Regulation Proposal

Below you can scroll through the current (secret) version of Chapters I to III (most important part) of the new data protection regulation. If you are interested in Recitals and other Chapters you can download a compiled version of the whole state of play here (900KB).

The Council is working on a proposal of the Commission. Strikes show removed text compared to the Commission proposal. Underlined sections were added by the Council. All changes are marked in red (weaker law), green (stronger law) and grey (neutral, only technical or unclear changes).

By clicking on the change, you can find out which country was for or against the change and thereby strengthened or weakened data protection laws in Europe. We also marked when changes are likely to be below the current 1995 Directive and linked changes to “major issues” in the current debate, to give you further background information.




CHAPTER I

GENERAL PROVISIONS

ARTICLE 1
SUBJECT MATTER AND OBJECTIVES

1. This Regulation lays down rules relating to the protection of individuals with regard to the processing of personal data and rules relating to the free movement of personal data.

2. This Regulation protects the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

2a. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to the processing of personal data for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or for other specific processing situations as provided for in Article 6(1)(c) and (e) by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.

3. The free movement of personal data within the Union shall neither be restricted nor prohibited for reasons connected with the protection of individuals with regard to the processing of personal data.





ARTICLE 2
MATERIAL SCOPE

1. This Regulation applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

2. This Regulation does not apply to the processing of personal data:

(a) in the course of an activity which falls outside the scope of Union law, in particular concerning national security;

(b) by the Union institutions, bodies, offices and agencies;

(c) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the Treaty on European Union;

(d) by a natural person without any gainful interest in the course of its own exclusively a personal or household activity;

(e) by competent public authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences and, for these purposes, safeguarding of public security, or the execution of criminal penalties.

3. This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.





ARTICLE 3
TERRITORIAL SCOPE

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union.

2. This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment by the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the European Union.

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where the national law of a Member State applies by virtue of public international law.





ARTICLE 4
DEFINITIONS

For the purposes of this Regulation:

(1) 'data subject' means an identified natural person or a natural person 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

(2) 'personal data' means any information relating to a data subject;

(3) 'processing' means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, or erasure or destruction;

(3a) 'restriction of processing' means the marking of stored personal data with the aim of limiting their processing in the future;

(3b) “Pseudonymisation” means a processing of personal data by the controller in which all attributes revealing the identity of a natural person have been replaced with another attribute by the visible use of applications or measures, in a way that, without knowledge of the attribution system which is kept separately and subject to distinct technical and organizational measures, the information can no longer be attributed to an identified or identifiable person, or can be attributed to such person only with the investment of a disproportionate amount of time, expense and manpower.

(4) 'filing system' means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;

(5) 'controller' means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes, conditions and means of the processing of personal data; where the purposes, conditions and means of processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by Union law or by Member State law;

(6) 'processor' means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

(7) 'recipient' means a natural or legal person, public authority, agency or any other body other than the data subject, the data controller or the data processor to which the personal data are disclosed; however regulatory bodies and authorities which may receive personal data in the exercise of their official functions shall not be regarded as recipients;

(8) 'the data subject's consent' means any freely-given, specific, and informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;

(9) 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

(10) 'genetic data' means all personal data, of whatever type, concerning the relating to the genetic characteristics of an individual which are inherited or acquired during early prenatal development that have been inherited or acquired, resulting from an analysis of a biological sample from the individual in question;

(11) 'biometric data' means any personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual which allow their allows or confirms the unique identification of that individual, such as facial images, or dactyloscopic data;

(12) 'data concerning health' means any information which relates data related to the physical or mental health of an individual, or to the provision of health services to the individual which reveal information about his or her health status;

(12a) 'profiling' means a form of automated processing of personal data intended to use a profile to evaluate personal aspects relating to a natural person, in particular to analyse and predict aspects concerning performance at work, economic situation, health, personal preferences, or interests, reliability or behaviour, location or movements;

(12b) ‘profile’ means a set of data characterising a category of individuals that is intended to be applied to a natural person;

(13) ‘main establishment’ means as regards the controller, the place of its establishment in the Union where the main decisions as to the purposes, conditions and means of the processing of personal data are taken; if no decisions as to the purposes, conditions and means of the processing of personal data are taken in the Union, the main establishment is the place where the main processing activities in the context of the activities of an establishment of a controller in the Union take place. As regards the processor, 'main establishment' means the place of its central administration in the Union;

‘main establishment’ means

- as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in this case the establishment having taken such decisions shall be considered as the main establishment.

