem­ber Sta­tes. Mem­ber Sta­tes may pro­vi­de that such bodies, orga­niz­a­ti­ons or asso­cia­ti­ons should have the right to lodge their own com­p­laint, inde­pendent­ly of being man­da­ted by a data sub­ject in the Mem­ber Sta­te con­cer­ned, and the right to an effec­ti­ve judi­cial reme­dy whe­re they have rea­son to belie­ve that the rights of the data sub­ject have been infrin­ged as a result of pro­ces­sing not in com­pli­an­ce with this Regu­la­ti­on. Such bodies, orga­niz­a­ti­ons or asso­cia­ti­ons may not be allo­wed to claim dama­ges on behalf of a data sub­ject, regard­less of the man­da­te of a data subject.

Arti­cle 81 Sus­pen­si­on of proceedings

(1) If a com­pe­tent court in a Mem­ber Sta­te beco­mes awa­re of pro­ce­e­dings on the same sub­ject mat­ter rela­ting to pro­ces­sing by the same con­trol­ler or pro­ces­sor which are pen­ding befo­re a court in ano­t­her Mem­ber Sta­te, it shall con­ta­ct that court to ascer­tain that such pro­ce­e­dings exist.

(2) Whe­re pro­ce­e­dings on the same sub­ject mat­ter rela­ting to pro­ces­sing by the same con­trol­ler or pro­ces­sor are pen­ding befo­re a court in ano­t­her Mem­ber Sta­te, any court sei­sed sub­se­quent­ly may stay the pro­ce­e­dings pen­ding befo­re it.

(3) Whe­re such pro­ce­e­dings are pen­ding at first instance, any court sub­se­quent­ly sei­sed may also, on app­li­ca­ti­on by a par­ty, decli­ne juris­dic­tion if the court first sei­sed has juris­dic­tion over the actions in que­sti­on and the join­der of the actions is per­mit­ted by its law.

Reci­tals

(144) Where a court seised of proceedings against a decision of a supervisory authority has reason to believe that proceedings concerning the same processing – for example, on the same subject matter with regard to processing by the same controller or processor or concerning the same claim – are pending before a competent court in another Member State, it should contact that court to ascertain that such related proceedings exist. Where related proceedings are pending before a court in another Member State, any court other than the court first seised may stay its proceedings or, at the request of one of the parties, may also decline jurisdiction in favor of the court first seised if the court first seised has jurisdiction over the proceedings in question and the joinder of such related proceedings is permitted under its law. Proceedings should be deemed to be related if they are so closely connected that it is expedient to hear and determine them together to avoid irreconcilable judgments in separate proceedings.

Arti­cle 82 Lia­bi­li­ty and right to compensation

(1) Any per­son who has suf­fe­red mate­ri­al or non-mate­ri­al dama­ge as a result of a bre­ach of this Regu­la­ti­on shall be enti­t­led to com­pen­sa­ti­on from the con­trol­ler or the processor.

(2) Any con­trol­ler invol­ved in a pro­ces­sing ope­ra­ti­on shall be liable for the dama­ge cau­sed by a pro­ces­sing ope­ra­ti­on that does not com­ply with this Regu­la­ti­on. A pro­ces­sor shall be liable for the dama­ge cau­sed by a pro­ces­sing ope­ra­ti­on only if it has fai­led to com­ply with its obli­ga­ti­ons under this Regu­la­ti­on spe­ci­fi­cal­ly impo­sed on pro­ces­sors or has acted in dis­re­gard of or against the law­ful­ly given inst­ruc­tions of the data controller.

(3) The controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.

(4) If more than one con­trol­ler or more than one pro­ces­sor or both a con­trol­ler and a pro­ces­sor are invol­ved in the same pro­ces­sing and they are respon­si­ble for dama­ge cau­sed by the pro­ces­sing pur­suant to para­graphs 2 and 3, each con­trol­ler or pro­ces­sor shall be liable for the enti­re dama­ge in order to ensu­re effec­ti­ve com­pen­sa­ti­on for the data subject.

(5) If a con­trol­ler or pro­ces­sor has paid full com­pen­sa­ti­on for the dama­ge suf­fe­red pur­suant to para­graph 4, such con­trol­ler or pro­ces­sor shall be enti­t­led to reco­ver from the other data con­trol­lers or pro­ces­sors invol­ved in the same pro­ces­sing the part of the com­pen­sa­ti­on cor­re­spon­ding to their share of respon­si­bi­li­ty for the dama­ge under the con­di­ti­ons set forth in para­graph 2.

(6) Legal pro­ce­e­dings to invo­ke the right to com­pen­sa­ti­on shall be brought befo­re the courts having juris­dic­tion under the law of the Mem­ber Sta­te refer­red to in Arti­cle 79(2).

