The text of the GDPR. The texts have been converted automatically; we thank you for pointing out errors. The assignment of the recitals to individual articles is not official and not clearly defined. The GDPR with recitals is available as a PDF here, and the English version here.
Chapter I General provisions
Article 1 Subject matter and objectives
(1) This Regulation lays down rules relating to the protection of individuals with regard to the processing of personal data and to the free movement of such data.
(2) This Regulation protects the fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data.
(3) The free flow of personal data within the Union shall not be restricted or prohibited for reasons connected with the protection of individuals with regard to the processing of personal data.
Recitals
(1) The protection of individuals with regard to the processing of personal data is a fundamental right. In accordance with Article 8(1) of the Charter of Fundamental Rights of the European Union (hereinafter “Charter”) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU), everyone has the right to the protection of personal data concerning him or her.
(2) The principles and rules relating to the protection of individuals with regard to the processing of their personal data should ensure that their fundamental rights and freedoms, and in particular their right to the protection of personal data, are respected, regardless of their nationality or residence. This Regulation should contribute to the completion of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and integration of economies within the internal market, and to the well-being of natural persons.
(3) The purpose of Directive 95/46/EC of the European Parliament and of the Council (4) is to harmonize the rules relating to the protection of fundamental rights and freedoms of natural persons with regard to the processing of data and to ensure the free flow of personal data between Member States.
(4) The processing of personal data should be in the service of mankind. The right to the protection of personal data is not an unlimited right; it must be seen in the light of its societal function and balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes all the freedoms and principles recognised by the Charter and reflected in the European Treaties, in particular respect for private and family life, home and communications, protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.
(5) Economic and social integration resulting from a functioning internal market has led to a significant increase in the cross-border flow of personal data. The Union-wide exchange of personal data between public and private actors, including natural persons, associations and undertakings, has increased. Union law requires Member State administrations to cooperate and exchange personal data in order to carry out their duties or to perform tasks for an authority of another Member State.
(6) Rapid technological developments and globalization have created new challenges for data protection. The scale of collection and exchange of personal data has increased impressively. Technology makes it possible for private companies and public authorities to access personal data on an unprecedented scale in the course of their activities. Increasingly, individuals are also making information publicly available worldwide. Technology has transformed economic and social life and is likely to further facilitate the movement of personal data within the Union and the transfer of data to third countries and international organizations, while ensuring a high level of data protection.
(7) These developments call for a sound, more coherent and clearly enforceable legal framework in the area of data protection in the Union, as it is of great importance to create a basis of trust, which the digital economy urgently needs in order to continue to grow in the internal market. Natural persons should have control over their own data. Natural persons, the economy and the state should have more security in legal and practical terms.
(8) Where this Regulation provides for clarifications or restrictions of its provisions by the law of the Member States, Member States may incorporate parts of this Regulation into their national law to the extent necessary to ensure consistency and to make national law more comprehensible to the persons to whom it applies.
(9) The objectives and principles of Directive 95/46/EC remain valid, but the Directive has not prevented differences in data protection practices across the Union, legal uncertainty or widespread public perception of significant risks to the protection of individuals, in particular in relation to the use of the Internet. Differences in the level of protection of the rights and freedoms of natural persons in relation to the processing of personal data in the Member States, in particular in the right to the protection of such data, may hinder the free flow of such data throughout the Union. These differences in the level of protection may therefore constitute a barrier to the exercise of economic activities throughout the Union, distort competition and prevent public authorities from fulfilling their obligations under Union law. They are explained by the differences in the transposition and application of Directive 95/46/EC.
(10) In order to ensure a consistent and high level of data protection for natural persons and to remove barriers to the flow of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. The rules protecting the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be applied evenly and consistently throughout the Union. With regard to the processing of personal data for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member States should be able to maintain or introduce national provisions further specifying the application of the rules laid down in this Regulation. In conjunction with the general and horizontal legislation on data protection implementing Directive 95/46/EC, there are several sector-specific laws in Member States in areas that require more specific provisions. This Regulation also provides latitude for Member States to specify their rules, including for the processing of special categories of personal data (hereinafter “sensitive data”). In this regard, this Regulation does not preclude legislation of the Member States specifying the circumstances of particular processing situations, including a more precise determination of the conditions under which the processing of personal data is lawful.
(11) Effective protection of personal data throughout the Union requires the strengthening and precise definition of the rights of data subjects and the strengthening of obligations for those who process and decide on personal data, as well as – in the Member States – equal powers to monitor and ensure compliance with the rules on the protection of personal data and equal sanctions in the event of their breach.
(12) Article 16(2) of the TFEU empowers the European Parliament and the Council to adopt measures relating to the protection of individuals with regard to the processing of personal data and to the free movement of such data.
(13) In order to ensure an equivalent level of data protection for natural persons in the Union and to eliminate disparities which could hinder the free flow of personal data in the internal market, a Regulation is necessary which provides legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, provides natural persons in all Member States with the same level of enforceable rights, provides for the same obligations and responsibilities for controllers and processors, and ensures an equivalent level of control over the processing of personal data and equivalent sanctions in all Member States, as well as effective cooperation between the supervisory authorities of the different Member States. The proper functioning of the internal market requires that the free flow of personal data within the Union should not be restricted or prohibited for reasons connected with the protection of individuals with regard to the processing of personal data. In order to take into account the specific situation of micro, small and medium-sized enterprises, this Regulation contains a derogation as regards the keeping of a register for entities employing fewer than 250 staff. Furthermore, the Union institutions and bodies, as well as the Member States and their supervisory authorities, are encouraged to take into account the specific needs of micro, small and medium-sized enterprises when applying this Regulation. For the definition of the term “micro, small and medium-sized enterprises”, Article 2 of the Annex to Commission Recommendation 2003/361/EC (5) should prevail.
Article 2 Material scope of application
(1) This Regulation shall apply to the processing of personal data wholly or partly by automatic means and to the processing otherwise than by automatic means of personal data which are stored or are intended to be stored in a filing system.
(2) This Regulation shall not apply to the processing of personal data
a) in the context of an activity that does not fall within the scope of Union law,
b) by Member States in the context of activities falling within the scope of Title V, Chapter 2, TEU,
c) by natural persons for the purpose of carrying out exclusively personal or family activities,
d) by the competent authorities for the purpose of preventing, investigating, detecting or prosecuting criminal offenses or the execution of criminal penalties, including the protection against and the prevention of threats to public safety.
(3) Regulation (EC) No 45/2001 shall apply to the processing of personal data by Union institutions, bodies, offices and agencies. Regulation (EC) No 45/2001 and other Union acts governing such processing of personal data shall be aligned with the principles and rules laid down in this Regulation, in accordance with Article 98.
(4) This Regulation shall be without prejudice to the application of Directive 2000/31/EC and, more specifically, to the provisions of Articles 12 to 15 of that Directive concerning the liability of intermediaries.
Recitals
(14) The protection afforded by this Regulation should apply to the processing of personal data of natural persons, whatever their nationality or residence. This Regulation does not apply to the processing of personal data of legal persons and in particular of companies incorporated as legal persons, including the name, legal form or contact details of the legal person.
(15) In order to avoid a serious risk of circumvention, the protection of natural persons should be technology neutral and not depend on the techniques used. The protection of natural persons should apply to automated processing of personal data as well as to manual processing of personal data where the personal data are stored or are intended to be stored in a filing system. Files or collections of files, as well as their cover pages, which are not organized according to specific criteria, should not fall within the scope of this Regulation.
(16) This Regulation does not apply to matters concerning the protection of fundamental rights and freedoms and the free flow of personal data in relation to activities which fall outside the scope of Union law, such as activities concerning national security. This Regulation shall not apply to the processing of personal data carried out by Member States in the framework of the Union’s common foreign and security policy.
(17) Regulation (EC) No 45/2001 of the European Parliament and of the Council (6) applies to the processing of personal data by Union institutions, bodies, offices and agencies. Regulation (EC) No 45/2001 and other Union acts governing such processing of personal data should be aligned with the principles and rules laid down in this Regulation and applied in the light of this Regulation. In order to ensure a sound and coherent legal framework in the area of data protection in the Union, the necessary adaptations to Regulation (EC) No 45/2001 should be made following the adoption of this Regulation, so that they can be applied at the same time as this Regulation.
(18) This Regulation does not apply to the processing of personal data carried out by a natural person for the exercise of exclusively personal or family activities and thus unrelated to any professional or economic activity. Personal or family activities could also include the keeping of a correspondence or address lists or the use of social networks and online activities in the context of such activities. However, this Regulation applies to controllers or processors that provide the tools for processing personal data for such personal or family activities.
(19) The protection of individuals with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, as well as the free movement of such data, are governed by a specific Union legal instrument. Therefore, this Regulation should not apply to processing activities of this type. However, personal data processed by public authorities under this Regulation, when used for the above purposes, should be subject to a more specific Union act, namely Directive (EU) 2016/680 of the European Parliament and of the Council (7). Member States may entrust competent authorities within the meaning of Directive (EU) 2016/680 with tasks which are not necessarily carried out for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, so that the processing of personal data for those other purposes falls within the scope of this Regulation to the extent that it falls within the scope of Union law. With regard to the processing of personal data by those authorities for purposes falling within the scope of this Regulation, Member States should be able to maintain or introduce more specific provisions in order to adapt the application of the rules of this Regulation. Those provisions may specify more precisely the conditions for the processing of personal data by those competent authorities for those other purposes, taking into account the constitutional, organizational and administrative structure of the Member State concerned. 
To the extent that this Regulation applies to the processing of personal data by private parties, it should provide that Member States may, under certain conditions, restrict some obligations and rights by means of legislation where such restriction constitutes a necessary and proportionate measure in a democratic society for the protection of certain important interests, including public security and the prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. This is relevant, for example, in the context of combating money laundering or the work of forensic laboratories.
(20) While this Regulation applies, inter alia, to the activities of courts and other judicial authorities, Union or Member State law could specify the details of the processing operations and processing procedures in the processing of personal data by courts and other judicial authorities. In order to ensure that the independence of the judiciary in the exercise of its judicial functions, including its decision-making, is not compromised, supervisory authorities should not be competent for the processing of personal data by courts in the course of their judicial activities. It should be possible to entrust the supervision of such data processing operations to specific bodies within the judicial system of the Member State, which should, in particular, ensure compliance with the provisions of this Regulation, make judges and prosecutors more aware of their obligations under this Regulation and deal with complaints relating to such data processing operations.
(21) This Regulation is without prejudice to the application of Directive 2000/31/EC of the European Parliament and of the Council (8) and in particular of the provisions of Articles 12 to 15 of that Directive concerning the liability of providers of pure intermediary services. That Directive is intended to contribute to the proper functioning of the internal market by ensuring the free movement of information society services between Member States.
Article 3 Territorial scope
(1) This Regulation shall apply to the processing of personal data insofar as it is carried out in the context of the activities of an establishment of a controller or processor in the Union, regardless of whether the processing takes place in the Union.
(2) This Regulation shall apply to the processing of personal data of data subjects located in the Union by a controller or processor not established in the Union where the data processing relates to
a) the offering of goods or services to data subjects in the Union, regardless of whether a payment is to be made by such data subjects;
b) the monitoring of the behaviour of data subjects, insofar as their behaviour takes place in the Union.
(3) This Regulation shall apply to the processing of personal data by a controller not established in the Union in a place governed by the law of a Member State by virtue of public international law.
Recitals
(22) Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, whether the processing takes place in or outside the Union. Establishment implies the effective and actual exercise of an activity by a fixed establishment. The legal form of such an establishment, whether it is a branch or a subsidiary with its own legal personality, is not decisive in this respect.
(23) In order not to deprive a natural person of the protection afforded under this Regulation, the processing of personal data of data subjects located in the Union by a controller or processor not established in the Union should be subject to this Regulation where the processing is carried out for the purpose of offering goods or services, whether in return for payment or free of charge, to those data subjects. In order to determine whether that controller or processor offers goods or services to data subjects located in the Union, it should be established whether the controller or processor has an obvious intention to offer services to data subjects in one or more Member States of the Union. While the mere accessibility of the controller’s, processor’s or intermediary’s website in the Union, an email address or other contact details, or the use of a language commonly used in the third country where the controller is established is not a sufficient indication for this purpose, other factors such as the use of a language or currency, commonly used in one or more Member States, combined with the possibility to order goods and services in that other language, or the mention of customers or users located in the Union, may indicate that the controller intends to offer goods or services to persons in the Union.
(24) The processing of personal data of data subjects located in the Union by a controller or processor not established in the Union should also be subject to this Regulation where it is for the purpose of monitoring the behaviour of those data subjects insofar as their behaviour takes place in the Union. Whether a processing activity is for the purpose of monitoring the behaviour of data subjects should be determined by the tracking of their Internet activities, including the possible subsequent use of personal data processing techniques which create a profile of a natural person which is intended, in particular, to form the basis for decisions concerning him or her or to analyze or predict his or her personal preferences, behaviors or habits.
(25) Where the law of a Member State is applicable under international law, for example in a diplomatic or consular representation of a Member State, the Regulation should also apply to a controller not established in the Union.
Article 4 Definitions
For the purposes of this Regulation, the term:
1. “personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Recitals
(26) The principles of data protection should apply to any information relating to an identified or identifiable natural person. Personal data subject to pseudonymization which could be attributed to a natural person by reference to additional information should be considered as information relating to an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of any means reasonably likely to be used by the controller or by any other person to identify the natural person, directly or indirectly, such as singling out. In determining whether means are generally likely to be used to identify the natural person, all objective factors, such as the cost of identification and the time required for it, should be taken into account, taking into account the technology and technological developments available at the time of the processing. The principles of data protection should therefore not apply to anonymous information, that is, information which does not relate to an identified or identifiable natural person, or personal data which has been anonymized in such a way that the data subject cannot be identified or can no longer be identified. This Regulation therefore does not concern the processing of such anonymous data, including for statistical or research purposes.
(27) This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules concerning the processing of personal data of deceased persons.
(28) The application of pseudonymization to personal data can reduce risks to data subjects and assist controllers and processors in complying with their data protection obligations. The explicit introduction of “pseudonymization” in this Regulation is not intended to exclude other data protection measures.
(29) In order to incentivize the use of pseudonymization in the processing of personal data, pseudonymization measures should, while allowing general analysis, be possible within the same controller, if that controller has taken the technical and organizational measures necessary to ensure, for the processing in question, that this Regulation is implemented and that the additional information enabling the personal data to be attributed to a specific data subject is kept separately. The controller processing the personal data should indicate the persons authorized to do so within that controller.
(30) Natural persons may be associated with online identifiers provided by their devices, software applications, tools or protocols, such as IP addresses and cookie identifiers, or with other identifiers such as radio frequency identification tags. These may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
2. “processing” means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
3. “restriction of processing” means the marking of stored personal data with the aim of limiting their future processing;
4. “profiling” means any automated processing of personal data which consists in using such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects relating to that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or change of location;
5. “pseudonymization” means the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
6. “filing system” means any structured collection of personal data accessible according to specified criteria, whether such collection is maintained centrally, decentrally, or on a functional or geographic basis;
7. “controller” means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for by Union or Member State law;
8. “processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
9. “recipient” means a natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not a third party. However, public authorities that may receive personal data in the context of a specific investigation mandate under Union or Member State law shall not be considered as recipients; the processing of such data by the aforementioned authorities shall be carried out in accordance with the applicable data protection rules, in line with the purposes of the processing;
10. “third party” means a natural or legal person, public authority, agency or other body, other than the data subject, the controller, the processor and the persons who, under the direct responsibility of the controller or the processor, are authorized to process the personal data;
11. “consent” of the data subject means any freely given, specific, informed and unambiguous indication of his or her wishes in the form of a statement or other unambiguous affirmative act by which the data subject signifies his or her agreement to personal data relating to him or her being processed;
Recitals
(32) Consent should be given by a clear affirmative act indicating voluntarily, on a case-by-case basis, in an informed and unambiguous manner, that the data subject consents to the processing of personal data relating to him or her, such as a written statement, which may also be given electronically, or an oral statement. This could be done, for example, by ticking a box when visiting a website, by selecting technical settings for information society services or by any other statement or conduct by which the data subject unambiguously indicates his or her consent to the intended processing of his or her personal data in the relevant context. Silence, boxes already ticked or inaction by the data subject should therefore not constitute consent. Consent should cover all processing operations carried out for the same purpose or purposes. If the processing serves multiple purposes, consent should be given for all such processing purposes. If the data subject is requested to give consent by electronic means, the request must be made in a clear and concise manner and without unnecessary interruption of the service for which consent is given.
(33) Often, the purpose of the processing of personal data for scientific research purposes cannot be fully specified at the time when the personal data are collected. Therefore, data subjects should be allowed to give their consent for certain areas of scientific research if this is done in compliance with the accepted ethical standards of scientific research. Data subjects should be given the opportunity to give their consent only for certain areas of research or parts of research projects to the extent permitted by the purpose pursued.
12. “personal data breach” means a breach of security that results, whether accidentally or unlawfully, in the destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data that have been transmitted, stored or otherwise processed;
13. “genetic data” means personal data relating to the inherited or acquired genetic characteristics of a natural person which provide unique information about the physiology or health of that natural person and have been obtained, in particular, from the analysis of a biological sample from that natural person;
Recitals
(34) Genetic data should be defined as personal data concerning the inherited or acquired genetic characteristics of a natural person obtained from the analysis of a biological sample of that natural person, in particular by chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis or the analysis of any other element by which equivalent information can be obtained.
14. “biometric data” means personal data, obtained by means of specific technical processing, relating to the physical, physiological or behavioral characteristics of a natural person which enable or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
15. “data concerning health” means personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
Recitals
(35) Personal data concerning health should include any data relating to the health status of a data subject which reveals information about the past, present and future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, as well as the provision of, health services as defined in Directive 2011/24/EU of the European Parliament and of the Council (9) to the natural person, numbers, symbols or identifiers assigned to a natural person to uniquely identify that natural person for health purposes, information obtained from the examination or testing of a body part or body substance, including from genetic data and biological specimens, and information about, for example, diseases, disabilities, risks of disease, preexisting conditions, clinical treatments, or the physiological or biomedical condition of the individual, regardless of the source of the data, whether from a physician or other health care professional, a hospital, a medical device, or an in vitro diagnostic device.
16. “main establishment” means
a) in the case of a controller with establishments in more than one Member State, the place of its main administration in the Union, unless the decisions regarding the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and that establishment is authorized to have those decisions implemented, in which case the establishment taking such decisions shall be considered the main establishment;
b) in the case of a processor with establishments in more than one Member State, the place of its central administration in the Union or, where the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place, to the extent that the processor is subject to specific obligations under this Regulation;
Recitals
(36) The main establishment of the controller in the Union should be the place of its central administration in the Union, unless decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union, in which case the latter should be considered the main establishment. Objective criteria should be used to determine the main establishment of a controller in the Union, one criterion being the effective and actual exercise of management activities by a fixed establishment within which the policy decisions determining the purposes and means of the processing are taken. The decisive factor should not be whether the processing of personal data is actually carried out at that location. The existence and use of technical means and procedures for processing personal data or processing activities do not in themselves establish a main establishment and are therefore not a determining factor for the existence of a main establishment. The main establishment of the processor should be the place where the processor has its main administration in the Union or, if it has no main administration in the Union, the place where the main processing activities take place in the Union. Where both the controller and the processor are concerned, the supervisory authority of the Member State where the controller has its main establishment should remain the competent lead supervisory authority, but the supervisory authority of the processor should be considered as the supervisory authority concerned and that supervisory authority should participate in the cooperation procedure provided for in this Regulation. In any event, the supervisory authorities of the Member State or Member States in which the processor has one or more establishments should not be considered as supervisory authorities concerned if the draft decision relates only to the controller. 
Where the processing is carried out by a group of undertakings, the main establishment of the controlling undertaking should be considered as the main establishment of the group of undertakings, unless the purposes and means of the processing are determined by another undertaking.
17. “representative” means a natural or legal person established in the Union who has been designated in writing by the controller or processor in accordance with Article 27 and represents the controller or processor with regard to their respective obligations under this Regulation;
18. “enterprise” means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
19. “group of undertakings” means a controlling undertaking and the undertakings controlled by it;
Recitals
(37) A group of undertakings should consist of a controlling undertaking and the undertakings which are dependent on it, the controlling undertaking being the undertaking which can exercise a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it, or the power to have data protection rules implemented. An undertaking which controls the processing of personal data in undertakings affiliated to it should be regarded, together with those undertakings, as a group of undertakings.
20. “binding corporate rules” means measures for the protection of personal data which a controller or processor established in the territory of a Member State undertakes to comply with in respect of a transfer or a set of transfers of personal data to a controller or processor belonging to the same group of undertakings, or to the same group of enterprises engaged in a joint economic activity, in one or more third countries;
21. “supervisory authority” means an independent public authority established by a Member State pursuant to Article 51;
22. “supervisory authority concerned” means a supervisory authority which is concerned by the processing of personal data because
a) the controller or processor is established in the territory of the Member State of that supervisory authority,
b) that processing has or is likely to have a significant impact on data subjects residing in the Member State of that supervisory authority, or
c) a complaint has been lodged with that supervisory authority;
23. “cross-border processing” means either
a) a processing of personal data carried out in the context of the activities of establishments of a controller or processor in the Union in more than one Member State, where the controller or processor is established in more than one Member State, or
b) a processing of personal data which is carried out in the course of the activities of a single establishment of a controller or processor in the Union but which has or is likely to have a significant impact on data subjects in more than one Member State;
24. “relevant and reasoned objection” means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;
25. “information society service” means a service as defined in Article 1(1)(b) of Directive (EU) 2015/1535 of the European Parliament and of the Council (19);
26. “international organisation” means an organisation under international law and its subordinate bodies, or any other body established by or pursuant to an agreement concluded between two or more countries.
Recitals
(31) Public authorities to which personal data are disclosed on the basis of a legal obligation for the performance of their official tasks, such as tax and customs authorities, financial intelligence units, independent administrative authorities or financial market authorities responsible for the regulation and supervision of securities markets, should not be considered as recipients when they receive personal data necessary for the performance, in accordance with Union or Member State law, of an individual investigation task in the public interest. Requests for disclosure emanating from public authorities should always be made in writing, should be reasoned and occasional in nature, and should not concern complete file systems or lead to the interlinking of file systems. The processing of personal data by the said authorities should comply with the data protection rules applicable to the purposes of the processing.
Chapter II Principles
Article 5 Principles for the processing of personal data
(1) Personal data must be
a) processed lawfully, fairly and in a manner comprehensible to the data subject (“lawfulness, fair processing, transparency and information”);
b) collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes shall not be considered incompatible with the original purposes pursuant to Article 89(1) (“purpose limitation”);
c) adequate and relevant to the purpose and limited to what is necessary for the purposes of the processing (data minimization);
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data which are inaccurate, having regard to the purposes of their processing, are erased or rectified without delay (“accuracy”);
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed; personal data may be stored for longer periods insofar as they are processed solely for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes as referred to in Article 89(1), subject to the implementation of the appropriate technical and organisational measures required by this Regulation to safeguard the rights and freedoms of the data subject (“storage limitation”);
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by means of appropriate technical and organisational measures (“integrity and confidentiality”);
(2) The controller shall be responsible for compliance with paragraph 1 and shall be able to demonstrate compliance therewith (“accountability”).
Recitals
(39) Any processing of personal data should be lawful and fair. There should be transparency for natural persons as to the fact that personal data relating to them are collected, used, accessed or otherwise processed, and as to the extent to which the personal data are processed and will be processed in the future. The principle of transparency requires that all information and communications relating to the processing of such personal data be easily accessible and understandable and written in clear and plain language. This principle concerns, in particular, information on the identity of the controller and the purposes of the processing and other information ensuring fair and transparent processing with regard to the natural persons concerned, as well as their right to obtain confirmation and information about which personal data concerning them are being processed. Natural persons should be informed about the risks, rules, safeguards and rights related to the processing of personal data and how to exercise their rights in this regard. In particular, the specific purposes for which the personal data are processed should be clear, lawful and established at the time the personal data are collected. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. In particular, this requires that the retention period for personal data be limited to the minimum strictly necessary. Personal data should only be allowed to be processed if the purpose of the processing cannot reasonably be achieved by other means. In order to ensure that personal data are not kept longer than necessary, the controller should provide time limits for their erasure or periodic review. All reasonable steps should be taken to ensure that inaccurate personal data are erased or rectified.
Personal data should be processed in such a way that their security and confidentiality are adequately ensured, including that unauthorized persons cannot access the data or use the data or the equipment with which they are processed.
Article 6 Lawfulness of processing
(1) Processing is lawful only if at least one of the following conditions is met:
a) The data subject has given his/her consent to the processing of personal data concerning him/her for one or more specific purposes;
b) the processing is necessary for the performance of a contract to which the data subject is party or for the implementation of pre-contractual measures taken at the data subject’s request;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) the processing is necessary in order to protect the vital interests of the data subject or another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) processing is necessary for the purposes of the legitimate interests of the controller or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
(2) Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing, including for other specific processing situations as provided for in Chapter IX.
(3) The legal basis for the processing operations referred to in points (c) and (e) of paragraph 1 shall be established by
a) Union law or
b) the law of the Member States to which the controller is subject.
The purpose of the processing must be specified in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, must be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions adapting the application of the rules of this Regulation, including provisions on the general conditions governing the lawfulness of the processing by the controller, the types of data processed, the individuals concerned, the entities to which and the purposes for which the personal data may be disclosed, the purpose limitation, the storage period and the processing operations and procedures that may be applied, including measures to ensure lawful and fair processing, such as those for other specific processing situations in accordance with Chapter IX. Union or Member State law must pursue an objective in the public interest and be proportionate to the legitimate purpose pursued.
(4) Where processing for a purpose other than that for which the personal data were collected is not based on the data subject’s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to determine whether the processing for another purpose is compatible with that for which the personal data were originally collected, take into account, inter alia,
a) any link between the purposes for which the personal data were collected and the purposes of the intended further processing,
b) the context in which the personal data were collected, in particular with regard to the relationship between the data subjects and the controller,
c) the nature of the personal data, in particular whether special categories of personal data are processed pursuant to Article 9 or whether personal data relating to criminal convictions and offenses are processed pursuant to Article 10,
d) the possible consequences of the intended further processing for the data subjects,
e) the existence of appropriate safeguards, which may include encryption or pseudonymization.