- as regards a processor with establishments in more than one Member State, the place of its central administration in the Union and, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;

(14) 'representative' means any natural or legal person established in the Union who, explicitly designated by the controller acts and may be addressed by any supervisory authority and other bodies in the Union instead of in writing pursuant to Article 25, represents the controller with regard to the obligations of the controller under this Regulation;

(15) 'enterprise' means any entity natural or legal person engaged in an economic activity, irrespective of its legal form, thus including natural or legal persons, partnerships or associations regularly engaged in an economic activity;

(16) 'group of undertakings' means a controlling undertaking and its controlled undertakings;

(17) 'binding corporate rules' means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State of the Union for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings or group of enterprises engaged in a joint economic activity;

(18) 'child' means any person below the age of 18 years;

(19) 'supervisory authority' means an independent public authority which is established by a Member State in accordance with pursuant to Article 46;

(19a) ‘concerned supervisory authority’ means

- a supervisory authority which is concerned by the processing because:

a) the controller or processor is established on the territory of the Member State of that supervisory authority;

b) data subjects residing in this Member State are substantially/essentially affected or likely to be substantially/essentially affected by the processing; or

c) the underlying complaint has been lodged to that supervisory authority.





(19b) “transnational processing of personal data” means either:

(a) processing which takes place in the context of the activities of an establishment in more than one Member State of a controller in the Union and the controller or processor is established in more than one Member State; or

(b) processing which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

(19c) “relevant and reasoned objection” means: an objection as to whether there is an infringement of this Regulation or not, or, as the case may be, whether the envisaged action in relation to the controller or processor is in conformity with the Regulation. The objection shall be accompanied by an analysis of the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and where applicable, the free flow of personal data.

(20) 'Information Society service' means any service as defined by Article 1 (2) of Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on Information Society services.

(21) ‘international organisation’ means an organisation and its subordinate bodies governed by public international law or any other body which is set up by, or on the basis of, an agreement between two or more countries;





CHAPTER II

PRINCIPLES

ARTICLE 5

PRINCIPLES RELATING TO PERSONAL DATA PROCESSING

1. Personal data must be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject;

(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further processing of personal data for archiving purposes in the public interest or scientific, statistical or historical purposes shall in accordance with Article 83 not be considered incompatible with the initial purposes;

(c) adequate, relevant and limited to the minimum necessary not excessive in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data;

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for archiving purposes in the public interest or scientific, statistical, or historical research purposes in accordance with the rules and conditions of Article 83 and if a periodic review is carried out to assess the necessity to continue the storage; subject to implementation of the appropriate technical and organisational measures required by the Regulation in order to safeguard the rights and freedoms of data subject;

(ee) processed in a manner that ensures appropriate security of the personal data.

(f) processed under the responsibility and liability of the controller, who shall ensure and demonstrate for each processing operation the compliance with the provisions of this Regulation.

2. The controller shall be responsible for compliance with paragraph 1.





ARTICLE 6
LAWFULNESS OF PROCESSING

1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given unambiguous consent to the processing of their personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by a the controller, or by a third party; except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

2. Processing of personal data which is necessary for purposes of archiving purposes in the public interest, or for historical, statistical or scientific research purposes shall be lawful subject also to the conditions and safeguards referred to in Article 83.

3. The basis of for the processing referred to in points (c) and (e) of paragraph 1 must be provided for in established in accordance with:

(a) Union law, or

(b) the national law of the Member State to which the controller is subject.

The law of the Member State must meet an objective of public interest or must be necessary to protect the rights and freedoms of others, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued.

The purpose of the processing shall be determined in this legal basis or as regards the processing referred to in point (e) of paragraph 1, be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia the general conditions governing the lawfulness of data processing by the controller, the type of data which are subject to the processing, the data subjects concerned; the entities to, and the purposes for which the data may be disclosed; the purpose limitation; storage periods and processing operations and processing procedures, including measures to ensure lawful and fair processing, including for other specific processing situations as provided for in Chapter IX.

3a. In order to ascertain whether a purpose of further processing is compatible with the one for which the data are initially collected, the controller shall take into account, unless the data subject has given consent, inter alia:

(a) any link between the purposes for which the data have been collected and the purposes of the intended further processing;

(b) the context in which the data have been collected;

(c) the nature of the personal data; in particular whether special categories of personal data, pursuant to Article 9;

(d) the possible consequences of the intended further processing for data subjects;

(e) the existence of appropriate safeguards.

4. Only where the purpose of further processing is not compatible incompatible with the one for which the personal data have been collected, the further processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract. Further processing for incompatible purposes on grounds of legitimate interests of the controller or a third party shall be lawful if these interests override the interests of the data subject.

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the conditions referred to in point (f) of paragraph 1 for various sectors and data processing situations, including as regards the processing of personal data related to a child.





ARTICLE 7
CONDITIONS FOR CONSENT

1. The controller shall bear the burden of proof for the data subject's consent to the processing of their personal data for specified purposes. Where Article 6(1)(a) applies the controller shall be able to demonstrate that unambiguous consent was given by the data subject.