Reci­tals

(146) The con­trol­ler or pro­ces­sor should com­pen­sa­te dama­ge suf­fe­red by a per­son as a result of pro­ces­sing that does not com­ply with this Regu­la­ti­on. The con­trol­ler or pro­ces­sor should be exemp­ted from lia­bi­li­ty if it pro­ves that it is not in any way respon­si­ble for the dama­ge. The con­cept of dama­ge should be inter­pre­ted broad­ly in the light of the case law of the Court of Jus­ti­ce in a way that is ful­ly con­si­stent with the objec­ti­ves of this Regu­la­ti­on. This is without pre­ju­di­ce to claims for dama­ges based on infrin­ge­ments of other pro­vi­si­ons of Uni­on or Mem­ber Sta­te law. Pro­ces­sing that is not in com­pli­an­ce with this Regu­la­ti­on inclu­des pro­ces­sing that is not in com­pli­an­ce with dele­ga­ted and imple­men­ting acts adop­ted pur­suant to this Regu­la­ti­on and legis­la­ti­on of the Mem­ber Sta­tes cla­ri­fy­ing pro­vi­si­ons of this Regu­la­ti­on. Data sub­jects should recei­ve full and effec­ti­ve com­pen­sa­ti­on for the dama­ge suf­fe­red. Whe­re con­trol­lers or pro­ces­sors are invol­ved in the same pro­ces­sing, each con­trol­ler or pro­ces­sor should be held liable for the enti­re dama­ge. Howe­ver, whe­re they are invol­ved in the same pro­ces­sing in accordance with the law of the Mem­ber Sta­tes, they may be held liable in pro­por­ti­on to the respon­si­bi­li­ty bor­ne by each con­trol­ler or pro­ces­sor for the dama­ge cau­sed by the pro­ces­sing, pro­vi­ded that it is ensu­red that the data sub­ject recei­ves full and effec­ti­ve com­pen­sa­ti­on for the dama­ge suf­fe­red. Any con­trol­ler or pro­ces­sor who has paid full com­pen­sa­ti­on for the dama­ge may sub­se­quent­ly initia­te recour­se pro­ce­e­dings against other con­trol­lers or pro­ces­sors invol­ved in the same processing.

Arti­cle 83 Gene­ral con­di­ti­ons for the impo­si­ti­on of fines

(1) Each super­vi­so­ry aut­ho­ri­ty shall ensu­re that the impo­si­ti­on of fines under this Arti­cle for vio­la­ti­ons of this Regu­la­ti­on pur­suant to para­graphs 5 and 6 is effec­ti­ve, pro­por­tio­na­te and dissua­si­ve in each case.

(2) Fines shall be impo­sed in addi­ti­on to or in lieu of mea­su­res under Arti­cle 58(2)(a) to (h) and (i), depen­ding on the cir­cum­stan­ces of each case. In deci­ding whe­ther to impo­se a fine and the amount the­re­of, due con­si­de­ra­ti­on shall be given to the fol­lo­wing in each indi­vi­du­al case:

a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage suffered by them;
b) the intentional or negligent character of the infringement;
c) any measures taken by the controller or processor to mitigate the damage suffered by the data subjects;
d) the degree of responsibility of the controller or processor, taking into account the technical and organizational measures implemented by them pursuant to Articles 25 and 32;
e) any relevant previous infringements by the controller or processor;
f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects;
g) the categories of personal data affected by the infringement;
h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
i) compliance with measures previously ordered under Article 58(2) against the controller or processor concerned with regard to the same subject matter, where such measures have been ordered;
j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

(3) Whe­re a con­trol­ler or pro­ces­sor inten­tio­nal­ly or negli­gent­ly infrin­ges more than one pro­vi­si­on of this Regu­la­ti­on in the same or rela­ted pro­ces­sing ope­ra­ti­ons, the total amount of the fine shall not exce­ed the amount for the most serious infringement.

(4) For vio­la­ti­ons of the fol­lo­wing pro­vi­si­ons, in accordance with para­graph 2, fines of up to EUR 10,000,000 or, in the case of an enter­pri­se, up to 2 % of its total annu­al world­wi­de tur­no­ver for the pre­ce­ding fis­cal year, whiche­ver is grea­ter, shall be imposed:

a) the obli­ga­ti­ons of con­trol­lers and pro­ces­sors under Arti­cles 8, 11, 25 to 39, 42 and 43;
b) the duties of the cer­ti­fi­ca­ti­on body accord­ing to Arti­cles 42 and 43;
c) the obli­ga­ti­ons of the moni­to­ring body pur­suant to Arti­cle 41(4).