Recitals
(40) In order for processing to be lawful, personal data must be processed with the consent of the data subject or on any other admissible legal basis deriving from this Regulation or, whenever referred to in this Regulation, from other Union or Member State law, such as, inter alia, on the basis that it is necessary for compliance with the legal obligation to which the controller is subject or for the performance of a contract to which the data subject is party, or for the performance of pre-contractual measures taken at the data subject’s request.
(41) Where reference is made in this Regulation to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements under the constitutional order of the Member State concerned. However, the relevant legal basis or legislative measure should be clear and precise, and its application should be foreseeable to those subject to it, in accordance with the case law of the Court of Justice of the European Union (hereinafter “Court of Justice”) and the European Court of Human Rights.
(44) The processing of data should be considered lawful if it is necessary for the performance or the envisaged conclusion of a contract.
(45) Where the processing is carried out by the controller on the basis of a legal obligation to which the controller is subject or where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, there must be a basis for it in Union or Member State law. This Regulation does not require a specific law for each individual processing operation. A law may be sufficient as a basis for several processing operations where the processing is carried out on the basis of a legal obligation incumbent on the controller or where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. Similarly, Union or Member State law should regulate the purposes for which the data may be processed. Furthermore, such law could specify the general conditions of this Regulation governing the lawfulness of the processing of personal data and could specify how the controller is to be determined, what type of personal data are processed, which individuals are concerned, to which entities the personal data may be disclosed, for what purposes and for how long they may be stored, and what other measures are taken to ensure that the processing is lawful and fair. Similarly, Union or Member State law should specify whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public authority or another natural or legal person governed by public law or, where justified by the public interest, including health purposes, such as public health or social security or the administration of healthcare benefits, a natural or legal person governed by private law, such as a professional association.
(46) The processing of personal data should also be considered lawful if it is necessary in order to protect a vital interest of the data subject or of another natural person. Personal data should in principle only be processed on the basis of a vital interest of another natural person if the processing clearly cannot be based on any other legal basis. Some types of processing may serve both important public interest reasons and vital interests of the data subject; for example, processing may be necessary for humanitarian purposes, including monitoring epidemics and their spread, or in humanitarian emergencies, in particular natural or man-made disasters.
(47) The lawfulness of the processing may be justified by the legitimate interests of a controller, including a controller to whom the personal data may be disclosed, or of a third party, provided that the interests or the fundamental rights and freedoms of the data subject are not overridden, taking into account the reasonable expectations of the data subject based on his or her relationship with the controller. For example, a legitimate interest could exist if there is a relevant and appropriate relationship between the data subject and the controller, e.g. if the data subject is a customer of the controller or in the service of the controller. In any case, the existence of a legitimate interest would have to be weighed particularly carefully, including whether a data subject could reasonably foresee, at the time of collection of the personal data and in light of the circumstances in which it takes place, that processing might take place for that purpose. In particular, where personal data are processed in situations where a data subject cannot reasonably expect further processing, the interests and fundamental rights of the data subject could override the interest of the controller. Since it is for the legislator to provide by law the legal basis for the processing of personal data by public authorities, this legal basis should not apply to processing operations carried out by public authorities in the performance of their tasks. The processing of personal data to the extent strictly necessary for the prevention of fraud also constitutes a legitimate interest of the relevant controller.
The processing of personal data for the purposes of direct marketing may be considered as processing serving a legitimate interest.
(48) Controllers that are part of a group of undertakings or a group of entities that are assigned to a central body may have a legitimate interest in transferring personal data within the group of undertakings for internal management purposes, including the processing of personal data of customers and employees. The basic principles for the transfer of personal data within groups of companies to a company in a third country remain unaffected.
(49) The processing of personal data by public authorities, Computer Emergency Response Teams (CERTs), Computer Security Incident Response Teams (CSIRTs), providers of electronic communications networks and services, and providers of security technologies and services constitutes a legitimate interest of the controller to the extent strictly necessary and proportionate for ensuring network and information security, i.e. to the extent that it ensures the ability of a network or information system to withstand, with a specified degree of reliability, disruptions or unlawful or malicious interference affecting the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, as well as the security of related services offered by, or accessible through, those networks or information systems. Such a legitimate interest could be, for example, preventing unauthorised access to electronic communications networks and the dissemination of malicious program code, stopping attacks in the form of targeted overloading of servers (“denial of service” attacks), and defending against damage to computer and electronic communications systems.
(50) Processing of personal data for purposes other than those for which the personal data were originally collected should only be allowed if the processing is compatible with the purposes for which the personal data were originally collected. In this case, no separate legal basis is required other than the one for the collection of the personal data. Where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union or Member State law may determine and specify the tasks and purposes for which further processing is deemed compatible and lawful. Further processing for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes should be considered compatible and lawful processing. The legal basis for processing personal data provided for in Union or Member State law may also serve as a legal basis for further processing. In order to determine whether a purpose of further processing is compatible with the purpose for which the personal data were originally collected, the controller, after complying with all requirements for the lawfulness of the original processing, should consider, inter alia, whether there is a link between the purposes for which the personal data were collected and the purposes of the intended further processing, the context in which the data were collected, in particular the reasonable expectations of the data subject, based on his or her relationship with the controller, as to the further use of such data, the nature of the personal data involved, the consequences of the intended further processing for the data subjects, and whether appropriate safeguards are in place for both the original and the intended further processing operation.
Where the data subject has given consent or the processing is based on Union or Member State law, which is a necessary and proportionate measure in a democratic society to protect, in particular, important general public interest objectives, the controller should be allowed to further process the personal data regardless of the compatibility of the purposes. In any case, it should be ensured that the principles laid down in this Regulation are applied and, in particular, that the data subject is informed of those other purposes and of his or her rights, including the right to object. The indication by the controller of possible criminal offences or threats to public security and the transfer to a competent authority of the relevant personal data in individual cases or in several cases related to the same criminal offence or the same threat to public security should be considered as a legitimate interest of the controller. However, such transfer of personal data in the legitimate interest of the controller or further processing thereof should be unlawful if the processing is incompatible with a legal, professional or other binding obligation of secrecy.
Article 7 Conditions for consent
(1) If the processing is based on consent, the controller must be able to prove that the data subject has consented to the processing of his/her personal data.
(2) If the data subject’s consent is given by means of a written statement which also concerns other matters, the request for consent shall be presented in an understandable and easily accessible form, in clear and plain language, in such a way that it is clearly distinguishable from the other matters. Any part of such a statement which constitutes an infringement of this Regulation shall not be binding.
(3) The data subject has the right to revoke his/her consent at any time. The revocation of consent shall not affect the lawfulness of the processing carried out on the basis of the consent until the revocation. The data subject shall be informed of this before giving consent. The revocation of consent must be as simple as giving consent.
(4) In assessing whether consent has been freely given, it is necessary to take into account, to the greatest extent possible, whether, inter alia, the performance of a contract, including the provision of a service, is dependent on consent to the processing of personal data that are not necessary for the performance of the contract.
Recitals
(42) Where processing is carried out with the consent of the data subject, the controller should be able to demonstrate that the data subject has given his or her consent to the processing operation. In particular, where a written statement is given in another matter, safeguards should ensure that the data subject knows that he or she is giving consent and to what extent. In accordance with Council Directive 93/13/EEC (10), a consent form pre-formulated by the controller should be provided in an intelligible and easily accessible form in plain and simple language and should not contain unfair terms. In order to be able to give informed consent, the data subject should at least know who the controller is and for what purposes his or her personal data are to be processed. The data subject should only be considered to have given consent freely if he or she has a genuine or free choice and is thus able to refuse or withdraw consent without suffering any disadvantage.
(43) In order to ensure that consent is freely given, it should not provide a valid legal basis in specific cases where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely, in view of all the circumstances in the specific case, that consent was freely given. Consent shall not be deemed to have been given voluntarily if consent cannot be given separately for different processing operations of personal data, although this is appropriate in the specific case, or if the performance of a contract, including the provision of a service, is dependent on consent, although such consent is not necessary for performance.
Article 8 Conditions for the consent of a child in relation to information society services
(1) Where Article 6(1)(a) applies in the case of an offer of information society services made directly to a child, the processing of the child’s personal data shall be lawful if the child has reached the age of sixteen. If the child has not reached the age of sixteen, such processing shall be lawful only if and to the extent that such consent is given by or with the consent of the holder of parental responsibility over the child. Member States may, by law, provide for a lower age limit for these purposes, but it shall not be lower than the age of thirteen years.
(2) The Controller shall make reasonable efforts, taking into account available technology, to ascertain in such cases that consent has been given by or with the consent of the holder of parental responsibility for the child.
(3) Paragraph 1 shall be without prejudice to the general contract law of the Member States, such as the rules on the validity, formation or legal consequences of a contract in relation to a child.
Recitals
(38) Children deserve special protection with regard to their personal data, as children may be less aware of the risks, consequences and safeguards involved and of their rights when personal data are processed. Such special protection should in particular concern the use of children’s personal data for advertising purposes or for personal or user profiling and the collection of children’s personal data when using services offered directly to children. The consent of the holder of parental responsibility should not be required in the context of prevention or counseling services offered directly to a child.
Article 9 Processing of special categories of personal data
(1) The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data uniquely identifying a natural person, health data or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
(2) Paragraph 1 shall not apply in the following cases:
a) The data subject has given his or her explicit consent to the processing of the personal data referred to above for one or more specified purposes, unless, under Union or Member State law, the prohibition in paragraph 1 cannot be lifted by the data subject’s consent,
b) the processing is necessary to enable the controller or the data subject to exercise his or her rights and comply with his or her obligations under employment law and social security and social protection law, to the extent permitted by Union law or Member State law or by a collective agreement under Member State law which provides appropriate safeguards for the fundamental rights and interests of the data subject,
c) the processing is necessary to protect the vital interests of the data subject or another natural person and the data subject is unable to give consent for physical or legal reasons,
d) the processing is carried out on the basis of appropriate safeguards by a political, philosophical, religious or trade union foundation, association or other non-profit organization in the course of its legitimate activities and provided that the processing relates exclusively to the members or former members of the organization or to persons who have regular contacts with it in connection with its purpose of activity and that the personal data are not disclosed to outside parties without the consent of the data subjects,
e) the processing relates to personal data which the data subject has manifestly made public,
f) processing is necessary for the establishment, exercise or defense of legal claims or in case of actions of the courts in the course of their judicial activities,
g) processing is necessary for reasons of substantial public interest based on Union law or the law of a Member State which is proportionate to the aim pursued, respects the essence of the right to data protection and provides for adequate and specific measures to safeguard the fundamental rights and interests of the data subject,
h) the processing is necessary for the purposes of preventive health care or occupational medicine, the assessment of the employee’s fitness for work, medical diagnosis, health or social care or treatment, or the management of health or social care systems and services on the basis of Union law or the law of a Member State or on the basis of a contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3,
i) the processing is necessary for reasons of public interest in the field of public health, such as protection against serious cross-border threats to health or to ensure high standards of quality and safety in healthcare and medicinal products and medical devices, on the basis of Union law or the law of a Member State which lays down appropriate and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy, or
j) processing is necessary for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes as referred to in Article 89(1), on the basis of Union law or the law of a Member State which is proportionate to the aim pursued, respects the essence of the right to data protection and provides for adequate and specific measures to safeguard the fundamental rights and interests of the data subject.
(3) The personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 where those data are processed by or under the responsibility of specialised staff and those specialised staff are subject to professional secrecy under Union law or the law of a Member State or the rules of national competent bodies, or where the processing is carried out by another person who is also subject to professional secrecy under Union law or the law of a Member State or the rules of national competent bodies.
(4) Member States may introduce or maintain additional conditions, including restrictions, as far as the processing of genetic, biometric or health data is concerned.
Recitals
(51) Personal data which are, by their nature, particularly sensitive with regard to fundamental rights and freedoms deserve specific protection, since significant risks to fundamental rights and freedoms may arise in the context of their processing. Such personal data should include personal data revealing racial or ethnic origin, whereby the use of the term “racial origin” in this Regulation does not mean that the Union endorses theories which attempt to prove the existence of different human races. The processing of photographs should not in principle be considered as the processing of special categories of personal data, since photographs are only covered by the definition of “biometric data” if they are processed by specific technical means enabling the unique identification or authentication of a natural person. Such personal data should not be processed unless the processing is allowed in the specific cases set out in this Regulation, taking into account that specific data protection provisions may be laid down in the law of the Member States in order to adapt the application of the provisions of this Regulation to allow compliance with a legal obligation or the performance of a task carried out in the public interest or the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other provisions of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition on processing those special categories of personal data should be explicitly provided for, inter alia, where the data subject has given his or her explicit consent or where there are specific needs, in particular where the processing is carried out in the course of legitimate activities of certain associations or foundations promoting the exercise of fundamental freedoms.
(52) Derogations from the prohibition on processing special categories of personal data should also be allowed where provided for by Union or Member State law and, subject to appropriate safeguards for the protection of personal data and other fundamental rights, where justified by the public interest, in particular for the processing of personal data in the field of employment law and social security law, including pensions, and for the purposes of ensuring and monitoring health and health warnings, prevention or control of contagious diseases and other serious health threats. Such an exception may be made for health purposes, such as ensuring public health and the administration of health care benefits, in particular where it is intended to ensure the quality and efficiency of the procedures for billing benefits in social health insurance schemes, or where the processing serves archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes. The processing of such personal data should also be exceptionally allowed if it is necessary to assert, exercise or defend legal claims, whether in judicial proceedings or in administrative or extrajudicial proceedings.
(53) Special categories of personal data which merit a higher level of protection should only be processed for health-related purposes if necessary for the achievement of those purposes in the interest of individual natural persons and society as a whole, in particular in the context of the management of health or social care services and systems, including the processing of such data by the administration and central national health authorities for the purpose of quality control, administrative information and general national and local monitoring of the health or social care system and for the purpose of ensuring continuity of health and social care and cross-border healthcare or health assurance and monitoring and health alerts, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes based on Union or Member State legislation which must serve a public interest objective, and for studies carried out in the public interest in the field of public health. This Regulation should therefore harmonise conditions for the processing of special categories of personal data concerning health with regard to certain requirements, in particular where the processing of such data for health-related purposes is carried out by persons subject to professional secrecy pursuant to a legal obligation. Union or Member State law should provide for specific and proportionate measures to protect the fundamental rights and personal data of natural persons. Member States should be allowed to maintain or introduce further conditions, including restrictions, in relation to the processing of genetic data, biometric data or health data. However, this should not affect the free flow of personal data within the Union if the conditions in question apply to the cross-border processing of such data.
(54) For reasons of public interest in areas of public health, it may be necessary to process special categories of personal data even without the consent of the data subject. Such processing should be subject to appropriate and specific measures to protect the rights and freedoms of natural persons. In this context, the term “public health” shall be interpreted within the meaning of Regulation (EC) No 1338/2008 of the European Parliament and of the Council (11) and shall include all elements related to health such as health status, including morbidity and disability, the determinants affecting that health status, the need for health care, the resources allocated to health care, the provision of and general access to health care services and the corresponding expenditure and financing, and finally the causes of mortality. Such processing of health data for reasons of public interest shall not result in third parties, including employers or insurance and financial companies, processing such personal data for other purposes.
(55) The processing of personal data by state agencies for the constitutionally or internationally enshrined purposes of state-recognized religious communities is also carried out for reasons of public interest.
(56) Where, in a Member State, the functioning of the democratic system requires that political parties collect personal data relating to the political opinions of individuals in the context of elections, the processing of such data may be authorised for reasons of public interest, provided that appropriate safeguards are established.
Article 10 Processing of personal data relating to criminal convictions and offences
The processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) may only be carried out under the supervision of public authorities or where permitted by Union law or Member State law providing appropriate safeguards for the rights and freedoms of data subjects. A comprehensive register of criminal convictions may be kept only under administrative supervision.
Article 11 Processing for which identification of the data subject is not necessary
(1) If the identification of the data subject by the controller is not or is no longer necessary for the purposes for which a controller processes personal data, the controller shall not be required to retain, obtain or process additional information to identify the data subject for the sole purpose of complying with this Regulation.
(2) In cases referred to in paragraph 1 of this Article, if the controller can demonstrate that it is not in a position to identify the data subject, it shall inform the data subject accordingly, where possible. In such cases, Articles 15 to 20 shall not apply unless the data subject, for the purpose of exercising his or her rights under those Articles, provides additional information enabling his or her identification.
Recitals
(57) Where the controller cannot identify a natural person from the personal data it processes, it should not be obliged to obtain additional data in order to identify the data subject for the sole purpose of complying with a provision of this Regulation. However, the controller should not refuse to accept additional information provided by the data subject in order to support the exercise of his or her rights. Identification should include the digital identification of a data subject, for example through authentication procedures using the same credentials as the data subject uses to log in to the online service provided by the controller.
(64) The controller should use all reasonable means to verify the identity of a data subject seeking information, in particular in the context of online services and in the case of online identifiers. A controller should not store personal data for the sole purpose of responding to possible requests for information.
Chapter III Rights of the data subject
Section 1 Transparency and modalities
Article 12 Transparent information, communication and modalities for the exercise of the rights of the data subject
(1) The controller shall take appropriate measures to provide the data subject with all the information referred to in Articles 13 and 14 and all the communications referred to in Articles 15 to 22 and Article 34 relating to the processing in a concise, transparent, intelligible and easily accessible form, using clear and plain language; this shall apply in particular to any information specifically addressed to a child. The information shall be provided in writing or by other means, including, where appropriate, by electronic means. If requested by the data subject, the information may be provided orally, provided that the identity of the data subject has been proven by other means.
(2) The controller shall facilitate the data subject’s exercise of his or her rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller may refuse to act on the data subject’s request to exercise his or her rights under Articles 15 to 22 only if it credibly demonstrates that it is not in a position to identify the data subject.
(3) The controller shall provide the data subject with information on the action taken on a request pursuant to Articles 15 to 22 without undue delay and in any case within one month of receipt of the request. This period may be extended by a further two months where necessary, taking into account the complexity and the number of requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. If the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
(4) If the data controller fails to act on the data subject’s request, it shall inform the data subject without delay, but no later than within one month of receipt of the request, of the reasons therefor and of the possibility of lodging a complaint with a supervisory authority or seeking judicial remedy.
(5) Information pursuant to Articles 13 and 14 and any notices and measures pursuant to Articles 15 to 22 and Article 34 shall be provided free of charge. In the case of manifestly unfounded or – in particular in the case of frequent repetition – excessive requests by a data subject, the controller may either
a) Charge a reasonable fee that takes into account the administrative costs of informing or notifying or implementing the requested action; or
b) refuse to act on the request.
The controller shall bear the burden of demonstrating the manifestly unfounded or excessive nature of the request.
(6) Without prejudice to Article 11, where the controller has reasonable doubts about the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request additional information necessary to confirm the identity of the data subject.
(7) The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardized icons in order to give a meaningful overview of the intended processing in an easily perceivable, understandable and clearly comprehensible form. If the icons are presented in electronic form, they must be machine-readable.
(8) The Commission shall be empowered to adopt delegated acts in accordance with Article 92 concerning the definition of the information to be represented by icons and the procedures for the provision of standardized icons.
Recitals
(58) The principle of transparency requires that information intended for the public or the data subject should be accurate, easily accessible and comprehensible, in clear and plain language, and, where appropriate, should additionally use visual elements. This information could be provided in electronic form, for example on a website, if it is intended for the public. This is especially true in situations where the large number of parties involved and the complexity of the technology needed to do so make it difficult for the data subject to know and understand whether personal data concerning him or her are being collected, by whom, and for what purpose, such as in the case of advertising on the Internet. If the processing is directed at children, due to the special vulnerability of children, information and notices should be provided in such clear and simple language that a child can understand them.
(59) Modalities should be laid down to facilitate the exercise of the rights of a data subject under this Regulation, including mechanisms to ensure that he or she can request and, where appropriate, obtain free of charge, in particular access to and rectification or erasure of personal data or exercise his or her right to object. Thus, the controller should also ensure that requests can be made electronically, in particular where the personal data are processed electronically. The controller should be required to respond to the data subject’s request without undue delay and, at the latest, within one month, and, where appropriate, to give reasons why it refuses the request.
(60) The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which the personal data are processed. In addition, the controller should inform the data subject that profiling is taking place and what the consequences are. Furthermore, if the personal data are collected from the data subject, he or she should be informed whether he or she is obliged to provide the personal data and what the consequences of withholding the data would be. The information in question may be provided in combination with standardized icons to provide a meaningful overview of the intended processing in an easily perceivable, understandable and clearly comprehensible form. If the icons are presented in electronic form, they should be machine-readable.
Section 2 Transparency and information and right of access to personal data
Article 13 Transparency and information when collecting personal data from the data subject
(1) If personal data are collected from the data subject, the controller shall inform the data subject of the following at the time of collection of such data:
a) the name and contact details of the controller and, where applicable, of the controller’s representative;
b) if applicable, the contact details of the data protection officer;
c) the purposes for which the personal data are to be processed and the legal basis for the processing;
d) if the processing is based on Article 6(1)(f), the legitimate interests pursued by the controller or a third party;
e) where applicable, the recipients or categories of recipients of the personal data; and
f) where applicable, the controller’s intention to transfer the personal data to a third country or an international organization and the existence or absence of an adequacy decision by the Commission or, in the case of transfers pursuant to Article 46 or Article 47 or the second subparagraph of Article 49(1), a reference to the appropriate or adequate safeguards and how to obtain a copy of them or where they are available.
(2) In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following additional information necessary to ensure fair and transparent processing at the time of collection of such data:
a) the duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration;
b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject, or to object to processing, as well as the right to data portability;
c) if the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of a right to withdraw consent at any time without affecting the lawfulness of the processing carried out on the basis of consent until withdrawal;
d) the existence of the right to lodge a complaint with a supervisory authority;
e) whether the provision of the personal data is required by law or by contract or is necessary for the conclusion of a contract, whether the data subject is obliged to provide the personal data and what the possible consequences of not providing the data would be, and
f) the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.
(3) Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject with information on that other purpose and any other relevant information pursuant to paragraph 2 prior to such further processing.
(4) Paragraphs 1, 2 and 3 shall not apply if and to the extent that the data subject already possesses the information.
Recitals
(61) The fact that personal data concerning him or her are being processed should be communicated to the data subject at the time of collection or, if the data are not obtained from him or her but from another source, within a reasonable period of time, depending on the specific case. If the personal data may lawfully be disclosed to another recipient, the data subject should be made aware of this when the personal data is first disclosed to that recipient. If the controller intends to process the personal data for a purpose other than that for which the data were collected, it should provide the data subject with information about that other purpose and other necessary information prior to such further processing. If it was not possible to inform the data subject of the origin of the personal data because different sources were used, the information should be provided in general terms.
Article 14 Transparency and information when the personal data have not been collected from the data subject
(1) If personal data are not collected from the data subject, the controller shall inform the data subject of the following:
a) the name and contact details of the controller and, where applicable, of the controller’s representative;
b) where applicable, the contact details of the data protection officer;
c) the purposes for which the personal data are to be processed and the legal basis for the processing;
d) the categories of personal data that are processed;
e) where applicable, the recipients or categories of recipients of the personal data;
f) where applicable, the controller’s intention to transfer the personal data to a recipient in a third country or an international organization and the existence or absence of an adequacy decision by the Commission or, in the case of transfers pursuant to Article 46 or Article 47 or Article 49(1), second subparagraph, a reference to the appropriate or adequate safeguards and the possibility of obtaining a copy of them or where they are available.
(2) In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing vis-à-vis the data subject:
a) the duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration;
b) if the processing is based on Article 6(1)(f), the legitimate interests pursued by the controller or a third party;
c) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing, as well as the right to data portability;
d) if the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of a right to withdraw consent at any time without affecting the lawfulness of the processing carried out on the basis of consent until withdrawal;
e) the existence of the right to lodge a complaint with a supervisory authority;
f) the source of the personal data and, if applicable, whether it comes from publicly available sources;
g) the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.
(3) The controller shall provide the information pursuant to paragraphs 1 and 2
a) taking into account the specific circumstances of the processing of the personal data, within a reasonable period after obtaining the personal data, but no longer than within one month,
b) if the personal data are to be used to communicate with the data subject, at the latest at the time of the first communication to him, or,
c) if disclosure to another recipient is intended, no later than the time of the first disclosure.
(4) Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject with information on that other purpose and any other relevant information pursuant to paragraph 2 prior to such further processing.
(5) Paragraphs 1 to 4 shall not apply if and to the extent that
a) the data subject already has the information,
b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, subject to the conditions and safeguards referred to in Article 89(1), or insofar as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously prejudice the achievement of the purposes of such processing. In such cases, the controller shall take appropriate measures to protect the rights and freedoms and legitimate interests of the data subject, including making such information available to the public,
c) the obtaining or disclosure is expressly regulated by Union or Member State law to which the controller is subject and which provides for appropriate measures to protect the data subject’s legitimate interests, or
d) the personal data are subject to professional secrecy, including a statutory duty of confidentiality, in accordance with Union law or the law of the Member States and must therefore be treated confidentially.
Recitals
[see also Recital 61]
(62) However, the obligation to provide information is unnecessary if the data subject already has the information, if the storage or disclosure of the personal data is expressly regulated by law, or if informing the data subject proves impossible or would involve a disproportionate effort. The latter could be the case, in particular, in the case of processing for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes. The number of data subjects, the age of the data or any appropriate safeguards should be considered as indications.
Article 15 Right of access of the data subject
(1) The data subject shall have the right to obtain from the controller confirmation as to whether personal data concerning him or her are being processed; if this is the case, he or she shall have the right to obtain access to such personal data and the following information:
a) the purposes of processing;
b) the categories of personal data that are processed;
c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular in the case of recipients in third countries or international organizations;
d) if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration;
e) the existence of a right to obtain the rectification or erasure of personal data concerning him or her, or to obtain the restriction of processing by the controller, or a right to object to such processing;
f) the existence of the right to lodge a complaint with a supervisory authority;
g) if the personal data are not collected from the data subject, any available information on the origin of the data;
h) the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.
(2) Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards referred to in Article 46 in connection with the transfer.
(3) The controller shall provide a copy of the personal data subject to processing. For any additional copies requested by the data subject, the controller may charge a reasonable fee based on the administrative costs. If the data subject makes the request electronically, the information shall be provided in a commonly used electronic format, unless otherwise specified by the data subject.