1a. Where article 9(2)(a) applies, the controller shall be able to demonstrate that explicit consent was given by the data subject.

2. If the data subject's consent is to be given in the context of a written declaration which also concerns another matters, the requirement to give request for consent must be presented in a manner which is clearly distinguishable in its appearance from this the other matters, in an intelligible and easily accessible form, using clear and plain language.

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof.

4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.





ARTICLE 8

PROCESSING OF PERSONAL DATA OF A CHILD CONDITIONS APPLICABLE TO CHILD'S CONSENT IN RELATION TO INFORMATION SOCIETY SERVICES

1. For the purposes of this Regulation Where Article 6 (1)(a) applies, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 1314 years shall only be lawful if and to the extent that such consent is given or authorised by the child's parent or custodian guardian. holder of parental responsibility over the child. The controller shall make reasonable efforts to obtain verifiable verify in such cases that consent is given or authorised by the holder of parental responsibility over the child the child's parent or guardian taking into consideration available technology.

2. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the methods to obtain verifiable consent referred to in paragraph 1. In doing so, the Commission shall consider specific measures for micro, small and medium-sized enterprises.

4. The Commission may lay down standard forms for specific methods to obtain verifiable consent referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).





ARTICLE 9
PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA

1. The processing of personal data, revealing race racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures shall be prohibited.

2. Paragraph 1 shall not apply if one of the following applies and Article 6 is complied with:

(a) the data subject has given explicit consent to the processing of those personal data, subject to the conditions laid down in Articles 7 and 8, except where Union law or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; or

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and protection law in so far as it is authorised by Union law or Member State law or a collective agreement pursuant to Member State law providing for adequate safeguards; or

(c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent; or

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed outside that body without the consent of the data subjects; or

(e) the processing relates to personal data which are manifestly made public by the data subject; or

(f) processing is necessary for the establishment, exercise or defence of legal claims; or

(g) processing is necessary for the performance of a task carried out in for reasons of public interest, on the basis of Union law or Member State law which shall provide for suitable and specific measures to safeguard the data subject's legitimate interests; or

(h) processing of data concerning health is necessary for health purposes the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of care or treatment or the management of health-care systems services on the basis of Union law or Member State law or pursuant to contract to which the data subject is party and subject to the conditions and safeguards referred to in Article 81 paragraph 4

(ha) processing of genetic data is necessary for purposes specified in points c), f), g), h) and hb) of this paragraph on the basis of Union or Member State law and subject to the conditions and safeguards referred to in paragraph 4;

(hb) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union law or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject data;

(i) processing is necessary for archiving purposes in the public interest or historical, statistical or scientific research purposes and subject to the conditions and safeguards referred to in Article 83

(j) processing of data relating to criminal convictions or related security measures is carried out either under the control of official authority or when the processing is necessary for compliance with a legal or regulatory obligation to which a controller is subject, or for the performance of a task carried out for important public interest reasons, and in so far as authorised by Union law or Member State law providing for adequate safeguards. A complete register of criminal convictions shall be kept only under the control of official authority.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria, conditions and appropriate safeguards for the processing of the special categories of personal data referred to in paragraph 1 and the exemptions laid down in paragraph 2.

4. Personal data referred to in paragraph 1 may on the basis of Union or Member State law be processed for the purposes referred to in points (h) and (ha) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies; by another person also subject to an obligation of secrecy under Member State law or rules established by national competent bodies.

4a. In case a transfer of personal data referred to Article 44(1)(f) involves personal data concerning health such transfer can take place only subject to the condition that those data will be processed by a health professional subject to the obligation of professional secrecy under the law of the third State concerned or rules established by national competent bodies to the obligation of professional secrecy, or by another person also subject to an obligation of secrecy under the law of the third State concerned or rules established by national competent bodies.





ARTICLE 9A
PROCESSING OF DATA RELATING TO CRIMINAL CONVICTIONS AND OFFENCES

Processing of data relating to criminal convictions and offences or related security measures based on Article 6(1) may only be carried out either under the control of official authority or when the processing is authorised by Union law or Member State law providing for adequate safeguards for the rights and freedoms of data subjects. A complete register of criminal convictions may be kept only under the control of official authority.





ARTICLE 10
PROCESSING NOT REQUIRING IDENTIFICATION

1. If the data processed by purposes for which a controller do not permit the controller to identify a natural person processes personal data do not require the identification of a data subject by the controller, the controller shall not be obliged to acquire additional information nor to engage in additional processing in order to identify the data subject for the sole purpose of complying with any provision of this Regulation.