(5) For vio­la­ti­ons of the fol­lo­wing pro­vi­si­ons, in accordance with para­graph 2, fines of up to EUR 20,000,000 or, in the case of an enter­pri­se, up to 4 % of its total annu­al world­wi­de tur­no­ver for the pre­ce­ding fis­cal year, whiche­ver is grea­ter, shall be imposed:

a) the princi­ples for pro­ces­sing, inclu­ding the con­di­ti­ons for con­sent, in accordance with Arti­cles 5, 6, 7 and 9;
b) the rights of the data sub­ject under Arti­cles 12 to 22;
c) the trans­fer of per­so­nal data to a reci­pi­ent in a third coun­try or to an inter­na­tio­nal orga­niz­a­ti­on in accordance with Arti­cles 44 to 49;
d) all obli­ga­ti­ons under the legis­la­ti­on of the Mem­ber Sta­tes adop­ted under Chap­ter IX;
e) failure to comply with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2), or failure to provide access in breach of Article 58(1).

(6) Failure to comply with an order of the supervisory authority pursuant to Article 58(2) shall be subject to fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4 % of its total annual worldwide turnover in the preceding financial year, whichever is higher, in accordance with paragraph 2 of this Article.

(7) Without pre­ju­di­ce to the reme­di­al powers of super­vi­so­ry aut­ho­ri­ties under Arti­cle 58(2), each Mem­ber Sta­te may lay down rules on whe­ther and to what extent admi­ni­stra­ti­ve fines may be impo­sed on public aut­ho­ri­ties and public bodies estab­lished in that Mem­ber State.

(8) The exer­cise by a super­vi­so­ry aut­ho­ri­ty of its own powers under this Arti­cle shall be sub­ject to ade­qua­te pro­ce­du­ral safe­guards in accordance with Uni­on and Mem­ber Sta­te law, inclu­ding effec­ti­ve judi­cial reme­di­es and due process.

(9) Whe­re the legal order of a Mem­ber Sta­te does not pro­vi­de for fines, this Arti­cle may be app­lied in such a way that the fine is initia­ted by the com­pe­tent super­vi­so­ry aut­ho­ri­ty and impo­sed by the com­pe­tent natio­nal courts, while ensu­ring that such reme­di­es are effec­ti­ve and have the same effect as fines impo­sed by super­vi­so­ry aut­ho­ri­ties. In any event, the fines impo­sed shall be effec­ti­ve, pro­por­tio­na­te and dissua­si­ve. The Mem­ber Sta­tes con­cer­ned shall com­mu­ni­ca­te to the Com­mis­si­on, by 25 May 2018, the pro­vi­si­ons of natio­nal law which they adopt pur­suant to this para­graph and, without delay, any sub­se­quent amen­ding law or amend­ment thereto.

Reci­tals

(148) In the inte­rest of more con­si­stent enfor­ce­ment of the pro­vi­si­ons of this Regu­la­ti­on, sanc­tions, inclu­ding fines, should be impo­sed for infrin­ge­ments of this Regu­la­ti­on in addi­ti­on to, or ins­tead of, the appro­pria­te mea­su­res impo­sed by the super­vi­so­ry aut­ho­ri­ty pur­suant to this Regu­la­ti­on. In the case of a minor infrin­ge­ment or if fines likely to be impo­sed would impo­se a dis­pro­por­tio­na­te bur­den on a natu­ral per­son, a warning may be issued ins­tead of a fine. Howe­ver, due account should be taken of the natu­re, gra­vi­ty and dura­ti­on of the bre­ach, the inten­tio­nal natu­re of the bre­ach, the mea­su­res taken to miti­ga­te the dama­ge cau­sed, the degree of respon­si­bi­li­ty or any pre­vious bre­ach, the man­ner in which the bre­ach came to the atten­ti­on of the super­vi­so­ry aut­ho­ri­ty, com­pli­an­ce with the mea­su­res orde­red against the con­trol­ler or pro­ces­sor, com­pli­an­ce with rules of con­duct and any other aggra­vating or miti­ga­ting cir­cum­stance. The­re should be ade­qua­te pro­ce­du­ral safe­guards for the impo­si­ti­on of sanc­tions, inclu­ding fines, in accordance with the gene­ral princi­ples of Uni­on law and the Char­ter, inclu­ding the right to effec­ti­ve judi­cial pro­tec­tion and a fair trial.

(149) Mem­ber Sta­tes should be able to lay down the cri­mi­nal sanc­tions app­li­ca­ble to infrin­ge­ments of this Regu­la­ti­on, inclu­ding infrin­ge­ments of natio­nal pro­vi­si­ons adop­ted pur­suant to and wit­hin the limits of this Regu­la­ti­on. Tho­se cri­mi­nal pen­al­ties may also allow for the con­fis­ca­ti­on of the pro­fits obtai­ned from the infrin­ge­ments of this Regu­la­ti­on. Howe­ver, the impo­si­ti­on of cri­mi­nal sanc­tions for vio­la­ti­ons of such natio­nal pro­vi­si­ons and admi­ni­stra­ti­ve sanc­tions should not result in a vio­la­ti­on of the princip­le of “ne bis in idem” as it has been inter­pre­ted by the Court.