(4) The right to obtain a copy under paragraph 3 shall not adversely affect the rights and freedoms of others.
Recitals
(63) A data subject should have the right of access to personal data concerning him or her which have been collected and should be able to exercise that right easily and at reasonable intervals in order to be aware of the processing and to verify its lawfulness. This includes the right of data subjects to have access to their own health-related data, such as data in their patient files containing information such as diagnoses, examination results, findings of the treating physicians and information on treatments or interventions. Every data subject should therefore be entitled to know and be informed, in particular, for what purposes the personal data are processed and, where possible, for how long they are stored, who are the recipients of the personal data, what is the logic involved in the automatic processing of personal data and what are the likely consequences of such processing, at least in cases where the processing is based on profiling. Where possible, the controller should be able to provide remote access to a secure system that would allow the data subject direct access to his or her personal data. This right should not affect the rights and freedoms of other individuals, such as trade secrets or intellectual property rights and in particular copyright in software. However, this should not result in denying the data subject any access. Where the controller processes a large amount of information about the data subject, he should be able to require that the data subject specify to which information or which processing operations his request for information relates before he gives him access.
Section 3 Rectification and erasure
Article 16 Right of rectification
The data subject shall have the right to obtain from the controller the rectification without undue delay of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject has the right to request that incomplete personal data be completed, including by means of a supplementary declaration.
Article 17 Right to erasure (“Right to be forgotten”)
(1) The data subject shall have the right to obtain from the controller the erasure without delay of personal data concerning him or her, and the controller shall be obliged to erase personal data without delay where one of the following reasons applies:
a) The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
b) The data subject revokes the consent on which the processing was based pursuant to Article 6(1)(a) or Article 9(2)(a) and there is no other legal basis for the processing.
c) The data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2).
d) The personal data have been processed unlawfully.
e) The deletion of the personal data is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.
f) The personal data have been collected in relation to information society services offered in accordance with Article 8(1).
(2) If the controller has made the personal data public and is obliged to erase it pursuant to paragraph 1, it shall take reasonable measures, including technical measures, having regard to the available technology and the cost of implementation, to inform data controllers which process the personal data that a data subject has requested that they erase all links to or copies or replications of that personal data.
(3) Paragraphs 1 and 2 shall not apply insofar as the processing is necessary
a) for exercising the right to freedom of expression and information;
b) for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
c) for reasons of public interest in the field of public health in accordance with Article 9(2)(h) and (i) and Article 9(3);
d) for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes as referred to in Article 89(1), where the right referred to in paragraph 1 is likely to render impossible or seriously prejudice the achievement of the purposes of such processing; or
e) for the establishment, exercise or defense of legal claims.
Recitals
(65) A data subject should have a right of rectification of personal data concerning him or her and a “Right to be forgotten” if the storage of their data infringes this Regulation or Union law or the law of the Member States to which the controller is subject. In particular, data subjects should be entitled to have their personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, where data subjects have withdrawn their consent to processing or objected to the processing of personal data concerning them, or where the processing of their personal data otherwise infringes this Regulation. This right is particularly important in cases where the data subject gave his or her consent while still a child and, in this respect, could not fully foresee the risks associated with the processing and wishes to erase the personal data – especially those stored on the Internet – at a later stage. The data subject should be able to exercise this right even if he or she is no longer a child. However, the continued storage of the personal data should be lawful if it is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, for reasons of public interest in the field of public health, for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, or for the establishment, exercise or defense of legal claims.
(66) In order to meet the “Right to be forgotten” on the network, the right to erasure should be extended by requiring a controller who has made the personal data public to notify the controllers who process that personal data to erase all links to, or copies or replications of, that personal data. In doing so, the controller should take reasonable measures, including technical measures, taking into account the available technologies and means at its disposal, to inform the controllers processing such personal data of the data subject’s request.
Article 18 Right to restriction of processing
(1) The data subject shall have the right to obtain from the controller the restriction of processing if one of the following conditions is met:
a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject refuses the erasure of the personal data and instead requests the restriction of the use of the personal data;
c) the controller no longer needs the personal data for the purposes of processing, but the data subject needs them for the establishment, exercise or defense of legal claims; or
d) the data subject has objected to the processing pursuant to Article 21(1), as long as it is not yet established whether the legitimate grounds of the controller override those of the data subject.
(2) Where processing has been restricted in accordance with paragraph 1, those personal data may be processed, except for storage, only with the consent of the data subject or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of substantial public interest of the Union or of a Member State.
(3) A data subject who has obtained a restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction is lifted.
Recitals
(67) Methods to restrict the processing of personal data could include temporarily transferring selected personal data to another processing system, making them unavailable to users, or temporarily removing published data from a website. In automated filing systems, the restriction of processing should in principle be carried out by technical means in such a way that the personal data cannot be further processed in any way and cannot be modified. The fact that the processing of personal data has been restricted should be clearly indicated in the system.
Article 19 Notification obligation in connection with the rectification or erasure of personal data or the restriction of processing
The controller shall notify all recipients to whom personal data have been disclosed of any rectification or erasure of the personal data or restriction of processing pursuant to Article 16, Article 17(1) and Article 18, unless this proves impossible or involves a disproportionate effort. The controller shall inform the data subject of these recipients if the data subject so requests.
Article 20 Right to data portability
(1) The data subject shall have the right to receive the personal data concerning him or her that he or she has provided to a controller in a structured, commonly used and machine-readable format, and shall have the right to transmit such data to another controller without hindrance from the controller to whom the personal data have been provided, provided that
a) the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) or on a contract pursuant to Article 6(1)(b); and
b) the processing is carried out with the help of automated procedures.
(2) When exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to obtain that the personal data be transferred directly from one controller to another controller, where technically feasible.
(3) The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. This right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
(4) The right referred to in paragraph 2 of this Article shall not interfere with the rights and freedoms of other persons.
Recitals
(68) In order to have better control over their own data in case of processing of personal data by automatic means, the data subject should also be entitled to receive the personal data relating to him or her which he or she has provided to a controller in a structured, commonly used, machine-readable and interoperable format and to transmit them to another controller. Controllers should be encouraged to develop interoperable formats that enable data portability. This right should apply where the data subject has provided the personal data with his or her consent or the processing is necessary for the performance of a contract. It should not apply if the processing is based on a legal basis other than their consent or a contract. By its nature, this right should not be exercised against controllers who process personal data in the performance of their public tasks. It should therefore not apply where the processing of personal data is necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The right of the data subject to transmit or receive personal data concerning him or her should not create an obligation for the controller to adopt or maintain technically compatible data processing systems. Where, in the case of a given set of personal data, more than one data subject is affected, the right to receive the data should be without prejudice to the fundamental rights and freedoms of other data subjects under this Regulation. 
Moreover, that right should not affect the data subject’s right to erasure of his or her personal data and the limitations on that right under this Regulation and, in particular, should not mean that the data relating to the data subject and provided by him or her for the performance of a contract are erased to the extent and for as long as those personal data are necessary for the performance of the contract. Where technically feasible, the data subject should have the right to obtain that the personal data be transferred directly from one controller to another controller.
Section 4 Right to object and automated decision-making in individual cases
Article 21 Right of objection
(1) The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her which is carried out on the basis of Article 6(1)(e) or (f); this shall also apply to any profiling based on those provisions. The controller shall no longer process the personal data unless he can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defense of legal claims.
(2) If personal data are processed for the purpose of direct marketing, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing; this shall also apply to profiling insofar as it is related to such direct marketing.
(3) If the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for these purposes.
(4) The data subject shall be expressly informed of the right referred to in paragraphs (1) and (2) no later than at the time of the first communication with him or her; this information shall be provided in a comprehensible form separate from other information.
(5) In the context of the use of information society services, notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by means of automated procedures using technical specifications.
(6) The data subject shall have the right, on grounds relating to his or her particular situation, to object to processing of personal data concerning him or her which is carried out for scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1), unless the processing is necessary for the performance of a task carried out in the public interest.
Recitals
(69) Where the personal data may be lawfully processed because the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or on grounds of the legitimate interest of the controller or a third party, any data subject should nevertheless have the right to object to the processing of personal data relating to his or her particular situation. The controller should have to demonstrate that its compelling legitimate interests override the interests or fundamental rights and freedoms of the data subject.
(70) Where personal data are processed for the purposes of direct marketing, the data subject should be able to object, free of charge, at any time to such processing, including profiling, whether carried out initially or subsequently, insofar as it relates to such direct marketing. The data subject should be expressly informed of this right; this information should be provided in a comprehensible form, separate from other information.
Article 22 Automated decisions in individual cases including profiling
(1) The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
(2) Paragraph 1 shall not apply if the decision
a) is necessary for the conclusion or performance of a contract between the data subject and the controller,
b) is permitted by Union or Member State legislation to which the controller is subject and that legislation contains appropriate measures to safeguard the rights and freedoms and legitimate interests of the data subject, or
c) takes place with the express consent of the data subject.
(3) In the cases referred to in paragraph 2(a) and (c), the controller shall take reasonable steps to safeguard the rights and freedoms as well as the legitimate interests of the data subject, which shall include, at least, the right to obtain the intervention of a person on the part of the controller, to express his or her point of view and to contest the decision.
(4) Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless Article 9(2)(a) or (g) applies and appropriate measures have been taken to protect the rights and freedoms and legitimate interests of the data subject.
Recitals
(71) The data subject should have the right not to be subject to a decision – which may include a measure – evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as the automatic rejection of an online credit application or online recruitment procedures without any human intervention. Such processing also includes the “Profiling”, which consists in any form of automated processing of personal data evaluating personal aspects relating to a natural person, in particular for the purpose of analyzing or forecasting aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or conduct, location or change of location, where this produces legal effects concerning the data subject or similarly significantly affects him or her. However, decision making based on such processing, including profiling, should be allowed where expressly permitted by Union law or the law of the Member States to which the controller is subject, including in order to comply with the rules, standards and recommendations of Union institutions or national supervisory bodies, to monitor and prevent fraud and tax evasion and to ensure the security and reliability of a service provided by the controller, or where it is necessary for the conclusion or performance of a contract between the data subject and a controller, or where the data subject has given his or her explicit consent. In any case, such processing should be subject to appropriate safeguards, including specific information to the data subject and the right to direct intervention by a person, to express his or her point of view, to have the decision taken after an appropriate evaluation explained, and to have the right to challenge the decision. This measure should not affect a child.
In order to ensure fair and transparent processing vis-à-vis the data subject, taking into account the specific circumstances and context in which the personal data are processed, the controller should use appropriate mathematical or statistical methods for profiling, implement technical and organisational measures to ensure, in particular, that factors which lead to inaccurate personal data are corrected and the risk of error is minimized, and secure personal data in a manner that takes into account potential threats to the interests and rights of the data subject and that prevents discriminatory effects against natural persons on the basis of race, ethnic origin, political opinion, religion or belief, trade union membership, genetic makeup or health status, or sexual orientation, or measures that have such an effect. Automated decision making and profiling based on special categories of personal data should only be allowed under certain conditions.
(72) Profiling is subject to the rules laid down in this Regulation for the processing of personal data, such as the legal basis for the processing or the data protection principles. The European Data Protection Board established by this Regulation (hereinafter “the Board”) should be able to issue guidelines in this regard.
Section 5 Restrictions
Article 23 Restrictions
(1) Union or Member State legislation to which the controller or processor is subject may, by way of legislative measures, restrict the obligations and rights referred to in Articles 12 to 22 and Article 34, and Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, provided that such restriction respects the essence of fundamental rights and freedoms and constitutes a necessary and proportionate measure in a democratic society ensuring the following:
a) national security;
b) national defense;
c) public safety;
d) the prevention, investigation, detection or prosecution of criminal offenses or the execution of sentences, including the protection against and the prevention of threats to public safety;
e) the protection of other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, such as in the monetary, budgetary, fiscal, public health and social security fields;
f) the protection of the independence of the judiciary and the protection of judicial proceedings;
g) the prevention, detection, investigation and prosecution of violations of the professional rules of regulated professions;
h) control, supervisory and regulatory functions permanently or temporarily connected with the exercise of official authority for the purposes referred to in subparagraphs (a) to (e) and (g);
i) the protection of the data subject or the rights and freedoms of others;
j) the enforcement of civil claims.
(2) Any legislative measure referred to in paragraph 1 shall, in particular, contain specific provisions, as appropriate, at least with respect to the following:
a) the purposes of the processing or the categories of processing;
b) the categories of personal data;
c) the scope of the restrictions introduced;
d) the safeguards against misuse or unlawful access or unlawful transmission;
e) the specification of the controller or categories of controllers;
f) the respective storage periods and the applicable safeguards, taking into account the nature, scope and purposes of the processing or the categories of processing;
g) the risks to the rights and freedoms of data subjects; and
h) the right of data subjects to be informed of the restriction, unless this is detrimental to the purpose of the restriction.
Recitals
(73) Union or Member State law may provide for limitations with regard to certain principles and with regard to the right of information, access to and rectification or erasure of personal data, the right to data portability and to object, decisions based on profiling, as well as notifications of a personal data breach to a data subject and certain related obligations of data controllers, to the extent necessary and proportionate in a democratic society to maintain public safety, including, but not limited to, the protection of human life, in particular in the event of natural or man-made disasters, the prevention, detection and prosecution of criminal offences or the execution of sentences – which includes the protection against and the prevention of threats to public security – or the prevention, detection and prosecution of breaches of professional ethics in the case of regulated professions, the keeping of public registers for reasons of general public interest, and the further processing of archived personal data to provide specific information related to political behavior under former totalitarian regimes, and to protect other important objectives of general public interest of the Union or a Member State, such as important economic or financial interests, or to protect the data subject and the rights and freedoms of others, including in the areas of social security, public health and humanitarian aid. These restrictions should be consistent with the Charter and with the European Convention for the Protection of Human Rights and Fundamental Freedoms.
Chapter IV Controller and Processor
Section 1 General Duties
Article 24 Responsibility of the controller
(1) The controller shall implement appropriate technical and organizational measures to ensure and provide evidence that the processing is carried out in compliance with this Regulation, taking into account the nature, scope, context and purposes of the processing as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons. Those measures shall be reviewed and updated as necessary.
(2) Provided that it is proportionate to the processing activities, the measures referred to in paragraph 1 shall include the application by the controller of appropriate data protection safeguards.
(3) Compliance with approved codes of conduct pursuant to Article 40 or with an approved certification procedure pursuant to Article 42 may be used as a factor to demonstrate compliance with the obligations of the controller.
Recitals
(74) The responsibility and liability of the controller for any processing of personal data carried out by it or on its behalf should be regulated. In particular, the controller should be required to take appropriate and effective measures and to be able to demonstrate that the processing activities comply with this Regulation and that the measures are also effective. In doing so, he should take into account the nature, scope, circumstances and purposes of the processing and the risk to the rights and freedoms of natural persons.
(75) The risks to the rights and freedoms of natural persons – with varying likelihood and severity – may arise from processing of personal data that could result in physical, material or non-material damage, in particular where the processing may result in discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of personal data subject to professional secrecy, unauthorized removal of pseudonymization, or other significant economic or social disadvantage, if data subjects are deprived of their rights and freedoms or prevented from controlling personal data concerning them, if personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and genetic data, health data or data concerning sexual life or criminal convictions and offences or related security measures are processed, when personal aspects are evaluated, in particular when aspects concerning work performance, economic situation, health, personal preferences or interests, reliability or behavior, location or change of location are analyzed or predicted in order to create or use personal profiles, when personal data of vulnerable natural persons, in particular data of children, are processed, or when the processing involves a large amount of personal data and a large number of data subjects.
(76) The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined in relation to the nature, scope, circumstances and purposes of the processing. The risk should be assessed on the basis of an objective evaluation determining whether the data processing presents a risk or a high risk.
(77) Guidance on how the controller or processor is to implement appropriate measures and how to demonstrate compliance with the requirements, in particular as regards the identification of the risk associated with the processing, its assessment in terms of cause, nature, likelihood and severity, and the identification of best practices for its mitigation, could be provided in particular in the form of approved codes of conduct, approved certification procedures, guidance issued by the Board or advice from a data protection officer. The Board may also issue guidance on processing operations that are not considered to present a high risk to the rights and freedoms of natural persons and indicate which mitigation measures may be sufficient in such cases.
Article 25 Data protection by design and by default
(1) Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons posed by the processing, the controller shall implement, both at the time of the determination of the means for the processing and at the time of the processing itself, appropriate technical and organizational measures, such as pseudonymization, designed to effectively implement data protection principles, such as data minimization, and to incorporate the necessary safeguards into the processing in order to meet the requirements of this Regulation and to protect the rights of data subjects.
(2) The controller shall implement appropriate technical and organizational measures to ensure that, by default, only personal data whose processing is necessary for each specific purpose of the processing are processed. This obligation shall apply to the amount of personal data collected, the scope of their processing, their storage period and their accessibility. In particular, such measures must ensure that personal data are not made accessible to an indefinite number of natural persons through default settings without the intervention of the individual.
(3) An approved certification procedure pursuant to Article 42 may be used as a factor to demonstrate compliance with the requirements referred to in paragraphs (1) and (2) of this Article.
Recitals
(78) In order to protect the rights and freedoms of natural persons with regard to the processing of personal data, it is necessary that appropriate technical and organisational measures are taken to ensure compliance with the requirements of this Regulation. In order to be able to demonstrate compliance with this Regulation, the controller should establish internal policies and implement measures that comply, in particular, with the principles of data protection by design and data protection by default. Such measures could include minimizing the processing of personal data, pseudonymizing personal data as soon as possible, providing transparency regarding the functions and processing of personal data, enabling the data subject to monitor the processing of personal data, and enabling the controller to create and improve security features. With regard to the development, design, selection and use of applications, services and products that either rely on the processing of personal data or process personal data to perform their tasks, the producers of the products, services and applications should be encouraged to take into account the right to data protection in the development and design of the products, services and applications and to ensure, with due regard to the state of the art, that controllers and processors are able to comply with their data protection obligations. The principles of data protection by design and by default should also be taken into account in public tenders.
Article 26 Joint controllers
(1) If two or more controllers jointly determine the purposes of and means for processing, they shall be joint controllers. They shall specify in an agreement in a transparent manner which of them fulfills which obligation under this Regulation, in particular as regards the exercise of the rights of the data subject, and which of them fulfills which information obligations under Articles 13 and 14, unless and insofar as the respective tasks of the controllers are laid down by Union or Member State law to which the controllers are subject. The agreement may specify a contact point for the data subjects.
(2) The agreement referred to in paragraph 1 shall duly reflect the respective actual functions and relations of the joint controllers towards data subjects. The essence of the agreement shall be made available to the data subject.
(3) Notwithstanding the details of the agreement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.
Recitals
(79) In order to protect the rights and freedoms of data subjects and with regard to the responsibility and liability of controllers and processors, there is a need for a clear allocation of responsibilities by this Regulation, including where a controller determines the purposes and means of processing jointly with other controllers or where a processing operation is carried out on behalf of a controller, also with a view to the monitoring by and other measures of supervisory authorities.
Article 27 Representatives of controllers or processors not established in the Union
(1) In the cases referred to in Article 3(2), the controller or processor shall designate in writing a representative in the Union.
(2) The obligation under paragraph 1 of this Article shall not apply to
a) processing which is occasional, does not involve the processing of special categories of data on a large scale within the meaning of Article 9(1) or the processing of personal data relating to criminal convictions and offences on a large scale within the meaning of Article 10, and is not likely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, circumstances, scope and purposes of the processing; or
b) authorities or public bodies.
(3) The representative must be established in one of the Member States where the data subjects whose personal data are processed in connection with the goods or services offered to them or whose behavior is monitored are located.
(4) The representative shall be appointed by the controller or processor to serve, in addition to or in place of the controller or processor, as a point of contact in particular for supervisory authorities and data subjects on all issues related to the processing to ensure compliance with this Regulation.
(5) The appointment of a representative by the controller or processor shall be without prejudice to any legal action against the controller or processor itself.
Recitals
(80) Any controller or processor not established in the Union whose processing activities relate to data subjects present in the Union and are intended to offer goods or services to such data subjects in the Union, whether or not payment is required from the data subject, or to monitor their behaviour where it takes place within the Union, should be required to designate a representative, unless the processing is carried out on an occasional basis, does not involve the processing of special categories of personal data on a large scale or the processing of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons having regard to its nature, circumstances, scope and purposes, or the controller is a public authority or body. The representative should act on behalf of the controller or processor and serve as a point of contact for supervisory authorities. The controller or processor should expressly appoint and authorize in writing the representative to act in its stead with respect to the obligations incumbent on it under this Regulation. The appointment of such a representative does not affect the responsibility or liability of the controller or processor under this Regulation. Such representative should perform his or her tasks in accordance with the mandate of the controller or processor and, in particular, cooperate with the competent supervisory authorities with regard to measures to ensure compliance with this Regulation. In the event of breaches by the controller or processor, the appointed representative should be subject to enforcement procedures.
Article 28 Processor
(1) Where processing is carried out on behalf of a controller, the controller shall only work with processors providing sufficient guarantees that appropriate technical and organizational measures will be implemented in such a way that the processing will be carried out in compliance with the requirements of this Regulation and will ensure the protection of the rights of the data subject.
(2) The processor shall not use any other processor without the prior separate or general written consent of the controller. In the case of general written approval, the processor shall always inform the controller of any intended change regarding the use or substitution of other processors, giving the controller the opportunity to object to such changes.
(3) Processing by a processor shall be carried out on the basis of a contract or other legal instrument under Union or Member State law which binds the processor in relation to the controller and which specifies the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the obligations and rights of the controller. Such contract or other legal instrument shall provide, in particular, that the processor:
a) processes the personal data only on the documented instructions of the controller – including in relation to the transfer of personal data to a third country or an international organization – unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall notify the controller of such legal requirements prior to the processing, unless the law in question prohibits such notification on grounds of important public interest;
b) ensures that the persons authorized to process the personal data have committed themselves to confidentiality or are subject to an appropriate legal duty of confidentiality;
c) takes all necessary measures in accordance with Article 32;
d) complies with the conditions referred to in paragraphs 2 and 4 for the use of the services of another processor;
e) in view of the nature of the processing, assists the controller, where possible, with appropriate technical and organizational measures to comply with its obligation to respond to requests to exercise the rights of the data subject referred to in Chapter III;
f) taking into account the nature of the processing and the information at its disposal, assists the controller in complying with the obligations referred to in Articles 32 to 36;
g) upon completion of the provision of the processing services, either erases or returns all personal data at the choice of the controller and deletes the existing copies, unless there is an obligation to store the personal data under Union or Member State law;
h) provides the controller with all necessary information to demonstrate compliance with the obligations set forth in this Article and allows and contributes to verifications, including inspections, conducted by the controller or another auditor appointed by the controller.
With regard to point (h) of the first subparagraph, the processor shall inform the controller without undue delay if it considers that an instruction infringes this Regulation or other Union or Member State data protection provisions.
(4) Where the processor uses the services of another processor to carry out certain processing activities on behalf of the controller, the same data protection obligations as those laid down in the contract or other legal instrument between the controller and the processor referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal instrument in accordance with Union law or the law of the Member State concerned, in particular providing sufficient guarantees that the appropriate technical and organizational measures will be implemented in such a way that the processing will be carried out in accordance with the requirements of this Regulation. If the further processor fails to comply with its data protection obligations, the first processor shall be liable to the controller for compliance with the obligations of that other processor.
(5) Compliance by a processor with approved codes of conduct pursuant to Article 40 or with an approved certification procedure pursuant to Article 42 may be used as a factor to demonstrate sufficient guarantees within the meaning of paragraphs 1 and 4 of this Article.
(6) Without prejudice to an individual contract between the controller and the processor, the contract or other legal instrument referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on the standard contractual clauses referred to in paragraphs 7 and 8 of this Article, even if they are part of a certification granted to the controller or the processor pursuant to Articles 42 and 43.
(7) The Commission may, in accordance with the examination procedure referred to in Article 87(2), adopt standard contractual clauses to address the issues referred to in paragraphs 3 and 4 of this Article.
(8) A supervisory authority may, in accordance with the consistency mechanism referred to in Article 63, establish standard contractual clauses to address the issues referred to in paragraphs 3 and 4 of this Article.
(9) The contract or other legal instrument referred to in paragraphs 3 and 4 shall be in writing, which may also be in an electronic format.
(10) Without prejudice to Articles 82, 83 and 84, a processor who determines the purposes and means of processing in breach of this Regulation shall be deemed to be a controller in relation to that processing.
Recitals
(81) In order to comply with the requirements of this Regulation in relation to the processing to be carried out by the processor on behalf of the controller, a controller intending to entrust processing activities to a processor should only use processors providing sufficient guarantees, in particular in terms of expertise, reliability and resources, that technical and organisational measures, including for the security of the processing, will be implemented in compliance with the requirements of this Regulation. A processor’s compliance with approved codes of conduct or an approved certification procedure may be used as a factor to demonstrate compliance with the controller’s obligations. Processing by a processor should be carried out on the basis of a contract or other legal instrument under Union or Member State law binding the processor to the controller and specifying the subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal data and the categories of data subjects, taking into account the specific tasks and obligations of the processor in the processing envisaged and the risk to the rights and freedoms of the data subject. The controller and processor may decide to use an individual contract or standard contractual clauses, either adopted directly by the Commission or adopted by a supervisory authority after the consistency procedure and then adopted by the Commission. Upon termination of the processing on behalf of the controller, the processor should, at the choice of the controller, either return or erase the personal data, unless there is an obligation to retain the personal data under Union or Member State law to which the processor is subject.
(95) Where necessary, the processor should assist the controller, upon request, in ensuring compliance with the obligations resulting from the performance of the data protection impact assessment and the prior consultation of the supervisory authority.
Article 29 Processing under the supervision of the controller or processor
The processor and any person subordinate to the controller or processor who has access to personal data may process such data only on the instructions of the controller, unless they are obliged to process under Union or Member State law.
Article 30 Register of processing activities
(1) Each controller and, where applicable, its representative shall keep a register of all processing activities under its responsibility. This register shall contain all of the following information:
a) the name and contact details of the controller and, if applicable, of any joint controller, of the controller’s representative and of any data protection officer;
b) the purposes of the processing;
c) a description of the categories of data subjects and the categories of personal data;
d) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
e) where applicable, transfers of personal data to a third country or to an international organization, including an indication of the third country or international organization concerned and, in the case of transfers referred to in the second subparagraph of Article 49(1), documentation of appropriate safeguards;
f) if possible, the foreseen deadlines for the deletion of the different categories of data;
g) if possible, a general description of the technical and organizational measures referred to in Article 32(1).