2. Where, in such cases the controller is not in a position to identify the data subject, articles 15, 16, 17, 17a, 17b and 18 do not apply except where the data subject, for the purpose of exercising his or her rights under these articles, provides additional information enabling his or her identification.





CHAPTER III

RIGHTS OF THE DATA SUBJECT

SECTION 1
TRANSPARENCY AND MODALITIES

ARTICLE 11
TRANSPARENT INFORMATION AND COMMUNICATION

1. The controller shall have transparent and easily accessible policies with regard to the processing of personal data and for the exercise of data subjects' rights.

2. The controller shall provide any information and any communication relating to the processing of personal data to the data subject in an intelligible form, using clear and plain language, adapted to the data subject, in particular for any information addressed specifically to a child.





ARTICLE 12
PROCEDURES AND MECHANISMS TRANSPARENT INFORMATION, COMMUNICATION AND MODALITIES FOR EXERCISING THE RIGHTS OF THE DATA SUBJECT

1. The controller shall establish procedures for providing the take appropriate measures to provide any information referred to in Articles 14 and for the exercise of the rights of data subjects referred to in Article 13 and Articles 15 to 19. 14a and any communication under Articles 15 to 19 and 32 relating to the processing of personal data to the data subject in an intelligible and easily accessible form, using clear and plain language. The controller shall provide in particular mechanisms for facilitating the request for the actions referred to in Article 13 and Articles 15 to 19. Where personal data are processed by automated means, the controller shall also provide means for requests to be made electronically. The information shall be provided in writing, or where appropriate, electronically or by other means.

1a. The controller shall facilitate the exercise of data subject rights under Articles 15 to 19.

2. The controller shall inform provide the information referred to in Articles 14a and 15 and information on action taken on a request under Articles 16 to 19 to the data subject without undue delay and at the latest within one month of receipt of the request, whether or not any action has been taken pursuant to Article 13 and Articles 15 to 19 and shall provide the requested information. This period may be prolonged extended for a further two months, if several data subjects exercise their rights and their cooperation is necessary to a reasonable extent to prevent an unnecessary and disproportionate effort on the part of the controller. The information shall be given in writing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject. when necessary, taking into account the complexity of the request and the number of requests. Where the extended period applies, the data subject shall be informed within one month of receipt of the request of the reasons for the delay.

3. If the controller refuses does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for refusal not taking action and on the possibilitiesy of lodging a complaint to the a supervisory authority and seeking a judicial remedy.

4. The Information and the actions taken on requests referred to in paragraph 1 shall be free of charge provided under Articles 14 and 14a and any communication under Articles 16 to 19 and 32 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may charge a fee for providing the information or taking the action requested, or the controller may not take the action requested refuse to act on the request. In that case, the controller shall bear the burden of proving demonstrating the manifestly unfounded or excessive character of the request.

4a. Without prejudice to Article 10, where the controller has reasonable doubts concerning the identity of the individual making the request referred to in Articles 15 to 19, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the manifestly excessive requests and the fees referred to in paragraph 4.

6. The Commission may lay down standard forms and specifying standard procedures for the communication referred to in paragraph 2, including the electronic format. In doing so, the Commission shall take the appropriate measures for micro, small and medium-sized enterprises. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).





ARTICLE 13
RIGHTS IN RELATION TO RECIPIENTS

The controller shall communicate any rectification or erasure carried out in accordance with Articles 16 and 17 to each recipient to whom the data have been disclosed, unless this proves impossible or involves a disproportionate effort.





SECTION 2
INFORMATION AND ACCESS TO DATA

ARTICLE 14
INFORMATION TO BE PROVIDED WHERE THE DATA ARE COLLECTED FROM THE DATA SUBJECT

1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with at least the following information:

(a) the identity and the contact details of the controller and, if any, of the controller's representative and ; the controller may also include the contact details of the data protection officer, if any;

(b) the purposes of the processing for which the personal data are intended; including the contract terms and general conditions where the processing is based on point (b) of Article 6(1) and the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);

(c) the period for which the personal data will be stored;

(d) the existence of the right to request from the controller access to and rectification or erasure of the personal data concerning the data subject or to object to the processing of such personal data;

(e) the right to lodge a complaint to the supervisory authority and the contact details of the supervisory authority;

(f) the recipients or categories of recipients of the personal data;

(g) where applicable, that the controller intends to transfer to a third country or international organisation and on the level of protection afforded by that third country or international organisation by reference to an adequacy decision by the Commission;

(h) any further information necessary to guarantee fair processing in respect of the data subject, having regard to the specific circumstances in which the personal data are collected.