(150) In order to harmonize the administrative sanctions for infringements of this Regulation and to make them more effective, each supervisory authority should have the power to impose fines. This Regulation should specify the infringements as well as the upper limit of the relevant fines and the criteria for setting them, such fines to be set by the competent supervisory authority in each individual case taking into account all specific circumstances and in particular the nature, gravity and duration of the infringement and its consequences, as well as the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. Where fines are imposed on undertakings, the term “undertaking” should be understood within the meaning of Articles 101 and 102 TFEU. Where fines are imposed on persons other than undertakings, the supervisory authority should take into account the general level of income in the Member State concerned and the economic situation of the persons when considering the appropriate amount for the fine. The consistency mechanism can also be used to promote consistent application of fines. Member States should be able to determine whether and to what extent fines can be imposed on public authorities. Even if supervisory authorities have already imposed fines or issued a warning, they may exercise their other powers or impose other sanctions in accordance with this Regulation.

(151) The legal systems of Den­mark and Esto­nia do not allow the fines pro­vi­ded for in this Regu­la­ti­on. The rules on fines may be app­lied in such a way that the fine is impo­sed in Den­mark by the com­pe­tent natio­nal courts as a penal­ty and in Esto­nia by the super­vi­so­ry aut­ho­ri­ty in the con­text of mis­de­me­a­nor pro­ce­e­dings, pro­vi­ded that such app­li­ca­ti­on of the rules in tho­se Mem­ber Sta­tes has the same effect as the fines impo­sed by the super­vi­so­ry aut­ho­ri­ties. The­re­fo­re, the com­pe­tent natio­nal courts should take into account the recom­men­da­ti­on of the super­vi­so­ry aut­ho­ri­ty that initia­ted the fine. In any event, the fines impo­sed should be effec­ti­ve, pro­por­tio­na­te and dissuasive.

Arti­cle 84 Penal sanctions

(1) Mem­ber Sta­tes shall lay down the rules on other sanc­tions app­li­ca­ble to infrin­ge­ments of this Regu­la­ti­on, in par­ti­cu­lar to infrin­ge­ments not sub­ject to a fine pur­suant to Arti­cle 83, and shall take all mea­su­res necessa­ry to ensu­re that they are imple­men­ted. Tho­se pen­al­ties shall be effec­ti­ve, pro­por­tio­na­te and dissuasive.

(2) Each Mem­ber Sta­te shall noti­fy the Com­mis­si­on by 25 May 2018 of the pro­vi­si­ons of law which it adopts pur­suant to para­graph 1 and, without delay, of any sub­se­quent amend­ment affec­ting them.

Reci­tals

(152) To the extent that this Regu­la­ti­on does not har­mo­ni­ze admi­ni­stra­ti­ve sanc­tions, or whe­re it is necessa­ry in other cases, such as serious infrin­ge­ments of this Regu­la­ti­on, Mem­ber Sta­tes should app­ly a system pro­vi­ding for effec­ti­ve, pro­por­tio­na­te and dissua­si­ve sanc­tions. It should be regu­la­ted in the law of the Mem­ber Sta­tes whe­ther tho­se sanc­tions are of a cri­mi­nal or admi­ni­stra­ti­ve nature.

Chap­ter IX Pro­vi­si­ons for spe­cial pro­ces­sing situations

Article 85 Processing and freedom of expression and information

(1) Mem­ber Sta­tes shall, by law, recon­ci­le the right to the pro­tec­tion of per­so­nal data under this Regu­la­ti­on with the right to free­dom of expres­si­on and infor­ma­ti­on, inclu­ding pro­ces­sing for jour­na­li­stic pur­po­ses and for sci­en­ti­fic, artis­tic or litera­ry purposes.

(2) For pro­ces­sing car­ri­ed out for jour­na­li­stic pur­po­ses or for sci­en­ti­fic, artis­tic or litera­ry pur­po­ses, Mem­ber Sta­tes shall pro­vi­de for dero­ga­ti­ons or exemp­ti­ons from Chap­ter II (Princi­ples), Chap­ter III (Rights of the data sub­ject), Chap­ter IV (Con­trol­ler and pro­ces­sor), Chap­ter V (Trans­fer of per­so­nal data to third coun­tries or to inter­na­tio­nal orga­niz­a­ti­ons), Chap­ter VI (Inde­pen­dent super­vi­so­ry aut­ho­ri­ties), Chap­ter VII (Coope­ra­ti­on and con­si­sten­cy), and Chap­ter IX (Rules app­li­ca­ble to spe­ci­fic pro­ces­sing situa­tions) whe­re necessa­ry to recon­ci­le the right to the pro­tec­tion of per­so­nal data with the free­dom of expres­si­on and information.