(2) Each processor and, where applicable, its representative shall keep a register of all categories of processing activities carried out on behalf of a controller, which shall include:
a) the name and contact details of the processor or processors and of any controller on whose behalf the processor is acting and, where applicable, of the controller’s or processor’s representative and of any data protection officer;
b) the categories of processing operations carried out on behalf of each controller;
c) where applicable, transfers of personal data to a third country or to an international organization, including an indication of the third country or international organization concerned and, in the case of transfers referred to in the second subparagraph of Article 49(1), documentation of appropriate safeguards;
d) if possible, a general description of the technical and organizational measures referred to in Article 32(1).
(3) The register referred to in paragraphs 1 and 2 shall be kept in writing, which may also be in an electronic format.
(4) The controller or processor and, if applicable, the controller’s or processor’s representative shall make the register available to the supervisory authority upon request.
(5) The obligations referred to in paragraphs 1 and 2 shall not apply to undertakings or bodies employing fewer than 250 staff, unless the processing they carry out involves a risk to the rights and freedoms of data subjects, the processing is not occasional, or it involves the processing of special categories of data referred to in Article 9(1) or the processing of personal data relating to criminal convictions and offences referred to in Article 10.
Recitals
(82) In order to demonstrate compliance with this Regulation, the controller or processor should keep a register of the processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and to provide it, upon request, with the relevant register so that the processing operations concerned can be checked against those registers.
Article 31 Cooperation with the supervisory authority
The controller and processor and, if applicable, their representatives shall cooperate with the supervisory authority in the performance of their duties upon request.
Section 2 Security of personal data
Article 32 Security of processing
(1) Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, the controller and processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, where applicable, the following:
a) the pseudonymization and encryption of personal data;
b) the ability to ensure the confidentiality, integrity, availability and resilience of the systems and services related to the processing on a permanent basis;
c) the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident;
d) a procedure for periodic review, assessment and evaluation of the effectiveness of technical and organizational measures to ensure the security of processing.
(2) The assessment of the adequate level of protection shall take into account, in particular, the risks posed by the processing, in particular by the destruction, loss, alteration or unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed, whether accidental or unlawful.
(3) Compliance with approved codes of conduct pursuant to Article 40 or an approved certification procedure pursuant to Article 42 may be used as a factor to demonstrate compliance with the requirements referred to in paragraph 1 of this Article.
(4) The controller and the processor shall take steps to ensure that natural persons under their authority who have access to personal data process them only on instructions from the controller, unless they are obliged to process them under Union or Member State law.
Recitals
(83) In order to maintain security and to prevent processing in breach of this Regulation, the controller or processor should identify the risks inherent in the processing and implement measures to mitigate them, such as encryption. These measures should ensure a level of protection, including confidentiality, appropriate to the risks represented by the processing and the nature of the personal data to be protected, taking into account the state of the art and the costs of implementation. The data security risk assessment should take into account the risks associated with the processing of personal data, such as, whether accidental or unlawful, destruction, loss, alteration or unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed, in particular where this could result in physical, material or non-material damage.
Article 33 Notification of personal data breaches to the supervisory authority
(1) In the event of a personal data breach, the controller shall, without undue delay and, where possible, within 72 hours of becoming aware of the breach, notify it to the supervisory authority responsible pursuant to Article 51, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by a justification for the delay.
(2) If the processor becomes aware of a personal data breach, it shall notify the controller thereof without undue delay.
(3) The notification referred to in paragraph 1 shall contain at least the following information:
a) a description of the nature of the personal data breach, including, to the extent possible, the categories and approximate number of data subjects affected and the categories and approximate number of personal data records affected;
b) the name and contact details of the data protection officer or other point of contact for further information;
c) a description of the likely consequences of the personal data breach;
d) a description of the measures taken or proposed by the controller to address the personal data breach and, where appropriate, measures to mitigate its potential adverse effects.
(4) If and to the extent that the information cannot be provided at the same time, the controller may provide such information incrementally without unreasonable further delay.
(5) The controller shall document personal data breaches, including all facts related to the personal data breach, its effects and the remedial actions taken. This documentation shall enable the supervisory authority to verify compliance with the provisions of this Article.
Recitals
(85) A personal data breach, if not addressed in a timely and appropriate manner, may result in physical, material or non-material harm to natural persons, such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorized removal of pseudonymization, damage to reputation, loss of confidentiality of data subject to professional secrecy, or other significant economic or social harm to the natural person concerned. Therefore, as soon as the controller becomes aware of a personal data breach, it should notify the supervisory authority of the personal data breach without undue delay and, if possible, within no more than 72 hours of becoming aware of the breach, unless the controller can demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the personal rights and freedoms of natural persons. If this notification cannot be provided within 72 hours, it should be required to specify the reasons for the delay and the information can be provided progressively without unreasonable further delay.
(88) Detailed rules governing the format and procedures for the notification of personal data breaches should take sufficient account of the circumstances of the breach, such as whether personal data was protected by appropriate technical safeguards that effectively reduce the likelihood of identity fraud or other forms of data misuse. Moreover, such rules and procedures should take into account the legitimate interests of law enforcement in cases where early disclosure would unnecessarily impede the investigation of the circumstances surrounding a personal data breach.
Article 34 Notification to the data subject of a personal data breach
(1) If the personal data breach is likely to result in a high risk to the personal rights and freedoms of natural persons, the controller shall notify the data subject of the breach without undue delay.
(2) The notification to the data subject referred to in paragraph 1 shall describe in clear and plain language the nature of the personal data breach and shall include at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).
(3) Notification to the data subject under paragraph 1 is not required if any of the following conditions are met:
a) the controller has implemented appropriate technical and organizational security measures and these measures have been applied to the personal data affected by the breach, in particular those that make the personal data inaccessible to all persons who are not authorized to access the personal data, such as through encryption;
b) the controller has ensured by subsequent measures that the high risk to the rights and freedoms of the data subjects referred to in paragraph 1 is no longer likely to exist;
c) the notification would involve a disproportionate effort. In this case, a public announcement or a similar measure must be made instead, by which the persons affected are informed in a comparably effective manner.
(4) If the data controller has not already notified the data subject of the personal data breach, the supervisory authority, taking into account the likelihood that the personal data breach will result in a high risk, may require the data controller to do so, or may determine by means of a decision that certain of the conditions referred to in paragraph 3 are met.
Recitals
(86) The controller should notify the data subject of the personal data breach without undue delay where the personal data breach is likely to result in a high risk to the personal rights and freedoms of natural persons, in order to enable them to take the necessary precautions. The notification should include a description of the nature of the personal data breach and recommendations addressed to the natural person concerned to mitigate any adverse effects of that breach. Such notifications to the data subject should always be made as soon as reasonably practicable, in close consultation with the supervisory authority and in accordance with any instructions given by the supervisory authority or other competent authorities, such as law enforcement authorities. For example, to be able to mitigate the risk of immediate harm, data subjects would need to be notified immediately, whereas a longer notification period may be justified when the purpose is to take appropriate measures against ongoing or similar personal data breaches.
(87) It should be determined whether all appropriate technical protection measures as well as organizational measures have been taken in order to be able to determine immediately whether a personal data breach has occurred and to be able to notify the supervisory authority and the data subject without undue delay. In determining whether notification has been made without undue delay, consideration should be given to the nature and gravity of the personal data breach and its consequences and adverse effects for the data subject. The appropriate notification may result in action by the supervisory authority in accordance with its duties and powers set forth in this Regulation.
Section 3 Data protection impact assessment and prior consultation
Article 35 Data protection impact assessment
(1) Where a form of processing, in particular where new technologies are used, is likely to result in a high risk to the rights and freedoms of natural persons by virtue of the nature, scope, context and purposes of the processing, the controller shall conduct a prior assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may be carried out to examine several similar processing operations with similar high risks.
(2) The controller shall seek the advice of the data protection officer, if one has been appointed, when conducting a data protection impact assessment.
(3) A data protection impact assessment pursuant to paragraph 1 shall be required in particular in the following cases:
a) systematic and comprehensive assessment of personal aspects relating to natural persons which is based on automated processing, including profiling, and which in turn serves as a basis for decisions which produce legal effects concerning natural persons or similarly significantly affect them;
b) extensive processing of special categories of personal data pursuant to Article 9(1) or of personal data relating to criminal convictions and offences pursuant to Article 10; or
c) systematic extensive monitoring of publicly accessible areas.
(4) The supervisory authority shall draw up and make public a list of the processing operations for which a data protection impact assessment is to be carried out pursuant to paragraph 1. The supervisory authority shall communicate those lists to the Board referred to in Article 68.
(5) The supervisory authority may further establish and publish a list of the types of processing operations for which a data protection impact assessment is not required. The supervisory authority shall communicate these lists to the Board.
(6) Before determining the lists referred to in paragraphs 4 and 5, the competent supervisory authority shall apply the consistency mechanism referred to in Article 63 where such lists include processing activities which are related to the offering of goods or services to data subjects or the monitoring of the behavior of such data subjects in several Member States or which could significantly affect the free flow of personal data within the Union.
(7) At a minimum, the impact assessment shall include the following:
a) a systematic description of the processing operations envisaged and the purposes of the processing, including, where appropriate, the legitimate interests pursued by the controller;
b) an assessment of the necessity and proportionality of the processing operations in relation to the purpose;
c) an assessment of the risks to the rights and freedoms of the data subjects referred to in paragraph 1; and
d) the mitigating measures envisaged to address the risks, including safeguards, security measures and procedures ensuring the protection of personal data and demonstrating compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.
(8) Compliance with approved codes of conduct referred to in Article 40 by the responsible controllers or the responsible processors shall be duly taken into account when assessing the impact of the processing operations carried out by them, in particular for the purposes of a data protection impact assessment.
(9) The controller shall, where appropriate, seek the views of data subjects or their representatives on the intended processing without prejudice to the protection of commercial or public interests or the security of processing operations.
(10) Where the processing referred to in Article 6(1)(c) or (e) is based on a legal basis in Union law or in the law of the Member State to which the controller is subject and where that legislation governs the specific processing operation or operations and a data protection impact assessment has already been carried out in the context of the general impact assessment related to the adoption of that legal basis, paragraphs 1 to 7 shall apply only where Member States have the discretion to require such an impact assessment to be carried out prior to the processing activities concerned.
(11) Where necessary, the controller shall conduct a review to assess whether the processing is carried out in accordance with the data protection impact assessment, at least where there have been changes in the risk associated with the processing operations.
Recitals
(84) In order to better comply with this Regulation in cases where the processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the controller should be responsible for carrying out a data protection impact assessment evaluating in particular the cause, nature, specificity and severity of that risk. The results of the assessment should be taken into account when deciding on the appropriate measures to be taken to demonstrate that the processing of personal data complies with this Regulation. Where a data protection impact assessment indicates that processing operations present a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and implementation costs, the supervisory authority should be consulted prior to the processing.
(89) Under Directive 95/46/EC, personal data processing operations were generally subject to notification to supervisory authorities. This notification obligation is bureaucratic and financially burdensome and has nevertheless not led to better protection of personal data in all cases. These indiscriminate general notification requirements should therefore be abolished and replaced by effective procedures and mechanisms that instead prioritize those types of processing operations that are likely to present a high risk to the rights and freedoms of natural persons by virtue of their nature, their scope, their circumstances and their purposes. Such types of processing operations include, in particular, those that involve new technologies or are novel and for which the controller has not yet carried out a data protection impact assessment or for which a data protection impact assessment has become necessary due to the time that has elapsed since the original processing.
(90) In such cases, the controller should carry out a data protection impact assessment prior to the processing, evaluating the specific likelihood and severity of that high risk, taking into account the nature, scope, circumstances and purposes of the processing and the causes of the risk. That impact assessment should address in particular the measures, safeguards and procedures to mitigate that risk, ensure the protection of personal data and demonstrate compliance with the provisions of this Regulation.
(91) This should apply in particular to large processing operations which are intended to process large amounts of personal data at regional, national or supranational level, are likely to affect a large number of individuals and are likely to involve a high risk, for example, due to their sensitivity, and which involve the widespread use of new technology in accordance with the state of the art, as well as to other processing operations which present a high risk to the rights and freedoms of data subjects, in particular where those processing operations make it difficult for data subjects to exercise their rights. A data protection impact assessment should also be carried out where the personal data are processed for the purpose of taking decisions relating to specific natural persons following a systematic and in-depth assessment of personal aspects of natural persons based on profiling of those data or following the processing of special categories of personal data, biometric data or data relating to criminal convictions and offences and related security measures. Similarly, a data protection impact assessment is required for wide-area monitoring of publicly accessible areas, in particular by means of optoelectronic devices, or for any other operation where, in the opinion of the competent supervisory authority, the processing is likely to result in a high risk to the rights and freedoms of data subjects, in particular because it prevents data subjects from exercising a right or using a service or performing a contract, or because it is carried out on a large scale on a systematic basis. The processing of personal data should not be considered to be on a large scale if the processing concerns personal data of patients or of clients and is carried out by an individual doctor, other health professional or lawyer. In these cases, a data protection impact assessment should not be mandatory.
(92) In certain circumstances, it may be reasonable and appropriate from an economic point of view not to base a data protection impact assessment only on a specific project, but to make it broader in scope – for example, when public authorities or public bodies want to create a common application or processing platform, or when several controllers want to implement a common application or processing environment for an entire economic sector, for a specific market segment, or for a widespread horizontal activity.
(93) On the occasion of the adoption of the law of the Member State on the basis of which the public authority or body performs its tasks and which regulates the processing operation or types of processing operations in question, Member States may deem it necessary to carry out such impact assessments prior to the processing operations.
Article 36 Prior consultation
(1) The controller shall consult the supervisory authority prior to the processing if a data protection impact assessment pursuant to Article 35 indicates that the processing would result in a high risk, unless the controller takes measures to mitigate the risk.
(2) If the supervisory authority considers that the intended processing referred to in paragraph 1 would not be in compliance with this Regulation, in particular because the controller has not sufficiently identified or mitigated the risk, it shall make appropriate written recommendations to the controller and, where applicable, to the processor within a period of up to eight weeks after receipt of the request for consultation and may exercise its powers referred to in Article 58. This period may be extended by six weeks, taking into account the complexity of the intended processing. The supervisory authority shall inform the controller or, where applicable, the processor of any such extension of time limits within one month of receipt of the request for consultation, together with the reasons for the delay. Such time limits may be suspended until the supervisory authority has received the information requested for the purposes of the consultation.
(3) The controller shall provide the following information to the supervisory authority during a consultation pursuant to paragraph 1:
a) where applicable, information on the respective responsibilities of the controller, the joint controllers and the processors involved in the processing, in particular in the case of processing within a group of companies;
b) the purposes and means of the intended processing;
c) the measures and safeguards provided for the protection of the rights and freedoms of data subjects under this Regulation;
d) if applicable, the contact details of the data protection officer;
e) the data protection impact assessment pursuant to Article 35, and
f) any other information requested by the supervisory authority.
(4) Member States shall consult the supervisory authority when preparing a proposal for legislative measures to be adopted by a national parliament or regulatory measures based on such legislative measures which relate to processing.
(5) Notwithstanding paragraph 1, controllers may be required by Member State law to consult the supervisory authority and obtain its prior authorisation when processing for the performance of a task carried out in the public interest, including processing for social security and public health purposes.
Recitals
(94) Where a data protection impact assessment indicates that the processing would result in a high risk to the rights and freedoms of natural persons in the absence of safeguards, security measures and mechanisms to mitigate the risk, and the controller considers that the risk cannot be mitigated by means that are reasonable in terms of available technologies and implementation costs, the supervisory authority should be consulted prior to the start of the processing activities. Such high risk is likely to be associated with certain types of processing and the scale and frequency of processing, which may also result in damage to or interference with personal rights and freedoms for natural persons. The supervisory authority should respond to the request for advice within a certain period of time. However, even if it has not responded within this period, it may intervene in accordance with its tasks and powers set out in this Regulation, which includes the power to prohibit processing operations. As part of this consultation process, the result of a data protection impact assessment carried out in relation to the processing of personal data concerned may be submitted to the supervisory authority, in particular as regards the measures envisaged to mitigate the risk to the rights and freedoms of natural persons.
(96) Consultation of the supervisory authority should also take place during the preparation of legislative or regulatory measures providing for the processing of personal data, in order to ensure the compatibility of the envisaged processing with this Regulation and, in particular, to mitigate the risk thereof for the data subject.
Section 4 Data Protection Officer
Article 37 Appointment of a data protection officer
(1) The controller and the processor shall appoint a data protection officer in any case if
a) the processing is carried out by a public authority or public body, with the exception of courts, insofar as they act within the scope of their judicial activities,
b) the core activity of the controller or processor consists in carrying out processing operations which, by virtue of their nature, their scope and/or their purposes, require extensive regular and systematic monitoring of data subjects, or
c) the core activity of the controller or processor consists in the extensive processing of special categories of data pursuant to Article 9 or of personal data relating to criminal convictions and criminal offenses pursuant to Article 10.
(2) A group of companies may appoint a joint data protection officer, provided that the data protection officer can be easily reached from each branch.
(3) If the controller or processor is a public authority or public body, a joint data protection officer may be appointed for several such authorities or bodies, taking into account their organizational structure and size.
(4) In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may, and if required by Union or Member State law, shall, designate a data protection officer. The Data Protection Officer may act on behalf of such associations and other bodies representing controllers or processors.
(5) The Data Protection Officer shall be appointed on the basis of his/her professional qualifications and, in particular, the expertise he/she possesses in the field of data protection law and practice, as well as his/her ability to perform the tasks referred to in Article 39.
(6) The Data Protection Officer may be an employee of the Controller or the Processor or perform his/her tasks on the basis of a service contract.
(7) The Controller or Processor shall publish the contact details of the Data Protection Officer and notify these data to the supervisory authority.
Recitals
(97) In cases where the processing is carried out by a public authority, with the exception of courts or independent judicial authorities acting in the course of their judicial activities, in the private sector by a controller whose core activity consists of processing operations which require regular and systematic monitoring of data subjects on a large scale, or where the core activity of the controller or processor consists of large-scale processing of special categories of personal data or data relating to criminal convictions and criminal offenses, the controller or processor should be assisted in monitoring internal compliance with the provisions of this Regulation by another person with expertise in data protection law and procedures. In the private sector, the core activity of a controller refers to its main activities and not to the processing of personal data as an ancillary activity. The level of expertise required should be based, in particular, on the data processing operations carried out and the protection required for the personal data processed by the controller or processor. Such data protection officers, whether or not they are employees of the controller, should be able to perform their duties and tasks in complete independence.
Article 38 Position of the Data Protection Officer
(1) The Controller and the Processor shall ensure that the Data Protection Officer is properly involved in all issues related to the protection of personal data at an early stage.
(2) The Controller and Processor shall assist the Data Protection Officer in the performance of his or her duties under Article 39 by providing the resources necessary for the performance of those duties and access to personal data and processing operations, as well as the resources necessary to maintain his or her expertise.
(3) The controller and the processor shall ensure that the data protection officer does not receive any instructions regarding the performance of these tasks. The data protection officer may not be dismissed or disadvantaged by the controller or processor because of the performance of his/her tasks. The data protection officer shall report directly to the highest management level of the controller or processor.
(4) Data subjects may consult the Data Protection Officer on any matter relating to the processing of their personal data and the exercise of their rights under this Regulation.
(5) The Data Protection Officer shall be bound by secrecy or confidentiality in the performance of his or her duties under Union or national law.
(6) The data protection officer may perform other tasks and duties. The controller or processor shall ensure that such tasks and duties do not lead to a conflict of interest.
Article 39 Tasks of the Data Protection Officer
(1) The data protection officer shall be responsible for at least the following tasks:
a) informing and advising the controller or processor and the employees carrying out processing operations about their obligations under this Regulation and under other Union or national data protection legislation;
b) Monitoring compliance with this Regulation, other Union or Member State data protection legislation, and the controller’s or processor’s personal data protection policies, including the allocation of responsibilities, awareness-raising and training of staff involved in processing operations, and reviews thereof;
c) Advice – upon request – in connection with the data protection impact assessment and monitoring of its implementation pursuant to Article 35;
d) Cooperation with the supervisory authority;
e) Acting as a point of contact for the supervisory authority on matters related to the processing, including prior consultation pursuant to Article 36, and advising on any other matters as appropriate.
(2) The Data Protection Officer shall, in the performance of his/her duties, take due account of the risk associated with the processing operations, taking into account the nature, scope, circumstances and purposes of the processing.
Section 5 Codes of conduct and certification
Article 40 Codes of conduct
(1) Member States, the supervisory authorities, the Committee and the Commission shall encourage the development of codes of conduct to contribute to the proper application of this Regulation, taking into account the specificities of each processing sector and the particular needs of micro, small and medium-sized enterprises.
(2) Associations and other bodies representing categories of controllers or processors may draw up or amend or extend codes of conduct clarifying the application of this Regulation, for example on the following:
a) fair and transparent processing;
b) the legitimate interests of controllers in certain contexts;
c) Collection of personal data;
d) Pseudonymization of personal data;
e) Informing the public and affected individuals;
f) Exercise of the rights of data subjects;
g) Information and protection of children and the manner in which the consent of the holder of parental responsibility for the child is to be obtained;
h) the measures and procedures referred to in Articles 24 and 25 and the measures for the security of processing referred to in Article 32;
i) reporting personal data breaches to supervisory authorities and notifying the data subject of such personal data breaches;
j) the transfer of personal data to third countries or to international organizations, or
k) out-of-court procedures and other dispute resolution procedures for the settlement of disputes between controllers and data subjects in relation to processing, without prejudice to the rights of data subjects under Articles 77 and 79.
(3) In addition to compliance by controllers or processors covered by this Regulation, codes of conduct approved in accordance with paragraph 5 of this Article and having general application in accordance with paragraph 9 of this Article may also be complied with by controllers or processors not covered by this Regulation in accordance with Article 3 in order to provide appropriate safeguards in the context of transfers of personal data to third countries or international organizations in accordance with Article 46(2)(e). Those controllers or processors shall enter into a binding and enforceable obligation, by means of contractual or other legally binding instruments, to apply the appropriate safeguards, including with respect to the rights of data subjects.
(4) The codes of conduct referred to in paragraph 2 of this Article shall provide for procedures enabling the body referred to in Article 41(1) to carry out mandatory monitoring of compliance with its provisions by controllers or processors who undertake to apply the codes of conduct, without prejudice to the tasks and powers of the supervisory authority competent under Article 55 or 56.
(5) Associations and other bodies referred to in paragraph 2 of this Article intending to develop codes of conduct or to amend or extend existing codes of conduct shall submit the draft code of conduct or the draft amendment or extension thereof to the supervisory authority competent pursuant to Article 55. The supervisory authority shall give an opinion on whether the draft code of conduct or the draft amendment or extension thereof is compatible with this Regulation and shall approve such draft code of conduct or the draft amendment or extension thereof if it considers that it provides sufficient appropriate safeguards.
(6) If the opinion referred to in paragraph 5 approves the draft code of conduct or the draft amendment or extension thereof and the code of conduct in question does not relate to processing activities in several Member States, the supervisory authority shall include the code of conduct in a list and publish it.
(7) Where the draft code of conduct relates to processing activities in several Member States, the supervisory authority competent pursuant to Article 55 shall, before approving the draft code of conduct or the draft amendment or extension thereof, submit it in accordance with the procedure referred to in Article 63 to the Board, which shall give an opinion on whether the draft code of conduct or the draft amendment or extension thereof complies with this Regulation or, in the case referred to in paragraph 3 of this Article, provides for appropriate safeguards.
(8) If the opinion referred to in paragraph 7 confirms that the draft code of conduct or the draft amendment or extension thereof is compatible with this Regulation or, in the case referred to in paragraph 3, provides for appropriate safeguards, the Committee shall forward its opinion to the Commission.
(9) The Commission may, by means of implementing acts, decide that the approved codes of conduct notified to it in accordance with paragraph 8, or their approved amendment or extension, shall have general application in the Union. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).
(10) The Commission shall ensure that the approved codes of conduct, which have been granted general validity in accordance with paragraph 9, are published in an appropriate manner.
(11) The Committee shall record all approved codes of conduct or their approved amendments or extensions in a register and publish them in an appropriate manner.
Recitals
(98) Associations or other bodies representing certain categories of controllers or processors should be encouraged to draw up codes of conduct within the limits of this Regulation in order to facilitate the effective application of this Regulation, taking into account the specificities of processing operations carried out in certain sectors and the specific needs of micro, small and medium-sized enterprises. In particular, these codes of conduct could determine the obligations of controllers and processors, taking into account the risk to the rights and freedoms of natural persons likely to result from the processing.
(99) When developing or amending or extending such codes of conduct, associations or other bodies representing certain categories of controllers or processors should consult relevant stakeholders, including, where possible, data subjects, and take into account the input and opinions they receive in the process.
Article 41 Monitoring of approved codes of conduct
(1) Without prejudice to the duties and powers of the competent supervisory authority under Articles 57 and 58, the monitoring of compliance with rules of conduct under Article 40 may be carried out by a body which has the appropriate expertise with respect to the subject matter of the rules of conduct and which has been accredited by the competent supervisory authority for that purpose.
(2) A body referred to in paragraph (1) may be accredited for the purpose of monitoring compliance with rules of conduct if it
a) has demonstrated its independence and expertise with respect to the subject matter of the rules of conduct to the satisfaction of the competent supervisory authority;
b) has established procedures that enable it to assess whether controllers and processors can apply the rules of conduct, to monitor the compliance of controllers and processors with the rules of conduct, and to review the application of the rules of conduct on a regular basis;
c) has established procedures and structures for investigating complaints about violations of the rules of conduct or about the way in which the rules of conduct are or have been applied by the controller or processor and for making these procedures and structures transparent to data subjects and the public; and
d) has demonstrated to the satisfaction of the relevant supervisory authority that its duties and responsibilities do not give rise to a conflict of interest.
(3) The competent supervisory authority shall communicate the draft criteria for the accreditation of a body referred to in paragraph 1 to the Committee in accordance with the consistency mechanism referred to in Article 63.