1a. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with such further information necessary to ensure fair and transparent processing in respect of the data subject, having regard to the specific circumstances and context in which the personal data are processed:

(b) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller;

(c) the recipients or categories of recipients of the personal data;

(d) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation; and on the level of protection afforded by that third country or international organisation by reference to an adequacy decision by the Commission;

(e) the existence of the right to request from the controller access to and rectification or erasure of the personal data or restriction of processing of personal data concerning the data subject and to object to the processing of such personal data;

(f) the right to lodge a complaint to the a supervisory authority [and the contact details of the supervisory authority];

(g) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as the possible consequences of failure to provide such data; and

(h) the existence of automated decision making including profiling referred to in Article 20(1) and (3) and information concerning the processing, as well as the significance and the envisaged consequences of such processing for the data subject.

2. Where the personal data are collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, whether the provision of personal data is obligatory or voluntary, as well as the possible consequences of failure to provide such data.

3. Where the personal data are not collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, from which source the personal data originate.

4. The controller shall provide the information referred to in paragraphs 1, 2 and 3:

(a) at the time when the personal data are obtained from the data subject; or

(b) where the personal data are not collected from the data subject, at the time of the recording or within a reasonable period after the collection, having regard to the specific circumstances in which the data are collected or otherwise processed, or, if a disclosure to another recipient is envisaged, and at the latest when the data are first disclosed.

5. Paragraphs 1 to 4 shall not apply, where:

(a) the data subject has already the information referred to in paragraphs 1, 2 and 3; or

(b) the data are not collected from the data subject and the provision of such information proves impossible or would involve a disproportionate effort; or

(c) the data are not collected from the data subject and recording or disclosure is expressly laid down by law; or

(d) the data are not collected from the data subject and the provision of such information will impair the rights and freedoms of others, as defined in Union law or Member State law in accordance with Article 21.

Paragraphs 1 and 1a shall not apply where and insofar as the data subject already has the information.

6. In the case referred to in point (b) of paragraph 5, the controller shall provide appropriate measures to protect the data subject's legitimate interests.

7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria for categories of recipients referred to in point (f) of paragraph 1, the requirements for the notice of potential access referred to in point (g) of paragraph 1, the criteria for the further information necessary referred to in point (h) of paragraph 1 for specific sectors and situations, and the conditions and appropriate safeguards for the exceptions laid down in point (b) of paragraph 5. In doing so, the Commission shall take the appropriate measures for micro, small and medium-sized-enterprises.

8. The Commission may lay down standard forms for providing the information referred to in paragraphs 1 to 3, taking into account the specific characteristics and needs of various sectors and data processing situations where necessary. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).





ARTICLE 14 A

INFORMATION TO BE PROVIDED WHERE THE DATA HAVE NOT BEEN OBTAINED FROM THE DATA SUBJECT

1. Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:

(a) the identity and the contact details of the controller and, if any, of the controller's representative; the controller may also include the contact details of the data protection officer, if any;

(b) the purposes of the processing for which the personal data are intended.

2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with such further information necessary to ensure fair and transparent processing in respect of the data subject, having regard to the specific circumstances and context in which the personal data are processed:

(a) the categories of personal data concerned;

(c) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller;

(d) the recipients or categories of recipients of the personal data;

(e) the existence of the right to request from the controller access to and rectification or erasure of the personal data concerning the data subject and to object to the processing of such personal data;

(f) the right to lodge a complaint to a supervisory authority;

(g) the origin of the personal data, unless the data originate from publicly accessible sources;

(h) the existence of automated decision making including profiling referred to in Article 20(1) and (3) and information concerning the processing, as well as the significance and the envisaged consequences of such processing for the data subject.

3. The controller shall provide the information referred to in paragraphs 1 and 2:

(a) within a reasonable period after obtaining the data, having regard to the specific circumstances in which the data are processed, or

(b) if a disclosure to another recipient is envisaged, at the latest when the data are first disclosed.

4. Paragraphs 1 to 3 shall not apply where and insofar as:

(a) the data subject already has the information; or

(b) the provision of such information proves impossible or would involve a disproportionate effort or is likely to render impossible or to seriously impair the achievement of the purposes of the processing; in such cases the controller shall take appropriate measures to protect the data subject's legitimate interests; or

(c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject, which provides appropriate measures to protect the data subject's legitimate interests; or

(d) where the data originate from publicly available sources; or

(e) where the data must remain confidential in accordance with a legal provision in Union or Member State law or because of the overriding legitimate interests of another person.





