I

(Legislative acts)

REGULATIONS

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016

on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

(Text with EEA relevance)

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

After consulting the European Economic and Social Committee (1),

After consulting the Committee of the Regions (2),

Acting in accordance with the ordinary legislative procedure (3),

Whereas:

(1) The protection of individuals with regard to the processing of personal data is a fundamental right. Article 8, paragraph 1, of the Charter of Fundamental Rights of the European Union (hereinafter referred to as the "Charter") and Article 16, paragraph 1, of the Treaty on the Functioning of the European Union provide that everyone has the right to the protection of personal data concerning him or her.

(2) The principles and rules on the protection of individuals with regard to the processing of their personal data should, whatever the nationality or residence of those individuals, respect their fundamental rights and freedoms, in particular their right to the protection of personal data. This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and convergence of the economies within the internal market, and to the well-being of individuals.

(3) Directive 95/46/EC of the European Parliament and of the Council (4) seeks to harmonize the protection of the fundamental rights and freedoms of individuals in respect of processing activities and to ensure the free flow of personal data between Member States.

(1) OJ C 229, 31.7.2012, p. 90.

(2) OJ C 391, 18.12.2012, p. 127.

(3) Position of the European Parliament of 12 March 2014 (not yet published in the Official Journal) and position of the Council at first reading of 8 April 2016 (not yet published in the Official Journal). Position of the European Parliament of 14 April 2016.

(4) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31).

(4) The processing of personal data should be designed to serve humanity. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognized in the Charter as enshrined in the Treaties, in particular respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, the freedom to conduct a business, the right to an effective remedy and to a fair trial,

(5) The economic and social integration resulting from the functioning of the internal market has led to a substantial increase in cross-border flows of personal data. The exchange of personal data between public and private actors, including individuals, associations and undertakings, has intensified across the Union. Union law calls on the national authorities of the Member States to cooperate and exchange personal data so as to be able to perform their duties or carry out tasks on behalf of an authority in another Member State.

(6) Rapid technological developments and globalization have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Individuals increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and their transfer to third countries and international organizations,

(7) Those developments require a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal market. Individuals should have control of their own personal data. Legal and practical certainty for individuals, economic operators and public authorities should be strengthened.

(8) Where this Regulation provides for specifications or restrictions of its rules by Member State law, Member States may, as far as necessary for coherence and for making the national provisions comprehensible to the persons to whom they apply, incorporate elements of this Regulation into their national law.

(9) The objectives and principles of Directive 95/46/EC remain sound, but it has not prevented fragmentation in the implementation of data protection across the Union, legal uncertainty or a widespread public perception that there are significant risks to the protection of individuals, in particular with regard to online activity. Differences in the level of protection of the rights and freedoms of individuals, in particular the right to the protection of personal data, with regard to the processing of personal data in the Member States may prevent the free flow of such data throughout the Union. Those differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law. Those differences in the level of protection are due to the existence of differences in the implementation and application of Directive 95/46/EC.

(10) In order to ensure a consistent and high level of protection of individuals and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of individuals with regard to the processing of such data should be equivalent in all Member States. Consistent and homogeneous application of the rules for the protection of the fundamental rights and freedoms of individuals with regard to the processing of personal data should therefore be ensured throughout the Union. Regarding the processing of personal data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation. In conjunction with the general and horizontal law on data protection implementing Directive 95/46/EC, Member States have several sector-specific laws in areas that need more specific provisions. This Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data (hereinafter referred to as "sensitive data"). To that extent, this Regulation does

(11) Effective protection of personal data throughout the Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data, as well as equivalent powers in the Member States for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for infringements.

(12) Article 16, paragraph 2, of the Treaty on the Functioning of the European Union mandates the European Parliament and the Council to lay down the rules relating to the protection of individuals with regard to the processing of personal data and the rules relating to the free movement of personal data.

effective cooperation between the supervisory authorities of different Member States. The proper functioning of the internal market requires that the free movement of personal data within the Union is not restricted or prohibited for reasons connected with the protection of individuals with regard to the processing of personal data. To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organizations with fewer than 250 employees with regard to record-keeping. In addition, the Union institutions and bodies, and the Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. The notion of micro, small and medium-sized enterprises should draw on Article 2 of the Annex to Recommendation 2003/361/EC (1).

(14) The protection afforded by this Regulation should apply to individuals, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of personal data which concerns legal persons, and in particular undertakings established as legal persons, including the name, legal form and address of the legal person.

(15) In order to prevent creating a serious risk of circumvention, the protection of individuals should be technologically neutral and should not depend on the techniques used. It should apply to the processing of personal data by automated means as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system. Files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation.

(16) This Regulation does not apply to issues of protection of fundamental rights and freedoms or the free flow of personal data related to activities which fall outside the scope of Union law, such as activities concerning national security. This Regulation does not apply to the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union.

(17) Regulation (EC) No 45/2001 of the European Parliament and of the Council (2) applies to the processing of personal data by the Union institutions, bodies and agencies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data should be adapted to the principles and rules established in this Regulation and applied in the light of this Regulation. In order to provide a strong and coherent data protection framework in the Union, the necessary adaptations of Regulation (EC) No 45/2001 should follow the adoption of this Regulation, so that they apply at the same time as this Regulation.

(18) This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of an address book, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.

(1) Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises [C(2003) 1422] (OJ L 124, 20.5.2003, p. 36).

(2) Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1).

(19) The protection of individuals with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, and the free movement of such data, is the subject of a specific Union legal act. This Regulation should therefore not apply to processing activities for those purposes. However, personal data processed by public authorities under this Regulation should, when used for those purposes, be governed by a more specific Union legal act, namely Directive (EU) 2016/680 of the European Parliament and of the Council (1). Member States may entrust competent authorities within the meaning of Directive (EU) 2016/680 with tasks which are not necessarily carried out for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, so that the processing of personal data for those other purposes, in so far as it falls within the scope of Union law, falls within the scope of this Regulation.

With regard to the processing of personal data by those competent authorities for purposes falling within the scope of this Regulation, Member States should be able to maintain or introduce more specific provisions to adapt the application of the rules of this Regulation. Such provisions may determine more precisely the specific requirements for the processing of personal data by those competent authorities for those other purposes, taking into account the constitutional, organizational and administrative structure of the Member State concerned. When the processing of personal data by private bodies falls within the scope of this Regulation, it should be possible for Member States, under specific conditions, to restrict by law certain obligations and rights when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard specific important interests, such as public security and the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. This is relevant, for instance, in the framework of the fight against money laundering or the activities of forensic laboratories.

(20) While this Regulation applies, among other things, to the activities of courts and other judicial authorities, Union or Member State law could specify the processing operations and processing procedures in relation to the processing of personal data by courts and other judicial authorities. The competence of the supervisory authorities should not cover the processing of personal data when courts are acting in their judicial capacity, in order to safeguard the independence of the judiciary in the performance of its judicial tasks, including decision-making. It should be possible to entrust supervision of such data processing operations to specific bodies within the

(21) This Regulation is without prejudice to the application of Directive 2000/31/EC of the European Parliament and of the Council (2), in particular the liability rules for intermediary service providers laid down in Articles 12 to 15 of that Directive. That Directive seeks to contribute to the proper functioning of the internal market by ensuring the free movement of information society services between Member States.

(22) Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.

(1) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (see page 89 of this Official Journal).

(2) Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market ("Directive on electronic commerce") (OJ L 178, 17.7.2000, p. 1).

(23) In order to ensure that individuals are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects, irrespective of whether a payment is required. In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States of the Union. Whereas the mere accessibility in the Union of the website of the controller, the processor or an intermediary, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such an intention, factors such as the use of a language or a currency generally used in one or more Member States, with the possibility of ordering goods and services in that language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller intends to

(24) The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behavior of such data subjects in so far as their behavior takes place within the Union. In order to determine whether a processing activity can be considered to monitor the behavior of data subjects, it should be ascertained whether individuals are tracked on the internet, including the potential subsequent use of personal data processing techniques which consist of profiling an individual, in particular in order to take decisions concerning or

(25) Where Member State law applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State's diplomatic mission or consular post.

(26) The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, and which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the technology available at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person, or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

(27) This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.

(28) The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data protection obligations. The explicit introduction of pseudonymisation in this Regulation is not intended to preclude any other measures of data protection.

(29) In order to create incentives to apply pseudonymisation when processing personal data, measures of pseudonymisation should, whilst allowing general analysis, be possible within the same controller when that controller has taken the technical and organizational measures necessary to ensure, for the processing concerned, that this Regulation is implemented, and that the additional information for attributing the personal data to a specific data subject is kept separately. The controller processing the personal data should indicate the authorized persons within the same controller.

(30) Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol (IP) addresses, cookie identifiers ("cookies") or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

(31) Public authorities to which personal data are disclosed in accordance with a legal obligation for the exercise of their official mission, such as tax and customs authorities, financial investigation units, independent administrative authorities, or financial market authorities responsible for the regulation and supervision of securities markets, should not be regarded as recipients if they receive personal data which are necessary to carry out a particular inquiry in the general interest, in accordance with Union or Member State law. The requests for disclosure sent by the public authorities should always be in writing, reasoned and occasional, and should not concern the entirety of a filing system or lead to the interconnection of filing systems. The processing of personal data by those public authorities should comply with the applicable data protection rules according to the purposes of the processing.

(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting a website, choosing technical settings for information society services, or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear and concise and must not unnecessarily disrupt the use of the service for which it is provided.

(33) It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognized ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.

(34) Genetic data should be defined as personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question, in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis, or from the analysis of another element enabling equivalent information to be obtained.

(35) Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health of the data subject. This includes information about the individual collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council (1) to that individual; a number, symbol or particular assigned to an individual to uniquely identify him or her for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject, independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.

(36) The main establishment of a controller in the Union should be the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union, in which case that other establishment should be considered to be the main establishment. The main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes and means of processing through stable arrangements. That criterion should not depend on whether the processing of personal data is carried out at that location. The presence and use of technical means and technologies for processing personal data, or processing activities, do not in themselves constitute a main establishment and are therefore not determining criteria for a main establishment. The main establishment of the processor should be the place of its central administration in the Union or, if it has no central administration in the Union, the place where the main processing activities take place in the Union. In cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment, but the supervisory authority of the processor should be considered to be a supervisory authority concerned and should participate in the cooperation procedure provided for by this Regulation. In any case, the supervisory authorities of the Member States where the processor has one or more establishments should not be considered to be supervisory authorities concerned where the draft decision concerns only the controller. Where the processing is carried out by a group of undertakings, the main establishment of the controlling undertaking should be considered to be the main establishment of the group of undertakings, except where the purposes and means of processing are determined by another undertaking.

(1) Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients' rights in cross-border healthcare (OJ L 88, 4.4.2011, p. 45).

(37) A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exert a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it, or the power to have personal data protection rules implemented. An undertaking which controls the processing of personal data in undertakings affiliated to it should be regarded, together with those undertakings, as a group of undertakings.

(38) Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and of their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles, and to the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counseling services offered directly to a child.

(39) Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed, and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing, and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of the personal data concerning them which are being processed. Natural persons should be made aware of the risks, rules, safeguards and rights in relation to the processing of personal data and of how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted.

 

(40) In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or of some other legitimate basis laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity of compliance with a legal obligation to which the controller is subject, or the necessity of performing a contract to which the data subject is party or of taking steps at the request of the data subject prior to entering into a contract.

 

(41) Where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise, and its application should be foreseeable to the persons subject to it, in accordance with the case-law of the Court of Justice of the European Union (hereinafter referred to as the "Court of Justice") and the European Court of Human Rights.

 

(42) Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular, in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that consent is given and of the extent to which it is given. In accordance with Directive 93/13/EEC (1), a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language, and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and of the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

 

(43) In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service,

 

(44) Processing should be lawful where it is necessary in the context of a contract or of the intention to enter into a contract.

 

(45) Where processing is carried out in accordance with a legal obligation to which the controller is subject, or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law. This Regulation does not require a specific law for each individual processing operation. A law may suffice as a basis for several processing operations based on a legal obligation to which the controller is subject, or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. It should also be for Union or Member State law to determine the purpose of the processing. Furthermore, that law could specify the general conditions of this Regulation governing the lawfulness of personal data processing, establish specifications for determining the controller, the type of personal data which are subject to the processing, the data subjects concerned, the entities to which the personal data may be disclosed, the purpose limitations, the storage period and other measures to ensure lawful and fair processing. It should also be for Union or Member State law to determine whether the controller performing a task

 

(46) The processing of personal data should also be regarded as lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot manifestly be based on another legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject, as for instance where processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread, or in situations of humanitarian emergency, in particular natural and man-made disasters.

(1) Directive 93/13/EEC of 5 April 1993 on unfair terms in contracts concluded with consumers (OJ L 95, 21.4.1993, p. 29).

 

(47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such a legitimate interest could exist, for example, where there is a relevant and appropriate relationship between the data subject and the controller, in situations such as where the data subject is a client of, or in the service of, the controller. In any event, the existence of a legitimate interest would need careful assessment, including whether a data subject can reasonably expect, at the time and in the context of the collection of the personal data, that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

 

(48) Controllers that are part of a group of undertakings or of institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients' or employees' personal data. The general principles for the transfer of personal data, within a group of undertakings, to an undertaking located in a third country remain unaffected.

 

providers of electronic communications networks and services, and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and the distribution of malicious code, and stopping "denial of service" attacks and damage to computer and electronic communication systems.

 

(50) The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required. If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union or Member State law may determine and specify the tasks and purposes for which the further processing should be regarded as compatible and lawful. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered to be a compatible lawful processing operation. The legal basis provided by Union or Member State law for the processing of personal data may also provide a legal basis for further processing. In order to ascertain whether a purpose of further processing is compatible with the purpose for which the personal data were initially collected, the controller, after having met all the requirements for the lawfulness of the original processing, should take into account, inter alia: any link between those purposes and the purposes of the intended further processing; the context in which the personal data have been collected, in particular the reasonable expectations of data subjects, based on their relationship with the controller, as to the further use of those data; the nature of the personal data; the consequences of the intended further processing for data subjects; and the existence of appropriate safeguards in both the original and the intended further processing operations.

 

Where the data subject has given consent, or where the processing is based on Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard, in particular, important objectives of general public interest, the controller should be allowed to further process the personal data irrespective of the compatibility of the purposes. In any case, the application of the principles set out in this Regulation and, in particular, the information of the data subject on those other purposes and on his or her rights, including the right to object, should be ensured. Indicating possible criminal acts or threats to public security by the controller, and transmitting the relevant personal data in individual cases or in several cases relating to the same criminal act or threats to public security to a competent authority, should be regarded as being in the legitimate interest pursued by the controller. However, such transmission in the legitimate interest of the controller, or further processing of personal data, should be prohibited if the processing is not compatible with a legal, professional or other binding obligation of secrecy.

 

(51) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection, as the context of their processing could create significant risks to those rights and freedoms. Those personal data should include personal data revealing racial or ethnic origin, whereby the use of the term "racial origin" in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races. The processing of photographs should not systematically be considered to be processing of special categories of personal data, as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person. Such personal data should not be processed unless processing is allowed in the specific cases set out in this Regulation, taking into account that Member State law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition on processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs, in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.

 

(52) Derogating from the prohibition on processing special categories of personal data should also be allowed when provided for in Union or Member State law and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where it is in the public interest to do so, in particular for processing personal data in the field of employment law and social protection law, including pensions, and for health security, monitoring and alert purposes, the prevention or control of communicable diseases and other serious threats to health. Such a derogation may be made for health purposes, including public health and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. A derogation should also allow the processing of such personal data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.

 

(53) Special categories of personal data which merit higher protection should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social care services and systems, including the processing of such data by the management and central national health authorities for the purposes of quality control, management information and the general national and local supervision of the health or social care system, and of ensuring continuity of health or social care and cross-border healthcare, or for health security, monitoring and alert purposes, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, on the basis of Union or Member State law which has to meet an objective of public interest, as well as for studies conducted in the public interest in the area of public health. This Regulation should therefore provide for harmonised conditions for the processing of special categories of personal data concerning health, in respect of specific needs, in particular where the processing of such data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy. Union or Member State law should provide for specific and suitable measures so as to protect the fundamental rights and the personal data of natural persons. Member States should be allowed to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. However, this should not hamper the free flow of personal data within the Union where those conditions apply to cross-border processing of such data.

 

(54) The processing of special categories of personal data may be necessary for reasons of public interest in the area of public health without the consent of the data subject. Such processing should be subject to suitable and specific measures so as to protect the rights and freedoms of natural persons. In that context, "public health" should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council (1), namely all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care, as well as health care expenditure and financing, and the causes of mortality. Such processing of data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties such as employers or insurance and banking companies.

 

(55) Moreover, the processing of personal data by official authorities for the purpose of achieving the aims, laid down by constitutional law or by international public law, of officially recognised religious associations is carried out on grounds of public interest.

 

(56) Where, in the course of electoral activities, the operation of the democratic system in a Member State requires that political parties compile personal data on people's political opinions, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are established.

 

(57) If the personal data processed by a controller do not permit the controller to identify a natural person, the controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with a provision of this Regulation. However, the controller should not refuse to take additional information provided by the data subject in order to support the exercise of his or her rights. Identification should include the digital identification of a data subject, for example through an authentication mechanism such as the same credentials used by the data subject to log in to the online service offered by the controller.

 

(58) The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Such information could be provided in electronic form, for example through a website when addressed to the public. This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising. Children deserve specific protection,

 

(59) Modalities should be provided for facilitating the exercise of the data subject's rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month, and to give reasons for its response where

 

(1) Regulation (EC) No 1338/2008 of the European Parliament and of the Council of 16 December 2008 on Community statistics on public health and health and safety at work (OJ L 354, 31.12.2008, p. 70).

 

(60) The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and of its consequences. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences where he or she does not provide such data. That information may be provided in combination with standardised icons in order to give, in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.

 

(61) The information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case. Where personal data can legitimately be disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to that recipient. Where the controller intends to process the personal data for a purpose other than that for which they were collected, the controller should, prior to that further processing, provide the data subject with information on that other purpose and any other necessary information. Where the origin of the personal data cannot be provided to the data subject because various sources have been used, general information should be provided.

 

(62) However, it is not necessary to impose the obligation to provide information where the data subject already possesses the information, where the recording or disclosure of the personal data is expressly laid down by law, or where the provision of information to the data subject proves to be impossible or would involve a disproportionate effort. The latter could in particular be the case where processing is carried out for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. In that regard, the number of data subjects, the age of the data and any appropriate safeguards adopted should be taken into consideration.

 

(63) A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. This includes the right of data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided. Every data subject should therefore have the right to know and obtain communication, in particular, of the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic processing of personal data and, at least when based on profiling, the consequences of such processing. Where possible, the controller should be able to provide remote access to a secure system which would give the data subject direct access to his or her personal data. That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting software. However, the result of those considerations should not be a refusal to provide any information to the data subject.

 

(64) The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.

 

(65) A data subject should have the right to have personal data concerning him or her rectified and a "right to be forgotten" where the retention of such data infringes this Regulation or Union or Member State law to which the controller is subject. In particular, a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, where a data subject has withdrawn his or her consent to the processing or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation. That right is relevant in particular where the data subject gave his or her consent as a child and was not fully aware of the risks involved in the processing, and later wants to remove such personal data, especially on the internet. The data subject should be able to exercise that right notwithstanding the fact that he or she is no longer a child.
However, the further retention of the personal data should be lawful where it is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.

 

(66) To strengthen the "right to be forgotten" in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public is obliged to inform the controllers which are processing such personal data that they should erase any links to, or copies or replications of, those personal data. In doing so, that controller should take reasonable steps, taking into account available technology and the means available to it, including technical measures, to inform the controllers which are processing the personal data of the data subject's request.

 

(67) Methods by which to restrict the processing of personal data could include, inter alia, temporarily moving the selected data to another processing system, making the selected personal data unavailable to users, or temporarily removing published data from a website. In automated filing systems, the restriction of processing should in principle be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed. The fact that the processing of personal data is restricted should be clearly indicated in the system.

 

(68) To further strengthen the control over his or her own data, where the processing of personal data is carried out by automated means the data subject should also be allowed to receive the personal data concerning him or her which he or she has provided to a controller in a structured, commonly used, machine-readable and interoperable format, and to transmit them to another controller. Controllers should be encouraged to develop interoperable formats that enable data portability. That right should apply where the data subject provided the personal data on the basis of his or her consent or where the processing is necessary for the performance of a contract. It should not apply where processing is based on a legal ground other than consent or contract. By its very nature, that right should not be exercised against controllers processing personal data in the exercise of their public duties. It should therefore not apply where the processing of the personal data is necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The data subject's right to transmit or receive personal data concerning him or her should not create an obligation for controllers to adopt or maintain processing systems which are technically compatible. Where, in a certain set of personal data, more than one data subject is concerned, the right to receive the personal data should be without prejudice to the rights and freedoms of other data subjects in accordance with this Regulation. Furthermore, that right should not prejudice the right of the data subject to obtain the erasure of personal data or the limitations of that right as set out in this Regulation, and should, in particular, not imply the erasure of personal data concerning the data subject which have been provided by him or her for the performance of a contract, to the extent that and for as long as the personal data are necessary for the performance of that contract.
Where technically feasible, the data subject should have the right to have the personal data transmitted directly from one controller to another.

 

(69) Where personal data may lawfully be processed because the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or on grounds of the legitimate interests of the controller or of a third party, the data subject should nevertheless have the right to object to the processing of any personal data relating to his or her particular situation. It should be for the controller to demonstrate that its compelling legitimate interests override the interests or the fundamental rights and freedoms of the data subject.

(70) Where personal data are processed for marketing purposes, the data subject should have the right, at any time and free of charge, to object to such processing, including profiling to the extent that it is related to such marketing, whether with regard to initial or further processing. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.

(71) The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as the automatic refusal of an online credit application or online recruitment practices without any human intervention. Such processing includes "profiling", which consists of any form of automated processing of personal data evaluating personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, or location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her. However, decision-making based on such processing, including profiling, should be allowed where it is expressly authorised by Union law or Member State law to which the controller is subject, including for the purposes of monitoring and preventing fraud and tax evasion in accordance with the regulations, standards and recommendations of Union institutions and national supervisory bodies, and to ensure the security and reliability of a service provided by the controller, or where it is necessary for the conclusion or performance of a contract between the data subject and the controller, or where the data subject has given his or her explicit consent. In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such an assessment and to challenge the decision. Such a measure should not concern a child.

against natural persons on the basis of racial or ethnic origin, political opinions, religion or beliefs, trade union membership, genetic or health status, or sexual orientation, or that result in measures having such an effect. Automated decision-making and profiling based on special categories of personal data should be allowed only under specific conditions.

(72) Profiling is subject to the rules of this Regulation governing the processing of personal data, such as the legal grounds for processing or the data protection principles. The European Committee for data protection established by this Regulation (hereinafter "the Committee") should be able to issue guidance in that context.

including social protection, public health and humanitarian purposes. Those restrictions should be in accordance with the requirements set out in the Charter and in the European Convention for the Protection of Human Rights and Fundamental Freedoms.

(74) The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller's behalf should be established. In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.

(75) The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where the processing concerns personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, or genetic data, data concerning health, data concerning sex life, or data relating to criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular by analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, or location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where the processing involves a large amount of personal data and affects a large number of data subjects.

(76) The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment which establishes whether the data processing operations involve a risk or a high risk.

(77) Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the processor with this Regulation, especially as regards the identification of the risk related to the processing, its assessment in terms of origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk, could be provided in particular by means of approved codes of conduct, approved certifications, guidelines issued by the Committee or indications provided by a data protection officer. The Committee may also issue guidelines on processing operations that are considered unlikely to

(78) The protection of the rights and freedoms of natural persons with regard to the processing of personal data requires that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, ensuring transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, and enabling the controller to create and improve security features. When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their functions, product manufacturers, service providers and application producers should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into consideration in the context of public procurement.

(79) The protection of the rights and freedoms of data subjects, as well as the responsibility and liability of controllers and processors, including in relation to the monitoring by and measures of supervisory authorities, requires a clear allocation of responsibilities under this Regulation, including where a controller determines the purposes and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller.

cause a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing, or if the controller is a public authority or body. The representative should act on behalf of the controller or the processor and may be addressed by any supervisory authority. The representative should be explicitly designated by a written mandate of the controller or of the processor to act on its behalf with regard to its obligations under this Regulation. The designation of such a representative does not affect the responsibility or liability of the controller or of the processor under this Regulation. Such a representative should perform its tasks according to the mandate received from the controller or the processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation. The designated representative should be subject to enforcement proceedings in the event of non-compliance with this Regulation by the controller or the processor.

(81) To ensure compliance with the requirements of this Regulation in respect of processing carried out by a processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing. The adherence of a processor to an approved code of conduct or an approved certification mechanism may be used to demonstrate compliance with the obligations of the controller. The carrying out of processing by a processor should be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller, setting out the subject matter and duration of the processing, the nature and purposes of the processing, the type of personal data and the categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk to the rights and freedoms of the data subject. The controller and the processor may choose to use an individual contract or standard contractual clauses which are adopted either directly by the Commission or by a supervisory authority in accordance with the consistency mechanism and then by the Commission. After the completion of the processing on behalf of the controller, the processor should, at the choice of the controller, return or delete the personal data, unless Union or Member State law to which the processor is subject requires the personal data to be retained.

(82) In order to demonstrate compliance with this Regulation, the controller or the processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records available to it on request, so that they may serve for monitoring those processing operations.

(83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or the processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks presented by the processing of personal data, such as the destruction, loss or alteration, or unauthorised disclosure of personal data transmitted,

(84) In order to enhance compliance with this Regulation where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the controller should be responsible for carrying out a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk. The outcome of that assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data complies with this Regulation. When the analysis of

(85) A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to the natural persons concerned, such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy, or any other significant economic or social disadvantage. Therefore, as soon as the controller becomes aware that a personal data breach has occurred, it should notify the breach to the supervisory authority as soon as possible and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the breach in question is unlikely to result in a risk to the rights and freedoms of natural persons. Where such notification cannot be made within that period of 72 hours, the notification should be accompanied by the reasons for the delay, and the information may be provided in phases without undue further delay.

(86) The controller should communicate a personal data breach to the data subject without undue delay where that breach is likely to result in a high risk to the rights and freedoms of the natural person, in order to allow him or her to take the necessary precautions. The communication should describe the nature of the personal data breach and contain recommendations for the natural person concerned to mitigate potential adverse effects. Such communications to data subjects should be made as soon as reasonably feasible and in close cooperation with the supervisory authority, respecting guidance provided by it or by other relevant authorities such as law enforcement authorities. For example, the need to mitigate an immediate risk of damage would call for prompt communication with data subjects, whereas the need to implement appropriate measures against continuing or similar personal data breaches may justify more time for communication.

(87) It should be ascertained whether all appropriate technological and organisational protection measures have been implemented to establish immediately whether a personal data breach has taken place and to inform the supervisory authority and the data subject promptly. The fact that the notification was made in a timely manner should be established taking into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects for the data subject. Such notification may result in an intervention of the supervisory authority in accordance with its tasks and powers laid down in this Regulation.

(88) In setting detailed rules concerning the format and procedures applicable to the notification of personal data breaches, due consideration should be given to the circumstances of the breach, including whether or not the personal data had been protected by appropriate technical protection measures effectively limiting the likelihood of identity fraud or other forms of misuse. Moreover, such rules and procedures should take into account the legitimate interests of law enforcement authorities where early disclosure could unnecessarily hamper the investigation of the circumstances of a personal data breach.

(89) Directive 95/46/EC provided for a general obligation to notify the processing of personal data to the supervisory authorities. That obligation creates administrative and financial burdens without having systematically contributed to improving the protection of personal data. Such indiscriminate general notification obligations should therefore be abolished and replaced by effective procedures and mechanisms which focus instead on those types of processing operations which are likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purposes. Such types of processing operations may include those which,

(90) In such cases, a data protection impact assessment should be carried out by the controller prior to the processing in order to assess the particular likelihood and severity of the high risk, taking into account the nature, scope, context and purposes of the processing and the sources of the risk. That impact assessment should include, in particular, the measures, safeguards and mechanisms envisaged for mitigating that risk, ensuring the protection of personal data and demonstrating compliance with this Regulation.

(91) This should in particular apply to large-scale processing operations which aim to process a considerable amount of personal data at regional, national or supranational level, which could affect a large number of data subjects and which are likely to result in a high risk, for example on account of their sensitivity, or where, in accordance with the achieved state of technological knowledge, a new technique is applied on a large scale, as well as to other processing operations which result in a high risk to the rights and freedoms of data subjects, in particular where, because of those operations,

it is more difficult for them to exercise their rights. A data protection impact assessment should also be carried out where personal data are processed for taking decisions regarding specific natural persons following a systematic and extensive evaluation of personal aspects relating to natural persons based on profiling those data, or following the processing of special categories of personal data, biometric data, or data relating to criminal convictions and offences or related security measures. A data protection impact assessment is equally required for large-scale monitoring of publicly accessible areas, especially when optoelectronic devices are used, or for any other operation for which the supervisory authority considers that the processing is likely to result in a high risk to the rights and freedoms of data subjects, in particular because it prevents those persons from exercising a right or using a service or a contract, or because it is carried out systematically on a large scale. The processing of personal data should not be considered to be on a large scale if it concerns personal data of patients or clients processed by an individual physician, another health care professional or a lawyer practising individually. In such cases, an analysis of

(92) There are circumstances under which it may be reasonable and economical for the subject of a data protection impact assessment to be broader than a single project, for example where public authorities or bodies intend to establish a common application or processing platform, or where several controllers plan to introduce a common application or processing environment across an entire industry sector or segment, or for a widely used cross-sector activity.

(93) In the context of the adoption of the Member State law on which the performance of the tasks of the public authority or public body concerned is based and which regulates the specific processing operation or set of operations in question, Member States may deem it necessary to carry out such an assessment prior to the processing activities.

(94) Where a data protection impact assessment indicates that the processing would, in the absence of safeguards, security measures and mechanisms to mitigate the risk, result in a high risk to the rights and freedoms of natural persons, and the controller is of the opinion that the risk cannot be mitigated by reasonable means in terms of available technologies and costs of implementation, the supervisory authority should be consulted prior to the start of processing activities. Such a high risk is likely to result from certain types of processing and from the extent and frequency of processing, which may also result in damage to, or interference with, the rights and freedoms of a natural person. The supervisory authority should respond to the request for consultation within a specified period. However, the absence of a reaction from the supervisory authority within that period should be without prejudice to any intervention of the supervisory authority in accordance with its tasks and powers laid down in this Regulation, including the power to prohibit processing operations. As part of that consultation process, the outcome of a data protection impact assessment carried out with regard to the processing at issue may be submitted to the supervisory authority, in particular the measures envisaged to mitigate the risk to the rights and freedoms of natural persons.

(95) The processor should assist the controller, where necessary and upon request, in ensuring compliance with the obligations deriving from the carrying out of data protection impact assessments and from prior consultation of the supervisory authority.

(96) The supervisory authority should also be consulted in the course of the preparation of a legislative or regulatory measure which provides for the processing of personal data, in order to ensure that the intended processing complies with this Regulation and, in particular, to mitigate the risk involved for the data subject.

a person with expert knowledge of data protection law and practices should assist the controller or the processor in monitoring internal compliance with this Regulation. In the private sector, the core activities of a controller relate to its primary activities and do not relate to the processing of personal data as an ancillary activity. The necessary level of expert knowledge should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor. Such data protection officers, whether or not they are employees of the controller, should be in a position to perform their duties and tasks in an independent manner.

(98) Associations or other bodies representing categories of controllers or processors should be encouraged to draw up codes of conduct, within the limits of this Regulation, so as to facilitate its effective application, taking account of the specific characteristics of the processing carried out in certain sectors and the specific needs of micro, small and medium-sized enterprises. In particular, such codes of conduct could calibrate the obligations of controllers and processors, taking into account the risk likely to result from the processing for the rights and freedoms of natural persons.

(99) When drawing up a code of conduct, or when amending or extending such a code, associations and other bodies representing categories of controllers or processors should consult relevant stakeholders, including data subjects where feasible, and have regard to submissions received and views expressed in response to such consultations.

(100) In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms and data protection seals and marks should be encouraged, allowing data subjects to quickly assess the level of data protection offered by the relevant products and services.

(101) Flows of personal data to and from countries outside the Union and international organisations are necessary for the expansion of international trade and international cooperation. The increase in such flows has raised new challenges and concerns with regard to the protection of personal data. However, when personal data are transferred from the Union to controllers, processors or other recipients in third countries or to international organisations, the level of protection of natural persons ensured in the Union by this Regulation should not be undermined, including in cases of onward transfers of personal data from the third country or international organisation to controllers or processors in the same or another third country or international organisation. In any event, transfers to third countries and international organisations may only be carried out in full compliance with this Regulation. A transfer could take place only if, subject to the other provisions of this Regulation, the provisions of this Regulation relating to the transfer of personal data to third countries or international organisations are complied with by the controller or the processor.

(102) This Regulation is without prejudice to international agreements concluded between the Union and third countries regulating the transfer of personal data and including appropriate safeguards for the data subjects. Member States may conclude international agreements which involve the transfer of personal data to third countries or international organisations, as far as such agreements do not affect this Regulation or any other provision of Union law and include an appropriate level of protection for the fundamental rights of the data subjects.

(103) The Commission may decide, with effect for the entire Union, that a third country, a territory or specified sector within a third country, or an international organisation offers an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third country or international organisation which is considered to provide such a level of protection. In such cases, transfers of personal data to that third country or international organisation may take place without the need to obtain any further authorisation. The Commission may also decide, having given notice and a full statement of reasons to the third country or international organisation, to revoke such a decision.

(104) In line with the fundamental values on which the Union is founded, in particular the protection of human rights, the Commission should, in its assessment of a third country, or of a territory or specified sector within a third country, take into account how that third country respects the rule of law, guarantees access to justice and observes international human rights norms and standards, as well as its general and sectoral law, including legislation concerning public security, defence and national security and public order and criminal law. The adoption of an adequacy decision with regard to a territory or a specified sector in a third country should take into account clear and objective criteria, such as specific processing activities and the scope of the applicable legal standards and legislation in force in the third country. The third country should offer guarantees ensuring an adequate level of protection essentially equivalent to that ensured within the Union, in particular

when personal data are processed in one or more specific areas. Specifically, the third country should ensure effective independent monitoring of data protection and provide for cooperation mechanisms with the data protection authorities of the Member States and the persons concerned should be granted effective and enforceable rights and the effective opportunities to administrative and judicial redress.

 

(105) Apart from the international commitments the third country or international organization has entered into, the Commission should take account of the obligations arising from the third country's or international organization's participation in multilateral or regional systems, in particular in relation to the protection of personal data, as well as the implementation of such obligations. In particular, the third country's accession to the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to the Automatic Processing of Personal Data and its Additional Protocol should be taken into account. The Commission should consult the Committee when assessing the level of protection in third countries or international organizations.

 

(106) The Commission should monitor the functioning of decisions on the level of protection in a third country, a territory or specified sector within a third country, or an international organization, and monitor the functioning of decisions adopted on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC. In its adequacy decisions, the Commission should provide for a periodic review mechanism of their functioning. That periodic review should be conducted in consultation with the third country or international organization in question and take into account all relevant developments in the third country or international organization. For the purposes of monitoring and of carrying out the periodic reviews, the Commission should take into consideration the views and findings of the European Parliament and of the Council as well as of other relevant bodies and sources. The Commission should evaluate, within a reasonable time, the functioning of those decisions and report any relevant findings to the committee within the meaning of Regulation (EU) No 182/2011 of the European Parliament and of the Council (1) as established under this Regulation, to the European Parliament and to the Council.

 

(107) The Commission may find that a third country, a territory or a specified sector within a third country, or an international organization does not ensure an adequate level of data protection. Consequently, the transfer of personal data to that third country or international organization should be prohibited, unless the requirements of this Regulation relating to transfers subject to appropriate safeguards, including binding corporate rules, and to derogations for specific situations are fulfilled. In that case, provision should be made for consultations between the Commission and the third country or international organization in question. The Commission should, in a timely manner, inform the third country or

 

(108) In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorized by a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including the right to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country. They should relate in particular to compliance with the general principles relating to the processing of personal data and the principles of data protection by design and by default. Transfers may also be carried out by public authorities or bodies with public authorities or bodies in third countries or with international organizations with corresponding duties or functions, including on the basis of provisions to be inserted into administrative arrangements, such as a memorandum of understanding, providing for enforceable and effective rights for data subjects. Authorization by the competent supervisory authority should be obtained when the safeguards are provided in administrative arrangements that are not legally binding.

 

(109) The possibility for controllers or processors to use standard data protection clauses adopted by the Commission or by a supervisory authority should prevent them neither from including those clauses in a wider contract, such as a contract between the processor and another processor, nor from adding other clauses or additional safeguards, provided that these do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority and do not prejudice the fundamental rights or freedoms of the data subjects. Controllers and processors should be encouraged to provide additional safeguards through contractual commitments that supplement the standard protection clauses.

(1) Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission's exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).

 

(110) A group of undertakings, or a group of enterprises engaged in a joint economic activity, should be able to make use of approved binding corporate rules for its international transfers from the Union to organizations within the same group of undertakings, or group of enterprises engaged in a joint economic activity, provided that such corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.

 

(111) Provision should be made for the possibility of transfers in certain circumstances where the data subject has given his or her explicit consent, where the transfer is occasional and necessary in relation to a contract or a legal claim, regardless of whether in a judicial procedure or in an administrative or any out-of-court procedure, including procedures before regulatory bodies. Provision should also be made for the possibility of transfers where important grounds of public interest laid down by Union or Member State law so require, or where the transfer is made from a register established by law and intended for consultation by the public or by persons having a legitimate interest. In the latter case,

 

(112) Those derogations should in particular apply to data transfers required and necessary for important reasons of public interest, for example in cases of international data exchange between competition authorities, tax or customs administrations, between financial supervisory authorities, between services competent for social security matters, or for public health, for example in the case of contact tracing for contagious diseases or in order to reduce and/or eliminate doping in sport. A transfer of personal data should also be regarded as lawful where it is necessary to protect an interest which is essential for the vital interests, including physical integrity or life, of the data subject or of another person, if the data subject is incapable of giving consent. In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits on the transfer of specific categories of data to a third country or an international organization. Member States should notify such provisions to the Commission. Any transfer to an international humanitarian organization of personal data of a data subject who is physically or legally incapable of giving consent, in order to

 

(113) Transfers which can be qualified as not repetitive and that concern only a limited number of data subjects could also be possible for the purposes of the compelling legitimate interests pursued by the controller, when those interests are not overridden by the interests or rights and freedoms of the data subject and when the controller has assessed all the circumstances surrounding the data transfer. The controller should give particular consideration to the nature of the personal data, the purpose and duration of the proposed processing operation or operations, as well as the situation in the country of origin, the third country and the country of final destination, and should provide suitable safeguards to protect the fundamental rights and freedoms of natural persons with regard to the processing of their personal data. Such transfers should be possible only in residual cases where none of the other grounds for transfer is applicable. For scientific or historical research purposes or statistical purposes, the legitimate expectations of society for an increase in knowledge should be taken into consideration. The controller should inform the supervisory authority and the data subject about the transfer.

 

(114) In any case, where the Commission has taken no decision on the adequacy of the level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with enforceable and effective rights as regards the processing of their data in the Union once those data have been transferred, so that they continue to benefit from fundamental rights and safeguards.

 

(115) Some third countries adopt laws, regulations and other legal acts which purport to directly regulate the processing activities of natural and legal persons under the jurisdiction of the Member States. This may include judgments of courts or decisions of administrative authorities in third countries requiring a controller or processor to transfer or disclose personal data, which are not based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State. The extraterritorial application of those laws, regulations and other legal acts may be in breach of international law and may impede the protection of natural persons ensured in the Union by this Regulation. Transfers should only be allowed where the conditions laid down by this Regulation for transfers to third countries are met. This may be the case, inter alia, where disclosure is necessary for an important ground of public interest recognized in Union or Member State law to which the controller is subject.

 

(116) When personal data move across the external borders of the Union, this may put at increased risk the ability of natural persons to exercise their data protection rights, in particular to protect themselves from the unlawful use or disclosure of that information. At the same time, supervisory authorities may find that they are unable to pursue complaints or conduct investigations relating to activities outside their borders. Their efforts to work together in the cross-border context may also be hampered by insufficient preventive or remedial powers, inconsistent legal regimes and practical obstacles such as resource constraints. Therefore, there is a need to promote closer cooperation among data protection supervisory authorities to help them exchange information and carry out investigations with their international counterparts. For the purposes of developing international cooperation mechanisms to facilitate and provide international mutual assistance for the enforcement of legislation for the protection of personal data, the Commission and the supervisory authorities should exchange information and cooperate in activities related to the exercise of their powers with the competent authorities in third countries, on a reciprocal basis and in accordance with this Regulation.

 

(117) The establishment of supervisory authorities in the Member States, empowered to perform their tasks and exercise their powers with complete independence, is an essential component of the protection of natural persons with regard to the processing of their personal data. Member States should be able to establish more than one supervisory authority, to reflect their constitutional, organizational and administrative structure.

 

(118) The independence of supervisory authorities should not mean that they cannot be subject to control or monitoring mechanisms regarding their financial expenditure, or to judicial review.

 

(119) Where a Member State establishes several supervisory authorities, it should establish by law mechanisms for ensuring the effective participation of those supervisory authorities in the consistency mechanism. That Member State should in particular designate the supervisory authority which functions as a single contact point for the effective participation of those authorities in the mechanism, to ensure swift and smooth cooperation with other supervisory authorities, the Committee and the Commission.

 

(120) Each supervisory authority should be provided with the financial and human resources, premises and infrastructure necessary for the effective performance of its tasks, including those related to mutual assistance and cooperation with other supervisory authorities throughout the Union. Each supervisory authority should have a separate, public annual budget, which may be part of the overall national or federal budget.

 

(121) The general conditions for the member or members of the supervisory authority should be laid down by law in each Member State and should in particular provide that those members are to be appointed, by means of a transparent procedure, either by the parliament, the government or the head of State of the Member State on the basis of a proposal from the government, a member of the government, the parliament or a chamber of the parliament, or by an independent body entrusted with the appointment under Member State law. In order to ensure the independence of the supervisory authority, the member or members should act with integrity, refrain from any action that is incompatible with their duties and should not, during their term of office, engage in any incompatible occupation, whether gainful or not.

 

(122) Each supervisory authority should be competent on the territory of its own Member State to exercise the powers and to perform the tasks conferred on it in accordance with this Regulation. This should cover in particular the processing in the context of the activities of an establishment of the controller or processor on the territory of its own Member State, the processing of personal data carried out by public authorities or private bodies acting in the public interest, processing affecting data subjects on its territory, or processing carried out by a controller or processor not established in the Union where it concerns data subjects residing on its territory. This should include handling complaints lodged by data subjects, conducting investigations on the application of this Regulation and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data.

 

(123) The supervisory authorities should monitor the application of the provisions of this Regulation and contribute to its consistent application throughout the Union, in order to protect natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the internal market. For that purpose, the supervisory authorities should cooperate with each other and with the Commission, without the need for any agreement between Member States on the provision of mutual assistance or on such cooperation.

 

It should cooperate with the other supervisory authorities concerned where the controller or processor has an establishment on the territory of their Member State, where data subjects residing on their territory are substantially affected, or where a complaint has been lodged with them. Furthermore, where a data subject not residing in that Member State has lodged a complaint, the supervisory authority with which the complaint was lodged should also be a supervisory authority concerned. Within its task of issuing guidelines on any question concerning the application of this Regulation, the Committee should be able to issue guidelines in particular

 

(125) The lead supervisory authority should be competent to adopt binding decisions regarding measures applying the powers conferred on it in accordance with this Regulation. In its capacity as lead authority, the supervisory authority should closely involve the supervisory authorities concerned in the decision-making process and ensure close coordination in that context. Where the decision is to reject the complaint lodged by the data subject in whole or in part, that decision should be adopted by the supervisory authority with which the complaint was lodged.

 

(126) The decision should be agreed jointly by the lead supervisory authority and the supervisory authorities concerned, should be addressed to the main or single establishment of the controller or processor and should be binding on the controller and processor. The controller or processor should take the necessary measures to ensure compliance with this Regulation and the implementation of the decision notified by the lead supervisory authority to the main establishment of the controller or processor as regards the processing activities in the Union.

 

(127) Each supervisory authority not acting as the lead supervisory authority should be competent to handle local cases where the controller or processor is established in more than one Member State, but the subject matter of the specific processing concerns only processing carried out in a single Member State and involves only data subjects in that single Member State, for example where the subject matter concerns the processing of employees' personal data in the specific employment context of a Member State. In such cases, the supervisory authority should inform the lead supervisory authority without delay about the matter. After being informed, the lead supervisory authority should decide whether it will handle the case pursuant to the provision on cooperation between the lead supervisory authority and the other supervisory authorities concerned (hereinafter referred to as the "one-stop-shop mechanism"), or whether the supervisory authority which informed it should handle the case at local level. When deciding whether it will handle the case, the lead supervisory authority should take into account whether there is an establishment of the controller or processor in the Member State of the supervisory authority which informed it, in order to ensure effective enforcement of a decision vis-à-vis the controller or processor. Where the lead supervisory authority decides to handle the case, the supervisory authority which informed it should have the possibility to submit a draft decision, of which the lead supervisory authority should take utmost account when preparing its own draft decision under that one-stop-shop mechanism.

 

(128) The rules on the lead supervisory authority and the one-stop-shop mechanism should not apply where the processing is carried out by public authorities or private bodies in the public interest. In such cases the only supervisory authority competent to exercise the powers conferred on it in accordance with this Regulation should be the supervisory authority of the Member State where the public authority or private body is established.

 

(129) In order to ensure consistent monitoring and enforcement of this Regulation throughout the Union, the supervisory authorities should have in each Member State the same tasks and effective powers, including powers of investigation, corrective powers and sanctions, and authorization and advisory powers, in particular in cases of complaints from natural persons, and, without prejudice to the powers of prosecuting authorities under Member State law, the power to bring infringements of this Regulation to the attention of the judicial authorities and to engage in legal proceedings. Such powers should also include the power to impose a temporary or definitive limitation on processing, including a ban. Member States may specify other tasks related to the protection of personal data under this Regulation. The powers of supervisory authorities should be exercised in accordance with appropriate procedural safeguards set out in Union and Member State law, impartially, fairly and within a reasonable time. In particular, each measure should be appropriate, necessary and proportionate to ensuring compliance with this Regulation, taking into account the circumstances of each individual case, should respect the right of every person to be heard before any individual measure which would adversely affect him or her is taken, and should avoid superfluous costs and excessive inconvenience for the persons concerned. Investigative powers as regards access to premises should be exercised in accordance with specific requirements of Member State procedural law, such as the requirement to obtain prior judicial authorization. Each legally binding measure of the supervisory authority should be in writing, be clear and unambiguous, indicate the supervisory authority which issued the measure and the date of issue, bear the signature of the head of the supervisory authority or of a member authorized by him or her, give the reasons for the measure and refer to the right to an effective remedy. This should not preclude additional requirements under Member State procedural law. The adoption of a legally binding decision implies that it may give rise to judicial review in the Member State of the supervisory authority that adopted it.

 

(130) Where the supervisory authority with which the complaint was lodged is not the lead supervisory authority, the lead supervisory authority should closely cooperate with the supervisory authority with which the complaint was lodged, in accordance with the provisions on cooperation and consistency laid down in this Regulation. In such cases, the lead supervisory authority should, when taking measures intended to produce legal effects, including the imposition of administrative fines, take utmost account of the view of the supervisory authority with which the complaint was lodged, which should remain competent to carry out any investigation on the territory of the

 

in such situations should seek an amicable settlement with the controller and, if this proves unsuccessful, exercise its full range of powers. This should include: specific processing carried out on the territory of the Member State of the supervisory authority or with regard to data subjects on the territory of that Member State; processing carried out in the context of an offer of goods or services specifically aimed at data subjects on the territory of the Member State of the supervisory authority; or processing that has to be assessed taking into account relevant legal obligations under Member State law.

 

(132) Awareness-raising activities by supervisory authorities addressed to the public should include specific measures directed at controllers and processors, including micro, small and medium-sized enterprises, as well as at natural persons, in particular in the educational context.

 

(133) The supervisory authorities should assist each other in performing their tasks and provide mutual assistance, so as to ensure the consistent application and enforcement of this Regulation in the internal market. A supervisory authority requesting mutual assistance may adopt a provisional measure if it receives no response to its request for mutual assistance within one month of the receipt of that request by the other supervisory authority.

 

(134) Each supervisory authority should, where appropriate, participate in joint operations with other supervisory authorities. The requested supervisory authority should be obliged to respond to the request within a specified time period.

 

(135) In order to ensure the consistent application of this Regulation throughout the Union, a consistency mechanism for cooperation between the supervisory authorities should be established. That mechanism should in particular apply where a supervisory authority intends to adopt a measure intended to produce legal effects as regards processing operations which substantially affect a significant number of data subjects in several Member States. It should also apply where any supervisory authority concerned or the Commission requests that the matter be handled in the consistency mechanism. That mechanism should be without prejudice to any measures that the Commission may take in the

 

(136) In applying the consistency mechanism, the Committee should, within a determined period of time, issue an opinion if a majority of its members so decides or if so requested by any supervisory authority concerned or by the Commission. The Committee should also be empowered to adopt legally binding decisions where there are disputes between supervisory authorities. For that purpose it should issue, in principle by a two-thirds majority of its members, legally binding decisions in clearly specified cases where there are conflicting views among supervisory authorities, in particular in the cooperation mechanism between the lead supervisory authority and the supervisory authorities concerned, on the merits of the

 

(137) There may be an urgent need to act in order to protect the rights and freedoms of data subjects, in particular where the danger exists that the enforcement of a right of a data subject could be considerably impeded. A supervisory authority should therefore be able to adopt duly justified provisional measures on its territory with a specified period of validity which should not exceed three months.

 

(138) The application of such a mechanism should be a condition for the lawfulness of a measure intended to produce legal effects taken by a supervisory authority in those cases where its application is mandatory. In other cases of cross-border relevance, the cooperation mechanism between the lead supervisory authority and the supervisory authorities concerned should be applied, and mutual assistance and joint operations might be carried out between the supervisory authorities concerned on a bilateral or multilateral basis without triggering the consistency mechanism.

 

(139) In order to promote the consistent application of this Regulation, the Committee should be set up as an independent body of the Union. To fulfil its objectives, the Committee should have legal personality. It should be represented by its Chair. It should replace the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Directive 95/46/EC. It should consist of the head of a supervisory authority of each Member State and the European Data Protection Supervisor, or their respective representatives. The Commission should participate in the Committee's activities without voting rights and the European Data Protection Supervisor should have specific voting rights. The Committee should contribute to the consistent application of this Regulation throughout the Union, including by advising the Commission, in particular on the level of protection in third countries or international organizations, and by promoting cooperation of the supervisory authorities throughout the Union. The Committee should perform its tasks independently.

 

(140) The Committee should be assisted by a secretariat provided by the European Data Protection Supervisor. The staff of the European Data Protection Supervisor involved in carrying out the tasks conferred on the Committee by this Regulation should perform those tasks exclusively under the instructions of, and report to, the Chair of the Committee.

 

(141) Every data subject should have the right to lodge a complaint with a single supervisory authority, in particular in the Member State of his or her habitual residence, and the right to an effective judicial remedy in accordance with Article 47 of the Charter if the data subject considers that his or her rights under this Regulation are infringed, or where the supervisory authority does not act on a complaint, partially or wholly rejects or dismisses a complaint, or does not act where such action is necessary to protect the rights of the data subject. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. The supervisory authority should inform the data subject of the progress and the outcome of the complaint within a reasonable period. If the case requires further investigation or coordination with another supervisory authority, intermediate information should be given to the data subject. In order to facilitate the submission of complaints, each supervisory authority should take measures such as providing a complaint form which can also be completed electronically, without excluding other means of communication.

 

(142) Where a data subject considers that his or her rights under this Regulation are infringed, he or she should have the right to mandate a not-for-profit body, organisation or association which is constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest and is active in the field of the protection of personal data, to lodge a complaint on his or her behalf with a supervisory authority, to exercise the right to a judicial remedy on behalf of data subjects or, if provided for in Member State law, to exercise the right to receive compensation on behalf of data subjects. A Member State may provide for such a body, organisation or association to have the right to lodge a complaint in that Member State, independently of a data subject's mandate, and the right to an effective judicial remedy where it has reason to consider that the rights of a data subject have been infringed as a result of processing of personal data which infringes this Regulation. That body, organisation or association may not be allowed to claim compensation on a data subject's behalf independently of the data subject's mandate.

 

(143) Any natural or legal person has the right to bring an action for annulment of decisions of the Board before the Court of Justice under the conditions provided for in Article 263 of the Treaty on the Functioning of the European Union. As addressees of such decisions, the supervisory authorities which wish to challenge them must bring an action within two months of being notified of them, in accordance with Article 263 of the Treaty on the Functioning of the European Union. Where decisions of the Board are of direct and individual concern to a controller, a processor or a complainant, the latter may bring an action for annulment of those decisions within two months of their publication on the website of the Board, in accordance with Article 263 of the Treaty on the Functioning of the European Union. Without prejudice to this right under Article 263 of the Treaty on the Functioning of the European Union, each natural or legal person should have an effective judicial remedy before the competent national court against a decision of a supervisory authority which produces legal effects concerning that person. Such a decision concerns in particular the exercise of investigative, corrective and authorisation powers by the supervisory authority, or the dismissal or rejection of complaints. However, the right to an effective judicial remedy does not encompass measures taken by supervisory authorities which are not legally binding, such as opinions issued by or advice provided by the supervisory authority. Proceedings against a supervisory authority should be brought before the courts of the Member State where the supervisory authority is established and should be conducted in accordance with that Member State's procedural law. Those courts should exercise full jurisdiction, which should include jurisdiction to examine all questions of fact and law relevant to the dispute before them.

 

Where a complaint has been rejected or dismissed by a supervisory authority, the complainant may bring proceedings before the courts of that Member State. In the context of judicial remedies relating to the application of this Regulation, national courts which consider a decision on the question necessary to enable them to give judgment may, or in the case provided for in Article 267 of the Treaty on the Functioning of the European Union must, request the Court of Justice to give a preliminary ruling on the interpretation of Union law, including this Regulation. Furthermore, where a decision of a supervisory authority implementing a decision of the Board is challenged before a national court and the validity of the decision of the Board is at issue, that national court does not have the power to declare the Board's decision invalid but must, where it considers the decision invalid, refer the question of validity to the Court of Justice in accordance with Article 267 of the Treaty on the Functioning of the European Union as interpreted by the Court of Justice. However, a national court may not refer a question on the validity of a decision of the Board at the request of a natural or legal person which had the opportunity to bring an action for annulment of that decision,

 

(144) Where a court seized of proceedings against a decision of a supervisory authority has reason to believe that proceedings concerning the same processing, such as the same subject matter as regards processing by the same controller or processor, or the same cause of action, have been brought before a competent court in another Member State, it should contact that court in order to confirm the existence of such related proceedings. If related proceedings are pending before a court in another Member State, any court other than the court first seized may stay its proceedings or may, at the request of one of the parties, decline jurisdiction in favour of the court first seized if that court has jurisdiction over the proceedings in question and its law permits the consolidation of such related proceedings. Proceedings are deemed to be related where they are so closely connected that it is expedient to hear and determine them together in order to avoid the risk of irreconcilable judgments resulting from separate proceedings.

 

(145) For proceedings against a controller or processor, the plaintiff should have the choice to bring the action before the courts of the Member State where the controller or processor has an establishment or of the Member State where the data subject resides, unless the controller is a public authority of a Member State acting in the exercise of its public powers.

 

(146) The controller or processor should compensate any damage which a person may suffer as a result of processing that infringes this Regulation. The controller or processor should be exempt from liability if it proves that it is not in any way responsible for the damage. The concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice, in a manner which fully reflects the objectives of this Regulation. This is without prejudice to any claims for damage deriving from the infringement of other rules of Union or Member State law. Processing that infringes this Regulation also includes processing that infringes delegated and implementing acts adopted in accordance with this Regulation and Member State law specifying rules of this Regulation. Data subjects should receive full and effective compensation for the damage they have suffered. Where controllers or processors are involved in the same processing, each controller or processor should be held liable for the entire damage. However, where they are joined to the same judicial proceedings in accordance with Member State law, compensation may be apportioned according to the responsibility of each controller or processor for the damage caused by the processing, provided that full and effective compensation of the data subject who suffered the damage is ensured. Any controller or processor which has paid full compensation may subsequently institute recourse proceedings against the other controllers or processors involved in the same processing.

 

(147) Where specific rules on jurisdiction are contained in this Regulation, in particular as regards proceedings seeking a judicial remedy, including compensation, against a controller or processor, general jurisdiction rules such as those of Regulation (EU) No 1215/2012 of the European Parliament and of the Council (1) should not prejudice the application of such specific rules.

 

(148) In order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation, in addition to, or instead of, appropriate measures imposed by the supervisory authority pursuant to this Regulation. In the case of a minor infringement, or if the fine likely to be imposed would constitute a disproportionate burden on a natural person, a reprimand may be issued instead of a fine. Due regard should however be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, the actions taken to mitigate the damage suffered, the degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct, and any other aggravating or mitigating factor. The imposition of penalties including administrative fines should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including effective judicial protection and due process.

 

(149) Member States should be able to lay down the rules on criminal penalties for infringements of this Regulation, including for infringements of national rules adopted pursuant to and within the limits of this Regulation. Those criminal penalties may also allow for the deprivation of the profits obtained through infringements of this Regulation. However, the imposition of criminal penalties for infringements of such national rules and of administrative penalties should not lead to a breach of the principle of ne bis in idem, as interpreted by the Court of Justice.

 

(150) In order to strengthen and harmonise administrative penalties for infringements of this Regulation, each supervisory authority should have the power to impose administrative fines. This Regulation should indicate the infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent supervisory authority in each individual case, taking into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences, and to the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. Where administrative fines are imposed on an undertaking, an undertaking should be understood for those purposes to be an undertaking in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union. Where administrative fines are imposed on persons that are not an undertaking, the supervisory authority should take account of the general level of income in the Member State as well as the economic situation of the person when considering the appropriate amount of the fine. The consistency mechanism may also be used to promote a consistent application of administrative fines. It should be for the Member States to determine whether and to what extent public authorities should be subject to administrative fines. Imposing an administrative fine or giving a warning does not affect the exercise of other powers of the supervisory authorities or the application of

 

(1) Regulation (EU) No 1215/2012 of the European Parliament and of the Council of 12 December 2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters (OJ L 351, 20.12.2012, p. 1).

 

(151) The legal systems of Denmark and Estonia do not allow for administrative fines as set out in this Regulation. The rules on administrative fines may be applied in such a manner that in Denmark the fine is imposed by the competent national courts as a criminal penalty and in Estonia the fine is imposed by the supervisory authority in the framework of a misdemeanour procedure, provided that such an application of the rules in those Member States has an equivalent effect to administrative fines imposed by supervisory authorities. Therefore the competent national courts should take into account the recommendation of the supervisory authority initiating the fine.

 

(152) Where this Regulation does not harmonise administrative penalties, or where necessary in other cases, for example in cases of serious infringements of this Regulation, Member States should implement a system which provides for effective, proportionate and dissuasive penalties. The nature of such penalties, criminal or administrative, should be determined by Member State law.

 

(153) Member State law should reconcile the rules governing freedom of expression and information, including journalistic, academic, artistic or literary expression, with the right to the protection of personal data pursuant to this Regulation. The processing of personal data solely for journalistic purposes, or for the purposes of academic, artistic or literary expression, should be subject to derogations or exemptions from certain provisions of this Regulation if necessary to reconcile the right to the protection of personal data with the right to freedom of expression and information as enshrined in Article 11 of the Charter. This should apply in particular to the processing of personal data in the audiovisual field and in news archives and press libraries. Therefore, Member States should adopt legislative measures which lay down the exemptions and derogations necessary for the purpose of balancing those fundamental rights. Member States should adopt such exemptions and derogations in relation to the general principles, the rights of the data subject, the controller and the processor, the transfer of personal data to third countries or international organisations, the independent supervisory authorities, cooperation and consistency, and specific data-processing situations. Where such exemptions or derogations differ from one Member State to another, the law of the Member State to which the controller is subject should apply. In order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary to interpret notions relating to that freedom, such as journalism, broadly.

 

(154) This Regulation allows the principle of public access to official documents to be taken into account when applying this Regulation. Public access to official documents may be considered to be in the public interest. Personal data in documents held by a public authority or a public body should be able to be publicly disclosed by that authority or body if the disclosure is provided for by Union or Member State law to which the public authority or public body is subject. Such laws should reconcile public access to official documents and the re-use of public sector information, on the one hand, with the right to the protection of personal data, on the other, and may therefore provide for the necessary reconciliation with the right to the protection of personal data pursuant to this Regulation. The reference to public authorities and bodies should in that context include all authorities or other bodies covered by Member State law on public access to documents. Directive 2003/98/EC of the European Parliament and of the Council (1) leaves intact and in no way affects the level of protection of natural persons with regard to the processing of personal data under the provisions of Union and Member State law, and in particular does not alter the obligations and rights set out in this Regulation. In particular, that Directive should not apply to documents to which access is excluded or restricted by virtue of the access regimes on the grounds of protection of personal data, nor to parts of documents accessible by virtue of those regimes which contain personal data the re-use of which has been provided for by law as being incompatible with the law concerning the protection of natural persons with regard to the processing of personal data.

 

(1) Directive 2003/98/EC of the European Parliament and of the Council of 17 November 2003 on the re-use of public sector information (OJ L 345, 31.12.2003, p. 90).

 

(155) Member State law or collective agreements, including "works agreements", may provide for specific rules on the processing of employees' personal data in the employment context, in particular for the conditions under which personal data in the employment context may be processed on the basis of the consent of the employee, for the purposes of recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, the management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.

 

(156) The processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be subject to appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation. Those safeguards should ensure that technical and organisational measures are in place in order to ensure, in particular, the principle of data minimisation. The further processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is to be carried out when the controller has assessed the feasibility of fulfilling those purposes by processing data which do not permit, or no longer permit, the identification of data subjects, provided that appropriate safeguards exist (such as, for instance, pseudonymisation of the data). Member States should provide for appropriate safeguards for the processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. Member States should be authorised to provide, under specific conditions and subject to appropriate safeguards for data subjects, specifications and derogations with regard to the information requirements and the rights to rectification, to erasure, to be forgotten, to restriction of processing, to data portability and to object, when personal data are processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. The conditions and safeguards in question may entail specific procedures for data subjects to exercise those rights, if this is appropriate in the light of the purposes sought by the specific processing, along with technical and organisational measures aimed at minimising the processing of personal data in pursuance of the principles of proportionality and necessity. The processing of personal data for scientific purposes should also comply with other relevant legislation,

 

(157) By coupling information from registries, researchers can obtain new knowledge of great value with regard to widespread medical conditions such as cardiovascular disease, cancer and depression. On the basis of registries, research results can be enhanced, as they draw on a larger population. Within the social sciences, research on the basis of registries enables researchers to obtain essential knowledge about the long-term correlation of a number of social conditions, such as unemployment and education, with other life conditions. Research results obtained through registries provide solid, high-quality knowledge which can provide the basis for the formulation and implementation of knowledge-based policy, improve the quality of life for a number of people and improve the efficiency of social services. In order to facilitate scientific research, personal data may be processed for scientific research purposes, subject to appropriate conditions and safeguards set out in Union or Member State law.

 

(158) Where personal data are processed for archiving purposes, this Regulation should also apply to that processing, bearing in mind that this Regulation should not apply to deceased persons. Public authorities or public or private bodies that hold records of public interest should be services which, pursuant to Union or Member State law, have a legal obligation to acquire, preserve, appraise, arrange, describe, communicate, promote, disseminate and provide access to records of enduring value for the general public interest.

 

(159) Where personal data are processed for scientific research purposes, this Regulation should also apply to that processing. For the purposes of this Regulation, the processing of personal data for scientific research purposes should be interpreted in a broad manner, including for example technological development and demonstration, fundamental research, applied research and privately funded research. In addition, it should take into account the Union's objective under Article 179(1) of the Treaty on the Functioning of the European Union of achieving a European Research Area. Scientific research purposes should also include studies conducted in the public interest in the area of public health. To meet the specificities of processing personal data for scientific research purposes, specific conditions should apply, in particular as regards the publication or other disclosure of personal data in the context of scientific research purposes. If the result of scientific research, in particular in the health context, gives reason for further measures in the interest of the data subject, the general rules of this Regulation should apply in view of those measures.

 

(160) Where personal data are processed for historical research purposes, this Regulation should also apply to that processing. This should also include historical research and research for genealogical purposes, bearing in mind that this Regulation should not apply to deceased persons.

 

(161) For the purpose of consenting to participation in scientific research activities in clinical trials, the relevant provisions of Regulation (EU) No 536/2014 of the European Parliament and of the Council (1) should apply.

 

(162) Where personal data are processed for statistical purposes, this Regulation should apply to that processing. Union or Member State law should, within the limits of this Regulation, determine statistical content, control of access, specifications for the processing of personal data for statistical purposes and appropriate measures to safeguard the rights and freedoms of the data subject and to ensure statistical confidentiality. "Statistical purposes" means any operation of collection and processing of personal data necessary for statistical surveys or for the production of statistical results. Those statistical results may further be used for different purposes, including scientific research. The statistical purpose implies that the result of processing for statistical purposes is not personal data but aggregate data, and that this result or the personal data are not used in support of measures or decisions regarding any particular natural person.

 

(163) The confidential information which the Union and national statistical authorities collect for the production of official European and official national statistics should be protected. European statistics should be developed, produced and disseminated in accordance with the statistical principles set out in Article 338(2) of the Treaty on the Functioning of the European Union, while national statistics should also comply with Member State law. Regulation (EC) No 223/2009 of the European Parliament and of the Council (2) provides further specifications on statistical confidentiality for European statistics.

 

(164) As regards the powers of the supervisory authorities to obtain from the controller or processor access to personal data and access to their premises, Member States may adopt by law, within the limits of this Regulation, specific rules in order to safeguard the professional or other equivalent secrecy obligations, in so far as necessary to reconcile the right to the protection of personal data with an obligation of professional secrecy. This is without prejudice to existing Member State obligations to adopt rules on professional secrecy where required by Union law.

 

(165) This Regulation respects and does not prejudice the status under existing constitutional law of churches and religious associations or communities in the Member States, as recognised in Article 17 of the Treaty on the Functioning of the European Union.

 

(166) In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data, and to ensure the free movement of personal data within the Union, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission. In particular, delegated acts should be adopted in respect of the criteria and requirements for certification mechanisms, the information to be presented by standardised icons and the procedures for providing such icons. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. The Commission, when preparing and drawing up delegated acts,

 

(1) Regulation (EU) No 536/2014 of the European Parliament and of the Council of 16 April 2014 on clinical trials on medicinal products for human use, and repealing Directive 2001/20/EC (OJ L 158, 27.5.2014, p. 1).

 

(2) Regulation (EC) No 223/2009 of the European Parliament and of the Council of 11 March 2009 on European statistics and repealing Regulation (EC, Euratom) No 1101/2008 of the European Parliament and of the Council on the transmission of data subject to statistical confidentiality to the Statistical Office of the European Communities, Council Regulation (EC) No 322/97 on Community Statistics, and Council Decision 89/382/EEC, Euratom establishing a Committee on the Statistical Programmes of the European Communities (OJ L 87, 31.3.2009, p. 164).

 

(167) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission where this Regulation so provides. Those powers should be exercised in accordance with Regulation (EU) No 182/2011. In that context, the Commission should consider specific measures for micro, small and medium-sized enterprises.

 

(168) Given the general nature of the acts concerned, the examination procedure should be used for the adoption of implementing acts on standard contractual clauses between controllers and processors and between processors; codes of conduct; technical standards and mechanisms for certification; the adequate level of protection afforded by a third country, a territory or a specified sector within that third country, or an international organisation; standard protection clauses; formats and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules; mutual assistance;

 

(169) The Commission should adopt immediately applicable implementing acts where the available evidence reveals that a third country, a territory or a specified sector within that third country, or an international organisation does not ensure an adequate level of protection, and imperative grounds of urgency so require.

 

(170) Since the objective of this Regulation, namely to ensure an equivalent level of protection of natural persons and the free flow of personal data throughout the Union, cannot be sufficiently achieved by the Member States but can rather, by reason of the scale or effects of the action, be better achieved at Union level, the Union may adopt measures in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.

 

(171) Directive 95/46/EC should be repealed by this Regulation. Processing already under way on the date of application of this Regulation should be brought into conformity with this Regulation within the period of two years after its entry into force. Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent was given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation.

 

(172) The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 and delivered an opinion on 7 March 2012 (1).

 

(173) This Regulation should apply to all matters concerning the protection of fundamental rights and freedoms with regard to the processing of personal data which are not subject to specific obligations with the same objective set out in Directive 2002/58/EC of the European Parliament and of the Council (2), including the obligations on the controller and the rights of natural persons. In order to clarify the relationship between this Regulation and Directive 2002/58/EC, that Directive should be amended accordingly. Once this Regulation is adopted, Directive 2002/58/EC should be reviewed, in particular in order to ensure consistency with this Regulation.

 

(1) OJ C 192, 30.6.2012, p. 7.

 

(2) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37).

 

HAVE ADOPTED THIS REGULATION:

 

CHAPTER I

 

General provisions

Article 1

 

Subject-matter and objectives

This Regulation establishes rules on the protection of individuals with regard to the processing of personal data and rules on the free movement of such data.

2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.

Article 2

 

Material scope

1. This Regulation applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

2. This Regulation does not apply to the processing of personal data:

a) in the course of an activity which falls outside the scope of Union law;

 

b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;

 

c) by a natural person in the course of a purely personal or household activity;

 

d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

 

3. For the processing of personal data by the Union institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 applies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data shall be adapted to the principles and rules of this Regulation in accordance with Article 98.

4. This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular to the liability rules for intermediary service providers in Articles 12 to 15 of that Directive.

Article 3

 

Territorial scope

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

a) the offering of goods or services to such data subjects in the Union, irrespective of whether a payment by the data subject is required; or

 

b) the monitoring of their behaviour, as far as that behaviour takes place within the Union.

 

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

 

Article 4

Definitions

For the purposes of this Regulation:

 

1) "personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

 

2) "processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

 

3) "restriction of processing" means the marking of stored personal data with the aim of limiting their processing in the future;

 

4) "profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

 

5) "pseudonymisation" means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

 

6) "filing system" means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

 

7) "controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller, or the specific criteria for its nomination, may be provided for by Union or Member State law;

 

8) "processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

 

9) "recipient" means a natural or legal person, public authority, agency or another body to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

 

10) "third party" means a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or processor, are authorised to process personal data;

 

11) "consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

 

12) "personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

 

13) "genetic data" means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

 

14) "biometric data" means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic (fingerprint) data;

 

15) "data concerning health" means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

 

16) "main establishment" means:

 

a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;

 

b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place, to the extent that the processor is subject to specific obligations under this Regulation;

 

17) "representative" means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;

 

18) "enterprise" means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;

 

19) "group of undertakings" means a controlling undertaking and its controlled undertakings;

 

20) "binding corporate rules" means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;

 

21) "supervisory authority" means an independent public authority which is established by a Member State pursuant to Article 51;

 

22) "supervisory authority concerned" means a supervisory authority which is concerned by the processing of personal data because:

 

a) the controller or processor is established on the territory of the Member State of that supervisory authority;

 

b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or

 

c) a complaint has been lodged with that supervisory authority;

 

23) "cross-border processing" means either:

 

a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union, where the controller or processor is established in more than one Member State; or

 

b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State;

 

24) "relevant and reasoned objection" means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;

 

25) "information society service" means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council (1);

 

26) "international organisation" means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

 

CHAPTER II

 

Principles

Article 5

 

Principles relating to processing of personal data

1. Personal data shall be:

a) processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency");

 

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes ("purpose limitation");

 

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimisation");

 

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ("accuracy");

 

(1) Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on information society services (OJ L 241, 17.9.2015, p. 1).

 

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ("storage limitation");

 

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ("integrity and confidentiality").

 

2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ("accountability").

 

Article 6

 

Lawfulness of processing

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

 

b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

 

c) processing is necessary for compliance with a legal obligation to which the controller is subject;

 

d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

 

e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

 

f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

 

Point f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

 

2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1, by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing, including for other specific processing situations as provided for in Chapter IX.

3. The basis for the processing referred to in points (c) and (e) of paragraph 1 shall be laid down by:

a) Union law; or

b) Member State law to which the controller is subject.

 

The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of the rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to which, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.

 

4. Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data were initially collected, take into account, inter alia:

 

a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;

 

b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;

 

c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;

 

d) the possible consequences of the intended further processing for data subjects;

 

e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.
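
The definition of pseudonymisation in point 5) of Article 4 and the reference to encryption or pseudonymisation as a safeguard in point e) above hinge on one technical condition: the "additional information" needed to re-attribute the data must be kept separately from the data set. The following is an added, illustrative example and is not part of the Regulation; it uses constructed sample records and a hypothetical `PseudonymVault` holding a secret key and a token-to-identifier table, and it also shows the usual failure mode (an unkeyed hash of an identifier, which a recipient with a guess list can reverse by dictionary attack).

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records (hypothetical; not data from the Regulation).
SAMPLE_RECORDS = [
    {"email": "alice@example.org", "age_band": "30-39", "purchase": "book"},
    {"email": "bob@example.org", "age_band": "40-49", "purchase": "lamp"},
    {"email": "alice@example.org", "age_band": "30-39", "purchase": "pen"},
]

# Direct identifiers replaced by pseudonyms. Quasi-identifiers such as
# age_band are left untouched here; they would need separate treatment.
DIRECT_IDENTIFIERS = ("email",)


def keyed_pseudonym(value: str, key: bytes) -> str:
    """Deterministic pseudonym: HMAC-SHA256 under a secret key. Equal inputs
    give equal tokens, so one person's records remain linkable, but the token
    cannot be reversed or recomputed by anyone who does not hold the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_pseudonym(value: str) -> str:
    """Plain SHA-256 of the identifier, no secret. Shown only as the weak
    variant: anyone can recompute it from a guessed identifier."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


class PseudonymVault:
    """Holds the 'additional information' of Article 4(5): the secret key and
    the token -> identifier table. The assumption of this example is that the
    vault lives apart from the pseudonymised data set, under its own access
    controls, and is never handed to the recipient of that data set."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self.lookup: Dict[str, str] = {}

    def pseudonymise(self, records: List[dict]) -> List[dict]:
        out = []
        for rec in records:
            new = dict(rec)
            for field in DIRECT_IDENTIFIERS:
                if field in new:
                    token = keyed_pseudonym(new[field], self.key)
                    self.lookup[token] = new[field]
                    new[field] = token
            out.append(new)
        return out

    def reidentify(self, token: str) -> Optional[str]:
        """Only the vault holder can attribute a token back to a person."""
        return self.lookup.get(token)


def contains_direct_identifiers(records: List[dict], originals: List[dict]) -> bool:
    """Pre-release check by the data owner: no original direct-identifier
    value may survive anywhere in the output records."""
    original_values = {r[f] for r in originals for f in DIRECT_IDENTIFIERS if f in r}
    return any(v in original_values for r in records for v in r.values())


def dictionary_attack(tokens: List[str], candidates: List[str],
                      key: Optional[bytes] = None) -> Dict[str, str]:
    """What a party without the vault can do: recompute pseudonyms for guessed
    identifiers and match them against the tokens. Succeeds against the
    unkeyed variant; fails against keyed tokens because the guess is computed
    without the secret key."""
    recovered: Dict[str, str] = {}
    for cand in candidates:
        guess = keyed_pseudonym(cand, key) if key is not None else unkeyed_pseudonym(cand)
        if guess in tokens:
            recovered[guess] = cand
    return recovered


def demo() -> dict:
    vault = PseudonymVault()
    pseudo = vault.pseudonymise(SAMPLE_RECORDS)
    tokens = [r["email"] for r in pseudo]
    # Constructed guess list, e.g. a customer list the attacker already holds.
    guesses = ["alice@example.org", "bob@example.org", "carol@example.org"]
    weak_tokens = [unkeyed_pseudonym(r["email"]) for r in SAMPLE_RECORDS]
    return {
        "no_identifiers_leak": not contains_direct_identifiers(pseudo, SAMPLE_RECORDS),
        "linkable": tokens[0] == tokens[2],            # Alice's two purchases still link
        "attack_keyed": dictionary_attack(tokens, guesses),        # nothing recovered
        "attack_unkeyed": dictionary_attack(weak_tokens, guesses), # both identities recovered
        "vault_reidentify": vault.reidentify(tokens[1]),          # vault holder re-identifies
    }


if __name__ == "__main__":
    print(demo())
```

The point of the split is that the data set alone does not let a recipient attribute records to a person, while the controller, holding the vault, still can. Whether that separation is real in practice (separate systems, separate access rights, key not shipped alongside the data) is what decides whether the data set counts as pseudonymised rather than merely obfuscated.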

 

Article 7

 

Conditions for consent

1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Article 8

Conditions applicable to a child's consent in relation to information society services

 

1. Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

Member States may provide by law for a lower age for those purposes, provided that such lower age is not below 13 years.

 

2. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.

3. Paragraph 1 shall not affect the general contract law of Member States, such as the rules on the validity, formation or effect of a contract in relation to a child.

Article 9

 

Processing of special categories of personal data

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

2. Paragraph 1 shall not apply if one of the following applies:

a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provides that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

 

b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

 

c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

 

d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes, and that the personal data are not disclosed outside that body without the consent of the data subjects;

 

e) the processing relates to personal data which are manifestly made public by the data subject;

 

f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

 

g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

 

h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to a contract with a health professional, and subject to the conditions and safeguards referred to in paragraph 3;

 

i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

 

j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

 

3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies, or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.

Article 10

 

Processing of personal data relating to criminal convictions and offences

Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.

 

Article 11

 

Processing which does not require identification

1. If the purposes for which a controller processes personal data do not or no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.

2. Where, in cases referred to in paragraph 1 of this Article, the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible. In such cases, Articles 15 to 20 shall not apply except where the data subject, for the purpose of exercising his or her rights under those Articles, provides additional information enabling his or her identification.

CHAPTER III

 

Rights of the data subject

 

Section 1

 

Transparency and modalities

Article 12

Transparent information, communication and modalities for the exercise of the rights of the data subject

 

1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and Article 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

2. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.

 

3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and Article 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or

 

b) refuse to act on the request.

 

The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

 

6. Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

7. The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give, in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they shall be machine-readable.

8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons.

Section 2

 

Information and access to personal data

Article 13

Information to be provided where personal data are collected from the data subject

 

1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:

 

a) the identity and the contact details of the controller and, where applicable, of the controller's representative;

 

b) the contact details of the data protection officer, where applicable;

 

c) the purposes of the processing for which the personal data are intended, as well as the legal basis for the processing;

 

d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;

 

e) the recipients or categories of recipients of the personal data, if any;

 

f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission or, in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

 

2. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:

 

a) the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;

 

b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject, or to object to processing, as well as the right to data portability;

 

c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

 

d) the right to lodge a complaint with a supervisory authority;

 

e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data;

 

f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

 

3. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject, prior to that further processing, with information on that other purpose and with any relevant further information as referred to in paragraph 2.

4. Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.

Article 14

 

Information to be provided where personal data have not been obtained from the data subject

1. Where personal data have not been collected from the data subject, the controller provides to it the following information:

 

a) the identity and contact details of the controller and, where applicable, the representative of the controller;

 

b) where appropriate, the delegate of coordinate data protection;

 

c) the purposes of processing which are for personal data and the legal basis for processing;

 

d) the categories of personal data;

 

e) where appropriate, the recipients or categories of recipients of personal data;

 

f) where appropriate, the fact that the data controller intends to make a transfer of personal data to a recipient in a third country or an international organization, and the existence or absence of a adequacy decision made by the Board or, in the case of transfers referred to in Article 46 or 47, or Article 49, paragraph 1, second paragraph, the reference to the appropriate or adequate safeguards and ways to a copy or where they have been made available;

 

2. In addition to the information referred to in paragraph 1, the controller provides the data subject with the following information necessary to ensure fair treatment and transparent with regard to the person concerned:

 

a) the period for which the personal data will be kept or, where that is not possible, the criteria used to determine this time;

 

b) where the treatment is based on Article 6, paragraph 1, item f) the legitimate interests pursued by the controller or by a third party;

 

c) the existence of the right to ask the controller access to personal data, rectification or erasure of these, or a limitation of the treatment on the person, and the right of s 'oppose the processing and the right to data portability;

 

d) where the processing is based on Article 6, paragraph 1 a) or Article 9, paragraph 2 a), the existence of the right to withdraw consent at any time, without prejudice the lawfulness of processing based on consent made before the withdrawal of the latter;

 

e) the right to lodge a complaint with a supervisory authority;

 

f) the source from which personal data come and, if appropriate, an indication that they are coming or not publicly available sources;

 

g) the existence of an automated decision-making, including a profile, referred to in Article 22, paragraphs 1 and 4, and, at least in such cases, useful information regarding the underlying logic and the importance and expected consequences of this treatment for the person concerned.

 

The controller provides the information referred to in paragraphs 1 and 2:

a) within a reasonable time after receiving the personal data, but not exceeding one month, given the particular circumstances in which personal data is processed;

 

b) the personal data to be used for communication with the person concerned, at the latest at the time of the first call to that person; or

 

c) it is intended to communicate the information to another person, at the latest when the personal data are disclosed for the first time.

 

When it intends to conduct further processing of personal data for a purpose other than that for which the personal data was obtained, the controller provides the prerequisite for the person concerned information about another purpose of this and other relevant information referred to in paragraph 2.

Paragraphs 1 to 4 do not apply where and to the extent that:

a) the data subject already has this information;

 

b) the provision of such information proves impossible or would require a disproportionate effort, especially for the treatment for archival purposes in the public interest, for the purpose of scientific or historical research or statistical purposes subject to the conditions and guarantees referred to in Article 89, paragraph 1, or to the extent that the obligation referred to in paragraph 1 of this Article is likely to make impossible or seriously jeopardize the objectives of the treatment. In such cases, the controller shall take appropriate measures to protect the rights and freedoms and legitimate interests of the data subject, including making publicly available information;

 

c) obtaining or communicating information are expressly provided for by Union law or the law of the Member State to which the controller is subject to and provides for appropriate measures to protect legitimate interests of the person concerned; or

 

d) personal data must remain confidential under a duty of confidentiality regulated by EU law or the law of Member States, including a legal obligation of professional secrecy.

 

Article 15

Right of access by the data subject

1. The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and the following information:

a) the purposes of the processing;

b) the categories of personal data concerned;

c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;

d) where possible, the envisaged period for which the personal data will be stored or, where that is not possible, the criteria used to determine that period;

e) the existence of the right to request from the controller rectification or erasure of personal data, or restriction of processing of personal data concerning the data subject, or to object to such processing;

f) the right to lodge a complaint with a supervisory authority;

g) where the personal data are not collected from the data subject, any available information as to their source;

h) the existence of automated decision-making, including profiling, referred to in Article 22, paragraphs 1 and 4, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

2. Where personal data are transferred to a third country or an international organization, the data subject has the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

3. The controller provides a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, the information is provided in a commonly used electronic form, unless otherwise requested by the data subject.

4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

Section 3

Rectification and erasure

Article 16

Right to rectification

The data subject has the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Article 17

Right to erasure ("right to be forgotten")

1. The data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller is obliged to erase those personal data without undue delay where one of the following grounds applies:

a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b) the data subject withdraws the consent on which the processing is based, in accordance with Article 6, paragraph 1 a) or Article 9, paragraph 2 a), and there is no other legal basis for the processing;

c) the data subject objects to the processing pursuant to Article 21, paragraph 1, and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21, paragraph 2;

d) the personal data have been unlawfully processed;

e) the personal data must be erased in order to comply with a legal obligation under Union law or the law of the Member State to which the controller is subject;

f) the personal data were collected in relation to the offer of information society services referred to in Article 8, paragraph 1.

2. Where the controller has made the personal data public and is obliged under paragraph 1 to erase them, the controller, taking account of available technology and the cost of implementation, takes reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or any copy or replication of, those personal data.

3. Paragraphs 1 and 2 do not apply to the extent that processing is necessary:

a) for exercising the right of freedom of expression and information;

b) for compliance with a legal obligation which requires processing under Union law or the law of the Member State to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

c) for reasons of public interest in the area of public health, in accordance with Article 9, paragraph 2 h) and i), and Article 9, paragraph 3;

d) for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89, paragraph 1, insofar as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

e) for the establishment, exercise or defense of legal claims.

Article 18

Right to restriction of processing

1. The data subject has the right to obtain from the controller restriction of processing where one of the following applies:

a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;

d) the data subject has objected to processing pursuant to Article 21, paragraph 1, pending the verification of whether the legitimate grounds of the controller override those of the data subject.

2. Where processing has been restricted under paragraph 1, such personal data may, with the exception of storage, only be processed with the data subject's consent, or for the establishment, exercise or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.

3. A data subject who has obtained restriction of processing pursuant to paragraph 1 is informed by the controller before the restriction of processing is lifted.

Article 19

Notification obligation regarding rectification or erasure of personal data or restriction of processing

The controller communicates any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17, paragraph 1, and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller informs the data subject about those recipients if the data subject requests it.

Article 20

Right to data portability

1. The data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

a) the processing is based on consent pursuant to Article 6, paragraph 1 a) or Article 9, paragraph 2 a), or on a contract pursuant to Article 6, paragraph 1 b); and

b) the processing is carried out by automated means.

2. In exercising the right to data portability pursuant to paragraph 1, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible.

3. The exercise of the right referred to in paragraph 1 of this Article is without prejudice to Article 17. That right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

Section 4

Right to object and automated individual decision-making

Article 21

Right to object

1. The data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on Article 6, paragraph 1, point e) or f), including profiling based on those provisions. The controller no longer processes the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defense of legal claims.

2. Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

3. Where the data subject objects to processing for direct marketing purposes, the personal data are no longer processed for such purposes.

4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 is explicitly brought to the attention of the data subject and is presented clearly and separately from any other information.

5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89, paragraph 1, the data subject, on grounds relating to his or her particular situation, has the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Article 22

Automated individual decision-making, including profiling

1. The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

2. Paragraph 1 does not apply if the decision:

a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;

b) is authorized by Union law or the law of the Member State to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or

c) is based on the data subject's explicit consent.

3. In the cases referred to in paragraph 2 a) and c), the controller implements suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

4. Decisions referred to in paragraph 2 are not based on special categories of personal data referred to in Article 9, paragraph 1, unless Article 9, paragraph 2 a) or g), applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.

Section 5

Restrictions

Article 23

Restrictions

1. Union law or the law of the Member State to which the controller or processor is subject may restrict, by way of a legislative measure, the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 insofar as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

a) national security;

b) defense;

c) public security;

d) the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;

e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;

f) the protection of judicial independence and judicial proceedings;

g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points a) to e) and g);

i) the protection of the data subject or the rights and freedoms of others;

j) the enforcement of civil law claims.

2. In particular, any legislative measure referred to in paragraph 1 contains specific provisions at least, where relevant, as to:

a) the purposes of the processing or categories of processing;

b) the categories of personal data;

c) the scope of the restrictions introduced;

d) the safeguards to prevent abuse or unlawful access or transfer;

e) the specification of the controller or categories of controllers;

f) the storage periods and the applicable safeguards, taking into account the nature, scope and purposes of the processing or categories of processing;

g) the risks to the rights and freedoms of data subjects; and

h) the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.

CHAPTER IV

Controller and processor

Section 1

General obligations

Article 24

Responsibility of the controller

1. Taking into account the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller implements appropriate technical and organizational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with this Regulation. Those measures are reviewed and updated where necessary.

2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 include the implementation of appropriate data protection policies by the controller.

3. Adherence to an approved code of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.

Article 25

Data protection by design and by default

1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the controller, both at the time of the determination of the means for processing and at the time of the processing itself, implements appropriate technical and organizational measures, such as pseudonymisation, which are designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

2. The controller implements appropriate technical and organizational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures ensure that, by default, personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.

3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.

Article 26

Joint controllers

1. Where two or more controllers jointly determine the purposes and means of processing, they are joint controllers. They determine in a transparent manner their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them, unless and insofar as their respective responsibilities are determined by Union law or the law of the Member State to which the controllers are subject. The arrangement may designate a contact point for data subjects.

2. The arrangement referred to in paragraph 1 duly reflects the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement is made available to the data subject.

3. Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.

Article 27

Representatives of controllers or processors not established in the Union

1. Where Article 3, paragraph 2, applies, the controller or the processor designates in writing a representative in the Union.

2. The obligation laid down in paragraph 1 of this Article does not apply to:

a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9, paragraph 1, or processing of personal data relating to criminal convictions and offenses referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or

b) a public authority or body.

3. The representative is established in one of the Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behavior is monitored, are located.

4. The representative is mandated by the controller or processor to be addressed, in addition to or instead of the controller or the processor, by supervisory authorities and data subjects in particular, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.

5. The designation of a representative by the controller or processor is without prejudice to legal actions which could be initiated against the controller or the processor themselves.

Article 28

Processor

1. Where processing is to be carried out on behalf of a controller, the controller uses only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing meets the requirements of this Regulation and ensures the protection of the rights of the data subject.

2. The processor does not engage another processor without the prior specific or general written authorization of the controller. In the case of general written authorization, the processor informs the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

3. Processing by a processor is governed by a contract or other legal act under Union law or the law of a Member State, which is binding on the processor with regard to the controller and which sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. That contract or other legal act stipulates, in particular, that the processor:

a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union law or the law of the Member State to which the processor is subject; in such a case, the processor informs the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

b) ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

c) takes all measures required pursuant to Article 32;

d) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;

e) taking into account the nature of the processing, assists the controller by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;

f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36, taking into account the nature of the processing and the information available to the processor;

g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union law or the law of a Member State requires storage of the personal data; and

h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

With regard to point h) of the first subparagraph, the processor immediately informs the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.

4. Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 are imposed on that other processor by way of a contract or other legal act under Union law or the law of a Member State, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing meets the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations,

5. Adherence of a processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article.

6. Without prejudice to an individual contract between the controller and the processor, the contract or other legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on standard contractual clauses referred to in paragraphs 7 and 8 of this Article, including when they are part of a certification granted to the controller or processor pursuant to Articles 42 and 43.

7. The Commission may lay down standard contractual clauses for the matters referred to in paragraphs 3 and 4 of this Article and in accordance with the examination procedure referred to in Article 93, paragraph 2.

8. A supervisory authority may adopt standard contractual clauses for the matters referred to in paragraphs 3 and 4 of this Article and in accordance with the consistency mechanism referred to in Article 63.

9. The contract or other legal act referred to in paragraphs 3 and 4 is in writing, including in electronic form.

10. Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation by determining the purposes and means of processing, the processor is considered to be a controller in respect of that processing.

Article 29

Processing under the authority of the controller or processor

The processor and any person acting under the authority of the controller or of the processor who has access to personal data does not process those data except on instructions from the controller, unless required to do so by Union law or the law of a Member State.

Article 30

Records of processing activities

1. Each controller and, where applicable, the controller's representative maintains a record of the processing activities carried out under its responsibility. That record contains the following information:

a) the name and contact details of the controller and, where applicable, of the joint controller, the controller's representative and the data protection officer;

b) the purposes of the processing;

c) a description of the categories of data subjects and of the categories of personal data;

d) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;

e) where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in Article 49, paragraph 1, second subparagraph, the documentation of suitable safeguards;

f) where possible, the envisaged time limits for erasure of the different categories of data;

g) where possible, a general description of the technical and organizational security measures referred to in Article 32, paragraph 1.

2. Each processor and, where applicable, the processor's representative maintains a record of all categories of processing activities carried out on behalf of a controller, containing:

a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting and, where applicable, of the controller's or the processor's representative and of the data protection officer;

b) the categories of processing carried out on behalf of each controller;

c) where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in Article 49, paragraph 1, second subparagraph, the documentation of suitable safeguards;

d) where possible, a general description of the technical and organizational security measures referred to in Article 32, paragraph 1.

3. The records referred to in paragraphs 1 and 2 are in writing, including in electronic form.

4. The controller or the processor and, where applicable, their representatives make the record available to the supervisory authority on request.

5. The obligations referred to in paragraphs 1 and 2 do not apply to an enterprise or an organization employing fewer than 250 persons, unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9, paragraph 1, or personal data relating to criminal convictions and offenses referred to in Article 10.

Article 31

Cooperation with the supervisory authority

The controller and the processor and, where applicable, their representatives shall cooperate, on request, with the supervisory authority in the performance of its tasks.

Section 2

Security of personal data

Article 32

Security of processing

1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, inter alia, as appropriate:

a) the pseudonymisation and encryption of personal data;

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c) the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;

d) a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing.

2. In assessing the appropriate level of security, account shall be taken in particular of the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

3. Adherence to an approved code of conduct as referred to in Article 40 or to an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.

4. The controller and the processor shall take steps to ensure that any natural person acting under the authority of the controller or of the processor who has access to personal data does not process them except on instructions from the controller, unless required to do so by Union law or Member State law.

Article 33

Notification of a personal data breach to the supervisory authority

1. In the case of a personal data breach, the controller shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

3. The notification referred to in paragraph 1 shall at least:

a) describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

c) describe the likely consequences of the personal data breach;

d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

4. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

5. The controller shall document any personal data breach, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.

Article 34

Communication of a personal data breach to the data subject

1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in Article 33, paragraph 3, points b), c) and d).

3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions is met:

a) the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the breach, in particular measures that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;

b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialize;

c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

4. If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 is met.

Section 3

Data protection impact assessment and prior consultation

Article 35

Data protection impact assessment

1. Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

2. The controller shall seek the advice of the data protection officer, where one has been designated, when carrying out a data protection impact assessment.

3. A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:

a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;

b) processing on a large scale of special categories of data referred to in Article 9, paragraph 1, or of personal data relating to criminal convictions and offenses referred to in Article 10; or

c) systematic monitoring of a publicly accessible area on a large scale.

4. The supervisory authority shall establish and make public a list of the kinds of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1. The supervisory authority shall communicate those lists to the Board referred to in Article 68.

5. The supervisory authority may also establish and make public a list of the kinds of processing operations for which no data protection impact assessment is required. The supervisory authority shall communicate those lists to the Board.

6. Prior to the adoption of the lists referred to in paragraphs 4 and 5, the competent supervisory authority shall apply the consistency mechanism referred to in Article 63 where such lists involve processing activities which are related to the offering of goods or services to data subjects or to the monitoring of their behavior in several Member States, or may substantially affect the free movement of personal data within the Union.

7. The assessment shall contain at least:

a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;

b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and

d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.

8. Compliance with approved codes of conduct referred to in Article 40 by the relevant controllers or processors shall be taken into due account in assessing the impact of the processing operations performed by such controllers or processors, in particular for the purposes of a data protection impact assessment.

9. Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.

10. Where processing pursuant to Article 6, paragraph 1, point c) or e), has a legal basis in Union law or in the law of the Member State to which the controller is subject, that law regulates the specific processing operation or set of operations in question, and a data protection impact assessment has already been carried out as part of a general impact assessment in the context of the adoption of that legal basis, paragraphs 1 to 7 shall not apply, unless Member States deem it necessary to carry out such an assessment prior to the processing activities.

11. Where necessary, the controller shall carry out a review to assess whether the processing is performed in accordance with the data protection impact assessment, at least when there is a change in the risk represented by the processing operations.

Article 36

Prior consultation

1. The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.

2. Where the supervisory authority is of the opinion that the intended processing referred to in paragraph 1 would infringe this Regulation, in particular where the controller has insufficiently identified or mitigated the risk, the supervisory authority shall, within a period of up to eight weeks of receipt of the request for consultation, provide written advice to the controller and, where applicable, to the processor, and may use any of its powers referred to in Article 58. That period may be extended by six weeks, taking into account the complexity of the intended processing. The supervisory authority shall inform the controller and, where applicable, the processor of any such extension, together with the reasons for the delay, within one month of receipt of the request for consultation. Those periods may be suspended until the supervisory authority has obtained the information it has requested for the purposes of the consultation.

3. When consulting the supervisory authority pursuant to paragraph 1, the controller shall provide the supervisory authority with:

a) where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;

b) the purposes and means of the intended processing;

c) the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to this Regulation;

d) where applicable, the contact details of the data protection officer;

e) the data protection impact assessment provided for in Article 35; and

f) any other information requested by the supervisory authority.

4. Member States shall consult the supervisory authority during the preparation of a proposal for a legislative measure to be adopted by a national parliament, or of a regulatory measure based on such a legislative measure, which relates to processing.

5. Notwithstanding paragraph 1, Member State law may require controllers to consult with, and obtain prior authorization from, the supervisory authority in relation to processing by a controller for the performance of a task carried out by the controller in the public interest, including processing in relation to social protection and public health.

Section 4

Data protection officer

Article 37

Designation of the data protection officer

1. The controller and the processor shall designate a data protection officer in any case where:

a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data referred to in Article 9 and personal data relating to criminal convictions and offenses referred to in Article 10.

2. A group of undertakings may appoint a single data protection officer, provided that a data protection officer is easily accessible from each establishment.

3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organizational structure and size.

4. In cases other than those referred to in paragraph 1, the controller or the processor, or associations and other bodies representing categories of controllers or processors, may or, where required by Union law or Member State law, shall designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.

5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.

6. The data protection officer may be a staff member of the controller or the processor, or may fulfil the tasks on the basis of a service contract.

7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.

Article 38

Position of the data protection officer

1. The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.

2. The controller and the processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing the resources necessary to carry out those tasks and access to personal data and processing operations, and by enabling the data protection officer to maintain his or her expert knowledge.

3. The controller and the processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. The data protection officer shall not be dismissed or penalized by the controller or the processor for performing his or her tasks. The data protection officer shall report directly to the highest management level of the controller or the processor.

4. Data subjects may contact the data protection officer with regard to all issues related to the processing of their personal data and to the exercise of their rights under this Regulation.

5. The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union law or Member State law.

6. The data protection officer may fulfil other tasks and duties. The controller or the processor shall ensure that any such tasks and duties do not result in a conflict of interests.

Article 39

Tasks of the data protection officer

1. The data protection officer shall have at least the following tasks:

a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;

b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or the processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

c) to provide advice, where requested, as regards the data protection impact assessment and to monitor its performance pursuant to Article 35;

d) to cooperate with the supervisory authority;

e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.

2. The data protection officer shall, in the performance of his or her tasks, have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of the processing.

Section 5

Codes of conduct and certification

Article 40

Codes of conduct

1. The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.

2. Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to:

a) fair and transparent processing;

b) the legitimate interests pursued by controllers in specific contexts;

c) the collection of personal data;

d) the pseudonymisation of personal data;

e) the information provided to the public and to data subjects;

f) the exercise of the rights of data subjects;

g) the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained;

h) the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32;

i) the notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to data subjects;

j) the transfer of personal data to third countries or international organizations; or

k) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79.

3. In addition to adherence by controllers or processors subject to this Regulation, codes of conduct approved pursuant to paragraph 5 of this Article and having general validity pursuant to paragraph 9 of this Article may also be adhered to by controllers or processors that are not subject to this Regulation pursuant to Article 3, in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organizations under the terms referred to in Article 46, paragraph 2, point e). Such controllers or processors shall make binding and enforceable commitments, via contractual instruments or

4. A code of conduct referred to in paragraph 2 of this Article shall contain mechanisms which enable the body referred to in Article 41, paragraph 1, to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of the supervisory authorities competent pursuant to Article 55 or 56.

5. Associations and other bodies referred to in paragraph 2 of this Article which intend to prepare a code of conduct or to amend or extend an existing code shall submit the draft code, amendment or extension to the supervisory authority which is competent pursuant to Article 55. The supervisory authority shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation and shall approve that draft code, amendment or extension if it finds that it provides sufficient appropriate safeguards.

6. Where the draft code, amendment or extension is approved in accordance with paragraph 5, and where the code of conduct concerned does not relate to processing activities in several Member States, the supervisory authority shall register and publish the code.

7. Where a draft code of conduct relates to processing activities in several Member States, the supervisory authority which is competent pursuant to Article 55 shall, before approving the draft code, amendment or extension, submit it under the procedure referred to in Article 63 to the Board, which shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation or, in the situation referred to in paragraph 3 of this Article, provides appropriate safeguards.

8. Where the opinion referred to in paragraph 7 confirms that the draft code, amendment or extension complies with this Regulation or, in the situation referred to in paragraph 3, provides appropriate safeguards, the Board shall submit its opinion to the Commission.

9. The Commission may, by way of implementing acts, decide that the approved code of conduct, amendment or extension submitted to it pursuant to paragraph 8 of this Article has general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93, paragraph 2.

10. The Commission shall ensure appropriate publicity for the approved codes which it has decided have general validity in accordance with paragraph 9.

11. The Board shall collate all approved codes of conduct, amendments and extensions in a register and shall make them publicly available by any appropriate means.

Article 41

Monitoring of approved codes of conduct

1. Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, the monitoring of compliance with a code of conduct pursuant to Article 40 may be carried out by a body which has an appropriate level of expertise in relation to the subject matter of the code and is accredited for that purpose by the competent supervisory authority.

2. A body referred to in paragraph 1 may be accredited to monitor compliance with a code of conduct where that body has:

a) demonstrated its independence and expertise in relation to the subject matter of the code to the satisfaction of the competent supervisory authority;

b) established procedures which allow it to assess the eligibility of the controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation;

c) established procedures and structures to handle complaints about infringements of the code or the manner in which the code has been, or is being, implemented by a controller or processor, and to make those procedures and structures transparent to data subjects and the public; and

d) demonstrated to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests.

3. The competent supervisory authority shall submit the draft criteria for accreditation of a body referred to in paragraph 1 of this Article to the Board pursuant to the consistency mechanism referred to in Article 63.

4. Without prejudice to the tasks and powers of the competent supervisory authority and the provisions of Chapter VIII, a body referred to in paragraph 1 of this Article shall, subject to appropriate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. It shall inform the competent supervisory authority of such actions and the reasons for taking them.

5. The competent supervisory authority shall revoke the accreditation of a body referred to in paragraph 1 if the conditions for accreditation are not, or are no longer, met or where actions taken by the body infringe this Regulation.

6. This Article shall not apply to processing carried out by public authorities and bodies.

Article 42

Certification

1. The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.

2. In addition to adherence by controllers or processors subject to this Regulation, data protection certification mechanisms, seals or marks approved pursuant to paragraph 5 of this Article may be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to this Regulation pursuant to Article 3, within the framework of personal data transfers to third countries or international organizations under the terms referred to in Article 46, paragraph 2, point f). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments,

3. The certification shall be voluntary and available via a process that is transparent.

4. A certification pursuant to this Article does not reduce the responsibility of the controller or the processor for compliance with this Regulation and is without prejudice to the tasks and powers of the supervisory authorities which are competent pursuant to Article 55 or 56.

5. A certification pursuant to this Article shall be issued by the certification bodies referred to in Article 43, or by the competent supervisory authority, on the basis of criteria approved by that competent supervisory authority pursuant to Article 58, paragraph 3, or by the Board pursuant to Article 63. Where the criteria are approved by the Board, this may result in a common certification, the European Data Protection Seal.

6. The controller or the processor which submits its processing to the certification mechanism shall provide the certification body referred to in Article 43 or, where applicable, the competent supervisory authority with all information and access to its processing activities which are necessary to conduct the certification procedure.

7. Certification shall be issued to a controller or a processor for a maximum period of three years and may be renewed, under the same conditions, provided that the relevant requirements continue to be met. Certification shall be withdrawn, as applicable, by the certification bodies referred to in Article 43 or by the competent supervisory authority where the requirements for the certification are not, or are no longer, met.

8. The Board shall collate all certification mechanisms and data protection seals and marks in a register and shall make them publicly available by any appropriate means.

Article 43

Certification bodies

1. Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, certification bodies which have an appropriate level of expertise in relation to data protection shall, after informing the supervisory authority in order to allow it to exercise its powers pursuant to Article 58, paragraph 2, point h), where necessary, issue and renew certification. Member States shall ensure that those certification bodies are accredited by one or both of the following:

a) the supervisory authority which is competent pursuant to Article 55 or 56;

b) the national accreditation body named in accordance with Regulation (EC) No 765/2008 of the European Parliament and of the Council (1), in accordance with EN-ISO/IEC 17065/2012 and with the additional requirements established by the supervisory authority which is competent pursuant to Article 55 or 56.

(1) Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93 (OJ L 218, 13.8.2008, p. 30).

2. Certification bodies referred to in paragraph 1 shall be accredited in accordance with that paragraph only where they have:

a) demonstrated their independence and expertise in relation to the subject matter of the certification to the satisfaction of the competent supervisory authority;

b) undertaken to respect the criteria referred to in Article 42, paragraph 5, and approved by the supervisory authority which is competent pursuant to Article 55 or 56 or by the Board pursuant to Article 63;

c) established procedures for the issuing, periodic review and withdrawal of data protection certification, seals and marks;

d) established procedures and structures to handle complaints about infringements of the certification or the manner in which the certification has been, or is being, implemented by a controller or processor, and to make those procedures and structures transparent to data subjects and the public; and

e) demonstrated, to the satisfaction of the competent supervisory authority, that their tasks and duties do not result in a conflict of interests.

3. The accreditation of certification bodies referred to in paragraphs 1 and 2 of this Article shall take place on the basis of criteria approved by the supervisory authority which is competent pursuant to Article 55 or 56 or by the Board pursuant to Article 63. In the case of accreditation pursuant to paragraph 1, point b), of this Article, those requirements shall complement those provided for in Regulation (EC) No 765/2008 and the technical rules that describe the methods and procedures of the certification bodies.

4. The certification bodies referred to in paragraph 1 shall be responsible for the proper assessment leading to the certification or the withdrawal of such certification, without prejudice to the responsibility of the controller or the processor for compliance with this Regulation. The accreditation shall be issued for a maximum period of five years and may be renewed on the same conditions, provided that the certification body meets the requirements set out in this Article.

5. The certification bodies referred to in paragraph 1 shall provide the competent supervisory authorities with the reasons for granting or withdrawing the requested certification.

6. The requirements referred to in paragraph 3 of this Article and the criteria referred to in Article 42, paragraph 5, shall be made public by the supervisory authorities in an easily accessible form. The supervisory authorities shall also transmit those requirements and criteria to the Board. The Board shall collate all certification mechanisms and data protection seals in a register and shall make them publicly available by any appropriate means.

7. Without prejudice to Chapter VIII, the competent supervisory authority or the national accreditation body shall revoke the accreditation of a certification body pursuant to paragraph 1 of this Article where the conditions for the accreditation are not, or are no longer, met or where actions taken by the certification body infringe this Regulation.

8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of specifying the requirements to be taken into account for the data protection certification mechanisms referred to in Article 42, paragraph 1.

9. The Commission may adopt implementing acts laying down technical standards for certification mechanisms and data protection seals and marks, and mechanisms to promote and recognize those certification mechanisms, seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93, paragraph 2.

CHAPTER V

Transfers of personal data to third countries or international organizations

Article 44

General principle for transfers

Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organization shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or international organization to another third country or to another international organization. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.

Article 45

Transfers on the basis of an adequacy decision

1. A transfer of personal data to a third country or an international organization may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection. Such a transfer shall not require any specific authorization.

2. When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:

a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defense, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organization which are complied with in that country or international organization, case law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;

b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organization is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States; and

c) the international commitments the third country or international organization concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

3. The Commission, after assessing the adequacy of the level of protection, may decide, by means of an implementing act, that a third country, a territory or one or more specified sectors within a third country, or an international organization ensures an adequate level of protection within the meaning of paragraph 2 of this Article. The implementing act shall provide for a mechanism for a periodic review, at least every four years, which shall take into account all relevant developments in the third country or international organization. The implementing act shall specify its territorial and sectoral application and, where applicable, identify the supervisory authority or authorities referred to in paragraph 2, point b), of this Article. The implementing act shall be adopted in accordance with the procedure

4. The Commission shall, on an ongoing basis, monitor developments in third countries and international organizations that could affect the functioning of decisions adopted pursuant to paragraph 3 of this Article and decisions adopted on the basis of Article 25, paragraph 6, of Directive 95/46/EC.

5. Where available information reveals, in particular following the review referred to in paragraph 3 of this Article, that a third country, a territory or one or more specified sectors within a third country, or an international organization no longer ensures an adequate level of protection within the meaning of paragraph 2 of this Article, the Commission shall, to the extent necessary, repeal, amend or suspend the decision referred to in paragraph 3 of this Article by means of implementing acts without retroactive effect. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93, paragraph 2.

On duly justified imperative grounds of urgency, the Commission shall adopt immediately applicable implementing acts in accordance with the procedure referred to in Article 93, paragraph 3.

6. The Commission shall enter into consultations with the third country or international organization with a view to remedying the situation giving rise to the decision made pursuant to paragraph 5.

7. A decision pursuant to paragraph 5 of this Article is without prejudice to transfers of personal data to the third country, a territory or one or more specified sectors within that third country, or the international organization in question pursuant to Articles 46 to 49.

8. The Commission shall publish in the Official Journal of the European Union and on its website a list of the third countries, territories and specified sectors within a third country and international organizations for which it has decided that an adequate level of protection is or is no longer ensured.

9. Decisions adopted by the Commission on the basis of Article 25, paragraph 6, of Directive 95/46/EC shall remain in force until amended, replaced or repealed by a Commission decision adopted in accordance with paragraph 3 or 5 of this Article.

Article 46

Transfers subject to appropriate safeguards

1. In the absence of a decision pursuant to Article 45, paragraph 3, a controller or processor may transfer personal data to a third country or an international organization only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

2. The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorization from a supervisory authority, by:

a) a legally binding and enforceable instrument between public authorities or bodies;

b) binding corporate rules in accordance with Article 47;

c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93, paragraph 2;

d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93, paragraph 2;

e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or

f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.

3. Subject to the authorization from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:

a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organization; or

b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

4. The supervisory authority shall apply the consistency mechanism referred to in Article 63 in the cases referred to in paragraph 3 of this Article.

5. Authorizations by a Member State or supervisory authority on the basis of Article 26, paragraph 2, of Directive 95/46/EC shall remain valid until amended, replaced or repealed, if necessary, by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26, paragraph 4, of Directive 95/46/EC shall remain in force until amended, replaced or repealed, if necessary, by a Commission decision adopted in accordance with paragraph 2 of this Article.

Article 47

Binding corporate rules

1. The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 63, provided that they:

a) are legally binding and apply to and are enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees;

b) expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and

c) fulfill the requirements laid down in paragraph 2.

2. The binding corporate rules referred to in paragraph 1 shall specify at least:

a) the structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity, and of each of its members;

b) the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;

c) their legally binding nature, both internally and externally;

d) the application of the general data protection principles, in particular purpose limitation, data minimization, limited storage periods, data quality, data protection by design and by default, the legal basis for processing, the processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules;

e) the rights of data subjects in regard to processing and the means to exercise those rights, including the right not to be subject to decisions based solely on automated processing, including profiling, in accordance with Article 22, the right to lodge a complaint with the competent supervisory authority and before the competent courts of the Member States in accordance with Article 79, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;

f) the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member concerned not established in the Union; the controller or the processor shall be exempt from that liability, in whole or in part, only if it proves that that member is not responsible for the event giving rise to the damage;

g) how the information on the binding corporate rules, in particular on the provisions referred to in points d), e) and f) of this paragraph, is provided to the data subjects in addition to the information under Articles 13 and 14;

h) the tasks of any data protection officer designated in accordance with Article 37 or of any other person or entity in charge of monitoring compliance with the binding corporate rules within the group of undertakings, or group of enterprises engaged in a joint economic activity, as well as monitoring training and complaint handling;

i) the complaint procedures;

j) the mechanisms within the group of undertakings, or group of enterprises engaged in a joint economic activity, for ensuring the verification of compliance with the binding corporate rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. Results of such verification should be communicated to the person or entity referred to in point h) and to the board of the controlling undertaking of the group of undertakings, or of the group of enterprises engaged in a joint economic activity, and should be available upon request to the competent supervisory authority;

k) the mechanisms for reporting and recording changes to the rules and for reporting those changes to the supervisory authority;

l) the cooperation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, or group of enterprises engaged in a joint economic activity, in particular by making available to the supervisory authority the results of verifications of the measures referred to in point j);

m) the mechanisms for reporting to the competent supervisory authority any legal requirements to which a member of the group of undertakings, or group of enterprises engaged in a joint economic activity, is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules; and

n) the appropriate data protection training for personnel having permanent or regular access to personal data.

3. The Commission may specify the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93, paragraph 2.

Article 48

Transfers or disclosures not authorized by Union law

Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognized or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.

Article 49

Derogations for specific situations

1. In the absence of an adequacy decision pursuant to Article 45, paragraph 3, or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organization shall take place only on one of the following conditions:

a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;

b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;

c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;

d) the transfer is necessary for important reasons of public interest;

e) the transfer is necessary for the establishment, exercise or defense of legal claims;

f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;

g) the transfer is made from a register which, according to Union or Member State law, is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.

appropriate safeguards with regard to the protection of personal data. The controller shall inform the supervisory authority of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and of the legitimate interests pursued.

2. A transfer pursuant to point g) of the first subparagraph of paragraph 1 shall not involve the entirety of the personal data or entire categories of the personal data contained in the register. Where the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.

3. Points a), b) and c) of the first subparagraph of paragraph 1 and the second subparagraph thereof shall not apply to activities carried out by public authorities in the exercise of their public powers.

4. The public interest referred to in point d) of the first subparagraph of paragraph 1 shall be recognized in Union law or in the law of the Member State to which the controller is subject.

5. In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of personal data to a third country or an international organization. Member States shall notify such provisions to the Commission.

6. The controller or processor shall document the assessment as well as the appropriate safeguards referred to in the second subparagraph of paragraph 1 of this Article in the records referred to in Article 30.

Article 50

International cooperation for the protection of personal data

In relation to third countries and international organizations, the Commission and supervisory authorities shall take appropriate steps to:

a) develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data;

b) provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms;

c) engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal data;

d) promote the exchange and documentation of personal data protection legislation and practice, including on jurisdictional conflicts with third countries.

CHAPTER VI

Independent supervisory authorities

Section 1

Independent status

Article 51

Supervisory authority

1. Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union (hereinafter referred to as "supervisory authority").

2. Each supervisory authority shall contribute to the consistent application of this Regulation throughout the Union. For that purpose, the supervisory authorities shall cooperate with the Commission in accordance with Chapter VII.

3. Where more than one supervisory authority is established in a Member State, that Member State shall designate the supervisory authority which is to represent those authorities in the Committee and shall set out the mechanism to ensure compliance by the other authorities with the rules relating to the consistency mechanism referred to in Article 63.

4. Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to this Chapter, by 25 May 2018 at the latest and, without delay, any subsequent amendment affecting them.

Article 52

Independence

1. Each supervisory authority shall act with complete independence in performing its tasks and exercising its powers in accordance with this Regulation.

2. The member or members of each supervisory authority shall, in the performance of their tasks and exercise of their powers in accordance with this Regulation, remain free from external influence, whether direct or indirect, and shall neither seek nor take instructions from anybody.

3. The member or members of each supervisory authority shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation, whether gainful or not.

4. Each Member State shall ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers, including those to be carried out in the context of mutual assistance, cooperation and participation in the Committee.

5. Each Member State shall ensure that each supervisory authority chooses and has its own staff, which shall be subject to the exclusive direction of the member or members of the supervisory authority concerned.

6. Each Member State shall ensure that each supervisory authority is subject to financial control which does not affect its independence and that it has a separate, public annual budget, which may be part of the overall national budget or that of a federal entity.

Article 53

General conditions for the members of the supervisory authority

1. Member States shall provide for each member of their supervisory authorities to be appointed by means of a transparent procedure by:

- their parliament;

- their government;

- their head of State; or

- an independent body entrusted with the appointment under Member State law.

2. Each member shall have the qualifications, experience and skills, in particular in the area of the protection of personal data, required to perform its duties and exercise its powers.

3. The duties of a member shall end in the event of the expiry of the term of office, resignation or compulsory retirement, in accordance with the law of the Member State concerned.

4. A member shall be dismissed only in cases of serious misconduct or if the member no longer fulfills the conditions required for the performance of the duties.

Article 54

Rules on the establishment of the supervisory authority

1. Each Member State shall provide by law for all of the following:

a) the establishment of each supervisory authority;

b) the qualifications and eligibility conditions required to be appointed as a member of each supervisory authority;

c) the rules and procedures for the appointment of the member or members of each supervisory authority;

d) the duration of the term of the member or members of each supervisory authority, which shall be no less than four years, except for the first appointment after 24 May 2016, part of which may take place for a shorter period where that is necessary to protect the independence of the supervisory authority by means of a staggered appointment procedure;

e) whether and, if so, for how many terms the member or members of each supervisory authority are eligible for reappointment;

f) the conditions governing the obligations of the member or members and staff of each supervisory authority, prohibitions on actions, occupations and benefits incompatible therewith during and after the term of office, and rules governing the cessation of employment.

2. The member or members and the staff of each supervisory authority shall, in accordance with Union or Member State law, be subject to a duty of professional secrecy both during and after their term of office, with regard to any confidential information which has come to their knowledge in the course of the performance of their tasks or exercise of their powers. During their term of office, that duty of professional secrecy shall in particular apply to reporting by natural persons of infringements of this Regulation.

Section 2

Competence, tasks and powers

Article 55

Competence

1. Each supervisory authority shall be competent for the performance of the tasks assigned to it and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State.

2. Where processing is carried out by public authorities or private bodies acting on the basis of point c) or e) of Article 6, paragraph 1, the supervisory authority of the Member State concerned shall be competent. In such cases Article 56 does not apply.

3. Supervisory authorities shall not be competent to supervise processing operations of courts acting in their judicial capacity.

Article 56

Competence of the lead supervisory authority

1. Without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor, in accordance with the procedure provided in Article 60.

2. By way of derogation from paragraph 1, each supervisory authority shall be competent to handle a complaint lodged with it or a possible infringement of this Regulation, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State.

3. In the cases referred to in paragraph 2 of this Article, the supervisory authority shall inform the lead supervisory authority without delay on that matter. Within a period of three weeks after being informed, the lead supervisory authority shall decide whether or not it will handle the case in accordance with the procedure provided in Article 60, taking into account whether or not there is an establishment of the controller or processor in the Member State of the supervisory authority which informed it.

4. Where the lead supervisory authority decides to handle the case, the procedure provided in Article 60 shall apply. The supervisory authority which informed the lead supervisory authority may submit to it a draft decision. The lead supervisory authority shall take utmost account of that draft when preparing the draft decision referred to in Article 60, paragraph 3.

5. Where the lead supervisory authority decides not to handle the case, the supervisory authority which informed it shall handle the case in accordance with Articles 61 and 62.

6. The lead supervisory authority shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor.

Article 57

Tasks

1. Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory:

a) monitor and enforce the application of this Regulation;

b) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children shall receive specific attention;

c) advise, in accordance with Member State law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to processing;

d) promote the awareness of controllers and processors of their obligations under this Regulation;

e) upon request, provide information to any data subject concerning the exercise of their rights under this Regulation and, if appropriate, cooperate with the supervisory authorities in other Member States to that end;

f) handle complaints lodged by a data subject, or by a body, organization or association in accordance with Article 80, investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;

g) cooperate with other supervisory authorities, including by sharing information, and provide mutual assistance to them with a view to ensuring the consistent application and enforcement of this Regulation;

h) conduct investigations on the application of this Regulation, including on the basis of information received from another supervisory authority or other public authority;

i) monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices;

j) adopt the standard contractual clauses referred to in Article 28, paragraph 8, and in Article 46, paragraph 2, point d);

k) establish and maintain a list in relation to the requirement for a data protection impact assessment pursuant to Article 35, paragraph 4;

l) give advice on the processing operations referred to in Article 36, paragraph 2;

m) encourage the drawing up of codes of conduct pursuant to Article 40, paragraph 1, and provide an opinion on and approve such codes of conduct which provide sufficient safeguards, pursuant to Article 40, paragraph 5;

n) encourage the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Article 42, paragraph 1, and approve the criteria of certification pursuant to Article 42, paragraph 5;

o) where applicable, carry out a periodic review of certifications issued in accordance with Article 42, paragraph 7;

p) draft and publish the criteria for accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;

q) conduct the accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;

r) authorize the contractual clauses and provisions referred to in Article 46, paragraph 3;

s) approve binding corporate rules pursuant to Article 47;

t) contribute to the activities of the Committee;

u) keep internal records of infringements of this Regulation and of measures taken in accordance with Article 58, paragraph 2; and

v) fulfill any other tasks related to the protection of personal data.

2. Each supervisory authority shall facilitate the submission of complaints referred to in point f) of paragraph 1 by measures such as a complaint submission form which can also be completed electronically, without excluding other means of communication.

3. The performance of the tasks of each supervisory authority shall be free of charge for the data subject and, where applicable, for the data protection officer.

4. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the supervisory authority may charge a reasonable fee based on administrative costs, or refuse to act on the request. The supervisory authority shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

Article 58

 

Powers

Each authority has all of the following powers of investigation:

a) order the controller and the subcontractor, and, where applicable, the representative of the controller or the subcontractor, to provide any information it needs to accomplish its tasks;

 

b) conduct investigations as audits on data protection;

 

c) conduct a review of certifications issued pursuant to Article 42, paragraph 7;

 

d) notify the controller or the processor of an alleged violation of this Regulation;

e) obtain from the controller and the processor access to all personal data and to all information necessary for the performance of its tasks;

f) obtain access to all premises of the controller and the processor, including any data processing installation and means, in accordance with Union law and the procedural law of the Member States.

2. Each supervisory authority has the power to adopt all of the following corrective measures:

a) warn a controller or a processor that the intended processing operations are likely to violate the provisions of this Regulation;

b) reprimand a controller or a processor where processing operations have resulted in a violation of the provisions of this Regulation;

c) order the controller or the processor to comply with the requests of the data subject to exercise his or her rights under this Regulation;

d) order the controller or the processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate in a specified manner and within a specified period;

e) order the controller to communicate a personal data breach to the data subject;

f) impose a temporary or definitive limitation, including a ban on processing;

g) order the rectification or erasure of personal data or the restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to the recipients to whom the personal data have been disclosed pursuant to Article 17, paragraph 2, and Article 19;

h) withdraw a certification or order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or order the certification body not to issue a certification if the requirements for the certification are not or are no longer met;

i) impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the circumstances of each individual case;

j) order the suspension of data flows to a recipient in a third country or to an international organization.

 

3. Each supervisory authority has all of the following authorization and advisory powers:

a) advise the controller in accordance with the prior consultation procedure referred to in Article 36;

b) issue, on its own initiative or on request, opinions to the national parliament, the government of the Member State or, in accordance with the law of the Member State, to other institutions and bodies as well as to the public on any issue related to the protection of personal data;

c) authorize the processing referred to in Article 36, paragraph 5, if the law of the Member State requires such prior authorization;

d) issue an opinion on draft codes of conduct and approve them pursuant to Article 40, paragraph 5;

e) accredit certification bodies pursuant to Article 43;

f) issue certifications and approve certification criteria in accordance with Article 42, paragraph 5;

g) adopt data protection clauses referred to in Article 28, paragraph 8, and Article 46, paragraph 2, point d);

h) authorize the contractual clauses referred to in Article 46, paragraph 3, point a);

i) authorize the administrative arrangements referred to in Article 46, paragraph 3, point b);

j) approve binding corporate rules pursuant to Article 47.

4. The exercise of the powers conferred on the supervisory authority pursuant to this Article shall be subject to appropriate safeguards, including the right to an effective judicial remedy and due process, set out in Union law and the law of the Member States in accordance with the Charter.

5. Each Member State shall provide by law that its supervisory authority has the power to bring violations of this Regulation to the attention of the judicial authorities and, where appropriate, to commence or otherwise engage in legal proceedings in order to enforce the provisions of this Regulation.

6. Each Member State may provide by law that its supervisory authority has powers additional to those referred to in paragraphs 1, 2 and 3. The exercise of those powers shall not impair the effective operation of Chapter VII.

Article 59

Activity reports

Each supervisory authority shall draw up an annual report on its activities, which may include a list of the types of violations notified and the types of measures taken in accordance with Article 58, paragraph 2. Those reports shall be transmitted to the national parliament, the government and other authorities designated by the law of the Member State. They shall be made available to the public, to the Commission and to the Committee.

CHAPTER VII

Cooperation and consistency

Section 1

Cooperation

Article 60

Cooperation between the lead supervisory authority and the other supervisory authorities concerned

1. The lead supervisory authority shall cooperate with the other supervisory authorities concerned pursuant to this section in an endeavour to reach consensus. The lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other.

2. The lead supervisory authority may at any time request the other supervisory authorities concerned to provide mutual assistance pursuant to Article 61 and may conduct joint operations pursuant to Article 62, in particular for carrying out investigations or for monitoring the implementation of a measure concerning a controller or processor established in another Member State.

3. The lead supervisory authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. It shall without delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views.

4. Where any of the other supervisory authorities concerned, within a period of four weeks after having been consulted in accordance with paragraph 3 of this Article, expresses a relevant and reasoned objection to the draft decision, the lead supervisory authority shall, if it does not follow the relevant and reasoned objection or is of the opinion that the objection is not relevant or reasoned, submit the matter to the consistency mechanism referred to in Article 63.

5. Where the lead supervisory authority intends to follow the relevant and reasoned objection made, it shall submit to the other supervisory authorities concerned a revised draft decision for their opinion. That revised draft decision shall be subject to the procedure referred to in paragraph 4 within a period of two weeks.

6. Where none of the other supervisory authorities concerned has objected to the draft decision submitted by the lead supervisory authority within the period referred to in paragraphs 4 and 5, the lead supervisory authority and the supervisory authorities concerned shall be deemed to be in agreement with that draft decision and shall be bound by it.

7. The lead supervisory authority shall adopt the decision and notify it to the main establishment or single establishment of the controller or processor, as the case may be, and shall inform the other supervisory authorities concerned and the Committee of the decision in question, including a summary of the relevant facts and grounds. The supervisory authority with which a complaint has been lodged shall inform the complainant of the decision.

8. By way of derogation from paragraph 7, where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged shall adopt the decision, notify it to the complainant and inform the controller thereof.

9. Where the lead supervisory authority and the supervisory authorities concerned agree to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts. The lead supervisory authority shall adopt the decision for the part concerning actions in relation to the controller, shall notify it to the main establishment or single establishment of the controller or processor on the territory of its Member State and shall inform the complainant thereof, while the supervisory authority of the complainant shall adopt the decision for the part concerning the dismissal or rejection of that complaint,

10. After being notified of the decision of the lead supervisory authority pursuant to paragraphs 7 and 9, the controller or processor shall take the necessary measures to ensure compliance with the decision as regards the processing activities carried out in the context of all its establishments in the Union. The controller or processor shall notify the measures taken to comply with the decision to the lead supervisory authority, which shall inform the other supervisory authorities concerned.

11. Where, in exceptional circumstances, a supervisory authority concerned has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Article 66 shall apply.

12. The lead supervisory authority and the other supervisory authorities concerned shall supply the information required under this Article to each other by electronic means, using a standard form.

Article 61

Mutual assistance

1. Supervisory authorities shall provide each other with relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner, and shall put in place measures for effective cooperation with one another. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorizations and consultations, inspections and investigations.

2. Each supervisory authority shall take all appropriate measures required to reply to a request of another supervisory authority without undue delay and no later than one month after receiving the request. Such measures may include, in particular, the transmission of relevant information on the conduct of an investigation.

3. Requests for assistance shall contain all the necessary information, including the purpose of and the reasons for the request. Information exchanged shall be used only for the purpose for which it was requested.

4. The requested supervisory authority shall not refuse to comply with a request for assistance unless:

a) it is not competent for the subject-matter of the request or for the measures it is requested to execute; or

b) compliance with the request would violate this Regulation or Union or Member State law to which the supervisory authority receiving the request is subject.

5. The requested supervisory authority shall inform the requesting supervisory authority of the results or, as the case may be, of the progress of the measures taken in order to respond to the request. The requested supervisory authority shall provide reasons for any refusal to comply with a request pursuant to paragraph 4.

6. Requested supervisory authorities shall, as a rule, supply the information requested by other supervisory authorities by electronic means, using a standard form.

7. Requested supervisory authorities shall not charge a fee for any action taken by them pursuant to a request for mutual assistance. Supervisory authorities may agree on rules to indemnify each other for specific expenditure arising from the provision of mutual assistance in exceptional circumstances.

8. Where a supervisory authority does not provide the information referred to in paragraph 5 of this Article within one month of receiving the request of another supervisory authority, the requesting supervisory authority may adopt a provisional measure on the territory of its Member State in accordance with Article 55, paragraph 1. In that case, the urgent need to act under Article 66, paragraph 1, shall be presumed to be met and shall require an urgent binding decision from the Committee pursuant to Article 66, paragraph 2.

9. The Commission may, by means of implementing acts, specify the format and procedures for mutual assistance referred to in this Article and the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the Committee, in particular the standard form referred to in paragraph 6 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93, paragraph 2.

Article 62

Joint operations of supervisory authorities

1. The supervisory authorities shall, where necessary, conduct joint operations, including joint investigations and joint enforcement measures, in which members or staff of the supervisory authorities of other Member States are involved.

2. Where the controller or processor has establishments in several Member States or where a significant number of data subjects in more than one Member State are likely to be substantially affected by processing operations, a supervisory authority of each of those Member States shall have the right to participate in joint operations. The supervisory authority which is competent pursuant to Article 56, paragraph 1 or 4, shall invite the supervisory authority of each of those Member States to take part in the joint operations and shall respond without delay to the request of a supervisory authority wishing to participate.

3. A supervisory authority may, in accordance with Member State law, and with the authorization of the supervisory authority of origin, confer powers, including investigative powers, on the members or staff of the supervisory authority of origin involved in joint operations or, in so far as the law of the Member State of the host supervisory authority permits, allow the members or staff of the supervisory authority of origin to exercise their investigative powers in accordance with the law of the Member State of the supervisory authority of origin. Such investigative powers may be exercised only under the guidance and in the presence of members or staff of the host supervisory authority. The members or agents of the

4. Where, in accordance with paragraph 1, staff of the supervisory authority of origin operate in another Member State, the Member State of the host supervisory authority shall assume responsibility for their actions, including liability for any damage caused by them during their operations, in accordance with the law of the Member State in whose territory they are operating.

5. The Member State in whose territory the damage was caused shall make good such damage under the conditions applicable to damage caused by its own staff. The Member State of the supervisory authority of origin whose staff has caused damage to any person in the territory of another Member State shall reimburse that other Member State the sums it has paid to the persons entitled on their behalf.

6. Without prejudice to the exercise of its rights vis-à-vis third parties and with the exception of paragraph 5, each Member State shall refrain, in the case provided for in paragraph 1, from requesting reimbursement from another Member State in relation to damage referred to in paragraph 4.

7. Where a joint operation is intended and a supervisory authority does not, within one month, comply with the obligation laid down in the second sentence of paragraph 2 of this Article, the other supervisory authorities may adopt a provisional measure on the territory of their Member State in accordance with Article 55. In that case, the urgent need to act under Article 66, paragraph 1, shall be presumed to be met and shall require an opinion or an urgent binding decision from the Committee pursuant to Article 66, paragraph 2.

Section 2

Consistency

Article 63

Consistency mechanism

In order to contribute to the consistent application of this Regulation throughout the Union, the supervisory authorities shall cooperate with each other and, where relevant, with the Commission, through the consistency mechanism set out in this section.

 

Article 64

Opinion of the Committee

1. The Committee shall issue an opinion where a competent supervisory authority intends to adopt any of the measures below. To that end, the competent supervisory authority shall communicate the draft decision to the Committee, when that draft:

a) aims to adopt a list of the processing operations subject to the requirement for a data protection impact assessment pursuant to Article 35, paragraph 4;

b) concerns a matter pursuant to Article 40, paragraph 7, namely whether a draft code of conduct or an amendment or extension to a code of conduct complies with this Regulation;

c) aims to approve the criteria for accreditation of a body pursuant to Article 41, paragraph 3, or a certification body pursuant to Article 43, paragraph 3;

d) aims to determine data protection clauses referred to in Article 46, paragraph 2, point d), and in Article 28, paragraph 8;

e) aims to authorize contractual clauses referred to in Article 46, paragraph 3, point a); or

f) aims to approve binding corporate rules within the meaning of Article 47.

2. Any supervisory authority, the Chair of the Committee or the Commission may request that any matter of general application or producing effects in more than one Member State be examined by the Committee with a view to obtaining an opinion, in particular where a competent supervisory authority does not comply with the obligations for mutual assistance in accordance with Article 61 or for joint operations in accordance with Article 62.

3. In the cases referred to in paragraphs 1 and 2, the Committee shall issue an opinion on the matter submitted to it, provided that it has not already issued an opinion on the same matter. That opinion shall be adopted within eight weeks by a simple majority of the members of the Committee. That period may be extended by a further six weeks, taking into account the complexity of the subject-matter. Regarding the draft decision referred to in paragraph 1 circulated to the members of the Committee in accordance with paragraph 5, a member which has not objected within a reasonable period indicated by the Chair shall be deemed to be in agreement with the draft decision.

4. Supervisory authorities and the Commission shall, without undue delay, communicate by electronic means to the Committee, using a standard form, any relevant information, including, as the case may be, a summary of the facts, the draft decision, the grounds which make the enactment of such measure necessary, and the views of other supervisory authorities concerned.

5. The Chair of the Committee shall, without undue delay, transmit by electronic means:

a) to the members of the Committee and the Commission, any relevant information which has been communicated to it, using a standard form. The secretariat of the Committee shall, where necessary, provide translations of relevant information; and

b) the opinion to the supervisory authority referred to, as the case may be, in paragraphs 1 and 2, and to the Commission, and shall make it public.

6. The competent supervisory authority shall not adopt its draft decision referred to in paragraph 1 within the period referred to in paragraph 3.

7. The supervisory authority referred to in paragraph 1 shall take utmost account of the opinion of the Committee and shall, within two weeks after receiving the opinion, communicate to the Chair of the Committee by electronic means, using a standard form, whether it will maintain or amend its draft decision and, where applicable, the amended draft decision.

8. Where the supervisory authority concerned informs the Chair of the Committee within the period referred to in paragraph 7 of this Article that it does not intend to follow the opinion of the Committee, in whole or in part, providing the relevant grounds, Article 65, paragraph 1, shall apply.

Article 65

Dispute resolution by the Committee

1. In order to ensure the correct and consistent application of this Regulation in individual cases, the Committee shall adopt a binding decision in the following cases:

a) where, in a case referred to in Article 60, paragraph 4, a supervisory authority concerned has raised a relevant and reasoned objection to a draft decision of the lead supervisory authority, or the lead supervisory authority has rejected such an objection as being not relevant or reasoned. The binding decision shall concern all the matters which are the subject of the relevant and reasoned objection, in particular whether there is a violation of this Regulation;

b) where there are conflicting views on which of the supervisory authorities concerned is competent for the main establishment;

c) where a competent supervisory authority does not request the opinion of the Committee in the cases referred to in Article 64, paragraph 1, or does not follow the opinion of the Committee issued under Article 64. In that case, any supervisory authority concerned or the Commission may refer the matter to the Committee.

2. The decision referred to in paragraph 1 shall be adopted within one month from the referral of the subject-matter by a two-thirds majority of the members of the Committee. That period may be extended by a further month on account of the complexity of the subject-matter. The decision referred to in paragraph 1 shall be reasoned and addressed to the lead supervisory authority and all the supervisory authorities concerned and shall be binding on them.

3. Where the Committee has been unable to adopt a decision within the periods referred to in paragraph 2, it shall adopt its decision, by a simple majority of its members, within two weeks following the expiry of the second month referred to in paragraph 2. Where the votes of the members of the Committee are split, the decision shall be adopted by the casting vote of its Chair.

4. The supervisory authorities concerned shall not adopt a decision on the matter submitted to the Committee under paragraph 1 while the periods referred to in paragraphs 2 and 3 are running.

5. The Chair of the Committee shall notify, without undue delay, the decision referred to in paragraph 1 to the supervisory authorities concerned. It shall inform the Commission thereof. The decision shall be published on the website of the Committee without delay after the supervisory authority has notified the final decision referred to in paragraph 6.

6. The lead supervisory authority or, as the case may be, the supervisory authority with which the complaint has been lodged shall adopt its final decision on the basis of the decision referred to in paragraph 1 of this Article, without undue delay and at the latest one month after the Committee has notified its decision. The lead supervisory authority or, as the case may be, the supervisory authority with which the complaint has been lodged shall inform the Committee of the date on which its final decision is notified respectively to the controller or the processor and to the data subject. The final decision of the supervisory authorities concerned shall be adopted under the terms of Article 60, paragraphs 7, 8 and 9. The final decision shall refer to the decision referred to in paragraph 1 of this Article and shall specify that that decision will be published on the website of the Committee in accordance with paragraph 5 of this Article. The decision referred to in paragraph 1 of this Article shall be attached to the final decision.

Article 66

Urgency procedure

1. In exceptional circumstances, where a supervisory authority concerned considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, it may, by way of derogation from the consistency mechanism referred to in Articles 63, 64 and 65 or from the procedure referred to in Article 60, immediately adopt provisional measures intended to produce legal effects on its own territory with a specified period of validity which shall not exceed three months. The supervisory authority shall, without delay, communicate those measures and the reasons for adopting them to the other supervisory authorities concerned, to the Committee and to the Commission.

2. Where a supervisory authority has taken a measure pursuant to paragraph 1 and considers that final measures need to be adopted urgently, it may request an urgent opinion or an urgent binding decision from the Committee, giving reasons for requesting such opinion or decision.

3. Any supervisory authority may request an urgent opinion or an urgent binding decision, as the case may be, from the Committee where a competent supervisory authority has not taken an appropriate measure in a situation where there is an urgent need to act in order to protect the rights and freedoms of data subjects, giving reasons for requesting such opinion or decision, including for the urgent need to act.

4. By way of derogation from Article 64, paragraph 3, and Article 65, paragraph 2, the urgent opinion or the urgent binding decision referred to in paragraphs 2 and 3 of this Article shall be adopted within two weeks by a simple majority of the members of the Committee.

Article 67

Exchange of information

The Commission may adopt implementing acts of general scope in order to specify the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the Committee, in particular the standard form referred to in Article 64.

Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93, paragraph 2.

 

Section 3

European Committee for Data Protection

Article 68

European Committee for Data Protection

1. The European Committee for Data Protection (hereinafter referred to as "Committee") is hereby established as a body of the Union and shall have legal personality.

2. The Committee shall be represented by its Chair.

3. The Committee shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor, or their respective representatives.

4. Where in a Member State more than one supervisory authority is responsible for monitoring the application of this Regulation, a joint representative shall be appointed in accordance with the law of that Member State.

5. The Commission shall have the right to participate in the activities and meetings of the Committee without voting rights. The Commission shall designate a representative. The Chair of the Committee shall inform the Commission of the activities of the Committee.

6. In the cases referred to in Article 65, the European Data Protection Supervisor shall have voting rights only on decisions which concern principles and rules applicable to the institutions and bodies of the Union which correspond in substance to those set out in this Regulation.

Article 69

Independence

1. The Committee shall act independently when performing its tasks or exercising its powers pursuant to Articles 70 and 71.

2. Without prejudice to requests by the Commission referred to in Article 70, paragraph 1, point b), and Article 70, paragraph 2, the Committee shall, in the performance of its tasks or the exercise of its powers, neither seek nor take instructions from anybody.

Article 70

Tasks of the Committee

1. The Committee shall ensure the consistent application of this Regulation. To that end, the Committee shall, on its own initiative or, where relevant, at the request of the Commission, have the following tasks:

a) monitor and ensure the correct application of this Regulation in the cases provided for in Articles 64 and 65, without prejudice to the tasks of the national supervisory authorities;

b) advise the Commission on any issue related to the protection of personal data in the Union, including on any proposed amendment of this Regulation;

c) advise the Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities in relation to binding corporate rules;

d) issue guidelines, recommendations and best practices on procedures for erasing links to personal data, or copies or replications of such data, from publicly available communication services, as provided for in Article 17, paragraph 2;

e) examine, on its own initiative, at the request of one of its members or at the request of the Commission, any question concerning the application of this Regulation and issue guidelines, recommendations and best practices in order to encourage the consistent application of this Regulation;

f) issue guidelines, recommendations and best practices in accordance with point e) of this paragraph for further specifying the criteria and conditions for decisions based on profiling pursuant to Article 22, paragraph 2;

g) issue guidelines, recommendations and best practices in accordance with point e) of this paragraph for establishing personal data breaches, determining the undue delay referred to in Article 33, paragraphs 1 and 2, and specifying the particular circumstances in which a controller or a processor is required to notify the personal data breach;

h) issue guidelines, recommendations and best practices in accordance with point e) of this paragraph as to the circumstances in which a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons as provided for in Article 34, paragraph 1;

i) issue guidelines, recommendations and best practices in accordance with point e) of this paragraph for the purpose of further specifying the criteria and requirements for personal data transfers based on binding corporate rules adhered to by controllers and binding corporate rules adhered to by processors, and on further requirements necessary to ensure the protection of the personal data of the data subjects concerned referred to in Article 47;

j) issue guidelines, recommendations and best practices in accordance with point e) of this paragraph for the purpose of further specifying the criteria and requirements for personal data transfers on the basis of Article 49, paragraph 1;

k) draw up guidelines for supervisory authorities concerning the application of the measures referred to in Article 58, paragraphs 1, 2 and 3, and the setting of administrative fines pursuant to Article 83;

l) review the practical application of the guidelines, recommendations and best practices referred to in points e) and f);

m) issue guidelines, recommendations and best practices in accordance with point e) of this paragraph for establishing common procedures for the reporting by natural persons of violations of this Regulation pursuant to Article 54, paragraph 2;

n) encourage the drawing-up of codes of conduct and the establishment of data protection certification mechanisms and data protection seals and marks pursuant to Articles 40 and 42;

o) carry out the accreditation of certification bodies and its periodic review pursuant to Article 43, and maintain a public register of accredited bodies pursuant to Article 43, paragraph 6, and of the accredited controllers or processors established in third countries pursuant to Article 42, paragraph 7;

p) specify the requirements referred to in Article 43, paragraph 3, with a view to the accreditation of certification bodies provided for in Article 42;

q) provide the Commission with an opinion on the certification requirements referred to in Article 43, paragraph 8;

r) provide the Commission with an opinion on the icons referred to in Article 12, paragraph 7;

s) provide the Commission with an opinion for the assessment of the adequacy of the level of protection in a third country or international organization, including for the assessment of whether a third country, a territory or one or more specified sectors within that third country, or an international organization, no longer ensures an adequate level of protection. To that end, the Commission shall provide the Committee with all necessary documentation, including correspondence with the government of the third country, with regard to that third country, territory or specified sector, or with the international organization;

t) issue opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism referred to in Article 64, paragraph 1, on matters submitted pursuant to Article 64, paragraph 2, and issue binding decisions pursuant to Article 65, including in the cases referred to in Article 66;

u) promote cooperation and the effective bilateral and multilateral exchange of information and best practices between the supervisory authorities;

v) promote common training programmes and facilitate personnel exchanges between the supervisory authorities and, where appropriate, with the supervisory authorities of third countries or with international organizations;

w) promote the exchange of knowledge and documentation on data protection legislation and practice with data protection supervisory authorities worldwide;

x) issue opinions on codes of conduct drawn up at Union level pursuant to Article 40, paragraph 9; and

y) maintain a publicly accessible electronic register of decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.

2. Where the Commission requests advice from the Committee, it may indicate a time limit, taking into account the urgency of the matter.

3. The Committee shall forward its opinions, guidelines, recommendations and best practices to the Commission and to the committee referred to in Article 93, and shall make them public.

4. The Committee shall, where appropriate, consult interested parties and give them the opportunity to comment within a reasonable period. The Committee shall, without prejudice to Article 76, make the results of the consultation procedure publicly available.

Article 71

Reports

1. The Committee shall draw up an annual report regarding the protection of natural persons with regard to processing in the Union and, where relevant, in third countries and international organizations. The report shall be made public and transmitted to the European Parliament, the Council and the Commission.

2. The annual report shall include a review of the practical application of the guidelines, recommendations and best practices referred to in Article 70, paragraph 1, point l), as well as of the binding decisions referred to in Article 65.

Article 72

Procedure

1. The Committee shall take decisions by a simple majority of its members, unless otherwise provided for in this Regulation.

2. The Committee shall adopt its own rules of procedure by a two-thirds majority of its members and shall organize its own operational arrangements.

Article 73

Chair

1. The Committee shall elect a Chair and two deputy chairs from among its members by a simple majority.

2. The term of office of the Chair and of the deputy chairs shall be five years and shall be renewable once.

Article 74

Tasks of the Chair

1. The Chair shall have the following tasks:

a) to convene the meetings of the Committee and prepare its agenda;

b) to notify decisions adopted by the Committee pursuant to Article 65 to the lead supervisory authority and the supervisory authorities concerned;

c) to ensure the timely performance of the tasks of the Committee, in particular in relation to the consistency mechanism referred to in Article 63.

2. The Committee shall lay down the allocation of tasks between the Chair and the deputy chairs in its rules of procedure.

Article 75

Secretariat

The Committee shall have a secretariat, which shall be provided by the European Data Protection Supervisor.

The secretariat shall perform its tasks exclusively under the instructions of the President of the Committee.

The staff of the European Data Protection Supervisor involved in carrying out the tasks conferred on the Committee by this Regulation shall be subject to a separate reporting line from the staff involved in carrying out the tasks conferred on the European Data Protection Supervisor.

Where appropriate, the Committee and the European Data Protection Supervisor shall establish and publish an agreement implementing this Article, determining the terms of their cooperation and applicable to the staff of the European Data Protection Supervisor involved in carrying out the tasks conferred on the Committee by this Regulation.

The secretariat shall provide analytical, administrative and logistical support to the Committee.

The secretariat shall be responsible in particular for:

a) the day-to-day business of the Committee;

b) communication between the members of the Committee, its President and the Commission;

c) communication with other institutions and the public;

d) the use of electronic means for internal and external communication;

e) the translation of relevant information;

f) the preparation and follow-up of the meetings of the Committee;

g) the preparation, drafting and publication of opinions, decisions on the settlement of disputes between supervisory authorities and other texts adopted by the Committee.

Article 76

Confidentiality

The discussions of the Committee shall be confidential where the Committee deems it necessary, as provided for in its rules of procedure.

Access to documents submitted to members of the Committee, experts and representatives of third parties shall be governed by Regulation (EC) No 1049/2001 of the European Parliament and of the Council (1).

CHAPTER VIII

Remedies, liability and penalties

Article 77

Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

The supervisory authority with which the complaint has been lodged shall inform the complainant of the progress and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Article 78.

Article 78

Right to an effective judicial remedy against a supervisory authority

Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the data subject within three months of the progress or outcome of the complaint lodged pursuant to Article 77.

Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.

Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the Committee in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.

Article 79

Right to an effective judicial remedy against a controller or processor

Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.

Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.

(1) Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43).

Article 80

Representation of data subjects

The data subject shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects' rights and freedoms with regard to the protection of their personal data, to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf where provided for by Member State law.

Member States may provide that any body, organisation or association referred to in paragraph 1 of this Article, independently of a data subject's mandate, has the right to lodge, in that Member State, a complaint with the supervisory authority which is competent pursuant to Article 77 and to exercise the rights referred to in Articles 78 and 79 if it considers that the rights of a data subject under this Regulation have been infringed as a result of the processing.

Article 81

Suspension of proceedings

Where a competent court of a Member State has information on proceedings, concerning the same subject matter as regards processing by the same controller or processor, that are pending in a court in another Member State, it shall contact that court in the other Member State to confirm the existence of such proceedings.

Where proceedings concerning the same subject matter as regards processing by the same controller or processor are pending in a court in another Member State, any competent court other than the court first seised may suspend its proceedings.

Where those proceedings are pending at first instance, any court other than the court first seised may also, on the application of one of the parties, decline jurisdiction if the court first seised has jurisdiction over the actions in question and its law permits the consolidation thereof.

Article 82

Right to compensation and liability

Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with the obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.

A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.

Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.

Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.

Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79, paragraph 2.

Article 83

Conditions for imposing administrative fines

1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.

2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, the measures referred to in Article 58, paragraph 2, points a) to h) and j). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case, due regard shall be given to the following:

a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

b) the intentional or negligent character of the infringement;

c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;

d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to Articles 25 and 32;

e) any relevant previous infringements by the controller or processor;

f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects;

g) the categories of personal data affected by the infringement;

h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

i) where measures referred to in Article 58, paragraph 2, have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures;

j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

3. If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.

4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines of up to 10 million EUR or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher:

a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43;

b) the obligations of the certification body pursuant to Articles 42 and 43;

c) the obligations of the body responsible for monitoring codes of conduct pursuant to Article 41, paragraph 4.

5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines of up to 20 million EUR or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher:

a) the basic principles for processing, including the conditions for consent, pursuant to Articles 5, 6, 7 and 9;

b) the data subjects' rights pursuant to Articles 12 to 22;

c) the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;

d) any obligations pursuant to Member State law adopted under Chapter IX;

e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58, paragraph 2, or failure to provide access in violation of Article 58, paragraph 1.

6. Non-compliance with an order by the supervisory authority as referred to in Article 58, paragraph 2, shall, in accordance with paragraph 2 of this Article, be subject to administrative fines of up to 20 million EUR or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

7. Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58, paragraph 2, each Member State may lay down rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.

8. The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process.

9. Where the legal system of a Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent supervisory authority and imposed by the competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. The Member States concerned shall notify to the Commission the provisions of their law which they adopt pursuant to this paragraph by 25 May 2018 and, without delay, any subsequent amendment affecting them.

Article 84

Penalties

Member States shall lay down the rules on other penalties applicable to infringements of this Regulation, in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.

Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1 by 25 May 2018 and, without delay, any subsequent amendment affecting them.

CHAPTER IX

Provisions relating to specific processing situations

Article 85

Processing and freedom of expression and information

Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.

For processing carried out for journalistic purposes or the purposes of academic, artistic or literary expression, Member States shall provide for exemptions or derogations from Chapter II (principles), Chapter III (rights of the data subject), Chapter IV (controller and processor), Chapter V (transfer of personal data to third countries or international organisations), Chapter VI (independent supervisory authorities), Chapter VII (cooperation and consistency) and Chapter IX (specific processing situations) if they are necessary to reconcile the right to the protection of personal data with the freedom of expression and information.

Each Member State shall notify to the Commission the provisions of its law which it has adopted pursuant to paragraph 2 and, without delay, any subsequent amendment affecting them.

Article 86

Processing and public access to official documents

Personal data in official documents held by a public authority or a public body or a private body for the performance of a task carried out in the public interest may be disclosed by the authority or body in accordance with Union or Member State law to which the public authority or body is subject, in order to reconcile public access to official documents with the right to the protection of personal data pursuant to this Regulation.

Article 87

Processing of the national identification number

Member States may further determine the specific conditions for the processing of a national identification number or any other identifier of general application. In that case the national identification number or any other identifier of general application shall be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation.

Article 88

Processing in the context of employment

Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees' personal data in the employment context, in particular for the purposes of recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of the employer's or customer's property, the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and the termination of the employment relationship.

Those rules shall include suitable and specific measures to safeguard the data subject's human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings or a group of enterprises engaged in a joint economic activity, and monitoring systems at the workplace.

Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1 by 25 May 2018 and, without delay, any subsequent amendment affecting them.

Article 89

Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall be subject, in accordance with this Regulation, to appropriate safeguards for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place, in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation, provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.

Where personal data are processed for scientific or historical research purposes or statistical purposes, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18 and 21, subject to the conditions and safeguards referred to in paragraph 1 of this Article, in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.

Where personal data are processed for archiving purposes in the public interest, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18, 19, 20 and 21, subject to the conditions and safeguards referred to in paragraph 1 of this Article, in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.

Where processing referred to in paragraphs 2 and 3 serves at the same time another purpose, the derogations shall apply only to processing for the purposes referred to in those paragraphs.

Article 90

Obligations of secrecy

Member States may adopt specific rules to set out the powers of the supervisory authorities laid down in Article 58, paragraph 1, points e) and f), in relation to controllers or processors that are subject, under Union or Member State law or rules established by national competent bodies, to an obligation of professional secrecy or other equivalent obligations of secrecy, where this is necessary and proportionate to reconcile the right to the protection of personal data with the obligation of secrecy. Those rules shall apply only with regard to personal data which the controller or processor has received or obtained in the course of

Each Member State shall notify to the Commission the rules adopted pursuant to paragraph 1 by 25 May 2018 and, without delay, any subsequent amendment affecting them.

Article 91

Existing data protection rules of churches and religious associations

Where in a Member State churches and religious associations or communities apply, at the time of entry into force of this Regulation, comprehensive rules relating to the protection of natural persons with regard to processing, such rules may continue to apply, provided that they are brought into line with this Regulation.

Churches and religious associations which apply comprehensive rules in accordance with paragraph 1 of this Article shall be subject to the supervision of an independent supervisory authority, which may be specific, provided that it fulfils the conditions laid down in Chapter VI of this Regulation.

CHAPTER X

Delegated acts and implementing acts

Article 92

Exercise of the delegation

The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.

The delegation of power referred to in Article 12, paragraph 8, and Article 43, paragraph 8, shall be conferred on the Commission for an indeterminate period of time from 24 May 2016.

The delegation of power referred to in Article 12, paragraph 8, and Article 43, paragraph 8, may be revoked at any time by the European Parliament or by the Council. A decision of revocation shall put an end to the delegation of power specified in that decision. It shall take effect the day following that of its publication in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.

A delegated act adopted pursuant to Article 12, paragraph 8, and Article 43, paragraph 8, shall enter into force only if no objection has been expressed by either the European Parliament or the Council within a period of three months of notification of that act to the European Parliament and the Council, or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by three months at the initiative of the European Parliament or of the Council.

Article 93

Committee procedure

The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

Where reference is made to this paragraph, Article 8 of Regulation (EU) No 182/2011, in conjunction with Article 5 thereof, shall apply.

CHAPTER XI

Final provisions

Article 94

Repeal of Directive 95/46/EC

Directive 95/46/EC is repealed with effect from 25 May 2018.

References to the repealed Directive shall be construed as references to this Regulation. References to the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Article 29 of Directive 95/46/EC shall be construed as references to the European Data Protection Committee established by this Regulation.

Article 95

Relationship with Directive 2002/58/EC

This Regulation shall not impose additional obligations on natural or legal persons in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks in the Union in relation to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC.

Article 96

Relationship with previously concluded agreements

International agreements involving the transfer of personal data to third countries or international organisations which were concluded by Member States prior to 24 May 2016, and which comply with Union law as applicable prior to that date, shall remain in force until amended, replaced or revoked.

Article 97

Reports of the Commission

By 25 May 2020 and every four years thereafter, the Commission shall submit a report on the evaluation and review of this Regulation to the European Parliament and to the Council. The reports shall be made public.

In the context of the evaluations and reviews referred to in paragraph 1, the Commission shall examine, in particular, the application and functioning of:

a) Chapter V on the transfer of personal data to third countries or international organisations, with particular regard to decisions adopted pursuant to Article 45, paragraph 3, of this Regulation and decisions adopted on the basis of Article 25, paragraph 6, of Directive 95/46/EC;

b) Chapter VII on cooperation and consistency.

For the purpose of paragraph 1, the Commission may request information from Member States and supervisory authorities.

In carrying out the evaluations and reviews referred to in paragraphs 1 and 2, the Commission shall take into account the positions and findings of the European Parliament, of the Council, and of other relevant bodies or sources.

The Commission shall, if necessary, submit appropriate proposals to amend this Regulation, in particular taking into account developments in information technology and in the light of the state of progress in the information society.

Article 98

Review of other Union legal acts on data protection

The Commission shall, if appropriate, submit legislative proposals with a view to amending other Union legal acts on the protection of personal data, in order to ensure uniform and consistent protection of natural persons with regard to processing. This shall in particular concern the rules relating to the protection of natural persons with regard to processing by Union institutions, bodies, offices and agencies and on the free movement of such data.

Article 99

Entry into force and application

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

It shall apply from 25 May 2018.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 27 April 2016.

For the European Parliament
President
M. SCHULZ

For the Council
President
J.A. HENNIS-PLASSCHAERT