(4) Without prejudice to the tasks and powers of the competent supervisory authority and the provisions of Chapter VIII, a body referred to in paragraph 1 shall, subject to appropriate safeguards, take appropriate measures in the event of a breach of the rules of conduct by a controller or a processor, including temporary or permanent exclusion of the controller or processor from the rules of conduct. It shall inform the competent supervisory authority of such measures and their justification.
(5) The competent supervisory authority shall revoke the accreditation of a body referred to in paragraph 1 if the conditions for its accreditation are not or are no longer fulfilled or if the body takes measures which are not in conformity with this Regulation.
(6) This Article shall not apply to processing by public authorities or public bodies.
Article 42 Certification
(1) Member States, supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification schemes and data protection seals and marks to demonstrate compliance with this Regulation in processing operations by controllers or processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.
(2) In addition to compliance by controllers or processors covered by this Regulation, data protection specific certification procedures, seals or marks approved in accordance with paragraph 5 of this Article may also be provided for in order to demonstrate that controllers or processors not covered by this Regulation pursuant to Article 3 provide appropriate safeguards in the context of transfers of personal data to third countries or international organizations in accordance with point (f) of Article 46(2). Those controllers or processors shall enter into a binding and enforceable obligation, by means of contractual or other legally binding instruments, to apply those appropriate safeguards, including with respect to the rights of data subjects.
(3) Certification must be voluntary and accessible via a transparent procedure.
(4) Certification pursuant to this Article shall not diminish the responsibility of the controller or processor for compliance with this Regulation and shall not affect the tasks and powers of the supervisory authorities competent pursuant to Article 55 or 56.
(5) Certification under this Article shall be granted by the certification bodies referred to in Article 43 or by the competent supervisory authority on the basis of criteria approved by that competent supervisory authority in accordance with Article 58(3) or, in accordance with Article 63, by the Board. Where the criteria are approved by the Board, this may lead to a common certification, the European Data Protection Seal.
(6) The controller or processor subjecting the processing carried out by it to the certification procedure shall provide the certification body referred to in Article 43 or, where applicable, the competent supervisory authority with all the information necessary for carrying out the certification procedure and shall grant it the access to its processing activities required in this context.
(7) Certification shall be granted to a controller or processor for a maximum period of three years and may be renewed under the same conditions, provided that the relevant requirements continue to be met. Certification shall be revoked, as appropriate, by the certification bodies referred to in Article 43 or by the competent supervisory authority if the conditions for certification are not or are no longer met.
(8) The Committee shall record all certification procedures and data protection seals and marks in a register and publish them in an appropriate manner.
Recitals
(100) In order to increase transparency and improve compliance with this Regulation, it should be encouraged that certification procedures and data protection seals and marks are put in place to allow data subjects to have a quick overview of the level of data protection of relevant products and services.
Article 43 Certification bodies
(1) Without prejudice to the tasks and powers of the competent supervisory authority as referred to in Articles 57 and 58, certification bodies having the appropriate expertise in data protection shall, after informing the supervisory authority – in order to enable it to make use of its powers under point (h) of Article 58(2), if necessary – grant or renew certification. Member States shall ensure that those certification bodies are accredited by one or both of the following bodies:
a) the competent supervisory authority pursuant to Article 55 or 56;
b) the national accreditation body designated in accordance with Regulation (EC) No 765/2008 of the European Parliament and of the Council in conformity with EN-ISO/IEC 17065/2012 and with the additional requirements established by the competent supervisory authority in accordance with Article 55 or 56.
(2) Certification bodies referred to in paragraph (1) may be accredited in accordance with that paragraph only if they
a) have demonstrated their independence and expertise with respect to the subject matter of the certification to the satisfaction of the competent supervisory authority;
b) have undertaken to comply with the criteria referred to in Article 42(5) approved by the supervisory authority competent in accordance with Article 55 or 56 or, in accordance with Article 63, by the Committee;
c) have established procedures for the issuance, periodic review, and revocation of data protection certification and data protection seals and marks;
d) have established procedures and structures for investigating complaints about breaches of certification or the manner in which certification is or has been implemented by the controller or processor and for making those procedures and structures transparent to data subjects and the public; and
e) have demonstrated to the satisfaction of the relevant supervisory authority that their duties and responsibilities do not give rise to a conflict of interest.
(3) The accreditation of certification bodies referred to in paragraphs 1 and 2 shall be carried out on the basis of the criteria approved by the competent supervisory authority referred to in Article 55 or 56 or, in accordance with Article 63, by the Committee. In the case of accreditation under paragraph 1(b) of this Article, those requirements shall be additional to those provided for in Regulation (EC) No 765/2008 and in the technical rules describing the methods and procedures of certification bodies.
(4) The certification bodies referred to in paragraph 1 shall be responsible for the appropriate assessment underlying the certification or withdrawal of certification, without prejudice to the responsibility of the controller or processor for compliance with this Regulation. Accreditation shall be granted for a maximum period of five years and may be renewed under the same conditions, provided that the certification body complies with the requirements of this Article.
(5) The certification bodies referred to in paragraph 1 shall notify the competent supervisory authorities of the reasons for granting or withdrawing the certification applied for.
(6) The requirements referred to in paragraph 3 of this Article and the criteria referred to in Article 42(5) shall be published by the supervisory authority in an easily accessible form. The supervisory authorities shall also communicate those requirements and criteria to the Board. The Board shall include all certification procedures and data protection seals in a register and publish them in an appropriate manner.
(7) Without prejudice to Chapter VIII, the competent supervisory authority or the national accreditation body shall withdraw the accreditation of a certification body referred to in paragraph 1 if the conditions for accreditation are not or are no longer fulfilled or if a certification body takes measures which are incompatible with this Regulation.
(8) The Commission shall be empowered to adopt delegated acts in accordance with Article 92 to specify the requirements to be taken into account for the data protection specific certification procedures referred to in Article 42(1).
(9) The Commission may adopt implementing acts laying down technical standards for certification schemes and data protection seals and marks and mechanisms for the promotion and recognition of those certification schemes and data protection seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).
Chapter V Transfers of personal data to third countries or to international organizations
Article 44 General principle for data transfers
Any transfer of personal data already processed or to be processed after their transfer to a third country or an international organization shall only be allowed if the controller and the processor comply with the conditions laid down in this Chapter and also with the other provisions of this Regulation, including any onward transfer of personal data by the third country or international organization concerned to another third country or international organization. All provisions of this Chapter shall be applied in order to ensure that the level of protection of natural persons ensured by this Regulation is not undermined.
Recitals
(101) The flow of personal data from and to third countries and international organizations is necessary for the expansion of international trade and cooperation. The increase in these data flows has created new challenges and requirements in relation to the protection of personal data. However, the level of protection of individuals ensured by this Regulation throughout the Union should not be undermined when personal data are transferred from the Union to controllers, processors or other recipients in third countries or to international organizations, including when personal data are further transferred from a third country or from an international organization to controllers or processors in the same or another third country or to the same or another international organization. In any case, such data transfers to third countries and international organizations are only permitted in strict compliance with this Regulation. A data transfer could only take place if the conditions set out in this Regulation for the transfer of personal data to third countries or international organizations are met by the controller or processor, subject to the other provisions of this Regulation.
(102) This Regulation is without prejudice to international agreements between the Union and third countries concerning the transfer of personal data, including appropriate safeguards for data subjects. Member States may conclude international agreements involving the transfer of personal data to third countries or international organizations, provided that those agreements do not affect this Regulation or other provisions of Union law and include an adequate level of protection for the fundamental rights of data subjects.
Article 45 Transfers on the basis of an adequacy decision
(1) A transfer of personal data to a third country or an international organization may take place if the Commission has decided that the third country, territory or one or more specific sectors within that third country or international organization in question provides an adequate level of protection. Such transfer of data does not require a specific authorization.
(2) In assessing the adequacy of the level of protection afforded, the Commission shall take into account, in particular, the following:
a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation in force in the country or international organization concerned, both general and sectoral, including in relation to public security, defense, national security and criminal law, and access to personal data by public authorities, as well as the application of such legislation, data protection rules, professional rules and security rules, including rules governing onward transfers of personal data to another third country or another international organization, jurisdiction, and effective and enforceable data subject rights and effective administrative and judicial remedies for data subjects whose personal data are transferred,
b) the existence and effective functioning of one or more independent supervisory authorities in the third country concerned or to which an international organization is answerable and which are responsible for ensuring compliance with and enforcement of data protection rules, including appropriate enforcement powers, for assisting and advising data subjects in the exercise of their rights, and for cooperating with the supervisory authorities of the Member States; and
c) the international commitments entered into by the third country or international organization concerned or other obligations arising from legally binding agreements or instruments and from the participation of the third country or international organization in multilateral or regional systems, in particular with regard to the protection of personal data.
(3) Following the assessment of the adequacy of the level of protection, the Commission may decide, by means of an implementing act, that a third country, a territory or one or more specific sectors in a third country or an international organization provide an adequate level of protection within the meaning of paragraph 2 of this Article. The implementing act shall provide for a mechanism for regular review, at least every four years, taking into account any relevant developments in the third country or international organization. The implementing act shall specify the territorial and sectoral scope and, where applicable, the supervisory authority or authorities referred to in point (b) of paragraph 2 of this Article. The implementing act shall be adopted in accordance with the examination procedure referred to in Article 93(2).
(4) The Commission shall keep under constant review developments in third countries and in international organizations which could affect the operation of the decisions adopted pursuant to paragraph 3 of this Article and the findings adopted pursuant to Article 25(6) of Directive 95/46/EC.
(5) The Commission shall, by means of implementing acts, revoke, amend or suspend the decisions referred to in paragraph 3 of this Article, where necessary and without retroactive effect, where relevant information is available, in particular following the review referred to in paragraph 3 of this Article, to the effect that a third country, a territory or one or more specific sectors within a third country or an international organization no longer ensures an adequate level of protection within the meaning of paragraph 2 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).
On duly justified imperative grounds of urgency, the Commission shall adopt immediately applicable implementing acts in accordance with the procedure referred to in Article 93(3).
(6) The Commission shall enter into consultations with the third country or international organization concerned with a view to remedying the situation which gave rise to the decision adopted pursuant to paragraph 5.
(7) Transfers of personal data to the third country, territory or one or more specific sectors in that third country or to the international organization concerned pursuant to Articles 46 to 49 shall not be affected by a decision taken pursuant to paragraph 5 of this Article.
(8) The Commission shall publish in the Official Journal of the European Union and on its website a list of all third countries or territories and specific sectors within a third country and all international organizations in respect of which it has determined by decision that they do or do not ensure an adequate level of protection.
(9) Findings adopted by the Commission on the basis of Article 25(6) of Directive 95/46/EC shall remain in force until they are amended, replaced or repealed by a Commission decision adopted in accordance with paragraphs 3 or 5 of this Article.
Recitals
(103) The Commission may decide, with effect for the whole Union, that a specific third country, territory or sector of a third country, or an international organization, provides an adequate level of data protection, thereby creating legal certainty and ensuring uniform application of the law throughout the Union with respect to the third country or international organization deemed capable of providing such a level of protection. In such cases, personal data may be transferred to that country or international organization without further authorization. The Commission may, after providing a detailed explanation giving reasons to the third country or international organization, also decide to revoke such a determination.
(104) In accordance with the fundamental values of the Union, which include in particular the protection of human rights, the Commission, when assessing the third country or a territory or a particular sector of a third country, should take into account the extent to which the rule of law is respected, the course of justice is guaranteed and international human rights norms and standards are respected, as well as the general and sector-specific rules, including those on public security, national defense and security, public order and criminal law, applicable there. The adoption of an adequacy decision in relation to a territory or a specific sector of a third country should be made taking into account clear and objective criteria such as specific processing operations and the scope of applicable legal standards and applicable legislation in the third country. The third country should provide guarantees of an adequate level of protection equivalent in substance to that ensured within the Union, in particular in cases where personal data are processed in one or more specific sectors. In particular, the third country should ensure effective independent supervision of data protection and provide mechanisms for cooperation with Member States’ data protection authorities, and data subjects should be provided with effective and enforceable rights and effective administrative and judicial remedies.
(105) The Commission should take into account, in addition to the international commitments entered into by the third country or international organization, the obligations arising from the third country’s or international organization’s participation in multilateral or regional systems, in particular with regard to the protection of personal data, and the implementation of those obligations. In particular, the third country’s accession to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 28 January 1981 and the Additional Protocol thereto should be taken into account. The Commission should consult the Board when assessing the level of protection in third countries or international organizations.
(106) The Commission should monitor the functioning of findings on the level of protection in a third country, a territory or a specific sector of a third country or an international organisation; it should also monitor the functioning of findings adopted on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC. In its adequacy decisions, the Commission should provide a mechanism for periodic review of their operation. This periodic review should be carried out in consultation with the third country or international organization concerned and should take into account any relevant developments in the third country or international organization. For the purposes of monitoring and carrying out the periodic reviews, the Commission should take into account the views and findings of the European Parliament and the Council and of other relevant bodies and sources. The Commission should, within a reasonable period of time, evaluate the operation of the latter decisions and report any relevant findings to the Committee established by this Regulation within the meaning of Regulation (EU) No 182/2011 of the European Parliament and of the Council (12) and to the European Parliament and the Council.
(107) The Commission may determine that a third country, a territory or a specific sector of a third country, or an international organization no longer provides an adequate level of data protection. The transfer of personal data to that third country or international organization should thereupon be prohibited unless the requirements of this Regulation relating to the transfer of data, subject to appropriate safeguards, including binding internal data protection rules and to exceptions for specific cases, are met. In that case, provision should be made for consultations between the Commission and the third countries or international organizations concerned. The Commission should inform the third country or international organization at an early stage of the reasons and start consultations in order to remedy the situation.
(169) The Commission should adopt immediately applicable implementing acts where it is established on the basis of available evidence that a third country, a territory or a specific sector within that third country, or an international organization, does not ensure an adequate level of protection and that this is necessary on imperative grounds of urgency.
Article 46 Data transfer subject to appropriate safeguards
(1) In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organization only if the controller or processor has provided appropriate safeguards and if enforceable rights and effective legal remedies are available to the data subjects.
(2) The appropriate safeguards referred to in paragraph (1) may, without the need for specific approval by a supervisory authority, consist in
a) a legally binding and enforceable document between authorities or public bodies,
b) binding internal data protection rules in accordance with Article 47,
c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2),
d) standard data protection clauses adopted by a supervisory authority and approved by the Commission in accordance with the examination procedure referred to in Article 93(2),
e) approved codes of conduct in accordance with Article 40, together with legally binding and enforceable commitments by the controller or processor in the third country to apply the appropriate safeguards, including in relation to the rights of data subjects; or
f) an approved certification mechanism pursuant to Article 42, together with legally binding and enforceable commitments by the controller or processor in the third country to apply the appropriate safeguards, including in relation to the rights of data subjects.
(3) Subject to the approval of the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also consist in particular in
a) Contractual clauses agreed between the controller or processor and the controller, processor or recipient of the personal data in the third country or international organization; or
b) Provisions to be included in administrative agreements between public authorities or public bodies that include enforceable and effective rights for data subjects.
(4) The supervisory authority shall apply the consistency procedure referred to in Article 63 in the event of a case referred to in paragraph 3 of this Article.
(5) Authorisations issued by a Member State or a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or revoked, as necessary, by that supervisory authority. Determinations issued by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or revoked, as necessary, by a Commission decision adopted in accordance with paragraph 2 of this Article.
Recitals
(108) In the absence of an adequacy decision, the controller or processor should provide appropriate safeguards for the protection of the data subject as compensation for the lack of data protection in a third country. These appropriate safeguards may consist in relying on binding internal data protection rules, standard data protection clauses adopted by the Commission or by a supervisory authority, or contractual clauses approved by a supervisory authority. Those safeguards should ensure that data protection rules and the rights of data subjects are respected in a manner appropriate to the processing carried out within the Union, including as regards the availability of enforceable data subject rights and effective judicial remedies, including the right to effective administrative or judicial remedy and the right to seek redress in the Union or in a third country. They should relate in particular to compliance with the general principles for the processing of personal data, the principles of data protection by design and by default. Data transfers may also be made by public authorities or public bodies to public authorities or public bodies in third countries or to international organizations with equivalent obligations or tasks, including on the basis of provisions to be included in administrative arrangements – such as a Memorandum of Understanding – granting enforceable and effective rights to data subjects. The approval of the competent supervisory authority should be obtained if the safeguards are provided for in administrative arrangements that are not legally binding.
(109) The possibility for the controller or processor to use the standard data protection clauses established by the Commission or a supervisory authority should not prevent the controller or processor from using the standard data protection clauses also in more extensive contracts, such as contracts between the processor and another processor, nor prevent them from adding further clauses or additional safeguards to them, as long as they do not directly or indirectly conflict with the standard data protection clauses adopted by the Commission or a supervisory authority or interfere with the fundamental rights and freedoms of data subjects. Controllers and processors should be encouraged to provide additional safeguards with contractual obligations that complement the standard safeguards.
(114) In all cases where there is no Commission decision on the adequacy of the level of data protection existing in a third country, the controller or processor should have recourse to solutions that provide data subjects with enforceable and effective rights in relation to the processing of their personal data in the Union after the transfer of those data, so that they can continue to enjoy the fundamental rights and safeguards.
Article 47 Binding internal data protection rules
(1) The competent supervisory authority shall, in accordance with the consistency mechanism referred to in Article 63, approve binding internal rules on data protection, provided that they
a) are legally binding, apply to and are enforced by all relevant members of the group of companies or a group of companies engaged in a common economic activity, and this also applies to their employees,
b) confer on data subjects explicit enforceable rights in relation to the processing of their personal data; and
c) meet the requirements specified in paragraph 2.
(2) The binding internal data protection rules referred to in paragraph 1 shall contain at least the following information:
a) Structure and contact details of the group of companies or group of companies engaged in joint economic activity and each of its members;
b) the data transfers or series of data transfers concerned, including the types of personal data concerned, the nature and purpose of the data processing, the type of data subjects and the third country or third countries concerned;
c) internal and external legally binding nature of the relevant internal data protection regulations;
d) the application of general data protection principles, in particular purpose limitation, data minimization, limited storage periods, data quality, data protection through technology design and through data protection-friendly default settings, legal basis for processing, processing of special categories of personal data, measures to ensure data security and requirements for onward transfers to entities not bound by these internal data protection rules;
e) the rights of data subjects with regard to processing and the means available to them to exercise those rights, including the right not to be subject to a decision based solely on automated processing, including profiling, as referred to in Article 22, and the right to lodge a complaint with the competent supervisory authority or to seek judicial remedy before the competent courts of the Member States, as laid down in Article 79, and to obtain redress and, where appropriate, compensation in the event of a breach of the binding internal data protection rules;
f) the liability assumed by the controller or processor established in a Member State for any breach of the binding internal data protection rules by a relevant member of the group of undertakings not established in the Union; the controller or processor shall be exempt from such liability, in whole or in part, only if it proves that the circumstance giving rise to the damage cannot be attributed to the member concerned;
g) the manner in which the data subjects are informed, in addition to the provisions of Articles 13 and 14, of the binding internal data protection rules and, in particular, of the aspects referred to in points (d), (e) and (f) of this paragraph;
h) the tasks of any data protection officer appointed in accordance with Article 37 or any other person or body involved in monitoring compliance with the binding internal data protection rules in the group of undertakings or group of undertakings carrying out a joint economic activity, as well as monitoring training activities and dealing with complaints;
i) the appeal procedures;
j) the procedures in place within the group of companies or group of companies engaged in joint economic activity to verify compliance with the binding internal data protection rules. Such procedures shall include data protection reviews and procedures to ensure remedial action to protect the rights of the data subject. The results of such reviews should be communicated to the person or entity referred to in point (h) and to the management board of the controlling undertaking of a group of undertakings or of the group of undertakings engaged in joint economic activities and should be made available to the competent supervisory authority upon request;
k) the procedures for reporting and recording changes to the rules and reporting them to the supervisory authority;
l) the procedures for cooperation with the supervisory authority that ensure compliance by all members of the group of undertakings or group of undertakings engaged in a joint economic activity, in particular by disclosing to the supervisory authority the results of reviews of the measures referred to in point (j);
m) the notification procedures for informing the competent supervisory authority of any legal provisions applicable to a member of the group of undertakings or group of entities engaged in a joint economic activity in a third country that could have an adverse effect on the safeguards provided by the binding internal data protection rules; and
n) appropriate data protection training for personnel with permanent or regular access to personal data.
(3) The Commission may, by means of implementing acts, establish the format and procedures for the exchange of information on binding internal data protection rules referred to in this Article between controllers, processors and supervisory authorities. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).
Article 48 Transfer or disclosure not permitted by Union law
Any judgment of a court of a third country and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data shall, in any event, without prejudice to other grounds for transfer under this Chapter, only be recognized or enforceable if based on an international agreement in force, such as a mutual legal assistance agreement between the requesting third country and the Union or a Member State.
Recitals
(115) Some third countries adopt laws, regulations and other legal acts which purport to directly regulate the processing activities of natural and legal persons under the jurisdiction of the Member States. This may include judgments of courts and decisions of administrative authorities in third countries requiring a controller or processor to transfer or disclose personal data and which are not based on an international agreement in force, such as a mutual legal assistance agreement between the requesting third country and the Union or a Member State. The application of those laws, regulations and other legal instruments outside the territory of the third countries concerned may be contrary to international law and may run counter to the protection of natural persons ensured by this Regulation in the Union. Data transfers should therefore only be allowed if the conditions laid down in this Regulation for data transfers to third countries are complied with. This may be the case, inter alia, where the disclosure is necessary for an important public interest recognized by Union law or by the law of the Member State to which the controller is subject.
Article 49 Exceptions for certain cases
(1) In the absence of an adequacy decision pursuant to Article 45(3) or of appropriate safeguards pursuant to Article 46, including binding internal data protection rules, a transfer or set of transfers of personal data to a third country or to an international organization shall only be allowed under one of the following conditions:
a) the data subject has given his or her explicit consent to the proposed data transfer after having been informed of the potential risks to him or her of such data transfers in the absence of an adequacy decision and appropriate safeguards,
b) the transfer is necessary for the performance of a contract between the data subject and the controller or for the performance of pre-contractual measures at the request of the data subject,
c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject by the controller with another natural or legal person,
d) the transfer is necessary for important reasons of public interest,
e) the transfer is necessary for the assertion, exercise or defense of legal claims,
f) the transfer is necessary to protect the vital interests of the data subject or of others, where the data subject is physically or legally incapable of giving consent,
g) the transfer is made from a register which, in accordance with Union or Member State law, is intended to provide information to the public and which is open to consultation either by the public at large or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions for consultation laid down in Union or Member State law are met in the individual case.
If the transfer could not be based on a provision of Articles 45 or 46 – including binding internal data protection rules – and none of the exceptions for a specific case under the first subparagraph applies, a transfer to a third country or an international organization may only take place if the transfer is not repeated, concerns only a limited number of data subjects, is necessary for the purposes of the compelling legitimate interests of the controller, provided that the interests or the rights and freedoms of the data subject are not overridden, and the controller has assessed all the circumstances surrounding the data transfer and, on the basis of that assessment, has provided appropriate safeguards with respect to the protection of personal data. The controller shall notify the supervisory authority of the transfer. The controller shall inform the data subject of the transfer and its compelling legitimate interests; this shall be in addition to the information provided to the data subject pursuant to Articles 13 and 14.
(2) Data transfers referred to in point (g) of the first subparagraph of paragraph 1 may not include all or entire categories of personal data contained in the register. If the register is intended for inspection by persons with a legitimate interest, the transfer may be made only at the request of those persons or only if those persons are the addressees of the transfer.
(3) Points (a), (b) and (c) of the first subparagraph of paragraph 1 and the second subparagraph of paragraph 1 shall not apply to activities carried out by public authorities in the exercise of their sovereign powers.
(4) The public interest referred to in point (d) of the first subparagraph of paragraph 1 shall be recognized by Union law or by the law of the Member State to which the controller is subject.
(5) In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly provide for restrictions on the transfer of certain categories of personal data to third countries or international organisations. Member States shall notify such provisions to the Commission.
(6) The controller or processor shall record the assessment it has made and the adequate safeguards referred to in the second subparagraph of paragraph 1 of this Article in the documentation referred to in Article 30.
Recitals
(111) Transfers should be allowed under certain conditions, namely where the data subject has given his or her explicit consent, where the transfer is occasional and necessary in the context of a contract or in order to pursue legal claims, whether in court or through administrative channels, or in out-of-court proceedings, including proceedings before regulatory authorities. The transfer should also be possible if it is necessary for the protection of an important public interest laid down in Union law or in the law of a Member State, or if it is made from a register provided for by law which may be consulted by the public or by persons having a legitimate interest. In the latter case, such transfer should not be allowed to extend to all or whole categories of personal data contained in the register. If the register in question is intended for consultation by persons with a legitimate interest, the transfer should be made only at the request of those persons or only if those persons are the addressees of the transfer, taking full account of the interests and fundamental rights of the data subject.
(112) These exceptions should apply in particular to data transfers which are necessary for important reasons of public interest, such as the international exchange of data between competition, tax or customs authorities, between financial supervisory authorities, or between services responsible for social security matters or public health, for example in the case of contact tracing for contagious diseases or to reduce and/or eliminate doping in sport. The transfer of personal data should also be considered lawful if it is necessary to protect an interest which is essential for the vital interests – including the physical integrity or life – of the data subject or another person and the data subject is unable to give consent. In the absence of an adequacy decision, Union or Member State law may expressly provide for restrictions on the transfer of certain categories of data to third countries or international organizations for important reasons of public interest. Member States should notify such provisions to the Commission. Any transfer to an international humanitarian organization of personal data of a data subject who is physically or legally incapable of giving consent, in order to carry out a task required by the Geneva Conventions or to comply with international humanitarian law applicable in armed conflicts, could be considered necessary for an important reason relating to the public interest or in the vital interest of the data subject.
(113) Transfers that can be considered as not being repetitive and involving only a limited number of data subjects could also be possible in order to safeguard the compelling legitimate interests of the controller, provided that the interests or rights and freedoms of the data subject are not overriding and the controller has considered all the circumstances surrounding the data transfer. In particular, the controller should take into account the nature of the personal data, the purpose and duration of the intended processing, the situation in the country of origin, in the third country concerned and in the country of final destination, and provide appropriate safeguards to protect the fundamental rights and freedoms of natural persons with regard to the processing of their personal data. Such transfers should only be possible in the remaining cases where none of the other grounds for transfer is applicable. In the case of scientific or historical research purposes or statistical purposes, legitimate societal expectations regarding an increase in knowledge should be taken into account. The controller should inform the supervisory authority and the data subject of the transfer.