ARTICLE 15
RIGHT OF ACCESS FOR THE DATA SUBJECT

1. The data subject shall have the right to obtain from the controller at any time, on request, reasonable intervals and free of charge confirmation as to whether or not personal data subject concerning him or her are being processed. and where such personal data are being processed the controller shall provide access to the data and the following information:

(a) the purposes of the processing;

(b) the categories of personal data concerned;

(c) the recipients or categories of recipients to whom the personal data are to be or have been or will be disclosed, in particular to recipients in third countries;

(d) where possible, the envisaged period for which the personal data will be stored;

(e) the existence of the right to request from the controller rectification or erasure of personal data concerning the data subject or to object to the processing of such personal data;

(f) the right to lodge a complaint to the a supervisory authority and the contact details of the supervisory authority;

(g) communication of the personal data undergoing processing and of where the personal data are not collected from the data subject, any available information as to their source;

(h) in the case of automated decision making including profiling referred to in Article 20(1) and (3), knowledge of the logic involved in any automated data processing as well as the significance and envisaged consequences of such processing, at least in the case of measures referred to in Article 20.

1a. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 42 relating to the transfer.

1b. On request and without an excessive charge, the controller shall provide a copy of the personal data undergoing processing to the data subject.

2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject.

Where personal data supplied by the data subject are processed by automated means and in a structured and commonly used format, the controller shall, on request and without an excessive charge, provide a copy of the data concerning the data subject in that format to the data subject.

2a. The right to obtain a copy referred to in paragraphs 1b and 2 shall not apply where such copy cannot be provided without disclosing personal data of other data subjects.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the communication to the data subject of the content of the personal data referred to in point (g) of paragraph 1.

4. The Commission may specify standard forms and procedures for requesting and granting access to the information referred to in paragraph 1, including for verification of the identity of the data subject and communicating the personal data to the data subject, taking into account the specific features and necessities of various sectors and data processing situations. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).





SECTION 3

RECTIFICATION AND ERASURE

ARTICLE 16
RIGHT TO RECTIFICATION

The data subject shall have the right to obtain from the controller the rectification of personal data relating to them concerning him or her which are inaccurate. Having regard to the purposes for which data were processed, the data subject shall have the right to obtain completion of incomplete personal data, including by way of means of providing a supplementing supplementary a statement.





ARTICLE 17
RIGHT TO BE FORGOTTEN AND TO ERASURE

1. The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which are made available by the data subject while he or she was a child, The controller shall have the obligation to erase personal data without undue delay and the data subject shall have the right to obtain the erasure of personal data without undue delay where one of the following grounds applies:

(a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1) or point (a) of Article 9(2) or when the storage period consented to has expired, and where there is no other legal ground for the processing of the data;

(c) the data subject objects to the processing of personal data pursuant to Article 19(1) and there are no overriding legitimate grounds for the processing or the data subject objects to the processing of personal data pursuant to Article 19(2);

(d) the processing of the data does not comply with this Regulation for other reasons. the data have been unlawfully processed;

(e) the data have to be erased for compliance with a legal obligation to which the controller is subject.

2. Where the controller referred to in paragraph 1 has made the personal data public, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication.

2a. Where the controller referred to paragraph 1 has made the personal data public and is obliged pursuant to paragraph 1 to erase the data, the controller, taking account of available technology and the cost of implementation, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties controllers which are processing such the data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication.

3. The controller shall carry out the erasure without delay, except Paragraphs 1 and 2a shall not apply to the extent that the retention processing of the personal data is necessary:

(a) for exercising the right of freedom of expression in accordance with Article 80;

(b) for compliance with a legal obligation to retain process the personal data by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; Member State laws shall meet an objective of public interest, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued;

(c) for reasons of public interest in the area of public health in accordance with Article 81;

(d) for archiving purposes in the public interest or for historical, statistical and research scientific purposes in accordance with Article [83];

(e) in the cases referred to in paragraph 4

(g) for the establishment, exercise or defence of legal claims.

4. Instead of erasure, the controller shall restrict processing of personal data where:

(a) their accuracy is contested by the data subject, for a period enabling the controller to verify the accuracy of the data;

(b) the controller no longer needs the personal data for the accomplishment of its task but they have to be maintained for purposes of proof;

(c) the processing is unlawful and the data subject opposes their erasure and requests the restriction of their use instead;

(d) the data subject requests to transmit the personal data into another automated processing system in accordance with Article 18(2).

5. Personal data referred to in paragraph 4 may, with the exception of storage, only be processed for purposes of proof, or with the data subject's consent, or for the protection of the rights of another natural or legal person or for an objective of public interest.

6. Where processing of personal data is restricted pursuant to paragraph 4, the controller shall inform the data subject before lifting the restriction on processing.

7. The controller shall implement mechanisms to ensure that the time limits established for the erasure of personal data and/or for a periodic review of the need for the storage of the data are observed.

8. Where the erasure is carried out, the controller shall not otherwise process such personal data.

9. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying:

(a) the criteria and requirements for the application of paragraph 1 for specific sectors and in specific data processing situations;

(b) the conditions for deleting links, copies or replications of personal data from publicly available communication services as referred to in paragraph 2;

(c) the criteria and conditions for restricting the processing of personal data referred to in paragraph 4.