(3) Each Mem­ber Sta­te shall com­mu­ni­ca­te to the Com­mis­si­on the pro­vi­si­ons of law which it has adop­ted pur­suant to para­graph 2 and, without delay, any sub­se­quent amen­ding law or amend­ment thereto.

Reci­tals

(153) In the law of the Mem­ber Sta­tes, rules on free­dom of expres­si­on and infor­ma­ti­on, inclu­ding by jour­na­lists, sci­en­tists, artists and/or wri­ters, should be recon­ci­led with the right to the pro­tec­tion of per­so­nal data under this Regu­la­ti­on. Dero­ga­ti­ons and exemp­ti­ons from cer­tain pro­vi­si­ons of this Regu­la­ti­on should app­ly to the pro­ces­sing of per­so­nal data sole­ly for jour­na­li­stic pur­po­ses or for sci­en­ti­fic, artis­tic or litera­ry pur­po­ses, whe­re this is necessa­ry to recon­ci­le the right to pro­tec­tion of per­so­nal data with the right to free­dom of expres­si­on and infor­ma­ti­on as gua­ran­te­ed by Arti­cle 11 of the Char­ter. This should app­ly in par­ti­cu­lar to the pro­ces­sing of per­so­nal data in the audio­vi­su­al sec­tor and in news and press archi­ves. Mem­ber Sta­tes should the­re­fo­re adopt legis­la­ti­ve mea­su­res regu­la­ting the dero­ga­ti­ons and excep­ti­ons necessa­ry for the pur­po­se of balan­cing the­se fun­da­men­tal rights. Mem­ber Sta­tes should adopt such dero­ga­ti­ons and excep­ti­ons in rela­ti­on to the gene­ral princi­ples, the rights of the data sub­ject, the con­trol­ler and pro­ces­sor, the trans­fer of per­so­nal data to third coun­tries or to inter­na­tio­nal orga­niz­a­ti­ons, the inde­pen­dent super­vi­so­ry aut­ho­ri­ties, coope­ra­ti­on and con­si­sten­cy, and spe­ci­fic data pro­ces­sing situa­tions. If the­se dero­ga­ti­ons or excep­ti­ons dif­fer from one Mem­ber Sta­te to ano­t­her, the law of the Mem­ber Sta­te to which the con­trol­ler is sub­ject should be app­lied. In order to take into account the import­ance of the right to free­dom of expres­si­on in a demo­cra­tic socie­ty, terms such as jour­na­lism that rela­te to this free­dom must be inter­pre­ted broadly.

Article 86 Processing and public access to official documents

Personal data contained in official documents held by a public authority or a public body or by a private body for the performance of a task carried out in the public interest may be disclosed by the public authority or body in accordance with Union law or the law of the Member State to which the public authority or body is subject, in order to reconcile public access to official documents with the right to the protection of personal data under this Regulation.

Recitals

(154) This Regulation enables the principle of public access to official documents to be taken into account in its application. Public access to official documents can be considered as a public interest. Personal data contained in documents held by a public authority or a public body should be able to be publicly disclosed by that authority or body where provided for by Union law or by the law of the Member States to which it is subject. Such legislation should reconcile public access to official documents and the re-use of public sector information with the right to the protection of personal data and may therefore regulate the necessary consistency with the right to the protection of personal data under this Regulation. The reference to public authorities and public sector bodies in this context should include all public authorities or other bodies covered by the law of the relevant Member State on public access to documents. Directive 2003/98/EC of the European Parliament and of the Council (14) is without prejudice to, and in no way affects, the level of protection of individuals with regard to the processing of personal data under the provisions of Union and Member State law, and in particular does not have the effect of altering the rights and obligations set out in this Regulation. In particular, that Directive should not apply to documents to which access is prohibited or restricted under Member States’ access regimes for reasons of protection of personal data, or to parts of documents which are accessible under those regimes, where they contain personal data in respect of which legislation provides that their further use is incompatible with the law on the protection of individuals with regard to the processing of personal data.

Article 87 Processing of the national identification number

Member States may further specify the specific conditions under which a national identification number or other identifier of general application may be the subject of processing. In that case, the national identification number or other identifier of general application may only be used subject to appropriate safeguards for the rights and freedoms of the data subject under this Regulation.