Article 50 International cooperation for the protection of personal data
With regard to third countries and international organizations, the Commission and the supervisory authorities shall take appropriate measures to
a) develop international cooperation mechanisms that facilitate effective enforcement of personal data protection laws,
b) provide international mutual assistance in the enforcement of legislation on the protection of personal data, including through notifications, complaint referrals, assistance in investigations and exchange of information, provided that appropriate safeguards exist for the protection of personal data and other fundamental rights and freedoms,
c) engage relevant stakeholders in discussions and activities designed to enhance international cooperation in the enforcement of personal data protection laws,
d) promote the exchange and documentation of personal data protection legislation and practices, including jurisdictional conflicts with third countries.
Recitals
(116) When personal data are transferred to another country outside the Union, there is an increased risk that individuals may not be able to exercise their data protection rights and, in particular, to protect themselves against the unlawful use or disclosure of that information. Similarly, supervisory authorities may not be able to investigate complaints or conduct investigations that are related to activities outside the borders of their Member State. Their efforts to cooperate across borders may also be hampered by insufficient preventive and remedial powers, conflicting legal regimes, and practical obstacles such as resource constraints. Cooperation among data protection supervisors must therefore be encouraged so that they can share information and conduct investigations with supervisors in other countries. In order to develop international cooperation mechanisms to facilitate and ensure international mutual assistance in the enforcement of personal data protection laws, the Commission and the supervisory authorities should exchange information and cooperate with the competent authorities of third countries, on the basis of reciprocity and in accordance with this Regulation, in activities related to the exercise of their powers.
Chapter VI Independent supervisory authorities
Section 1 Independence
Article 51 Supervisory authority
(Each Member State shall provide that one or more independent authorities are responsible for monitoring the application of this Regulation in order to protect the fundamental rights and freedoms of natural persons with regard to processing and to facilitate the free flow of personal data within the Union (hereinafter “Supervisory authority„).
(2. Each supervisory authority shall contribute to the consistent application of this Regulation throughout the Union. To that end, the supervisory authorities shall cooperate with each other and with the Commission in accordance with Chapter VII.
(3. Where there is more than one supervisory authority in a Member State, that Member State shall designate the supervisory authority representing those authorities in the Committee and shall establish a procedure to ensure that the other authorities comply with the rules on the consistency mechanism referred to in Article 63.
(4. Each Member State shall notify to the Commission, by 25 May 2018 at the latest, the provisions of law which it adopts pursuant to this Chapter and, without delay, any subsequent amendment affecting them.
Recitals
(117) The establishment of supervisory authorities in Member States, empowered to exercise their functions and powers with complete independence, is an essential element of the protection of individuals with regard to the processing of personal data. Member States should be able to establish more than one supervisory authority where this is appropriate to their constitutional, organizational and administrative structure.
(119) Where a Member State establishes several supervisory authorities, it should ensure through legislation that those supervisory authorities are effectively involved in the consistency mechanism. In particular, that Member State should designate a supervisory authority to act as a focal point for the effective participation of those authorities in the mechanism and to ensure a swift and smooth cooperation with other supervisory authorities, the Board and the Commission.
(123) The supervisory authorities should monitor the application of the provisions of this Regulation and contribute to its consistent application throughout the Union in order to protect natural persons with regard to the processing of their data and to facilitate the free flow of personal data in the internal market. To that end, the supervisory authorities should cooperate with each other and with the Commission without the need for an agreement between Member States on the provision of mutual assistance or on such cooperation.
Article 52 Independence
(1) Each supervisory authority shall act fully independently in the performance of its duties and in the exercise of its powers under this Regulation.
(2) The member or members of each supervisory authority shall not be subject to any outside influence, direct or indirect, in the performance of their duties and the exercise of their powers under this Regulation, and shall neither seek nor take instructions.
(3) The member or members of each supervisory authority shall refrain from any action incompatible with the duties of their office and shall not, during their term of office, engage in any other paid or unpaid activity incompatible with their office.
(4. Each Member State shall ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary to carry out its tasks and exercise its powers effectively, including in the context of mutual assistance, cooperation and participation in the Committee.
(5. Each Member State shall ensure that each supervisory authority selects and has its own staff, who shall be subject exclusively to the direction of the member or members of the supervisory authority concerned.
(6. Each Member State shall ensure that each supervisory authority is subject to financial control which does not impair its independence and that it has its own public annual budgets, which may form part of the overall State or national budget.
Recitals
(118) The fact that the supervisory authorities are independent should not mean that they are not subject to any control or monitoring mechanism with regard to their expenditure or that they cannot be subject to judicial review.
(120) Each supervisory authority should be provided with financial resources, staff, premises and an infrastructure as necessary for the effective performance of its tasks, including those related to mutual assistance and cooperation with other supervisory authorities throughout the Union. Each supervisory authority should have its own public annual budget, which may be part of the overall state or national budget.
Article 53 General conditions for the members of the supervisory authority
(1. Member States shall provide that each member of their supervisory authorities shall be appointed through a transparent procedure by the parliament, by the government, by the head of state, or by an independent body entrusted with the appointment under the law of the Member State.
(2) Each member shall have the necessary qualifications, experience and expertise, in particular in the field of personal data protection, to perform its duties and exercise its powers.
(3. The duties of a member shall end on expiry of the term of office, on resignation or on compulsory retirement, in accordance with the law of the Member State concerned.
(4) A member shall be removed from office only if he or she has committed serious misconduct or no longer fulfills the requirements for the performance of his or her duties.
Recitals
(121) The general requirements for the member or members of the supervisory authority should be laid down by legislation of each Member State and should in particular provide that those members are appointed through a transparent procedure either by the Parliament, the Government or the Head of State of the Member State, on a proposal from the Government, a member of the Government, the Parliament or a Chamber of Parliament, or by an independent body entrusted with the appointment under the law of the Member State. In order to ensure the independence of the supervisory authority, its members should perform their duties with integrity, refrain from any action incompatible with the duties of their office and should not, during their term of office, engage in any other occupation, whether gainful or not, which is incompatible with their office. The supervisory authority should have its own staff, selected by the supervisory authority itself or by an independent body established under the law of the Member State, who should be subject exclusively to the direction of the member or members of the supervisory authority.
Article 54 Establishment of the supervisory authority
(1. Each Member State shall provide by law for the following:
a) the establishment of any supervisory authority;
b) the necessary qualifications and other requirements for appointment as a member of each supervisory authority;
c) the rules and procedures for the appointment of the member or members of each supervisory authority;
d) the term of office of the member or members of each supervisory authority of at least four years; this shall not apply to the first term of office after May 24, 2016, which may be shorter for some of the members if a staggered appointment is necessary to preserve the independence of the supervisory authority;
e) the question of whether and, if so, how often the member or members of each supervisory authority may be reappointed;
f) the conditions relating to the duties of the member or members and the staff of each supervisory authority, the prohibitions of acts, professional activities and remuneration during and after the term of office that are incompatible with these duties, and the rules for termination of employment.
(2. The member or members and the staff of each supervisory authority shall, in accordance with Union or Member State law, observe professional secrecy with regard to all confidential information which has come to their knowledge in the course of the performance of their duties or the exercise of their powers, both during and after their term of office. During that period of office or service, that obligation of secrecy shall apply in particular to infringements of this Regulation reported by natural persons.
Section 2 Responsibility, Duties and Powers
Article 55 Competence
(1. Each supervisory authority shall be competent to carry out the tasks and exercise the powers conferred on it by this Regulation within the territory of its own Member State.
(2. Where the processing is carried out by public authorities or private bodies on the basis of Article 6(1)(c) or (e), the supervisory authority of the Member State concerned shall be competent. In that case, Article 56 shall not apply.
(3) The supervisory authorities shall not be competent to supervise processing operations carried out by courts in the course of their judicial activities.
Recitals
(122) Each supervisory authority should be competent to exercise the powers and carry out the tasks conferred on it by this Regulation within the territory of its Member State. This should apply in particular to the following: processing in the course of the activities of an establishment of the controller or processor in the territory of their Member State, the processing of personal data by public authorities or private bodies acting in the public interest, processing activities which have an impact on data subjects on their territory, or processing activities of a controller or processor not established in the Union, provided that they are targeted at data subjects residing on their territory. This should also include handling complaints from a data subject, conducting investigations into the application of this Regulation and promoting information to the public on the risks, rules, safeguards and rights relating to the processing of personal data.
(128) The rules on the lead authority and the cooperation and consistency mechanism should not apply where the processing is carried out by public authorities or private bodies in the public interest. In such cases, the supervisory authority of the Member State where the public authority or private body is established should be the only supervisory authority competent to exercise the powers conferred on it by this Regulation.
Article 56 Competence of the lead supervisory authority
(1. Without prejudice to Article 55, the supervisory authority of the main establishment or the single establishment of the controller or processor shall be the competent lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure referred to in Article 60.
(2. By way of derogation from paragraph 1, each supervisory authority shall be competent to deal with a complaint lodged with it or a possible infringement of this Regulation if the subject matter relates only to an establishment in its Member State or significantly affects data subjects only of its Member State.
(3. In the cases referred to in paragraph 2 of this Article, the supervisory authority shall without delay inform the lead supervisory authority of the matter. Within a period of three weeks after being informed, the lead supervisory authority shall decide whether or not to deal with the case in accordance with the procedure referred to in Article 60, taking into account whether or not the controller or processor has an establishment in the Member State whose supervisory authority has informed it.
(4. If the lead supervisory authority decides to deal with the case, the procedure laid down in Article 60 shall apply. The supervisory authority which has informed the lead supervisory authority may submit a draft decision to the latter. The lead supervisory authority shall take the utmost account of that draft when preparing the draft decision referred to in Article 60(3).
(5) If the lead supervisory authority decides not to deal with the case itself, the supervisory authority which informed the lead supervisory authority shall deal with the case in accordance with Articles 61 and 62.
(6) The lead supervisory authority shall be the single point of contact of controllers or processors for issues related to cross-border processing carried out by that controller or processor.
Recitals
(124) Where the processing of personal data takes place in the context of the activities of an establishment of a controller or processor in the Union and the controller or processor has establishments in more than one Member State, or where the processing activity in the context of the activities of a single establishment of a controller or processor in the Union has or is likely to have a significant impact on data subjects in more than one Member State, the supervisory authority for the main establishment of the controller or processor or for the single establishment of the controller or processor should act as lead authority. It should cooperate with the other authorities concerned because the controller or processor has an establishment on the territory of their Member State, because the processing has a significant impact on data subjects residing on their territory or because a complaint has been lodged with them. Also, where a data subject not residing in the Member State concerned has lodged a complaint, the supervisory authority with which the complaint has been lodged should also be a supervisory authority concerned. The Board should be able to issue guidance – as part of its tasks in relation to issuing guidance on all issues related to the application of this Regulation – in particular on the criteria to be taken into account when determining whether the processing in question has a significant impact on data subjects in more than one Member State and what constitutes a relevant and well-founded objection.
(125) The lead authority should be entitled to adopt binding decisions on measures exercising the powers conferred on it under this Regulation. In its capacity as lead authority, that supervisory authority should ensure the close involvement and coordination of the supervisory authorities concerned in the decision-making process. Where it is decided to reject the complaint of the data subject in whole or in part, that decision should be adopted by the supervisory authority with which the complaint was lodged.
(127) Any supervisory authority other than the lead supervisory authority should be competent in local cases where the controller or processor has establishments in more than one Member State but the subject-matter of the specific processing concerns only processing activities in one Member State and only data subjects in that one Member State, for example where the processing concerns personal data of employees in the specific employment context of one Member State. In such cases, the supervisory authority should inform the lead supervisory authority of the matter without delay. Following its notification, the lead supervisory authority should decide whether it will deal with the case in accordance with the provisions on cooperation between the lead supervisory authority and other supervisory authorities concerned (hereinafter “cooperation and consistency procedure”) or whether the supervisory authority which informed it should settle the case at local level. In doing so, the lead supervisory authority should take into account whether the controller or processor has an establishment in the Member State whose supervisory authority has informed it, so that decisions are effectively enforced against the controller or processor. If the lead supervisory authority decides to settle the case itself, the supervisory authority which informed it should have the possibility to submit a draft decision, which the lead supervisory authority should take into account to the greatest extent possible when preparing its draft decision under this cooperation and consistency procedure.
(130) Where the supervisory authority with which the complaint has been lodged is not the lead supervisory authority, the lead supervisory authority should cooperate closely with the supervisory authority with which the complaint has been lodged in accordance with the provisions of this Regulation on cooperation and consistency. In such cases, the lead supervisory authority should take the utmost account of the position of the supervisory authority with which the complaint has been lodged, which should retain the power to conduct investigations on the territory of its own Member State in coordination with the competent supervisory authority, when taking measures intended to produce legal effects, including the imposition of fines.
(131) Where another supervisory authority should act as the lead supervisory authority for the processing activities of the controller or processor, but the specific subject matter of a complaint or the possible breach concerns only the processing activities of the controller or processor in the Member State where the complaint was lodged or the possible breach was discovered, and the matter does not have or is not likely to have a significant impact on data subjects in other Member States, the supervisory authority with which the complaint was lodged or which discovered or was otherwise informed of situations constituting possible breaches of this Regulation should attempt to reach an amicable settlement with the controller; if this proves unsuccessful, it should exercise the full range of its powers. This should include: processing specifically on the territory of the Member State of the supervisory authority or with regard to data subjects on the territory of that Member State; processing in the context of an offer of goods or services specifically targeted at data subjects on the territory of the Member State of the supervisory authority; or processing which must be assessed in the light of the relevant legal obligations under the law of the Member States.
Article 57 Tasks
(1. Without prejudice to other tasks set out in this Regulation, each supervisory authority within its territory shall
a) monitor and enforce the application of this Regulation;
b) raise awareness and educate the public about the risks, rules, safeguards and rights related to processing; special attention shall be paid to specific measures for children;
c) in accordance with the law of the Member State, advise the national parliament, government and other institutions and bodies on legislative and administrative measures to protect the rights and freedoms of natural persons with regard to processing;
d) raise awareness among controllers and processors of the obligations imposed on them by this Regulation;
e) provide, upon request, information to any data subject on the exercise of his or her rights under this Regulation and, where appropriate, cooperate with supervisory authorities in other Member States for this purpose;
f) deal with complaints lodged by a data subject or complaints lodged by a body, organization or association pursuant to Article 80, investigate the subject matter of the complaint to a reasonable extent and inform the complainant of the progress and outcome of the investigation within a reasonable period of time, in particular if further investigation or coordination with another supervisory authority is necessary;
g) cooperate with and provide assistance to other supervisory authorities, including through the exchange of information, to ensure the consistent application and enforcement of this Regulation;
h) conduct investigations into the application of this Regulation, including on the basis of information provided by another supervisory authority or another authority;
i) monitor relevant developments insofar as they have an impact on the protection of personal data, in particular the development of information and communication technology and business practices;
j) establish standard contractual clauses within the meaning of Article 28(8) and Article 46(2)(d);
k) establish and maintain a list of the types of processing for which a data protection impact assessment is to be carried out pursuant to Article 35(4);
l) provide advice in relation to the processing operations referred to in Article 36(2);
m) promote the development of codes of conduct referred to in Article 40(1) and issue opinions on and approve such codes of conduct, which shall provide sufficient safeguards as referred to in Article 40(5);
n) encourage the establishment of data protection certification mechanisms and data protection seals and marks in accordance with Article 42(1) and endorse certification criteria in accordance with Article 42(5);
o) periodically review, as appropriate, the certifications issued pursuant to Article 42(7);
p) draft and publish the criteria for accreditation of a body for monitoring compliance with the rules of conduct pursuant to Article 41 and a certification body pursuant to Article 43;
q) carry out the accreditation of a body for monitoring compliance with the rules of conduct pursuant to Article 41 and a certification body pursuant to Article 43;
r) approve contractual clauses and provisions referred to in Article 46(3);
s) approve binding internal rules in accordance with Article 47;
t) contribute to the activities of the Committee;
u) keep internal records of infringements of this Regulation and of measures taken pursuant to Article 58(2); and
v) perform any other task related to the protection of personal data.
(2) Each supervisory authority shall facilitate the submission of complaints referred to in paragraph (1)(f) by taking measures such as providing a complaint form that may also be completed electronically, without excluding other means of communication.
(3) The performance of the tasks of each supervisory authority shall be free of charge for the data subject and, if applicable, for the data protection officer.
(4) In the case of manifestly unfounded or – especially in the case of frequent repetition – excessive requests, the supervisory authority may charge a reasonable fee based on the administrative costs or refuse to act on the request. In this case, the supervisory authority shall bear the burden of proving the manifestly unfounded or excessive nature of the request.
Recitals
(132) Awareness-raising activities by supervisory authorities aimed at the public should include specific measures targeting controllers and processors, including micro, small and medium-sized enterprises, and natural persons, in particular in the education sector.
Article 58 Powers
(1) Each supervisory authority shall have all of the following investigative powers, which permit it to
a) instruct the controller, the processor and, where applicable, the controller’s or processor’s representative to provide all information necessary for the performance of its tasks,
b) conduct investigations in the form of data protection audits,
c) conduct a review of certifications issued under Article 42(7),
d) draw the attention of the controller or processor to an alleged breach of this Regulation,
e) obtain from the controller and the processor access to all personal data and information necessary for the performance of its tasks,
f) in accordance with Union procedural law or the procedural law of the Member State, have access to the business premises, including all data processing facilities and equipment, of the controller and processor.
(2) Each supervisory authority shall have all of the following remedial powers, which permit it to
a) warn a controller or processor that intended processing operations are likely to infringe this Regulation,
b) reprimand a controller or processor whose processing operations have infringed this Regulation,
c) instruct the controller or processor to comply with the data subject’s requests to exercise the rights to which he or she is entitled under this Regulation,
d) instruct the controller or processor to bring processing operations into compliance with this Regulation, as appropriate, in a specific manner and within a specific period of time,
e) instruct the data controller to notify the data subject of a personal data breach accordingly,
f) impose a temporary or permanent restriction on processing, including a ban,
g) order the rectification or erasure of personal data or the restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such measures to the recipients to whom such personal data have been disclosed pursuant to Article 17(2) and Article 19,
h) revoke a certification or direct the certification body to revoke a certification granted under Articles 42 and 43, or direct the certification body not to grant a certification if the requirements for certification are not or are no longer met,
i) impose a fine in accordance with Article 83, in addition to or instead of measures referred to in this paragraph, depending on the circumstances of the case,
j) order the suspension of the transfer of data to a recipient in a third country or to an international organization.
(3) Each supervisory authority shall have all of the following authorization and advisory powers, which permit it to
a) advise the controller in accordance with the prior consultation procedure referred to in Article 36,
b) issue opinions on any matter relating to the protection of personal data, on its own initiative or upon request, to the national parliament, the government of the Member State or, in accordance with the law of the Member State, to other institutions and bodies, as well as to the public,
c) authorize the processing pursuant to Article 36(5) if such prior authorization is required by the law of the Member State,
d) give an opinion on and approve draft codes of conduct in accordance with Article 40(5),
e) accredit certification bodies in accordance with Article 43,
f) issue certifications and approve criteria for certification in accordance with Article 42(5),
g) establish standard data protection clauses in accordance with Article 28(8) and Article 46(2)(d),
h) approve contractual clauses pursuant to Article 46(3)(a),
i) approve administrative arrangements pursuant to Article 46(3)(b),
j) approve binding internal rules in accordance with Article 47.
(4. The exercise of the powers conferred on the supervisory authority under this Article shall be subject to appropriate safeguards, including effective judicial remedies and due process, in accordance with Union law and the law of the Member State, in compliance with the Charter.
(5. Each Member State shall provide by law that its supervisory authority shall have the power to bring infringements of this Regulation to the attention of the judicial authorities and, where appropriate, to institute or otherwise participate in legal proceedings to enforce the provisions of this Regulation.
(6. Each Member State may provide by law that its supervisory authority shall have powers additional to those listed in paragraphs 1, 2 and 3. The exercise of these powers shall not impair the effective implementation of Chapter VII.
Recitals
(129) In order to ensure consistent monitoring and enforcement of this Regulation throughout the Union, the supervisory authorities should have the same tasks and effective powers in each Member State, including, in particular in the case of complaints by individuals, powers of investigation, remedial powers and powers to impose sanctions, and authorization and advisory powers, as well as, without prejudice to the powers of law enforcement authorities under the law of the Member States, the power to bring infringements of this Regulation to the attention of judicial authorities and to initiate judicial proceedings. This should also include the power to impose a temporary or definitive restriction on processing, including a ban. Member States may determine other tasks related to the protection of personal data under this Regulation. The powers of the supervisory authorities should be exercised impartially, fairly and within a reasonable time, in accordance with the appropriate procedural safeguards under Union and Member State law. In particular, any measure should be appropriate, necessary and proportionate with a view to ensuring compliance with this Regulation, taking into account the circumstances of each individual case, respecting the right of every person to be heard before any individual measure is taken which would have an adverse effect on that person, and avoiding unnecessary costs and excessive inconvenience for data subjects. Investigatory powers with regard to access to premises should be exercised in accordance with specific requirements in the procedural law of the Member States, such as the requirement of prior judicial authorization. Any legally binding measure of the supervisory authority should be issued in writing and it should be clear and unambiguous; the supervisory authority that issued the measure and the date on which the measure was issued should be indicated and the measure should be signed by the head or by a member of the supervisory authority authorized by him or her and should contain a justification for the measure and a reference to the right to an effective remedy. This should not preclude additional requirements under the procedural law of the Member States. The adoption of a legally binding decision requires that it be subject to judicial review in the Member State of the supervisory authority that adopted the decision.
Article 59 Activity report
Each supervisory authority shall draw up an annual report on its activities, which may include a list of the types of infringements reported and the types of measures taken pursuant to Article 58(2). These reports shall be sent to the national parliament, the government and other authorities designated under the law of the Member States. They shall be made available to the public, the Commission and the Committee.
Chapter VII Cooperation and coherence
Section 1 Cooperation
Article 60 Cooperation between the lead supervisory authority and the other supervisory authorities concerned
(1. The lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this Article, endeavoring to reach consensus. The lead supervisory authority and the supervisory authorities concerned shall exchange among themselves all relevant information.
(2. The lead supervisory authority may at any time request assistance from other supervisory authorities concerned in accordance with Article 61 and carry out joint actions in accordance with Article 62, in particular to carry out investigations or monitor the implementation of a measure in relation to a controller or a processor established in another Member State.
(3. The lead supervisory authority shall, without undue delay, provide the other supervisory authorities concerned with the relevant information on the matter. It shall without delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views.
(4. If one of the other supervisory authorities concerned raises a relevant and reasoned objection to that draft decision within four weeks of being consulted in accordance with paragraph 3 of this Article and the lead supervisory authority does not follow the relevant and reasoned objection or considers that the objection is not relevant or not reasoned, the lead supervisory authority shall initiate the consistency procedure referred to in Article 63 for the matter.
(5) If the lead supervisory authority intends to follow the relevant and reasoned objection, it shall submit a revised draft decision to the other supervisory authorities concerned for their opinion. The revised draft decision shall be subjected to the procedure referred to in paragraph 4 within two weeks.
(6. If none of the other supervisory authorities concerned objects to the draft decision submitted by the lead supervisory authority within the period specified in paragraphs 4 and 5, the lead supervisory authority and the supervisory authorities concerned shall be deemed to agree with the draft decision and shall be bound by it.
(7. The lead supervisory authority shall adopt the decision and notify it to the main or single establishment of the controller or processor, as the case may be, and shall inform the other supervisory authorities concerned and the Board of the decision in question, including a summary of the relevant facts and reasons. The supervisory authority to which a complaint has been lodged shall inform the complainant of the decision.
(8) If a complaint is rejected or dismissed, the supervisory authority to which the complaint was lodged shall, notwithstanding paragraph 7, adopt the decision, notify the complainant thereof and inform the controller.
(9) Where the lead supervisory authority and the supervisory authorities concerned agree to reject or dismiss parts of the complaint and to take action in respect of other parts of that complaint, a separate decision shall be adopted on that matter for each of those parts. The lead supervisory authority shall adopt the decision for the part concerning action in respect of the controller, notify it to the main or only establishment of the controller or processor in the territory of its Member State and inform the complainant thereof, while the supervisory authority responsible for the complainant shall adopt the decision for the part concerning the rejection or dismissal of that complaint and notify it to that complainant and inform the controller or processor thereof.
(10) After being informed of the decision of the lead supervisory authority pursuant to paragraphs 7 and 9, the controller or processor shall take the necessary measures to bring the processing activities of all its establishments in the Union into compliance with the decision. The controller or processor shall notify the lead supervisory authority of the measures taken to comply with the decision, which shall in turn notify the other supervisory authorities concerned.
(11) If – in exceptional cases – a supervisory authority concerned has reason to believe that there is an urgent need to act to protect the interests of data subjects, the urgency procedure under Article 66 shall apply.
(12) The lead supervisory authority and the other supervisory authorities concerned shall provide each other with the information required under this Article by electronic means using a standardized format.
Recitals
(126) The decision should be jointly agreed by the lead supervisory authority and the supervisory authorities concerned and should be addressed to the main establishment or the single establishment of the controller or processor and should be binding on the controller and the processor. The controller or processor should take the necessary measures to ensure compliance with this Regulation and the implementation of the decision notified by the lead supervisory authority to the main establishment of the controller or processor with regard to the processing activities in the Union.
Article 61 Mutual assistance
(1) The supervisory authorities shall provide each other with relevant information and mutual assistance in order to implement and apply this Regulation consistently and shall make arrangements for effective cooperation. Mutual assistance shall in particular cover requests for information and supervisory measures, such as requests for prior authorizations and prior consultation, inspections and investigations.
(2) Each supervisory authority shall take all appropriate measures to comply with a request from another supervisory authority without undue delay and at the latest within one month of receipt of the request. This may include, in particular, providing relevant information on the conduct of an investigation.
(3) Requests for assistance shall contain all necessary information, including the purpose and justification of the request. The information provided shall be used solely for the purpose for which it was requested.
(4) The requested supervisory authority shall refuse the request only if
a) it is not competent for the subject matter of the request or for the measures it is to carry out, or
b) responding to the request would be contrary to this Regulation or to Union law or the law of the Member States to which the supervisory authority receiving the request is subject.