ARTICLE 17A
RIGHT TO RESTRICTION OF PROCESSING

1. The data subject shall have the right to obtain from the controller the restriction of the processing of personal data where:

(a) the accuracy of the data is contested by the data subject, for a period enabling the controller to verify the accuracy of the data;

(b) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or

(c) he or she has objected to processing pursuant to Article 19(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

3. Where processing of personal data has been restricted under paragraph 1, such data may, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.

4. A data subject who obtained the restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.





ARTICLE 17B
NOTIFICATION OBLIGATION REGARDING RECTIFICATION, ERASURE OR RESTRICTION

The controller shall communicate any rectification, erasure or restriction of processing carried out in accordance with Articles 16, 17(1) and 17a to each recipient to whom the data have been disclosed, unless this proves impossible or involves a disproportionate effort.





ARTICLE 18
RIGHT TO DATA PORTABILITY

1. The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject.

2. Where tThe data subject has provided the personal data and the processing is based on consent or on a contract, the data shall have the right to transmit those the personal data and any other information provided by the data subject and retained by an automated processing system, into another one, in an electronic format which is concerning him or her which he or she has provided to a controller to another controller in a commonly used and machine-readable format without hindrance from the controller from whom the personal data are withdrawn. to which the data have been provided to, where

(a) the processing is based on consent or on a contract pursuant to points (a) and (b) of Article 6 (2) or point (a) of Article 9 (2); and

(b) the processing is carried out by automated means.

2a. The exercise of this right shall be without prejudice to Article 17.

2aa. The right referred to in paragraph 2 shall be without prejudice to intellectual property rights in relation to the processing of the those personal data.

3. The Commission may specify the electronic format referred to in paragraph 1 and technical standards, modalities and procedures for the transmission of personal data pursuant to paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).





SECTION 4

RIGHT TO OBJECT AND PROFILING

ARTICLE 19
RIGHT TO OBJECT

1. The data subject shall have the right to object, on reasoned grounds relating to their his or her particular situation, at any time to the processing of personal data concerning him or her which is based on point (d), (e) and (f) of Article 6(1); the personal data shall no longer be processed unless the controller demonstrates compelling legitimate grounds for the processing which override the interests or fundamental rights and freedoms of the data subject.

1a. Where an objection is upheld pursuant to paragraph 1, the controller shall no longer process the personal data concerned except for the establishment, exercise or defence of legal claims.

2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object free of charge at any time to the processing of personal data concerning him or her for such marketing. This right shall be explicitly offered brought to the attention of the data subject in an intelligible manner and shall be presented clearly distinguishable and separately from any other information.

2a. Where the data subject objects to the processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

3. Where an objection is upheld pursuant to paragraphs 1 and 2, the controller shall no longer use or otherwise process the personal data concerned.





ARTICLE 20
MEASURES BASED ON PROFILING

1. Every natural person The data subject shall have the right not to be subject to a measure which decision evaluating personal aspects relating to him or her, which is based solely on automated processing, including profiling, and produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour him or her or significantly affects him or her.

1a. Subject to the other provisions of this Regulation, a person may be subjected to a measure of the kind A data subject may be subject to a decision referred to in paragraph 1 only if the processing it

(a) is carried out in the course of the necessary for entering into, or performance of, a contract where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the right to obtain human intervention between the data subject and a data controller or

(b) is expressly authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's legitimate interests; or

(c) is based on the data subject's explicit consent, subject to the conditions laid down in Article 7 and to suitable safeguards.

1b. In cases referred to in paragraph 1a) the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, such as the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision:

2. Subject to the other provisions of this Regulation, a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing:

(a) is carried out in the course of the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the right to obtain human intervention; or

(b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests; or

(c) is based on the data subject's consent, subject to the conditions laid down in Article 7 and to suitable safeguards.

3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not be based solely on the special categories of personal data referred to in Article 9.

Decisions referred to in paragraph 1a shall not be based on special categories of personal data referred to in Article 9(1), unless points (a) or (g) of Article 9(2) apply and suitable measures to safeguard the data subject's legitimate interests are in place.

4. In the cases referred to in paragraph 2, the information to be provided by the controller under Article 14 shall include information as to the existence of processing for a measure of the kind referred to in paragraph 1 and the envisaged effects of such processing on the data subject.

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for suitable measures to safeguard the data subject's legitimate interests referred to in paragraph 2.