Article 88 Data processing in the employment context

(1) Member States may, by law or by collective agreement, lay down more specific rules to ensure the protection of rights and freedoms with regard to the processing of personal data of employees in the employment context, in particular for the purposes of recruitment, the performance of the employment contract, including the performance of obligations laid down by law or by collective agreement, management, planning and organization of work, equality and diversity at work, health and safety at work, protection of employers’ or clients’ property, as well as for purposes of claiming individual or collective rights and benefits related to employment and for purposes of termination of employment.

(2) These rules shall include appropriate and specific measures to safeguard human dignity, legitimate interests and fundamental rights of the data subject, in particular with regard to transparency of processing, transfer of personal data within a group of undertakings or a group of undertakings engaged in joint economic activity and workplace monitoring systems.

(3) Each Member State shall notify the Commission by 25 May 2018 of the provisions of law which it adopts pursuant to paragraph 1 and, without delay, of any subsequent amendment affecting them.

Article 89 Safeguards and exemptions in relation to processing for archiving purposes in the public interest, scientific or historical research purposes and statistical purposes

(1) Processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes shall be subject to appropriate safeguards for the rights and freedoms of the data subject under this Regulation. Those safeguards shall ensure that technical and organizational measures are in place to ensure, in particular, respect for the principle of data minimization. These measures may include pseudonymization, where it is possible to fulfil these purposes in this way. In all cases where these purposes can be fulfilled by further processing in which the identification of data subjects is not or no longer possible, these purposes shall be fulfilled in this way.

(2) Where personal data are processed for scientific or historical research purposes or for statistical purposes, and subject to the conditions and safeguards referred to in paragraph 1 of this Article, Union or Member State law may provide for exceptions to the rights referred to in Articles 15, 16, 18 and 21 to the extent that those rights are likely to render impossible or seriously prejudice the achievement of the specific purposes and such exceptions are necessary for the achievement of those purposes.

(3) Where personal data are processed for archiving purposes in the public interest, and subject to the conditions and safeguards referred to in paragraph 1 of this Article, Union or Member State law may provide for exceptions to the rights referred to in Articles 15, 16, 18, 19, 20 and 21 to the extent that those rights are likely to render impossible or seriously prejudice the achievement of the specific purposes and such exceptions are necessary for the achievement of those purposes.

(4) If the processing referred to in paragraphs 2 and 3 serves another purpose at the same time, the exceptions shall apply only to the processing for the purposes referred to in those paragraphs.

Recitals

(156) The processing of personal data for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes should be subject to appropriate safeguards for the rights and freedoms of the data subject under this Regulation. Those safeguards should ensure that technical and organizational measures are in place to ensure, in particular, the principle of data minimization. Further processing of personal data for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes shall only take place after the controller has assessed the feasibility of fulfilling those purposes by processing personal data where the identification of data subjects is not or no longer possible, provided that appropriate safeguards are in place (such as the pseudonymization of personal data). Member States should provide appropriate safeguards with respect to the processing of personal data for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes. Member States should be allowed, under certain conditions and subject to appropriate safeguards for data subjects, to provide for clarifications and exemptions in relation to information requirements and the rights to rectification, erasure, to be forgotten, to restriction of processing, to data portability and to object to the processing of personal data for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes. The conditions and safeguards in question may provide for specific procedures for the exercise of those rights by data subjects, where appropriate in view of the purposes pursued by the specific processing, as well as technical and organizational measures to minimize the processing of personal data with regard to the principles of proportionality and necessity. The processing of personal data for scientific purposes should also comply with other relevant legislation, for example for clinical trials.

(157) By linking information from registries, researchers can gain new insights of great value related to common diseases such as cardiovascular disease, cancer, and depression. The use of registries can yield better research results because they are based on a larger proportion of the population. In the social sciences, research using registries allows researchers to gain critical insights into the long-term association of a range of social circumstances, such as unemployment and education, with other life circumstances. Research obtained through registries provides robust, high-quality evidence that can form the basis for the formulation and implementation of knowledge-based policies, improve the quality of life for large numbers of people, and improve the efficiency of social services. Therefore, in order to facilitate scientific research, personal data may be processed for scientific research purposes, subject to appropriate conditions and safeguards laid down in Union or Member State law.

(158) This Regulation should also apply to the processing of personal data for archiving purposes, noting that the Regulation should not apply to deceased persons. Public authorities or public or private bodies holding records of public interest should be under a legal obligation, in accordance with Union or Member State law, to acquire, preserve, evaluate, process, describe, communicate, promote, disseminate and provide access to records of lasting value for the general public interest. Member States should also be allowed to provide that personal data are further processed for archival purposes, for example, with a view to providing specific information related to political behavior under former totalitarian regimes, genocide, crimes against humanity, in particular the Holocaust, and war crimes.