(5) The requested supervisory authority shall inform the requesting supervisory authority of the results or, as the case may be, of the progress of the measures taken to comply with the request. The requested supervisory authority shall explain the reasons for refusing the request in accordance with paragraph 4.
(6) The requested supervisory authorities shall, as a rule, provide the information requested by another supervisory authority by electronic means using a standardized format.
(7) Requested supervisory authorities shall not charge fees for measures taken on the basis of a request for assistance. The supervisory authorities may agree among themselves on rules to reimburse each other in exceptional cases for special expenses incurred as a result of mutual assistance.
(8) Where a requested supervisory authority does not provide the information referred to in paragraph 5 within one month of receipt of the request from another supervisory authority, the requesting supervisory authority may take a provisional measure within the territory of its Member State in accordance with Article 55(1). In that case, the need for urgent action referred to in Article 66(1) shall be deemed to require a binding decision of the Committee adopted under the urgency procedure referred to in Article 66(2).
(9) The Commission may, by means of implementing acts, specify the form and procedures for mutual assistance under this Article and the arrangements for the electronic exchange of information between supervisory authorities and between supervisory authorities and the Board, in particular the standardized format referred to in paragraph 6 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).
Recitals
(133) The supervisory authorities should assist each other in the performance of their duties and provide mutual assistance in order to ensure consistent application and enforcement of this Regulation in the internal market. A supervisory authority which has requested mutual assistance may adopt a provisional measure if it has not received a reply from the requested supervisory authority within one month of receipt of the request for mutual assistance by the requested supervisory authority.
Article 62 Joint actions by supervisory authorities
(1) The supervisory authorities shall, where appropriate, conduct joint operations, including joint investigations and joint enforcement operations, involving members or staff of the supervisory authorities of other Member States.
(2) Where the controller or processor has establishments in more than one Member State or where the processing operations are likely to have a significant impact on a substantial number of data subjects in more than one Member State, the supervisory authority of each of those Member States shall be entitled to participate in the joint actions. The supervisory authority competent pursuant to Article 56(1) or (4) shall invite the supervisory authority of each of those Member States to participate in the joint actions and shall respond without delay to the request of a supervisory authority to participate.
(3) A supervisory authority may, in accordance with the law of the Member State and with the approval of the assisting supervisory authority, delegate powers, including investigatory powers, to the members or staff of the assisting supervisory authority involved in the joint operations or, to the extent permitted by the law of the Member State of the inviting supervisory authority, allow the members or staff of the assisting supervisory authority to exercise their investigatory powers in accordance with the law of the Member State of the assisting supervisory authority. Those investigative powers may only be exercised under the direction and in the presence of the members or staff of the inviting supervisory authority. The members or staff of the assisting supervisory authority shall be subject to the law of the Member State of the inviting supervisory authority.
(4) Where, in accordance with paragraph 1, staff of an assisting supervisory authority are on mission in another Member State, the Member State of the host supervisory authority shall assume responsibility for their actions, including liability for any damage caused by them during their mission, in accordance with the law of the Member State on whose territory the mission takes place.
(5) The Member State in whose territory the damage was caused shall make good such damage in the same way as it would have had to make good such damage if its own officials had caused it. The Member State of the assisting supervisory authority whose staff have caused damage to a person in the territory of another Member State shall reimburse that other Member State for the total amount of compensation paid by it to the persons entitled.
(6) Without prejudice to the exercise of its rights vis-à-vis third parties and with the exception of paragraph 5, each Member State shall refrain, in the case referred to in paragraph 1, from claiming from other Member States the amount of the damage suffered referred to in paragraph 4.
(7) Where joint action is envisaged and a supervisory authority does not comply with the obligation referred to in the second sentence of paragraph 2 of this Article within one month, the other supervisory authorities may take interim measures within the territory of their Member State in accordance with Article 55. In that case, the need for urgent action referred to in Article 66(1) shall be deemed to require an opinion adopted under the urgency procedure or a binding decision of the Committee adopted under the urgency procedure referred to in Article 66(2).
Recitals
(134) Each supervisory authority should, where appropriate, participate in joint actions by other supervisory authorities. The requested supervisory authority should be required to respond to the request within a specified period of time.
Section 2 Consistency
Article 63 Consistency mechanism
In order to contribute to the consistent application of this Regulation throughout the Union, the supervisory authorities shall cooperate with each other and, where appropriate, with the Commission through the consistency mechanism described in this section.
Recitals
(135) In order to ensure the consistent application of this Regulation throughout the Union, a procedure to ensure consistent application of the law (consistency mechanism) should be established for cooperation between supervisory authorities. That procedure should apply, in particular, where a supervisory authority intends to adopt a measure intended to produce legal effects in relation to processing operations which produce significant effects for a substantial number of data subjects in several Member States. It should also apply where a supervisory authority concerned or the Commission requests that the matter be dealt with under the consistency mechanism. This procedure should be without prejudice to other measures that the Commission may take in the exercise of its powers under the Treaties.
(136) When applying the consistency mechanism, the Board should, if so decided by a majority of its members or if requested by another supervisory authority concerned or by the Commission, issue an opinion within a specified period. The Committee should also be given the power to adopt legally binding decisions in the event of disputes between supervisory authorities. To that end, it should, in principle, adopt legally binding decisions by a two-thirds majority of its members in clearly identified cases where supervisory authorities take conflicting positions on the facts of the case, in particular on the question of whether there has been an infringement of this Regulation, in particular in the context of the cooperation procedure between the lead supervisory authority and the supervisory authorities concerned.
(138) The application of this procedure should be a condition for the legality of a measure taken by a supervisory authority to produce legal effects in cases where it is mandatory. In other cases of cross-border relevance, the cooperation procedure between the lead supervisory authority and the supervisory authorities concerned should apply and the supervisory authorities concerned may provide assistance and carry out joint actions on a bilateral or multilateral basis without recourse to the consistency mechanism.
Article 64 Opinion of the Committee
(1) The Committee shall deliver an opinion where the competent supervisory authority intends to adopt any of the following measures. For that purpose, the competent supervisory authority shall send the draft decision to the Committee when it
a) serves to adopt a list of processing operations subject to the requirement of a data protection impact assessment pursuant to Article 35(4),
b) a matter referred to in Article 40(7) and thus concerns whether a draft code of conduct or an amendment or addition to a code of conduct complies with this Regulation,
c) serves to approve the criteria for accreditation of a body referred to in Article 41(3) or a certification body referred to in Article 43(3),
d) serves to establish standard data protection clauses pursuant to Article 46(2)(d) and Article 28(8),
e) serves to approve contractual clauses in accordance with Article 46(3)(a), or
f) serves the adoption of binding internal rules within the meaning of Article 47.
(2. Any supervisory authority, the Chair of the Committee or the Commission may request that a matter of general application or with implications in more than one Member State be examined by the Committee in order to obtain an opinion, in particular where a competent supervisory authority fails to comply with the obligations to provide assistance under Article 61 or to take joint action under Article 62.
(3) In the cases referred to in paragraphs (1) and (2), the Committee shall issue an opinion on the matter referred to it, unless it has already issued an opinion on the same matter. This opinion shall be adopted within eight weeks by a simple majority of the members of the Committee. This period may be extended by a further six weeks, taking into account the complexity of the matter. With regard to the draft decision referred to in paragraph 1, which shall be communicated to the members of the Committee in accordance with paragraph 5, a member who has not objected within a reasonable period indicated by the Chair shall be deemed to have approved the draft decision.
(4) The supervisory authorities and the Commission shall, without undue delay, transmit electronically to the Board, using a standardized format, all relevant information, including, as appropriate, a brief statement of the facts, the draft decision, the reasons why such action is necessary and the views of other supervisory authorities concerned.
(5) The chair of the committee shall immediately inform by electronic means
a) using a standardized format, the members of the Committee and the Commission of any pertinent information it has received. To the extent necessary, the secretariat of the committee shall provide translations of the pertinent information; and
b) as the case may be, the supervisory authority referred to in paragraphs 1 and 2 and the Commission of the opinion and shall make it public.
(6) The competent supervisory authority shall not adopt the draft decision referred to in paragraph 1 before the expiry of the period referred to in paragraph 3.
(7) The supervisory authority referred to in paragraph 1 shall take the utmost account of the opinion of the Committee and shall notify its Chair electronically, using a standardized format, within two weeks of receipt of the opinion, whether it will maintain or amend the draft decision and, where appropriate, shall transmit the amended draft decision.
(8) Where, within the period referred to in paragraph 7 of this Article, the supervisory authority concerned informs the Chair of the Committee, stating the relevant reasons, that it intends not to follow the opinion of the Committee in whole or in part, Article 65(1) shall apply.
Article 65 Dispute settlement by the Committee
(1) In order to ensure the proper and uniform application of this Regulation in individual cases, the Committee shall issue a binding decision in the following cases:
a) where, in a case referred to in Article 60(4), a supervisory authority concerned has raised an authoritative and reasoned objection to a draft decision of the lead authority or the lead authority has rejected such objection as not authoritative or not reasoned. The binding decision shall concern all matters which are the subject of the authoritative and reasoned objection, in particular whether there has been a breach of this Regulation;
b) if there are conflicting views as to which of the supervisory authorities concerned is competent for the main establishment,
c) where a competent supervisory authority does not seek the opinion of the Board in the cases referred to in Article 64(1) or does not follow the opinion of the Board pursuant to Article 64. In that case, any supervisory authority concerned or the Commission may refer the matter to the Committee.
(2) The decision referred to in paragraph 1 shall be adopted by a majority of two-thirds of the members of the Committee within one month of the matter being referred to it. This period may be extended by one additional month due to the complexity of the matter. The decision referred to in paragraph 1 shall be reasoned and communicated to the lead supervisory authority and all supervisory authorities concerned and shall be binding on them.
(3) If the Committee has been unable to adopt a decision within the time limits referred to in paragraph 2, it shall adopt its decision by a simple majority of the members of the Committee within two weeks of the expiry of the second month referred to in paragraph 2. In the event of a tie between the members of the Committee, the Chair shall have the casting vote.
(4) The supervisory authorities concerned shall not adopt a decision on the matter submitted to the Committee before the expiry of the deadlines referred to in paragraphs 2 and 3.
(5) The Chair of the Committee shall inform the supervisory authorities concerned of the decision referred to in paragraph 1 without delay. It shall inform the Commission thereof. The decision shall be published on the website of the Board without delay after the supervisory authority has notified the final decision referred to in paragraph 6.
(6) The lead supervisory authority or, where applicable, the supervisory authority to which the complaint has been lodged shall take the final decision on the basis of the decision referred to in paragraph 1 of this Article without undue delay and no later than one month after the European Data Protection Board has notified its decision. The lead supervisory authority or, where applicable, the supervisory authority to which the complaint has been lodged shall inform the Board of the date on which its final decision is notified to the controller or processor or the data subject. The final decision of the supervisory authorities concerned shall be adopted in accordance with Article 60(7), (8) and (9). The final decision shall refer to the decision referred to in paragraph 1 and shall specify that the decision referred to in paragraph 1 of this Article shall be published on the Board’s website in accordance with paragraph 5. The final decision shall be accompanied by the decision referred to in paragraph 1 of this Article.
Article 66 Emergency procedure
(1) In exceptional circumstances, a supervisory authority concerned may, by way of derogation from the consistency procedure referred to in Articles 63, 64 and 65 or the procedure referred to in Article 60, immediately adopt interim measures with a defined duration of no more than three months, intended to have legal effect on its territory, if it considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects. The supervisory authority shall, without undue delay, inform the other supervisory authorities concerned, the Board and the Commission of those measures and the reasons for their adoption.
(2) If a supervisory authority has taken a measure pursuant to paragraph (1) and considers that definitive measures must be adopted urgently, it may request an opinion or a binding decision of the Committee under the urgent procedure, stating its reasons.
(3) Any supervisory authority may request an opinion or, as the case may be, a binding decision of the Committee under the urgent procedure, giving reasons, including for the urgent need for action, if a competent supervisory authority has not taken an appropriate measure to protect the rights and freedoms of data subjects despite the urgent need for action.
(4) By way of derogation from Articles 64(3) and 65(2), an opinion or a binding decision adopted under the urgency procedure referred to in paragraphs 2 and 3 shall be adopted within two weeks by a simple majority of the members of the Committee.
Recitals
(137) There may be an urgent need to act to protect the rights and freedoms of data subjects, in particular where there is a risk of a significant impediment to the enforcement of a data subject’s right. A supervisory authority should therefore be able to adopt duly justified provisional measures within its territory with a fixed duration of no more than three months.
Article 67 Exchange of information
The Commission may adopt implementing acts of general scope laying down the arrangements for the electronic exchange of information between supervisory authorities and between supervisory authorities and the Board, in particular the standardized format referred to in Article 64. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).
Section 3 European Data Protection Board
Article 68 European Data Protection Board
(1) The European Data Protection Board (hereinafter “Committee”) shall be established as a body of the Union having legal personality.
(2) The Committee shall be represented by its Chair.
(3) The Board shall be composed of the head of a supervisory authority of each Member State and the European Data Protection Supervisor or their respective representatives.
(4) Where more than one supervisory authority in a Member State is responsible for supervising the application of the provisions adopted pursuant to this Regulation, a common representative shall be designated in accordance with the law of that Member State.
(5) The Commission shall be entitled to participate in the activities and meetings of the Committee without the right to vote. The Commission shall appoint a representative. The Chair of the Committee shall inform the Commission about the activities of the Committee.
(6) In the cases referred to in Article 65, the European Data Protection Supervisor shall be entitled to vote only on decisions which concern principles and rules applicable to the Union institutions, bodies, offices and agencies and which are consistent in substance with the principles and rules laid down in this Regulation.
Recitals
(139) In order to promote the uniform application of this Regulation, the Committee should be established as an independent Union body. In order to achieve its objectives, the Committee should have legal personality. The Committee should be represented by its Chair. It should replace the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Directive 95/46/EC. It should be composed of the head of a supervisory authority of each Member State and the European Data Protection Supervisor or their respective representatives. The Commission should participate in the Committee’s deliberations without voting rights and the European Data Protection Supervisor should have specific voting rights. The Board should contribute to the consistent application of the Regulation throughout the Union, advise the Commission in particular on the level of protection in third countries or international organizations, and promote cooperation between supervisory authorities in the Union. The Board should act independently in the performance of its tasks.
Article 69 Independence
(1) The Committee shall act independently in the performance of its duties or in the exercise of its powers under Articles 70 and 71.
(2) Without prejudice to the requests of the Commission pursuant to Article 70(1)(b) and (2), the Committee shall not seek or take instructions in the performance of its functions or in the exercise of its powers.
Article 70 Tasks of the Committee
(1) The Committee shall ensure the uniform application of this Regulation. To that end, the Committee shall, on its own initiative or, where appropriate, at the request of the Commission, carry out in particular the following activities:
a) monitoring and ensuring the proper application of this Regulation in the cases referred to in Articles 64 and 65, without prejudice to the tasks of the national supervisory authorities;
b) Advise the Commission on all matters relating to the protection of personal data in the Union, including any proposals to amend this Regulation;
c) Advise the Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities regarding binding internal data protection rules;
d) Provide guidance, recommendations and best practices on procedures for the erasure, pursuant to Article 17(2), of links to personal data or copies or replications of such data from publicly available communications services;
e) Consider, on its own initiative, at the request of one of its members, or at the request of the Commission, matters relating to the application of this Regulation and provide guidance, recommendations, and best practices for the purpose of ensuring uniform application of this Regulation;
f) Provide guidance, recommendations and best practices, as referred to in point (e) of this paragraph, to further define the criteria and conditions for the profiling-based decisions referred to in Article 22(2);
g) Provide guidance, recommendations and best practices in accordance with subparagraph (e) of this paragraph on the identification of personal data breaches and the determination of promptness for the purposes of Article 33(1) and (2), and on the specific circumstances in which the controller or processor shall notify the personal data breach;
h) Provide guidance, recommendations and best practices, as referred to in point (e) of this paragraph, on the circumstances in which a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons within the meaning of Article 34(1);
i) Provide guidance, recommendations and best practices, as referred to in point (e) of this paragraph, to further specify the criteria and requirements for transfers of personal data listed in Article 47 that are based on binding internal data protection rules of controllers or processors and the further necessary requirements for the protection of personal data of data subjects listed therein;
j) Provide guidelines, recommendations, and best practices, as referred to in subparagraph (e) of this paragraph, to further define the criteria and conditions for transfers of personal data pursuant to Article 49(1);
k) Develop guidelines for supervisory authorities regarding the application of measures under Article 58(1), (2) and (3) and the setting of fines under Article 83;
l) Review the practical application of the guidelines, recommendations, and best practices identified in subparagraphs (e) and (f);
m) Provide guidance, recommendations, and best practices, as referred to in subparagraph (e) of this paragraph, to establish common procedures for the reporting by natural persons of violations of this Regulation pursuant to Article 54(2);
n) Promote the development of codes of conduct and the establishment of privacy certification schemes and privacy seals and marks in accordance with Articles 40 and 42;
o) Accreditation of certification bodies and their periodic review pursuant to Article 43 and maintenance of a public register of accredited bodies pursuant to Article 43(6) and of accredited controllers or processors established in third countries pursuant to Article 42(7);
p) Clarification of the requirements referred to in Article 43(3) with regard to the accreditation of certification bodies under Article 42;
q) Issuing an opinion for the Commission on the certification requirements under Article 43(8);
r) Issuing an opinion for the Commission on the pictorial symbols referred to in Article 12(7);
s) issue an opinion for the Commission on the adequacy of the level of protection provided in a third country or international organization, including on the assessment of whether the third country, territory, specific sector(s) in that third country or international organization no longer provides an adequate level of protection. To that end, the Commission shall provide the Committee with all necessary documentation, including correspondence with the government of the third country, territory or specific sector or international organization;
t) issuing opinions under the consistency procedure referred to in Article 64(1) on draft decisions of supervisory authorities, on matters submitted in accordance with Article 64(2) and for the adoption of binding decisions in accordance with Article 65, including the cases referred to in Article 66;
u) Promote cooperation and effective bilateral and multilateral exchange of information and best practices among regulators;
v) Promote training programs and facilitate staff exchanges among supervisors and, where appropriate, with supervisors of third countries or with international organizations;
w) Promote the exchange of expertise and documentation on data protection regulations and practices with data protection supervisory authorities around the world;
x) issuing opinions on the rules of conduct drawn up at Union level pursuant to Article 40(9); and
y) Maintaining a publicly accessible electronic registry of decisions of regulatory agencies and courts regarding issues addressed through the consistency process.
(2) The Commission, when seeking the advice of the Committee, may specify a time limit, taking into account the urgency of the matter.
(3) The Committee shall forward its opinions, guidelines, recommendations and best practices to the Commission and to the Committee referred to in Article 93 and shall make them public.
(4) The Committee shall, where appropriate, consult interested parties and give them the opportunity to comment within a reasonable period. Without prejudice to Article 76, the Committee shall make the results of the consultation available to the public.
Article 71 Reporting
(1) The Board shall draw up an annual report on the protection of individuals with regard to processing in the Union and, where appropriate, in third countries and international organizations. The report shall be made public and sent to the European Parliament, the Council and the Commission.
(2) The annual report shall include a review of the practical application of the guidelines, recommendations and best practices referred to in Article 70(1)(l) and of the binding decisions referred to in Article 65.
Article 72 Procedure
(1) Unless otherwise provided in this Regulation, the Committee shall take its decisions by a simple majority of its members.
(2) The Committee shall adopt its rules of procedure by a majority of two-thirds of its members and shall determine its working methods.
Article 73 Chair
(1) The Board shall elect a chair and two deputy chairs from amongst its members by simple majority.
(2) The term of office of the Chair and of the two deputy chairs shall be five years; they may be re-elected once.
Article 74 Tasks of the Chair
(1) The Chair shall have the following tasks:
a) to convene the meetings of the Board and prepare its agenda;
b) to notify the decisions adopted by the Board pursuant to Article 65 to the lead supervisory authority and the supervisory authorities concerned;
c) to ensure the timely performance of the tasks of the Board, in particular in relation to the consistency mechanism referred to in Article 63.
(2) The Board shall lay down the allocation of tasks between the Chair and the deputy chairs in its rules of procedure.
Article 75 Secretariat
(1) The Board shall have a secretariat, which shall be provided by the European Data Protection Supervisor.
(2) The secretariat shall perform its tasks exclusively under the instructions of the Chair of the Board.
(3) The staff of the European Data Protection Supervisor involved in carrying out the tasks conferred on the Board by this Regulation shall be subject to separate reporting lines from the staff involved in carrying out the tasks conferred on the European Data Protection Supervisor.
(4) Where appropriate, the Board and the European Data Protection Supervisor shall establish and publish a memorandum of understanding implementing this Article, determining the terms of their cooperation and applicable to the staff of the European Data Protection Supervisor involved in carrying out the tasks conferred on the Board by this Regulation.
(5) The secretariat shall provide analytical, administrative and logistical support to the Board.
(6) The secretariat shall be responsible in particular for:
a) the day-to-day business of the Board;
b) communication between the members of the Board, its Chair and the Commission;
c) communication with other institutions and the public;
d) the use of electronic means for internal and external communication;
e) the translation of relevant information;
f) the preparation and follow-up of the meetings of the Board;
g) the preparation, drafting and publication of opinions, decisions on the settlement of disputes between supervisory authorities and other texts adopted by the Board.
Recitals
(140) The Board should be assisted by a secretariat provided by the European Data Protection Supervisor. The staff of the European Data Protection Supervisor involved in the performance of the tasks entrusted to the Board under this Regulation should perform those tasks exclusively in accordance with the instructions of, and report to, the Chair of the Board.
Article 76 Confidentiality
(1) The discussions of the Board shall be confidential where the Board deems it necessary, as provided for in its rules of procedure.
(2) Access to documents submitted to members of the Board, experts and representatives of third parties shall be governed by Regulation (EC) No 1049/2001 of the European Parliament and of the Council (21).
Chapter VIII Remedies, liability and sanctions
Article 77 Right to complain to a supervisory authority
(1) Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
(2) The supervisory authority with which the complaint has been lodged shall inform the complainant of the progress and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Article 78.
Recitals
(141) Every data subject should have the right to lodge a complaint with a single supervisory authority, in particular in the Member State of his or her habitual residence, and to seek an effective judicial remedy in accordance with Article 47 of the Charter, where he or she considers that his or her rights under this Regulation have been infringed or where the supervisory authority fails to act on a complaint, rejects or refuses a complaint in part or in whole, or fails to act despite the need to protect the rights of the data subject. The investigation following a complaint should be as broad as appropriate in the individual case, subject to judicial review. The supervisory authority should inform the data subject of the progress and outcome of the complaint within a reasonable period of time. If further investigation or coordination with another supervisory authority is necessary, the data subject should be informed of the interim status. Each supervisory authority should take measures to facilitate the submission of complaints, such as providing a complaint form that can also be completed electronically, without excluding other means of communication.
Article 78 Right to effective judicial remedy against a supervisory authority
(1) Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
(2) Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the data subject within three months of the progress or outcome of the complaint lodged pursuant to Article 77.
(3) Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
(4) Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.
Recitals
(143) Any natural or legal person has the right to bring an action for annulment of decisions of the Board before the Court of Justice under the conditions provided for in Article 263 TFEU. As addressees of such decisions, the supervisory authorities concerned which wish to challenge them have to bring an action within two months of being notified of them, in accordance with Article 263 TFEU. Where decisions of the Board are of direct and individual concern to a controller, processor or complainant, the latter may bring an action for annulment against those decisions within two months of their publication on the website of the Board, in accordance with Article 263 TFEU. Without prejudice to this right under Article 263 TFEU, each natural or legal person should have an effective judicial remedy before the competent national court against a decision of a supervisory authority which produces legal effects concerning that person. Such a decision concerns in particular the exercise of investigative, corrective and authorisation powers by the supervisory authority or the dismissal or rejection of complaints. However, the right to an effective judicial remedy does not encompass measures taken by supervisory authorities which are not legally binding, such as opinions issued by or advice provided by the supervisory authority. Proceedings against a supervisory authority should be brought before the courts of the Member State where the supervisory authority is established and should be conducted in accordance with that Member State's procedural law. Those courts should exercise full jurisdiction, which should include jurisdiction to examine all questions of fact and law relevant to the dispute before them. Where a complaint has been rejected or dismissed by a supervisory authority, the complainant may bring proceedings before the courts in the same Member State.
In the context of judicial remedies relating to the application of this Regulation, national courts which consider a decision on the question necessary to enable them to give judgment may, or in the case provided for in Article 267 TFEU must, request the Court of Justice to give a preliminary ruling on the interpretation of Union law, including this Regulation. Furthermore, where a decision of a supervisory authority implementing a decision of the Board is challenged before a national court and the validity of the decision of the Board is at issue, that national court does not have the power to declare the Board's decision invalid but must refer the question of validity to the Court of Justice in accordance with Article 267 TFEU as interpreted by the Court of Justice, where it considers the decision invalid. However, a national court may not refer a question on the validity of the decision of the Board at the request of a natural or legal person which had the opportunity to bring an action for annulment of that decision, in particular if it was directly and individually concerned by that decision, but had not done so within the period laid down in Article 263 TFEU.
Article 79 Right to an effective judicial remedy against controllers or processors
(1) Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
(2) Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.
Recitals
(145) In proceedings against controllers or processors, it should be left to the plaintiff to decide whether to bring proceedings before the courts of the Member State where the controller or processor has an establishment or of the Member State where the data subject is domiciled, except where the controller is an authority of a Member State acting in the exercise of its public powers.
(147) To the extent that this Regulation contains specific rules on jurisdiction, in particular with regard to proceedings for a judicial remedy, including damages, against a controller or processor, the general rules on jurisdiction, such as those contained in Regulation (EU) No 1215/2012 of the European Parliament and of the Council (13), should not prevent the application of those specific rules.
Article 80 Representation of data subjects
(1) The data subject shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects' rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf where provided for by Member State law.
(2) Member States may provide that any body, organisation or association referred to in paragraph 1 of this Article, independently of a data subject's mandate, has the right to lodge, in that Member State, a complaint with the supervisory authority which is competent pursuant to Article 77 and to exercise the rights referred to in Articles 78 and 79 if it considers that the rights of a data subject under this Regulation have been infringed as a result of the processing.