SECTION 5

Restrictions

ARTICLE 21

RESTRICTIONS

1. Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in points (a) to (e) of Article 5 and Articles 11 12 to 20 and Article 32, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 20, when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard:

(aa) national security;

(ab) defence;

(a) public security;

(b) the prevention, investigation, detection and prosecution of criminal offences and, for these purposes, safeguarding of public security, or the execution of criminal penalties;

(c) other important objectives of general public interests of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including, monetary, budgetary and taxation matters, public health and social security, and the protection of market stability and integrity;

(ca) the protection of judicial independence and judicial proceedings;

(d) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

(e) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (a), (b), (c) and (d);

(f) the protection of the data subject or the rights and freedoms of others.

(g) the enforcement of civil law claims.

2. In particular aAny legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant as to the objectives to be pursued by the processing and the determination of the controller the purposes of the processing or categories of processing, the categories of personal data, the scope of the restrictions introduced, the specification of the controller or categories of controllers, the storage period and the applicable safeguards taking into account of the nature, scope and purposes of the processing and the risks for the rights and freedoms of data subjects.



SECTION 5
CODES OF CONDUCT AND CERTIFICATION

ARTICLE 38
CODES OF CONDUCT

1. The Member States, the supervisory authorities, the European Data Protection Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various data processing sectors in particular in relation to: and the specific needs of micro, small and medium-sized enterprises.

1a. Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of provisions of this Regulation, such as:

(a) fair and transparent data processing;

(aa) the legitimate interests pursued by controllers in specific contexts;

(b) the collection of data;

(bb) the pseudonymisation of personal data;

(c) the information of the public and of data subjects;

(d) requests of data subjects in exercise of their rights; the exercise of the rights of data subjects;

(e) information and protection of children and the way to collect the parent’s and guardian’s consent;

(ee) measures and procedures referred to in Articles 22 and 23 and measures to ensure security of processing referred to in Article 30;

(ef) notification of personal data breaches to supervisory authorities and communication of such breaches to data subjects;

(f) transfers of data to third countries or international organisations.

(g) mechanisms for monitoring and ensuring compliance with the code by the controllers adherent to it;

(h) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with respect to the processing of personal data, without prejudice to the rights of the data subjects pursuant to Articles 73 and 75.

1ab. In addition to adherence by controller or processor subject to the regulation, codes of conduct approved pursuant to paragraph 2 may also be adhered to by controllers or processors that are not subject to this Regulation according to Article 3 in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organisations under the terms referred to in Article 42(2)(d). Such controllers or processors shall make binding and enforceable commitments, via contractual instruments or otherwise, to apply those appropriate safeguards including as regards data subjects’ rights.

1b. Such a code of conduct shall contain mechanisms which enable the body referred to in paragraph 1 of article 38a to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of the supervisory authority which is competent pursuant to Article 51 or 51a.

2. Associations and other bodies representing categories of controllers or processors in one Member State referred to in paragraph 1a which intend to draw up prepare a codes of conduct, or to amend or extend an existing code, shall submit them the draft code to an opinion of the supervisory authority in that Member State. The supervisory authority may give an opinion whether the draft code of conduct or the amendment is in compliance with this Regulation. The supervisory authority shall seek the views of data subjects or their representatives on these drafts the supervisory authority which is competent pursuant to Article 51. The supervisory authority shall give an opinion on whether the draft code, or amended or extended code, is in compliance with this Regulation and shall approve such draft, amended or extended code if it finds that it provides sufficient appropriate safeguards.

2a. Where the opinion referred to in paragraph 2 confirms that the code of conduct, or amended or extended code, is in compliance with this Regulation and the code is approved, and if the code of conduct does not relate to processing activities in several Member States, the supervisory authority shall register the code and publish the details thereof.

2b. Where the draft code of conduct relates to processing activities in several Member States, the supervisory authority competent pursuant to Article 51 shall, before approval, submit it in the procedure referred to in Article 57 to the European Data Protection Board which shall give an opinion on whether the draft code, or amended or extended code, is in compliance with this Regulation or, in the situation referred to in paragraph 1ab, provides appropriate safeguards.

3. Associations and other bodies representing categories of controllers in several Member States may submit draft codes of conduct and amendments or extensions to existing codes of conduct to the Commission. Where the opinion referred to in paragraph 2b confirms that the code of conduct, or amended or extended code, is in compliance with this Regulation, or, in the situation referred to in paragraph 1ab, provides appropriate safeguards, the European Data Protection Board shall submit its opinion to the Commission.

4. The Commission may adopt implementing acts for deciding that the codes of conduct and amendments or extensions to existing approved codes of conduct submitted to it pursuant to paragraph 3 have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).

5. The Commission shall ensure appropriate publicity for the approved codes which have been decided as having general validity in accordance with paragraph 4.

5a. The European Data Protection Board shall collect all approved codes of conduct and amendments thereto in a register and shall make them publicly available through any appropriate means, such as through the European E-Justice Portal.