(159) This Regulation should also apply to the processing of personal data for scientific research purposes. The processing of personal data for scientific research purposes within the meaning of this Regulation should be interpreted broadly to include processing for, for example, technological development and demonstration, fundamental research, applied research and privately funded research. It should also take into account the objective of creating a European area of research as set out in Article 179(1) TFEU. The scientific research purposes should also include studies carried out in the public interest in the field of public health. In order to comply with the specificities of the processing of personal data for scientific research purposes, specific conditions should apply in particular as regards the publication or other disclosure of personal data in the context of scientific purposes. Where the results of scientific research, in particular in the area of public health, give rise to further measures in the interest of the data subject, the general rules of this Regulation should apply to those measures.

(160) This Regulation should also apply to the processing of personal data for historical research purposes. This should include historical research and research in the field of genealogy, although it should be noted that this Regulation should not apply to deceased persons.

(161) For the purposes of consent to participate in scientific research activities in the context of clinical trials, the relevant provisions of Regulation (EU) No 536/2014 of the European Parliament and of the Council (15) should apply.

(162) This Regulation should also apply to the processing of personal data for statistical purposes. Union or Member State law should determine, within the limits of this Regulation, the statistical content, access control, specifications for the processing of personal data for statistical purposes and appropriate measures to safeguard the rights and freedoms of data subjects and to ensure statistical confidentiality. The term “statistical purposes” means any operation of collection and processing of personal data necessary for the performance of statistical research and the production of statistical results. These statistical results may be further used for various purposes, including scientific research purposes. In the context of statistical purposes, it is understood that the results of processing for statistical purposes are not personal data, but aggregated data, and that these results or the personal data are not used for measures or decisions regarding individual natural persons.

(163) The confidential information collected by the statistical authorities of the Union and of the Member States for the production of official European statistics and official national statistics should be protected. European statistics should be developed, produced and disseminated in accordance with the statistical principles set out in Article 338(2) TFEU, and national statistics should also comply with the law of the Member States. Regulation (EC) No 223/2009 of the European Parliament and of the Council (16) contains more detailed provisions on the confidentiality of European statistics.

Article 90 Confidentiality obligations

(1) Member States may regulate the powers of the supervisory authorities referred to in points (e) and (f) of Article 58(1) in relation to controllers or processors who are subject to professional secrecy or an equivalent obligation of confidentiality under Union or Member State law or under an obligation imposed by the competent national authorities, to the extent necessary and proportionate to reconcile the right to the protection of personal data with the obligation of confidentiality. These rules shall apply only in relation to personal data obtained or collected by the controller or processor in the course of an activity subject to such a duty of confidentiality.

(2) Each Member State shall notify the Commission by 25 May 2018 of the provisions it adopts pursuant to paragraph 1 and shall notify it without delay of any subsequent amendment affecting them.

Recitals

(164) With regard to the powers of supervisory authorities to obtain from the controller or processor access to personal data or to its premises, Member States may, within the limits of this Regulation, regulate by law the protection of professional secrecy or other equivalent duties of confidentiality to the extent necessary to reconcile the right to the protection of personal data with a duty of professional secrecy. This is without prejudice to the existing obligations of Member States to adopt rules on professional secrecy where required by Union law.

Article 91 Existing data protection rules of churches and religious associations or communities

(1) Where a church or religious association or community in a Member State applies comprehensive rules on the protection of individuals with regard to processing at the time of the entry into force of this Regulation, those rules may continue to apply provided that they are brought into line with this Regulation.

(2) Churches and religious associations or communities that apply comprehensive data protection rules pursuant to paragraph 1 shall be subject to supervision by an independent supervisory authority, which may be of a specific nature, provided that it meets the conditions set forth in Chapter VI.

Recitals

(165) In accordance with Article 17 TFEU, this Regulation respects and does not prejudice the status under existing constitutional law of churches and religious associations or communities in the Member States.

Chapter X Delegated and implementing acts

Article 92 Exercise of delegation

(1) The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.

(2) The power to adopt delegated acts referred to in Articles 12(8) and 43(8) shall be conferred on the Commission for an indeterminate period of time from 24 May 2016.

(3) The delegation of power referred to in Articles 12(8) and 43(8) may be revoked at any time by the European Parliament or by the Council. The decision of revocation shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. The decision of revocation shall not affect the validity of any delegated acts already in force.

(4) As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.

(5) A delegated act adopted pursuant to Article 12(8) and Article 43(8) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of three months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. At the initiative of the European Parliament or the Council, that period shall be extended by three months.

Recitals

(166) In order to achieve the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons, and in particular their right to the protection of their personal data, and to ensure the free flow of personal data within the Union, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission. Delegated acts should be adopted in particular in relation to the criteria and requirements applicable to certification procedures, the information to be represented by standardized icons and the procedures for making those icons available. It is of particular importance that the Commission carry out appropriate consultations, including at expert level, as part of its preparatory work. The Commission, when preparing and drawing up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and to the Council.