Recitals
(142) Data subjects who consider that their rights under this Regulation have been infringed should have the right to instruct bodies, organizations or associations established in accordance with the law of a Member State, which are not-for-profit and whose statutory objectives are in the public interest and which are active in the field of the protection of personal data, to lodge a complaint on their behalf with a supervisory authority or to seek judicial remedy or to exercise the right to compensation where provided for in the law of the Member States. Member States may provide that such bodies, organizations or associations should have the right to lodge their own complaint, independently of being mandated by a data subject in the Member State concerned, and the right to an effective judicial remedy where they have reason to believe that the rights of the data subject have been infringed as a result of processing not in compliance with this Regulation. Such bodies, organizations or associations may not be allowed to claim damages on behalf of a data subject, regardless of the mandate of a data subject.
Article 81 Suspension of proceedings
(1) Where a competent court of a Member State has information on proceedings concerning the same subject matter as regards processing by the same controller or processor that are pending in a court in another Member State, it shall contact that court in the other Member State to confirm the existence of such proceedings.
(2) Where proceedings concerning the same subject matter as regards processing by the same controller or processor are pending in a court in another Member State, any competent court other than the court first seised may suspend its proceedings.
(3) Where such proceedings are pending at first instance, any court subsequently seised may also, on application by a party, decline jurisdiction if the court first seised has jurisdiction over the actions in question and the joinder of the actions is permitted under its law.
Recitals
(144) Where a court seised of proceedings against a decision by a supervisory authority has reason to believe that proceedings concerning the same processing, such as the same subject matter as regards processing by the same controller or processor, or the same cause of action, are brought before a competent court in another Member State, it should contact that court in order to confirm the existence of such related proceedings. If related proceedings are pending before a court in another Member State, any court other than the court first seised may stay its proceedings or may, on request of one of the parties, decline jurisdiction in favour of the court first seised if that court has jurisdiction over the proceedings in question and its law permits the consolidation of such related proceedings. Proceedings are deemed to be related where they are so closely connected that it is expedient to hear and determine them together in order to avoid the risk of irreconcilable judgments resulting from separate proceedings.
Article 82 Liability and right to compensation
(1) Any person who has suffered material or non-material damage due to a breach of this Regulation shall be entitled to compensation from the controller or from the processor.
(2) Each controller involved in a processing shall be liable for the damage caused by a processing not in compliance with this Regulation. A processor shall be liable for the damage caused by a processing operation only if it has failed to comply with its obligations under this Regulation specifically imposed on processors or has acted in disregard of or against the lawfully given instructions of the controller.
(3) A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.
(4) Where more than one controller or more than one processor or both a controller and a processor are involved in the same processing and they are responsible for damage caused by the processing pursuant to paragraphs (2) and (3), each controller or processor shall be liable for the entire damage in order to ensure effective compensation for the data subject.
(5) If a data controller or processor has paid full compensation for the damage suffered pursuant to paragraph 4, such data controller or processor shall be entitled to recover from the other data controllers or processors involved in the same processing the part of the compensation corresponding to their share of responsibility for the damage under the conditions set forth in paragraph 2.
(6) Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2).
Recitals
(146) The controller or processor should compensate for damage caused to a person as a result of processing that does not comply with this Regulation. The controller or processor should be exempted from liability if it proves that it is not in any way responsible for the damage. The concept of damage should be interpreted broadly in the light of the case law of the Court of Justice in a way that is fully consistent with the objectives of this Regulation. This is without prejudice to claims for damages based on infringements of other provisions of Union or Member State law. Processing that is not in compliance with this Regulation includes processing that is not in compliance with delegated and implementing acts adopted pursuant to this Regulation and legislation of the Member States clarifying provisions of this Regulation. Data subjects should receive full and effective compensation for the damage suffered. Where controllers or processors are involved in the same processing, each controller or processor should be held liable for the entire damage. However, where they are involved in the same processing in accordance with the law of the Member States, they may be held liable in proportion to the responsibility borne by each controller or processor for the damage caused by the processing, provided that it is ensured that the data subject receives full and effective compensation for the damage suffered. Any controller or processor who has paid full compensation for the damage may subsequently initiate recourse proceedings against other controllers or processors involved in the same processing.
Article 83 General conditions for the imposition of fines
(1) Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.
(2) Fines shall be imposed in addition to, or in lieu of, measures under Article 58(2)(a) to (h) and (i), depending on the circumstances of each case. In deciding on the imposition of a fine and on its amount, due consideration shall be given to the following in each individual case:
a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
b) the intentional or negligent character of the infringement;
c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to Articles 25 and 32;
e) any relevant previous infringements by the controller or processor;
f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects;
g) the categories of personal data affected by the infringement;
h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures;
j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
(3) If a controller or a processor intentionally or negligently infringes more than one provision of this Regulation in the same or related processing operations, the total amount of the fine shall not exceed the amount for the most serious infringement.
(4) For violations of the following provisions, in accordance with paragraph (2), fines of up to EUR 10,000,000 or, in the case of an enterprise, up to 2 % of its total annual worldwide turnover for the preceding fiscal year, whichever is greater, shall be imposed:
a) the obligations of controllers and processors under Articles 8, 11, 25 to 39, 42 and 43;
b) the duties of the certification body according to Articles 42 and 43;
c) the obligations of the monitoring body pursuant to Article 41(4).
(5) For violations of the following provisions, in accordance with paragraph (2), fines shall be imposed up to EUR 20,000,000 or, in the case of an enterprise, up to 4 % of its total annual worldwide turnover for the preceding fiscal year, whichever is greater:
a) the principles for processing, including the conditions for consent, in accordance with Articles 5, 6, 7 and 9;
b) the rights of the data subject under Articles 12 to 22;
c) the transfer of personal data to a recipient in a third country or to an international organization in accordance with Articles 44 to 49;
d) all obligations under the legislation of the Member States adopted under Chapter IX;
e) Failure to comply with an order or temporary or permanent restriction or suspension of data transfer by the supervisory authority pursuant to Article 58(2) or failure to grant access in breach of Article 58(1).
(6) Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4 % of its total worldwide annual turnover of the preceding financial year, whichever is higher.
(7) Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.
(8) The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process.
(9) Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent supervisory authority and imposed by competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. Those Member States shall notify to the Commission the provisions of their laws which they adopt pursuant to this paragraph by 25 May 2018 and, without delay, any subsequent amendment law or amendment affecting them.
Recitals
(148) In order to enhance consistent enforcement of the provisions of this Regulation, sanctions, including fines, should be imposed for infringements of this Regulation in addition to, or instead of, the appropriate measures imposed by the supervisory authority pursuant to this Regulation. In the case of a minor infringement or if fines likely to be imposed would impose a disproportionate burden on a natural person, a warning may be issued instead of a fine. However, due account should be taken of the nature, gravity and duration of the breach, the intentional nature of the breach, the measures taken to mitigate the damage caused, the degree of responsibility or any previous breach, the manner in which the breach came to the attention of the supervisory authority, compliance with the measures ordered against the controller or processor, compliance with rules of conduct and any other aggravating or mitigating circumstance. There should be adequate procedural safeguards for the imposition of sanctions, including fines, in accordance with the general principles of Union law and the Charter, including the right to effective judicial protection and a fair trial.
(149) Member States should be able to lay down the criminal sanctions applicable to infringements of this Regulation, including infringements of national provisions adopted pursuant to and within the limits of this Regulation. These criminal sanctions may also allow for the confiscation of the profits obtained from the infringements of this Regulation. However, the imposition of criminal sanctions for violations of such national provisions and of administrative sanctions should not lead to a violation of the principle of “ne bis in idem” as it has been interpreted by the Court.
(150) In order to strengthen and harmonise administrative penalties for infringements of this Regulation, each supervisory authority should have the power to impose administrative fines. This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent supervisory authority in each individual case, taking into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. Where administrative fines are imposed on an undertaking, the term "undertaking" should be understood in the sense of Articles 101 and 102 TFEU. Where administrative fines are imposed on persons that are not an undertaking, the supervisory authority should take account of the general level of income in the Member State as well as the economic situation of the person when considering the appropriate amount of the fine. The consistency mechanism may also be used to promote a consistent application of administrative fines. It should be for the Member States to determine whether and to what extent public authorities should be subject to administrative fines. Imposing an administrative fine or giving a warning does not affect the application of other powers of the supervisory authorities or of other penalties under this Regulation.
(151) The legal systems of Denmark and Estonia do not allow the fines provided for in this Regulation. The rules on fines may be applied in such a way that the fine is imposed in Denmark by the competent national courts as a penalty and in Estonia by the supervisory authority in the context of misdemeanor proceedings, provided that such application of the rules in those Member States has the same effect as the fines imposed by the supervisory authorities. Therefore, the competent national courts should take into account the recommendation of the supervisory authority that initiated the fine. In any event, the fines imposed should be effective, proportionate and dissuasive.
Article 84 Penal sanctions
(1) Member States shall lay down the rules on other penalties applicable to infringements of this Regulation, in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.
(2) Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1 by 25 May 2018 and, without delay, any subsequent amendment affecting them.
Recitals
(152) To the extent that this Regulation does not harmonize administrative sanctions, or where it is necessary in other cases, such as serious infringements of this Regulation, Member States should apply a system providing for effective, proportionate and dissuasive sanctions. It should be regulated in the law of the Member States whether those sanctions are of a criminal or administrative nature.
Chapter IX Provisions for special processing situations
Article 85 Processing and freedom of expression and information
(1) Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.
(2) For processing carried out for journalistic purposes or the purpose of academic, artistic or literary expression, Member States shall provide for exemptions or derogations from Chapter II (principles), Chapter III (rights of the data subject), Chapter IV (controller and processor), Chapter V (transfer of personal data to third countries or international organisations), Chapter VI (independent supervisory authorities), Chapter VII (cooperation and consistency) and Chapter IX (specific data processing situations) if they are necessary to reconcile the right to the protection of personal data with the freedom of expression and information.
(3) Each Member State shall notify to the Commission the provisions of its law which it has adopted pursuant to paragraph 2 and, without delay, any subsequent amendment law or amendment affecting them.
Recitals
(153) In the law of the Member States, rules on freedom of expression and information, including by journalists, scientists, artists and/or writers, should be reconciled with the right to the protection of personal data under this Regulation. Derogations and exemptions from certain provisions of this Regulation should apply to the processing of personal data solely for journalistic purposes or for scientific, artistic or literary purposes, where this is necessary to reconcile the right to protection of personal data with the right to freedom of expression and information as guaranteed by Article 11 of the Charter. This should apply in particular to the processing of personal data in the audiovisual sector and in news and press archives. Member States should therefore adopt legislative measures regulating the derogations and exceptions necessary for the purpose of balancing these fundamental rights. Member States should adopt such derogations and exceptions in relation to the general principles, the rights of the data subject, the controller and processor, the transfer of personal data to third countries or to international organizations, the independent supervisory authorities, cooperation and consistency, and specific data processing situations. If these derogations or exceptions differ from one Member State to another, the law of the Member State to which the controller is subject should be applied. In order to take into account the importance of the right to freedom of expression in a democratic society, terms such as journalism that refer to this freedom must be interpreted broadly.
Article 86 Processing and public access to official documents
Personal data contained in official documents held by a public authority or a public body or by a private body for the performance of a task carried out in the public interest may be disclosed by the public authority or body in accordance with Union law or the law of the Member State to which the public authority or body is subject, in order to reconcile public access to official documents with the right to the protection of personal data under this Regulation.
Recitals
(154) This Regulation allows the principle of public access to official documents to be taken into account in its application. Public access to official documents can be considered as a public interest. Personal data contained in documents held by a public authority or a public body should be able to be publicly disclosed by that authority or body where provided for by Union law or by the law of the Member States to which it is subject. Such legislation should reconcile public access to official documents and the re-use of public sector information with the right to the protection of personal data and may therefore regulate the necessary consistency with the right to the protection of personal data under this Regulation. The reference to public authorities and public sector bodies in this context should include all public authorities or other bodies covered by the law of the relevant Member State on public access to documents. Directive 2003/98/EC of the European Parliament and of the Council (14) is without prejudice to, and in no way affects, the level of protection of individuals with regard to the processing of personal data under the provisions of Union and Member State law and, in particular, does not have the effect of modifying the rights and obligations set out in this Regulation. In particular, that Directive should not apply to documents to which access is prohibited or restricted under Member States’ access regimes for reasons of protection of personal data, or to parts of documents which are accessible under those regimes, where they contain personal data in respect of which legislation provides that their further use is incompatible with the law on the protection of individuals with regard to the processing of personal data.
Article 87 Processing of the national identification number
Member States may further specify the specific conditions under which a national identification number or other identifier of general application may be the subject of processing. In that case, the national identification number or other identifier of general application may only be used subject to appropriate safeguards for the rights and freedoms of the data subject under this Regulation.
Article 88 Data processing in the employment context
(1) Member States may, by law or by collective agreement, lay down more specific rules to ensure the protection of rights and freedoms with regard to the processing of personal data of employees in the employment context, in particular for the purposes of recruitment, performance of the employment contract, including the performance of obligations laid down by law or by collective agreement, management, planning and organization of work, equality and diversity at work, health and safety at work, protection of employers’ or clients’ property, as well as for purposes of claiming individual or collective rights and benefits related to employment and for purposes of termination of employment.
(2) These rules shall include appropriate and specific measures to safeguard human dignity, legitimate interests and fundamental rights of the data subject, in particular with regard to transparency of processing, transfer of personal data within a group of undertakings or a group of undertakings engaged in joint economic activity and workplace monitoring systems.
(3) Each Member State shall notify to the Commission by 25 May 2018 the provisions of law which it adopts pursuant to paragraph 1 and, without delay, any subsequent amendment affecting them.
Article 89 Safeguards and exemptions in relation to processing for archiving purposes in the public interest, scientific or historical research purposes and statistical purposes
(1) Processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes shall be subject to appropriate safeguards for the rights and freedoms of the data subject in accordance with this Regulation. Those safeguards shall ensure that technical and organizational measures are in place to ensure, in particular, respect for the principle of data minimization. These measures may include pseudonymization, where it is possible to fulfill these purposes in this way. In all cases where these purposes can be fulfilled by further processing in which the identification of data subjects is not or no longer possible, these purposes shall be fulfilled in this way.
(2) Where personal data are processed for scientific or historical research purposes or for statistical purposes, and subject to the conditions and safeguards referred to in paragraph 1 of this Article, Union or Member State law may provide for exceptions to the rights referred to in Articles 15, 16, 18 and 21 to the extent that those rights are likely to render impossible or seriously prejudice the achievement of the specific purposes and such exceptions are necessary for the achievement of those purposes.
(3) Where personal data are processed for archiving purposes in the public interest, and subject to the conditions and safeguards referred to in paragraph 1 of this Article, Union or Member State law may provide for exceptions to the rights referred to in Articles 15, 16, 18, 19, 20 and 21 to the extent that those rights are likely to render impossible or seriously prejudice the achievement of the specific purposes and such exceptions are necessary for the achievement of those purposes.
(4) If the processing referred to in paragraphs 2 and 3 serves another purpose at the same time, the exceptions shall apply only to the processing for the purposes referred to in those paragraphs.
Recitals
(156) The processing of personal data for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes should be subject to appropriate safeguards for the rights and freedoms of the data subject under this Regulation. Those safeguards should ensure that technical and organizational measures are in place to ensure, in particular, the principle of data minimization. Further processing of personal data for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes shall only take place after the controller has assessed the feasibility of fulfilling those purposes by processing personal data where the identification of data subjects is not or no longer possible, provided that appropriate safeguards are in place (such as the pseudonymization of personal data). Member States should provide appropriate safeguards in relation to the processing of personal data for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes. Member States should be allowed, under certain conditions and subject to appropriate safeguards for data subjects, to provide for clarifications and exemptions in relation to information requirements and the rights to rectification, erasure, to be forgotten, to restriction of processing, to data portability, and to object to the processing of personal data for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes. The conditions and safeguards in question may provide for specific procedures for the exercise of those rights by data subjects – where appropriate in view of the purposes pursued by the specific processing – and for technical and organizational measures to minimize the processing of personal data with regard to the principles of proportionality and necessity. The processing of personal data for scientific purposes should also comply with other relevant legislation, for example for clinical trials.
(157) By linking information from registries, researchers can gain new insights of great value regarding common diseases such as cardiovascular disease, cancer, and depression. The use of registries can yield better research results because they are based on a larger proportion of the population. In the social sciences, research using registries allows researchers to gain critical insights into the long-term association of a range of social circumstances, such as unemployment and education with other life circumstances. Research obtained through registries provides robust, high-quality evidence that can form the basis for the formulation and implementation of knowledge-based policies, improve the quality of life for large numbers of people, and improve the efficiency of social services. Therefore, in order to facilitate scientific research, personal data may be processed for scientific research purposes, subject to appropriate conditions and safeguards laid down in Union or Member State law.
(158) This Regulation should also apply to the processing of personal data for archiving purposes, noting that the Regulation should not apply to deceased persons. Public authorities or public or private bodies holding records of public interest should be under a legal obligation, in accordance with Union or Member State law, to acquire, preserve, evaluate, process, describe, communicate, promote, disseminate and provide access to records of enduring value for the general public interest. Member States should also be allowed to provide that personal data are further processed for archival purposes, for example, with a view to providing specific information related to political behavior under former totalitarian regimes, genocide, crimes against humanity, in particular the Holocaust, and war crimes.
(159) This Regulation should also apply to the processing of personal data for scientific research purposes. The processing of personal data for scientific research purposes within the meaning of this Regulation should be interpreted broadly to include processing for, for example, technological development and demonstration, fundamental research, applied research and privately funded research. In addition, it should take into account the objective of creating a European area of research as set out in Article 179(1) TFEU. The scientific research purposes should also include studies carried out in the public interest in the field of public health. In order to comply with the specificities of the processing of personal data for scientific research purposes, specific conditions should apply in particular as regards the publication or other disclosure of personal data in the context of scientific purposes. Where the results of scientific research, in particular in the area of public health, give rise to further measures in the interest of the data subject, the general rules of this Regulation should apply to those measures.
(160) This Regulation should also apply to the processing of personal data for historical research purposes. This should include historical research and research in the field of genealogy, noting that this Regulation should not apply to deceased persons.
(161) For the purposes of consent to participate in scientific research activities in the context of clinical trials, the relevant provisions of Regulation (EU) No 536/2014 of the European Parliament and of the Council (15) should apply.
(162) This Regulation should also apply to the processing of personal data for statistical purposes. Union or Member State law should determine, within the limits of this Regulation, the statistical content, access control, specifications for the processing of personal data for statistical purposes and appropriate measures to safeguard the rights and freedoms of data subjects and to ensure statistical confidentiality. The term “statistical purposes” means any operation of collection and processing of personal data necessary for the performance of statistical research and the production of statistical results. These statistical results may be further used for various purposes, including scientific research purposes. In the context of statistical purposes, it is understood that the results of processing for statistical purposes are not personal data, but aggregated data, and that these results or the personal data are not used for measures or decisions regarding individual natural persons.
(163) The confidential information collected by the Union and national statistical authorities for the production of official European statistics and official national statistics should be protected. European statistics should be developed, produced and disseminated in accordance with the statistical principles set out in Article 338(2) TFEU and national statistics should also comply with the law of the Member States. Regulation (EC) No 223/2009 of the European Parliament and of the Council (16) contains more detailed provisions on the confidentiality of European statistics.
Article 90 Confidentiality obligations
(1) Member States may regulate the powers of the supervisory authorities referred to in points (e) and (f) of Article 58(1) in relation to controllers or processors who are subject to professional secrecy or an equivalent obligation of confidentiality under Union or Member State law or under an obligation imposed by the competent national authorities, to the extent necessary and proportionate to reconcile the right to the protection of personal data with the obligation of confidentiality. These rules shall apply only in relation to personal data obtained or collected by the controller or processor in the course of an activity subject to such a duty of confidentiality.
(2) Each Member State shall notify the Commission by 25 May 2018 of the provisions it adopts pursuant to paragraph 1 and shall notify it without delay of any subsequent amendment affecting them.
Recitals
(164) With regard to the powers of supervisory authorities to obtain from the controller or processor access to personal data or to its premises, Member States may, within the limits of this Regulation, regulate by law the protection of professional secrecy or other equivalent duties of confidentiality to the extent necessary to reconcile the right to the protection of personal data with a duty of professional secrecy. This is without prejudice to the existing obligations of Member States to adopt rules on professional secrecy where required by Union law.
Article 91 Existing data protection rules of churches and religious associations or communities
(1) Where a church or a religious association or community in a Member State applies comprehensive rules on the protection of individuals with regard to processing at the time of the entry into force of this Regulation, those rules may continue to apply provided that they are brought into line with this Regulation.
(2) Churches and religious associations or communities that apply comprehensive data protection rules pursuant to paragraph 1 shall be subject to supervision by an independent supervisory authority, which may be of a specific nature, provided that it meets the conditions set forth in Chapter VI.
Recitals
(165) In accordance with Article 17 TFEU, this Regulation respects and does not prejudice the status under existing constitutional law of churches and religious associations or communities in the Member States.
Chapter X Delegated and implementing acts
Article 92 Exercise of delegation
(1) The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.
(2) The power to adopt delegated acts referred to in Articles 12(8) and 43(8) shall be conferred on the Commission for an indeterminate period of time from 24 May 2016.
(3) The delegation of power referred to in Articles 12(8) and 43(8) may be revoked at any time by the European Parliament or by the Council. The decision of revocation shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. The decision of revocation shall not affect the validity of any delegated acts already in force.
(4) As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.
(5) A delegated act adopted pursuant to Article 12(8) and Article 43(8) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of three months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. At the initiative of the European Parliament or the Council, that period shall be extended by three months.
Recitals
(166) In order to achieve the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons, and in particular their right to the protection of their personal data, and to ensure the free flow of personal data within the Union, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission. Delegated acts should be adopted in particular in relation to the criteria and requirements applicable to certification procedures, the information to be represented by standardized icons and the procedures for making those icons available. It is of particular importance that the Commission carry out appropriate consultations, including at expert level, as part of its preparatory work. The Commission, when preparing and drawing up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and to the Council.
(167) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission where provided for in this Regulation. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council. In this context, the Commission should consider specific measures for micro, small and medium-sized enterprises.
(170) Since the objective of this Regulation, namely to ensure an equivalent level of data protection for natural persons and the free flow of personal data in the Union, cannot be sufficiently achieved by the Member States but can rather, by reason of the scale or effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.
Article 93 Committee procedure
(1) The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.
(2) Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.
(3) Where reference is made to this paragraph, Article 8 of Regulation (EU) No 182/2011 shall apply in conjunction with Article 5 thereof.
Recitals
(168) The examination procedure should be applied for the adoption of implementing acts regarding standard contractual clauses for contracts between controllers and processors as well as between processors; codes of conduct; technical standards and procedures for certification; requirements for the adequacy of the level of data protection in a third country, a territory or a specific sector of that third country or in an international organization; standard safeguards; formats and procedures for the exchange of information between controllers, processors and supervisory authorities with regard to binding internal data protection rules; administrative assistance; and arrangements for the electronic exchange of information between supervisory authorities and between supervisory authorities and the Board.
Chapter XI Final Provisions
Article 94 Repeal of Directive 95/46/EC
(1) Directive 95/46/EC is repealed with effect from 25 May 2018.
(2) References to the repealed Directive shall be construed as references to this Regulation. References to the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Article 29 of Directive 95/46/EC shall be construed as references to the European Data Protection Board established by this Regulation.
Recitals
(171) Directive 95/46/EC should be repealed by this Regulation. Processing operations that have already started at the date of application of this Regulation should be brought in line with it within two years of the entry into force of this Regulation. Where the processing operations are based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give consent again if the nature of the consent already given complies with the conditions laid down in this Regulation, so that the controller may continue the processing after the date of application of this Regulation. Commission decisions or decisions based on Directive 95/46/EC and authorizations of supervisory authorities shall remain in force until they are amended, replaced or repealed.
Article 95 Relationship with Directive 2002/58/EC
This Regulation does not impose additional obligations on natural or legal persons with regard to processing in connection with the provision of publicly available electronic communications services in public communications networks in the Union to the extent that they are subject to specific obligations laid down in Directive 2002/58/EC which pursue the same objective.
Recitals
(173) This Regulation should apply to all matters concerning the protection of fundamental rights and freedoms with regard to the processing of personal data which are not subject to the obligations laid down in Directive 2002/58/EC of the European Parliament and of the Council (18), which pursue the same objective, including the obligations of the controller and the rights of natural persons. In order to clarify the relationship between this Regulation and Directive 2002/58/EC, that Directive should be amended accordingly. Once this Regulation is adopted, Directive 2002/58/EC should be subject to a review, in particular to ensure consistency with this Regulation.
Article 96 Relationship with previously concluded agreements
International agreements involving the transfer of personal data to third countries or international organizations concluded by Member States before 24 May 2016 and which are in conformity with Union law in force before that date shall remain in force until amended, replaced or terminated.
Article 97 Commission reports
(1) By 25 May 2020, and every four years thereafter, the Commission shall submit to the European Parliament and to the Council a report on the evaluation and review of this Regulation. The reports shall be made public.
(2) As part of the evaluations and reviews referred to in paragraph 1, the Commission shall examine in particular the application and operation of
a) Chapter V on the transfer of personal data to third countries or to international organizations, in particular with regard to the decisions adopted pursuant to Article 45(3) of this Regulation and the findings adopted pursuant to Article 25(6) of Directive 95/46/EC,
b) Chapter VII on cooperation and consistency.
(3) For the purpose referred to in paragraph 1, the Commission may request information from Member States and supervisory authorities.
(4) In the assessments and reviews referred to in paragraphs 1 and 2, the Commission shall take into account the views and findings of the European Parliament, the Council and other relevant bodies or sources.
(5) The Commission shall, if necessary, submit appropriate proposals to amend this Regulation, taking into account, in particular, developments in information technology and progress in the information society.
Recitals
(172) The EDPS was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 and issued an opinion on 7 March 2012 (17).
Article 98 Review of other Union acts on data protection
The Commission shall, where appropriate, submit legislative proposals to amend other Union acts relating to the protection of personal data in order to ensure consistent and coherent protection of natural persons with regard to the processing. This concerns in particular the rules on the protection of individuals with regard to the processing of such data by the Union institutions, bodies, offices and agencies and on the free movement of such data.
Article 99 Entry into force and application
(1) This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
(2) It shall apply from 25 May 2018.