(167) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission where provided for in this Regulation. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council. In this context, the Commission should consider specific measures for micro, small and medium-sized enterprises.

(170) Since the objective of this Regulation, namely to ensure an equivalent level of data protection for natural persons and the free flow of personal data within the Union, cannot be sufficiently achieved by the Member States but can rather, by reason of the scale or effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.

Article 93 Committee procedure

(1) The Commission shall be assisted by a committee. This committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

(2) Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

(3) Where reference is made to this paragraph, Article 8 of Regulation (EU) No 182/2011 shall apply in conjunction with Article 5 thereof.

Recitals

(168) The examination procedure should be applied for the adoption of implementing acts regarding standard contractual clauses for contracts between controllers and processors and between processors; codes of conduct; technical standards and procedures for certification; requirements for the adequacy of the level of data protection in a third country, a territory or a specific sector of that third country, or in an international organization; standard safeguards; formats and procedures for the exchange of information between controllers, processors and supervisory authorities with regard to binding corporate rules; administrative assistance; and arrangements for the electronic exchange of information between supervisory authorities and between supervisory authorities and the Board.

Chapter XI Final Provisions

Article 94 Repeal of Directive 95/46/EC

(1) Directive 95/46/EC is repealed with effect from 25 May 2018.

(2) References to the repealed Directive shall be construed as references to this Regulation. References to the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Article 29 of Directive 95/46/EC shall be construed as references to the European Data Protection Board established by this Regulation.

Recitals

(171) Directive 95/46/EC should be repealed by this Regulation. Processing operations already under way at the time of application of this Regulation should be brought into compliance with it within two years of its entry into force. Where the processing operations are based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give consent again if the nature of the consent already given complies with the conditions laid down in this Regulation, so that the controller may continue the processing after the date of application of this Regulation. Commission decisions or decisions based on Directive 95/46/EC and authorizations of supervisory authorities shall remain in force until they are amended, replaced or repealed.

Article 95 Relationship with Directive 2002/58/EC

This Regulation does not impose additional obligations on natural or legal persons with regard to processing in connection with the provision of publicly available electronic communications services in public communications networks in the Union to the extent that they are subject to specific obligations laid down in Directive 2002/58/EC which pursue the same objective.

Recitals

(173) This Regulation should apply to all matters concerning the protection of fundamental rights and freedoms with regard to the processing of personal data which are not subject to the obligations set out in Directive 2002/58/EC of the European Parliament and of the Council (18), which pursue the same objective, including the obligations of the controller and the rights of natural persons. In order to clarify the relationship between this Regulation and Directive 2002/58/EC, that Directive should be amended accordingly. Once this Regulation is adopted, Directive 2002/58/EC should be subject to a review, in particular to ensure consistency with this Regulation.

Article 96 Relationship with previously concluded agreements

International agreements involving the transfer of personal data to third countries or international organizations concluded by Member States before 24 May 2016 and which are in conformity with Union law in force before that date shall remain in force until amended, replaced or terminated.

Article 97 Commission reports

(1) By 25 May 2020 and every four years thereafter, the Commission shall submit to the European Parliament and the Council a report on the evaluation and review of this Regulation. The reports shall be made public.

(2) As part of the evaluations and reviews referred to in paragraph 1, the Commission shall examine in particular the application and operation of

a) Chapter V on the transfer of personal data to third countries or to international organizations, in particular with regard to the decisions adopted pursuant to Article 45(3) of this Regulation and the findings adopted pursuant to Article 25(6) of Directive 95/46/EC,
b) Chapter VII on cooperation and consistency.

(3) For the purpose referred to in paragraph 1, the Commission may request information from Member States and supervisory authorities.

(4) In the assessments and reviews referred to in paragraphs 1 and 2, the Commission shall take into account the views and findings of the European Parliament, the Council and other relevant bodies or sources.

(5) The Commission shall, if necessary, submit appropriate proposals to amend this Regulation, taking into account, in particular, developments in information technology and advances in the information society.

Recitals

(172) The European Data Protection Supervisor (EDPS) was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 and issued an opinion on 7 March 2012 (17).

Article 98 Review of other Union acts on data protection

The Commission shall, where appropriate, submit legislative proposals to amend other Union acts relating to the protection of personal data in order to ensure consistent and coherent protection of natural persons with regard to processing. This concerns in particular the rules on the protection of individuals with regard to the processing of such data by the Union institutions, bodies, offices and agencies and on the free movement of such data.

Article 99 Entry into force and application

(1) This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

(2) It shall apply from 25 May 2018.
