Germany Greens/EFA

Jan Philipp Albrecht

Country: Germany
Group: The Greens – European Free Alliance (Greens/EFA)
Party: Bündnis 90/Die Grünen (Grünen)

Member of Civil Liberties, Justice and Home Affairs
Substitute of Legal Affairs

Overview Jan Philipp Albrecht

Amendments: 371
...stronger: 202
...weaker: 37
...neutral: 132

Amendments by Jan Philipp Albrecht

(4) The economic and social integration resulting from the functioning of the internal market has led to a substantial increase in cross-border flows. The exchange of data between economic and social, public and private actors across the Union increased. National authorities in the Member States are being called upon by Union law to cooperate and exchange personal data so as to be able to perform their duties or carry out tasks on behalf of an authority in another Member State. Member States have a positive obligation under the European Convention for the protection of Human Rights and Fundamental Freedoms (ECHR) to ensure that such data flows are appropriately regulated.
(5) Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of data sharing and collection has increased spectacularly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Individuals increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and requires further improved legal safeguards which will facilitate the free flow of data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data.
(6) These developments require building a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance to create the trust that will allow the digital economy to develop across the internal market. Individuals should have control of their own personal data. Legal and practical certainty for individuals, economic operators and public authorities should be reinforced.
(7) The objectives and principles of Directive 95/46/EC remain sound, but this has not prevented fragmentation in the way data protection is implemented across the Union, legal uncertainty and a widespread public perception that there are significant risks for the protection of individuals associated notably with online activity. Differences in the level of protection of the rights and freedoms of individuals, notably to the right to the protection of personal data, with regard to the processing of personal data afforded in the Member States may prevent the free flow of personal data throughout the Union and inevitably lead to breaches of the fundamental rights to privacy and data protection. These differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law. This difference in levels of protection is due to the existence of differences in the implementation and application of Directive 95/46/EC.
(9) Effective protection of personal data throughout the Union requires strengthening and detailing the rights of data subjects and the obligations of those who process and determine the processing of personal data, but also equivalent powers and technical and operational capacity for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for offenders in the Member States.
(11) In order to ensure a consistent level of protection for individuals throughout the Union and to prevent divergences hampering the free movement of data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide individuals in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective co-operation by the supervisory authorities of different Member States. Where demonstrably necessary and without undermining either the protection of personal data or single market principles, to take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a number of derogations. In addition, the Union institutions and bodies, Member States and their supervisory authorities are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. The notion of micro, small and medium-sized enterprises should draw upon Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises.
(14) This Regulation does not address issues of protection of fundamental rights and freedoms or the free flow of data related to activities which fall outside the scope of Union law, nor does it cover the processing of personal data by the Union institutions, bodies, offices and agencies, which are subject to Regulation (EC) No 45/2001, or the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union. In order to ensure a coherent data protection framework, Regulation (EC) No 45/2001 should be brought into line with this Regulation.
Justification: This amendment seeks to ensure consistency between the Regulation and the laws regulating EU institutions, bodies and agencies, such as Regulation (EC) No 45/2001 but equally of all the EU agencies that currently have their own data protection regulations, leading to a patchwork of rules that makes it very hard for the data subject to exercise its rights. See related Articles 2(b), 89a.
  Comment: Intention unclear.
(15) This Regulation should not apply to processing of personal data by a natural person, which is exclusively personal or domestic, such as correspondence, the holding of addresses, or the personal use of certain electronic services. The exemption should not apply where the processing of personal data is done in pursuit of a professional or commercial objective. The nature of the personal data processed and whether it is available to a definite or indefinite number of persons shall be taken into account in determining whether the processing falls within the exemption. The exemption should also not apply to controllers or processors which provide the means for processing personal data for such personal or domestic activities.
(16) The protection of individuals with regard to the processing of personal data by competent public authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data, is subject of a specific legal instrument at Union level. Therefore, this Regulation should not apply to the processing activities for those purposes. However, data processed by public authorities under this Regulation when used for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties should be governed by the more specific legal instrument at Union level (Directive XX/YYY).
(17) The limitations on liability under the Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on Electronic Commerce) are horizontal in nature and therefore apply to relevant activities of all information society service providers. This Regulation establishes the rules for the processing of personal data while the Directive 2000/31/EC sets out the conditions by which an information service provider is liable for third party infringements of the law. In the interests of legal certainty, the clear and distinct roles of the two instruments need to be consistently respected. This Regulation should be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.
(18) This Regulation allows the principle of public access to official documents to be taken into account when applying the provisions set out in this Regulation. Personal data in documents held by a public authority or public body may be disclosed by that authority or body in accordance with Union or Member State law regarding public access to official documents, if it is necessary for reconciling the right to data protection with the right of public access to official documents and constitutes a fair balance of the various interests involved.
(20) In order to ensure that individuals are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects residing in the Union by a controller not established in the Union should be subject to this Regulation where the processing activities are related to the offering of goods or services, including services offered free of charge, to such data subjects, or to the monitoring of the behaviour of such data subjects.
(21) In order to determine whether a processing activity can be considered to ‘monitor the behaviour’ of data subjects, it should be ascertained whether individuals are tracked on the internet with or through other means, or if other data about them is collected, including from public registers and announcements in the Union that are accessible from outside of the Union, including with the intention to use, or potential of subsequent use of data processing techniques which consist of applying a ‘profile’ to an individual, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.
(23) The principles of protection should apply to any information concerning an identified or identifiable person. To determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the individual. This Regulation should not apply to anonymous data, meaning any data that can not be related, directly or indirectly, alone or in combination with associated data, to a natural person or where establishing such a relation would require a disproportionate amount of time, expense, and effort, taking into account the state of the art in technology at the time of the processing and the possibilities for development during the period for which the data will be processed.
(24) When using online services, individuals may be associated with one or more online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses, cookie identifiers and other unique identifiers. Since such identifiers leave traces and can be used to single out natural persons, this Regulation should be applicable to processing involving such data, unless those identifiers demonstrably do not relate to natural persons, such as for example the IP addresses used by companies, which cannot be considered as 'personal data' as defined in this Regulation.
(29) Children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data. To determine when an individual is a child, this Regulation should take over the definition laid down by the UN Convention on the Rights of the Child. No reference to child protection in this Regulation should be understood as an implicit instruction that protection of the personal data of adults should be treated with less care than would have been the case if the reference was not included.
(31) In order for processing to be lawful, personal data should be processed on the basis of the specific, informed and explicit consent of the person concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation.
(32) Where processing is based on the data subject's consent, the controller should have the burden of proving that the data subject has given the consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware that and to what extent consent is given. To comply with the principle of data minimisation, the burden of proof should not be understood as requiring the positive identification of data subjects unless necessary.
(33) In order to ensure free consent, it should be clarified that consent does not provide a valid legal ground where the individual has no genuine and free choice and is subsequently not able to refuse or withdraw consent without detriment. The use of default options which the data subject is required to modify to object to the processing, such as pre-ticked boxes, does not express free consent.
(34) Consent should not provide a valid legal ground for the processing of personal data, where there is a clear imbalance between the data subject and the controller. This is especially the case where the data subject is in a situation of dependence from the controller, among others, where personal data are processed by the employer of employees' personal data in the employment context, where the processor or controller is in a dominant market position with respect to the products or services offered to the data subject or where a unilateral and non-essential change in terms of service gives a data subject no option other than to accept the change or abandon an online resource in which they have invested significant time. Where the controller is a public authority, there would be an imbalance only in the specific data processing operations where the public authority can impose an obligation by virtue of its relevant public powers and the consent cannot be deemed as freely given, taking into account the interest of the data subject.
(36) Where processing is carried out in compliance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority, the processing should have a legal basis in Union law, or in a Member State law which meets the requirements of the Charter of Fundamental Rights of the European Union for any limitation of the rights and freedoms. It is also for Union or national law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public administration or another natural or legal person governed by public law, or by private law such as a professional association.
(38) In exceptional circumstances, the legitimate interests of a controller may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding. This would need careful assessment in particular where the data subject is a child, given that children deserve specific protection. The data subject should have the right to object the processing, on grounds relating to their particular situation and free of charge. To ensure transparency, the controller should be obliged to explicitly inform the data subject on the legitimate interests pursued and on the right to object, and also be obliged to document these legitimate interests. Given that it is for the legislator to provide by law the legal basis for public authorities to process data, this legal ground should not apply for the processing by public authorities in the performance of their tasks.
(39) The processing of data to the extent strictly necessary for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data, and the security of the related services offered by, or accessible via, these networks and systems, by public authorities, Computer Emergency Response Teams – CERTs, Computer Security Incident Response Teams – CSIRTs, providers of electronic communications networks and services and by providers of security technologies and services, in specific incidents, constitutes a legitimate interest of the concerned data controller. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems. The processing of personal data to restrict abusive access to and use of publicly available network or information systems, such as the blacklisting of Media Access Control (MAC) addresses or electronic mail addresses by the operator of the system, also constitutes a legitimate interest.
(39a) The enforcement of legal claims against a data subject, such as debt collection or civil damages and remedies, constitutes a legitimate interest, provided the legal claim was established prior to the collection and processing of personal data. The same principle also applies to the prevention or limitation of damages through the data subject suffered by the controller, for example to prevent payment default.
(39b) The interests and fundamental rights of the data subject override the interest of the data controller where personal data are processed in circumstances where data subjects do not expect further processing, for instance when a data subject enters a search query, composes and sends an electronic mail or uses another electronic private messaging service. Any processing of such data, other than for the purposes of performing the service requested by the data subject, should not be considered in the legitimate interest of the controller.
(41) Personal data which are, by their nature, particularly sensitive and vulnerable in relation to fundamental rights or privacy, deserve specific protection. Such data should not be processed, unless the data subject gives his explicit and informed consent. However, derogations from this prohibition should be explicitly provided for in respect of specific needs, in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms by the data subjects in question.
(42) Derogating from the prohibition on processing sensitive categories of data should also be allowed if done by a law, and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where grounds of public interest so justify and in particular for health purposes, including public health and social protection and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for historical, statistical and scientific research purposes.
(45) If the data processed by a controller do not permit the controller to identify or single out a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. In case of a request for access, the controller should be entitled to ask the data subject for further information to enable the data controller to locate the personal data which that person seeks.
(45a) The right to the protection of personal data is based on the right of the data subject to exert the control over the personal data that are being processed. To this end the data subject should be granted clear and unambiguous rights to the provision of transparent, clear and easily understandable information regarding the processing of his or her personal data, the right of access, rectification and erasure of their personal data, the right to data portability and the right to object to profiling. Moreover the data subject should have also the right to lodge a complaint with regard to the processing of personal data by a controller or processor with the competent data protection authority and to bring legal proceedings in order to enforce his or her rights as well as the right to compensation and damages resulting from an unlawful processing operation or from an action incompatible with this Regulation. The provisions of this Regulation should strengthen, clarify, guarantee and where appropriate, codify those rights.
(47) Modalities should be provided for facilitating the data subject’s exercise of their rights provided by this Regulation, including mechanisms to obtain free of charge, in particular access to data, rectification, erasure and to exercise the right to object. The controller should be obliged to respond to requests of the data subject within a fixed deadline and give reasons, in case he cannot comply with the data subject's request.
(50) However, it is not necessary to impose this obligation where the data subject already disposes of this information, or where the recording or disclosure of the data is expressly laid down by law, or where the provision of information to the data subject proves impossible or would involve disproportionate efforts. The latter could be particularly the case where processing is for historical, statistical or scientific research purposes; in this regard, the number of data subjects, the age of the data, and any compensatory measures adopted may be taken into consideration.
(51) Any person should have the right of access to data which has been collected concerning them, and to exercise this right easily, in order to be aware and verify the lawfulness of the processing. Every data subject should therefore have the right to know and obtain communication in particular for what purposes the data are processed, for what period, which recipients receive the data, what is the logic of the data that are undergoing the processing and what might be, at least when based on profiling, the consequences of such processing. This right should not adversely affect the rights and freedoms of others, including trade secrets or intellectual property, such as in relation to the copyright protecting the software. However, the result of these considerations should not be that all information is refused to the data subject.
  Comment: Intention unclear.
(52) The controller should use all reasonable measures to verify the authenticity of a subject access request, in particular in the context of online services and online identifiers. A controller should not retain personal data for the unique purpose of being able to react to potential requests.
(53) Any person should have the right to have personal data concerning them rectified and a 'right to erasure and to be forgotten' where the retention of such data is not in compliance with this Regulation. In particular, data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed, where data subjects have withdrawn their consent for processing or where they object to the processing of personal data concerning them or where the processing of their personal data otherwise does not comply with this Regulation. This right is particularly relevant, when the data subject has given their consent as a child, when not being fully aware of the risks involved by the processing, and later wants to remove such personal data especially on the Internet. However, the further retention of the data should be allowed where it is necessary for historical, statistical and scientific research purposes, for reasons of public interest in the area of public health, for exercising the right of freedom of expression, when required by law or where there is a reason to restrict the processing of the data instead of erasing them.
(54) To strengthen the 'right to erasure and to be forgotten' in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public without legal justification should be obliged to take all necessary steps to have the data erased, but without prejudice to the right of the data subject to claim compensation.
(55) To further strengthen the control over their own data and their right of access, data subjects should have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain free of charge a copy of the data concerning them also in commonly used, interoperable, and where possible open source electronic format. The data subject should also be allowed to transmit those data, which they have provided, from one automated application, such as a social network, into another one. Providers of information society services should not make the transfer of those data mandatory for the provision of their services. Social networks should be encouraged as much as possible to store data in a way which permits efficient data portability for data subjects.
(57) Where personal data are processed for one or more specific purposes, the data subject should have the right to object to such processing in advance, free of charge and in a manner that can be easily and effectively invoked.
(58) Every natural person should have the right not to be subject to profiling or measures based on profiling by means of automated processing. However, such measure should be allowed when expressly authorised by law, carried out in the course of entering or performance of a contract, or when the data subject has given his consent. In any case, such processing should be subject to suitable safeguards, including specific information of the data subject and the right to obtain human intervention. Such measures should not lead to discrimination, concern children, or produce legal or significant effects for the data subject without human intervention.
(59) Restrictions on specific principles and on the rights of information, access, rectification and erasure or on the right of access and data portability, the right to object, measures based on profiling, as well as on the communication of a personal data breach to a data subject and on certain related obligations of the controllers may be imposed by Union or Member State law, as far as necessary and proportionate in a democratic society to safeguard public security, including the protection of human life especially in response to natural or man made disasters, the prevention, investigation and prosecution of criminal offences or of breaches of ethics for regulated professions, other public interests of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, or the protection of the data subject or the rights and freedoms of others. Those restrictions should be in compliance with requirements set out by the Charter of Fundamental Rights of the European Union and by the European Convention for the Protection of Human Rights and Fundamental Freedoms.
(60) Comprehensive responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller's behalf should be established in order to ensure accountability. In particular, the controller should ensure and be able to demonstrate the compliance of each processing operation with this Regulation.
(61) The protection of the rights and freedoms of data subjects with regard to the processing of personal data require that appropriate technical and organisational measures are taken, both at the time of the design of the processing and at the time of the processing itself, to ensure that the requirements of this Regulation are met. In order to ensure and demonstrate compliance with this Regulation, the controller should adopt internal policies and implement appropriate measures, which meet in particular the principles of data protection by design and data protection by default. The principle of data protection by design requires data protection to be embedded within the entire life cycle of the technology, from the very early design stage, right through to its ultimate deployment, use and final disposal. The principle of data protection by default requires privacy settings on services and products which should by default comply with the general principles of data protection, such as data minimisation and purpose limitation.
(63) Where a controller not established in the Union is processing personal data of data subjects residing in the Union whose processing activities are related to the offering of goods or services to such data subjects, or to the monitoring of their behaviour, the controller should designate a representative, unless the controller is established in a third country ensuring an adequate level of protection, or the controller is an enterprise or a public authority or body or where the controller is only occasionally offering goods or services to such data subjects. The representative should act on behalf of the controller and may be addressed by any supervisory authority.
Comment: Two sided.
(65) In order to demonstrate compliance with this Regulation, the controller or processor should document each processing operation in order to be able to provide sufficient information to the data subject. Each controller and processor should be obliged to co-operate with the supervisory authority and make at least this information, on request, available to it, so that it might serve for monitoring those processing operations.
(66) In order to maintain security and to prevent processing in breach of this Regulation, the controller or processor should evaluate the risks inherent to the processing and implement measures to mitigate those risks. These measures should ensure an appropriate level of security, taking into account the state of the art and the costs of their implementation in relation to the risks and the nature of the personal data to be protected. When establishing technical standards and organisational measures to ensure security of processing, technological neutrality, interoperability and innovation should be promoted, and, where appropriate, cooperation with third countries should be encouraged.
(67) A personal data breach may, if not addressed in an adequate and timely manner, result in substantial economic loss and social harm, including identity fraud, to the individual concerned. Therefore, as soon as the controller becomes aware that such a breach has occurred, the controller should notify the breach to the supervisory authority without undue delay and, where feasible, within 72 hours. Where this cannot be achieved within 72 hours, an explanation of the reasons for the delay should accompany the notification. The individuals whose personal data could be adversely affected by the breach should be notified without undue delay in order to allow them to take the necessary precautions. A breach should be considered as adversely affecting the personal data or privacy of a data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation. The notification should describe the nature of the personal data breach as well as recommendations for the individual concerned to mitigate potential adverse effects. Notifications to data subjects should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities (e.g. law enforcement authorities). For example, the chance for data subjects to mitigate an immediate risk of harm would call for a prompt notification of data subjects whereas the need to implement appropriate measures against continuing or similar data breaches may justify a longer delay.
(73) Data protection impact assessments should be carried out by a public authority or public body if such an assessment has not already been made in the context of the adoption of the national law on which the performance of the tasks of the public authority or public body is based and which regulates the specific processing operation or set of operations in question.
(74) Where a data protection impact assessment indicates that processing operations involve a high degree of specific risks to the rights and freedoms of data subjects, such as excluding individuals from their right, or by the use of specific new technologies, the data protection officer or the supervisory authority should be consulted, prior to the start of operations, on a risky processing which might not be in compliance with this Regulation, and to make proposals to remedy such situation. Such consultation should equally take place in the course of the preparation either of a measure by the national parliament or of a measure based on such legislative measure which defines the nature of the processing and lays down appropriate safeguards.
(75) Where the processing is carried out in the public sector or where, in the private sector, processing relates to more than 500 data subjects per year, or where its core activities, regardless of the size of the enterprise, involve processing operations which require regular and systematic monitoring, a person should assist the controller or processor to monitor internal compliance with this Regulation. When establishing whether data about a large number of data subjects are processed, archived data that is restricted in such a way that they are not subject to the normal data access and processing operations of the controller and can no longer be changed should not be taken into account. Such data protection officers, whether or not an employee of the controller and whether or not performing that task full time, should be in a position to perform their duties and tasks independently. The data protection officer should in particular be consulted prior to the design, procurement, development and setting-up of systems for the automated processing of personal data, in order to ensure the principles of privacy by design and privacy by default.
(75a) The data protection officer should have at least the following qualifications: extensive knowledge of the substance and application of data protection law, including technical and organizational measures and procedures; mastery of technical requirements for privacy by design, privacy by default and data security; industry-specific knowledge in accordance with the size of the controller or processor and the sensitivity of the data to be processed; the ability to carry out inspections, consultation, documentation, and log file analysis; and the ability to work with employee representation. The controller should enable the data protection officer to take part in advanced training measures to maintain the specialized knowledge required to perform his or her duties.
(76) Associations or other bodies representing categories of controllers should be encouraged to draw up codes of conduct, within the limits of this Regulation, so as to facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors. Such codes should make the application of this Regulation clearer for the respective business sectors.
(77) In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms, data protection seals and marks should be encouraged, allowing data subjects to quickly, reliably and verifiably assess the level of data protection of relevant products and services.
  Relates to Article 39 para 1.
(80) The Commission may decide with effect for the entire Union that certain third countries, or a territory or a processing sector within a third country, or an international organisation, offer an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third countries or international organisations which are considered to provide such level of protection. In these cases, transfers of personal data to these countries may take place without needing to obtain any further authorisation.
(82) The Commission may equally recognise that a third country, or a territory or a processing sector within a third country, or an international organisation offers no adequate level of data protection. Consequently the transfer of personal data to that third country should be prohibited. In that case, provision should be made for consultations between the Commission and such third countries or international organisations.
(89) In any case, where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with a legally binding guarantee that they will continue to benefit from the fundamental rights and safeguards as regards processing of their data in the Union once this data has been transferred. That guarantee should include financial indemnification in cases of loss or unauthorised access or processing of the data and an obligation, regardless of national legislation, to provide full details of all access to the data by public authorities in the third country.
(92) The establishment of supervisory authorities in Member States, exercising their functions with complete independence, is an essential component of the protection of individuals with regard to the processing of their personal data. Member States may establish more than one supervisory authority, to reflect their constitutional, organisational and administrative structure. An authority shall have adequate financial and personal resources to fully carry out its role, taking into account the size of the population and the amount of personal data processing.
(94) Each supervisory authority should be provided with the adequate financial and human resources, paying particular attention to ensuring adequate technical and legal skills of staff, premises and infrastructure, which are necessary for the effective performance of their tasks, including for the tasks related to mutual assistance and co-operation with other supervisory authorities throughout the Union.
(95) The general conditions for the members of the supervisory authority should be laid down by law in each Member State and should in particular provide that those members should be either appointed by the parliament or the government after consultation of the parliament of the Member State concerned taking due care to minimise the possibility of political interference, and include rules on the personal qualification of the members, the avoidance of conflicts of interest and the position of those members.
(97) Where the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union takes place in more than one Member State, one single supervisory authority should act as the single contact point for the controller or processor throughout the Union and take the related decisions, in order to increase the consistent application, provide legal certainty and reduce administrative burden for such controllers and processors.
(98) The lead authority, providing such one-stop shop, should be the supervisory authority of the Member State in which the controller or processor has its main establishment. The European Data Protection Board may designate the lead authority in certain cases on the request of a competent authority.
(101) Each supervisory authority should hear complaints lodged by any data subject or by association acting in the public interest and should investigate the matter. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. The supervisory authority should inform the data subject or the association of the progress and the outcome of the complaint within a reasonable period. If the case requires further investigation or coordination with another supervisory authority, intermediate information should be given to the data subject.
(104) Each supervisory authority should have the right to participate in joint operations between supervisory authorities. The requested supervisory authority should be obliged to respond to the request in a defined time period. The European Data Protection Board should be able to coordinate such activities, where the supervisory authorities concerned so wish.
(106a) In order to ensure the consistent application of this Regulation, the European Data Protection Board may adopt a binding measure, if a two thirds majority of its members so decides.
(107) In order to ensure compliance with this Regulation, the Commission may adopt an opinion on the matters raised. The Commission may appeal to the Court of Justice of the European Union. It may request the Court to suspend the measure in the course of an urgency procedure, if necessary to avoid irreparable damage.
(110) At Union level, a European Data Protection Board should be set up. It should replace the Working Party on the Protection of Individuals with Regard to the Processing of Personal Data established by Directive 95/46/EC. It should consist of a head of a supervisory authority of each Member State and of the European Data Protection Supervisor. The Commission should participate in its activities. The European Data Protection Board should contribute to the consistent application of this Regulation throughout the Union, including by advising the institutions of the European Union and promoting cooperation of the supervisory authorities throughout the Union, including the coordination of joint operations. The European Data Protection Board should act independently when exercising its tasks.
(112) Any body, organisation or association which aims to protect the rights and interests of data subjects in relation to the protection of their data and acting in the public interest which is constituted according to the law of a Member State should have the right to lodge a complaint with a supervisory authority or exercise the right to a judicial remedy on behalf of data subjects, or to lodge, independently of a data subject's complaint, an own complaint where it considers that a personal data breach has occurred.
(114) In order to strengthen the judicial protection of the data subject in situations where the competent supervisory authority is established in another Member State than the one where the data subject is residing, the data subject may request any body, organisation or association aiming to protect the rights and interests of data subjects in relation to the protection of their data acting in the public interest to bring on the data subject's behalf proceedings against that supervisory authority to the competent court in the other Member State.
(116) For proceedings against a controller or processor, the plaintiff should have the choice to bring the action before the courts of the Member States where the controller or processor has an establishment or where the data subject resides, unless the controller is a public authority of a Member State acting in the exercise of its public powers.
(121) Whenever necessary, exemptions or derogations from the requirements of certain provisions of this Regulation for the processing of personal data should be possible in order to reconcile the right to the protection of personal data with the right to freedom of expression, and notably the right to receive and impart information, as guaranteed in particular by Article 11 of the Charter of Fundamental Rights of the European Union. This should apply in particular to processing of personal data in the audiovisual field and in news archives and press libraries. Therefore, Member States should adopt legislative measures, which should lay down exemptions and derogations which are necessary for the purpose of balancing these fundamental rights. Such exemptions and derogations should be adopted by the Member States on general principles, on the rights of the data subject, on controller and processor, on the transfer of data to third countries or international organisations, on the independent supervisory authorities and on co-operation and consistency. This should not, however, lead Member States to lay down exemptions from the other provisions of this Regulation. In order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary to interpret notions relating to that freedom, such as journalism, broadly. Therefore, Member States should classify activities as "journalistic" for the purpose of the exemptions and derogations to be laid down under this Regulation if the object of these activities is the disclosure to the public of information, opinions or ideas, irrespective of the medium which is used to transmit them. They should not be limited to media undertakings and may be undertaken for profit-making or for non-profit making purposes.
(122) The processing of personal data concerning health, as a special category of data which deserves higher protection, may often be justified by a number of legitimate reasons for the benefit of individuals and society as a whole, in particular in the context of ensuring continuity of cross-border healthcare. Therefore this Regulation should provide for harmonised conditions for the processing of personal data concerning health, subject to specific and suitable safeguards so as to protect the fundamental rights and the personal data of individuals. This includes the right for individuals to have access to their personal data concerning their health, for example the data in their medical records containing such information as diagnosis, examination results, assessments by treating physicians and any treatment or interventions provided.
(124) The general principles on the protection of individuals with regard to the processing of personal data should also be applicable to the employment and the social security context. Therefore, in order to regulate the processing of employees' personal data in the employment context, Member States should be able, in accordance with this Regulation, to adopt by law specific rules for the processing of personal data in the employment sector.
(129) In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data and to ensure the free movement of personal data within the Union, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission. In particular, delegated acts should be adopted in respect of lawfulness of processing; specifying the criteria and conditions in relation to the consent of a child; technical standards to give consent; specifying conditions of icon-based mode for provision of information; specifying the criteria and conditions for manifestly excessive requests and fees for exercising the rights of the data subject; criteria and requirements for the information to the data subject and in relation to the right of access; the right to be forgotten and to erasure; measures based on profiling; criteria and requirements for verification of the responsibility of the controller and to data protection by design and by default; a processor; criteria and requirements for the documentation and the security of processing; criteria and requirements for establishing a personal data breach and for its notification to the supervisory authority, and on the circumstances where a personal data breach is likely to adversely affect the data subject; the criteria and conditions for processing operations requiring a data protection impact assessment; the criteria and requirements for determining a high degree of specific risks which require prior consultation; designation and tasks of the data protection officer; codes of conduct; criteria and requirements for certification mechanisms; criteria and requirements for transfers by way of binding corporate rules; the adequate level of protection afforded by a third country or an international organisation; administrative sanctions; processing for health purposes; processing in the employment context and processing for historical, statistical and scientific research purposes. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level in particular with the European Data Protection Board. The Commission, when preparing and drawing-up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and Council.
(130) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission for: specifying standard forms in relation to the processing of personal data of a child; standard procedures and forms for exercising the rights of data subjects; standard forms for the information to the data subject; standard forms and procedures in relation to the right of access; the right to data portability; standard forms in relation to the responsibility of the controller to data protection by design and by default and to the documentation; specific requirements for the security of processing; the standard format and the procedures for the notification of a personal data breach to the supervisory authority and the communication of a personal data breach to the data subject; standards and procedures for a data protection impact assessment; forms for prior authorisation and prior consultation; technical standards and mechanisms for certification; standard form for notification of decision of third country requesting disclosure of the personal data; format and procedures for the exchange of information by electronic means on binding corporate rules; decisions under the consistency mechanism. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level in particular with the European Data Protection Board. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission's exercise of implementing powers. In this context, the Commission should consider specific measures for micro, small and medium-sized enterprises.
(131) The examination procedure should be used for the adoption of specifying standard procedures and forms in relation to the consent of a child; standard procedures and forms for exercising the rights of data subjects; standard forms for the information to the data subject; standard forms and procedures in relation to the right of access; the right to data portability; standard forms in relation to the responsibility of the controller to data protection by design and by default and to the documentation; specific requirements for the security of processing; the standard format and the procedures for the notification of a personal data breach to the supervisory authority and the communication of a personal data breach to the data subject; standards and procedures for a data protection impact assessment; forms for prior authorisation and prior consultation; technical standards and mechanisms for certification; standard form for notification of decision of third country requesting disclosure of the personal data; format and procedures for the exchange of information by electronic means on binding corporate rules; decisions under the consistency mechanism, given that those acts are of general scope.
(132) The Commission should adopt immediately applicable implementing acts where, in duly justified cases relating to a third country or a territory or a processing sector within that third country or an international organisation which does not ensure an adequate level of protection and relating to matters communicated by supervisory authorities under the consistency mechanism, imperative grounds of urgency so require.
(134) Directive 95/46/EC should be repealed by this Regulation. However, Commission decisions adopted and authorisations by supervisory authorities based on Directive 95/46/EC should remain in force. Commission decisions and authorisations by supervisory authorities relating to transfers of personal data to third countries should remain in force for a transition period of two years.
(135a) This Regulation does not apply to the processing of personal data carried out by European Union institutions, bodies, offices and agencies, which is governed by different legal instruments, particularly Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000. As a result, this Regulation does not remedy the existing lack of comprehensiveness of the data protection legal rules in the European Union and the uneven level of protection of the rights of data subjects. Since Article 8 of the EU Charter and Article 16 TFEU imply that the fundamental right to the protection of personal data should be ensured in a consistent and homogeneous manner throughout the Union, Union institutions, bodies, offices and agencies should be subject to the same rules as laid down in this Regulation, and the Commission should present appropriate legal proposals before (date of application of this Regulation) reviewing the legal framework applicable to the processing of personal data by Union institutions, bodies, offices and agencies when carrying out their activities in order to bring it into line with the provisions/principles of this Regulation.
(139) In view of the fact that, as underlined by the Court of Justice of the European Union, the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and be balanced with other fundamental rights, in accordance with the principle of proportionality, this Regulation respects all fundamental rights and observes the principles recognised in the Charter of Fundamental Rights of the European Union as enshrined in the Treaties, notably the right to respect for private and family life, home and communications, the right to the protection of personal data, the freedom of thought, conscience and religion, the freedom of expression and information, the freedom to conduct a business, the right to an effective remedy and to a fair trial as well as cultural, religious and linguistic diversity. In particular, the jurisdiction of the courts of Member States, of the Court of Justice of the European Union and of the European Court of Human Rights should be respected.
(a) in the course of an activity which falls outside the scope of Union law, in particular concerning national security;
(d) by a natural person without any gainful interest in the course of its own exclusively personal or household activity;
(e) by competent public authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.
2. This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are aimed at:
(a) the offering of goods or services to such data subjects in the Union, irrespective of whether payment is required for those goods or services; or
(b) the monitoring of such data subjects.
(1) 'data subject' means an identified natural person or a natural person who can be identified or singled out, directly or indirectly, alone or in combination with associated data, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to a unique identifier, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, social or gender identity or sexual orientation of that person;
(2a) 'pseudonym' means a unique identifier which is specific to one given context and which does not permit the direct identification of a natural person, but allows the singling out of a data subject;
(3a) 'transfer' means any communication of personal data, actively made available to a limited number of identified parties, with the knowledge or intention of the sender to give the recipient access to the personal data;
(3b) 'profiling' means any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person or to analyse or predict in particular that natural person’s performance at work, economic situation, location, health, personal preferences, reliability or behaviour;
(6a) 'producer' means a natural or legal person, public authority, agency or any other body which creates automated data processing or filing systems designed for the processing of personal data by data controllers and data processors;
(8) 'the data subject's consent' means any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed for one or more specific purposes;
(9) 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
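Definition (2a) above describes a pseudonym as a unique identifier that is specific to one context, does not directly identify the person, but still allows that person to be singled out. The following is an added worked example (not part of the amendment text or of any named product) of one way to implement exactly those three properties with a keyed hash: a per-context key is derived from a master key, and the direct identifier is replaced by an HMAC under that context key. The master key, the context labels, the normalisation of e-mail addresses before hashing and the sample event records are all assumptions made for the illustration.

```python
"""Context-bound pseudonyms (added example, not the amendment's own text).

Properties demonstrated:
  * same subject -> same pseudonym inside one context (singling out works);
  * same subject -> different pseudonym in another context (no cross-context linking);
  * no way back from the pseudonym to the identifier without the master key.
"""
import hashlib
import hmac
import secrets
from collections import Counter


def derive_context_key(master_key: bytes, context: str) -> bytes:
    """Derive a key that is specific to one context (assumed label, e.g. "analytics").

    Pseudonyms produced under different context keys cannot be compared with
    each other, which is what makes the pseudonym "specific to one given context".
    """
    return hmac.new(master_key, b"ctx:" + context.encode("utf-8"), hashlib.sha256).digest()


def normalise_identifier(identifier: str) -> str:
    """Assumed normalisation so that 'Alice@example.org' and 'alice@example.org'
    are recognised as the same subject within a context."""
    return identifier.strip().lower()


def pseudonym(master_key: bytes, context: str, identifier: str) -> str:
    """Keyed hash of the direct identifier under the context key (hex, 64 chars)."""
    ctx_key = derive_context_key(master_key, context)
    data = normalise_identifier(identifier).encode("utf-8")
    return hmac.new(ctx_key, data, hashlib.sha256).hexdigest()


def pseudonymise_records(master_key: bytes, context: str, records: list, field: str) -> list:
    """Return copies of the records with `field` replaced by its context pseudonym.

    The party that later receives these records does not need (and should not
    have) the master key: singling out still works on the pseudonym alone.
    """
    out = []
    for rec in records:
        rec = dict(rec)
        rec[field] = pseudonym(master_key, context, rec[field])
        out.append(rec)
    return out


def count_events_per_subject(records: list, field: str) -> Counter:
    """Singling out within one context, done without the key: group by pseudonym."""
    return Counter(rec[field] for rec in records)


def is_linkable_across_contexts(master_key: bytes, identifier: str, ctx_a: str, ctx_b: str) -> bool:
    """True only if the same identifier maps to the same pseudonym in both contexts.

    With per-context keys this is expected to be False, so two data sets
    pseudonymised for different purposes cannot be joined on the pseudonym.
    """
    return pseudonym(master_key, ctx_a, identifier) == pseudonym(master_key, ctx_b, identifier)


# Constructed sample records; these are not real data.
SAMPLE_EVENTS = [
    {"email": "alice@example.org", "action": "login"},
    {"email": "Alice@example.org", "action": "purchase"},
    {"email": "bob@example.org", "action": "login"},
]


if __name__ == "__main__":
    # The master key is generated once and kept by the controller, separate
    # from the pseudonymised data set that is handed to the processing context.
    master = secrets.token_bytes(32)
    analytics = pseudonymise_records(master, "analytics", SAMPLE_EVENTS, "email")
    print(count_events_per_subject(analytics, "email"))
    print("linkable across contexts:",
          is_linkable_across_contexts(master, "alice@example.org", "analytics", "support"))
```

The design point is the key separation: the pseudonym "does not permit the direct identification" only for as long as the master key is held by a different party than the one holding the pseudonymised records. Whoever has both can recompute the pseudonym for any candidate identifier and thereby re-identify subjects, so the key is the thing to protect, log access to, and rotate when a context is retired.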
1. Personal data shall be: (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (transparency);
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes (purpose limitation);
(c) adequate, relevant, and limited to the minimum necessary in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing anonymous information that does not involve personal data (data minimisation);
(d) accurate and kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (integrity);
(e) kept in a form which permits identification or singling out of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for historical, statistical or scientific research purposes in accordance with the rules and conditions of Article 83 and if a periodic review is carried out to assess the necessity to continue the storage (storage minimisation);
(ea) processed in a way that effectively allows the data subject to exercise his or her rights as described in Articles 11 to 21 (intervenability);
(f) processed under the responsibility and liability of the controller, who shall ensure and be able to demonstrate for each processing operation the compliance with the provisions of this Regulation (accountability).
1a. Processing of personal data shall be organised and carried out in a way that ensures compliance with the principles referred to in paragraph 1; producers, data controllers and data processors shall take technical and operational measures to ensure such compliance in the design, set-up, and operation of automatic data processing or filing systems.
(f) processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
1a. If none of the legal grounds for the processing of personal data referred to in paragraph 1 apply, processing of personal data shall be lawful if and to the extent that it is necessary for the purposes of the legitimate interests pursued by the controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data. The data controller shall in that case inform the data subject about the data processing explicitly and separately. The controller shall also publish the reasons for believing that its interests override the interests or fundamental rights and freedoms of the data subject. This paragraph shall not apply to processing carried out by public authorities in the performance of their tasks.
1b. The legitimate interests of the controller as referred to in paragraph 1a override the interests or fundamental rights and freedoms of the data subject, as a rule, if (a) processing of personal data takes place as part of the exercise of the right to freedom of expression, the media and the arts, within the limits of Union or national law; (b) processing of personal data is necessary for the enforcement of the legal claims of the data controller or of third parties on behalf of whom the data controller is acting in relation to a specific identified data subject, or for preventing or limiting damage by the data subject to the controller; (c) the data subject has provided personal data to the data controller on the legal ground referred to in point (b) of paragraph 1, and the personal data are used for direct marketing for its own and similar products and services and are not transferred, and the data controller is clearly identified to the data subject; (d) processing of personal data takes place in the context of professional business-to-business relationships and the data were collected from the data subject for that purpose; (e) processing of personal data is necessary for registered non-profit associations, foundations and charities, recognised as acting in the public interest under Union or national law, for the sole purpose of collecting donations.
  Comment: Seems to be overall stronger than most other definitions.
1c. The interests or fundamental rights and freedoms of the data subject as referred to in paragraph 1a override the legitimate interest of the controller, as a rule, if: (a) the processing causes a serious risk of damage to the data subject; (b) special categories of data as referred to in paragraph 1 of article 9, location data, or biometric data are processed; (c) the data subject can reasonably expect, on the basis of the context of the processing, that his or her personal data will only be processed for a specific purpose or treated confidentially, unless the data subject concerned has been informed specifically and separately about the use of his or her personal data for purposes other than the performance of the service; (d) personal data are processed in the context of profiling; (e) personal data is made accessible for a large number of persons or large amounts of personal data about the data subject are processed or combined with other data; (f) the processing of personal data may adversely affect the data subject, in particular because it can lead to defamation or discrimination; or (g) the data subject is a child.
  Comment: Seems to be overall stronger than most other definitions.
4. Where the purpose of further processing is not compatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the conditions referred to in point (f) of paragraph 1 for various sectors and data processing situations, including as regards the processing of personal data related to a child.
2a. If the data subject's consent is to be given in the context of the use of information society services where personal data are processed only in the form of pseudonyms, consent may be given by automated means using a technical standard with general validity in the Union in accordance with paragraph 4c, which allows the data subject to clearly express his or her wishes without collecting identification data.
4a. Consent loses its effectiveness as soon as the processing of personal data is no longer necessary for carrying out the purpose for which they were collected.
4b. The execution of a contract or the provision of a service may not be made conditional on the consent to the processing or use of data that is not necessary for the execution of the contract or the provision of the service pursuant to Article 6(1)(b).
4c. The Commission shall be empowered to adopt, after requesting an opinion from the European Data Protection Board, delegated acts in accordance with Article 86 for the purpose of further specifying the requirements and conditions for technical standards referred to in paragraph 2a, and for declaring that a technical standard is in line with this Regulation and has general validity within the Union.
1. For the purposes of this Regulation, in relation to the offering of goods or services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or legal representative. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology. The methods to obtain verifiable consent shall not lead to the further processing of personal data which would otherwise not be necessary.
3. The European Data Protection Board shall be entrusted with the task of further specifying the criteria and requirements for the methods to obtain verifiable consent referred to in paragraph 1, in accordance with Article 66.
4. The Commission may lay down standard forms for specific methods to obtain verifiable consent referred to in paragraph 1. Those implementing acts shall be adopted after requesting an opinion from the European Data Protection Board, in accordance with the examination procedure referred to in Article 87(2).
1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or beliefs, philosophical beliefs, sexual orientation or gender identity, trade-union membership and activities, and the processing of genetic data or data concerning health or sex life or criminal convictions, or related security measures shall be prohibited.
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law in so far as it is authorised by Union law or Member State law providing for adequate safeguards for the fundamental rights and the interests of the data subject; or
(g) processing is necessary for the performance of a task carried out in the public interest, on the basis of Union law, or Member State law which shall provide for suitable measures to safeguard the fundamental rights and the interests of the data subject; or
(j) processing of data relating to criminal convictions or related security measures is carried out under the control of official authority when the processing is necessary for compliance with a legal or regulatory obligation to which a controller is subject, or for the performance of a task carried out for important public interest reasons, and in so far as authorised by Union law or Member State law providing for adequate safeguards for the fundamental rights and interests of the data subject. A complete register of criminal convictions shall be kept only under the control of official authority.
3. The European Data Protection Board shall be entrusted with the task of further specifying the criteria, conditions and appropriate safeguards for the processing of the special categories of personal data referred to in paragraph 1 and the exemptions laid down in paragraph 2, in accordance with Article 66.
If the data processed by a controller do not permit the controller to identify or single out a natural person, or consist only of data relating to pseudonyms, the controller shall not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation.
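Principles (c) and (e) of Article 5 above and the pseudonymous-data clause just quoted describe controls an engineer can build rather than only document. The following is an added illustration, not code from this page or from any legislative or regulatory text: records are filed under a keyed pseudonym (HMAC-SHA256, with the key held outside the processing system, so the store itself can answer requests for a pseudonym without being able to re-identify anyone), every field collected must be justified by a registered purpose, and a periodic review erases entries whose purpose has lapsed. The purpose register, retention periods, field names, key and sample records are constructed assumptions.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed purpose register (assumption, not from the page): each purpose
# names the fields it needs and how long records serve that purpose.
PURPOSES = {
    "order_fulfilment": {"fields": {"name", "postal_address"}, "days": 90},
    "fraud_prevention": {"fields": {"ip_address", "device_id"}, "days": 365},
}


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). The key lives outside the processing
    system; whoever holds only the pseudonym cannot recover the identifier.
    An unkeyed hash of an e-mail address would be reversible by enumerating
    likely inputs, which is why a keyed construction is used."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


class MinimisingStore:
    """Holds records under a pseudonym, bound to a purpose and a retention
    clock. The store never sees the pseudonymisation key."""

    def __init__(self) -> None:
        self.records = {}  # pseudonym -> list of {"purpose", "collected", "fields"}

    def collect(self, pid: str, purpose: str, fields: dict, today: date) -> None:
        spec = PURPOSES.get(purpose)
        if spec is None:
            raise ValueError(f"no registered purpose: {purpose}")
        excess = set(fields) - spec["fields"]
        if excess:
            # Data minimisation: refuse rather than silently keep extra data.
            raise ValueError(f"fields not needed for {purpose}: {sorted(excess)}")
        self.records.setdefault(pid, []).append(
            {"purpose": purpose, "collected": today, "fields": dict(fields)}
        )

    def review(self, today: date) -> int:
        """Periodic review: erase entries whose purpose no longer needs them.
        Returns the number of entries erased."""
        erased = 0
        for pid in list(self.records):
            kept = []
            for entry in self.records[pid]:
                limit = entry["collected"] + timedelta(days=PURPOSES[entry["purpose"]]["days"])
                if today < limit:
                    kept.append(entry)
                else:
                    erased += 1
            if kept:
                self.records[pid] = kept
            else:
                del self.records[pid]  # nothing left: the pseudonym itself goes too
        return erased

    def access(self, pid: str) -> list:
        """Answer a request for a pseudonym without re-identifying anyone."""
        return [dict(e) for e in self.records.get(pid, [])]


def overcollection_refused() -> bool:
    """A field outside the purpose's allow-list is rejected at collection."""
    store = MinimisingStore()
    try:
        store.collect("x", "order_fulfilment",
                      {"name": "A", "date_of_birth": "1990-01-01"}, date(2013, 1, 1))
    except ValueError:
        return True
    return False


def demo() -> tuple:
    key = b"vault-held-key-not-in-this-system"  # constructed placeholder key
    store = MinimisingStore()
    pid = pseudonym("alice@example.com", key)  # constructed sample identifier
    d0 = date(2013, 1, 1)
    store.collect(pid, "order_fulfilment", {"name": "Alice", "postal_address": "1 Example St"}, d0)
    store.collect(pid, "fraud_prevention", {"ip_address": "203.0.113.5", "device_id": "dev-7"}, d0)
    erased_day_100 = store.review(d0 + timedelta(days=100))   # order data lapsed
    remaining = [e["purpose"] for e in store.access(pid)]
    erased_day_400 = store.review(d0 + timedelta(days=400))   # fraud data lapsed
    return erased_day_100, remaining, erased_day_400, pid in store.records


if __name__ == "__main__":
    print(demo())
```

The review runs on the purpose's own clock rather than on a single global retention period, because the principle is per purpose: the same person's order data and fraud-prevention data lapse at different times, and a pseudonym disappears from the store as soon as no purpose still needs it.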
2a. Information for data subjects shall be provided in a format offering data subjects the information needed to understand their position and make decisions in an appropriate way. Therefore the controller shall provide and communicate its data protection policies through an easily understandable icon-based mode of description for the different types of data processing, their conditions and consequences. Full information shall be available on request in accordance with Article 14.
2b. The Commission shall be empowered to adopt, after requesting an opinion of the European Data Protection Board, delegated acts in accordance with Article 86 for the purpose of further specifying the icon-based mode of description referred to in paragraph 3 concerning the nature of the processing, duration of storage, transfer or erasure of data by establishing icons or other instruments in order to provide information in a standardised way.
4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge. Where requests are manifestly excessive, in particular because of their repetitive character, the controller may charge a reasonable fee for providing the information or taking the action requested, or the controller may not take the action requested. In that case, the controller shall bear the burden of proving the manifestly excessive character of the request.
5. The Commission shall be empowered to adopt, after requesting an opinion of the European Data Protection Board, delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the manifestly excessive requests and the fees referred to in paragraph 4.
6. The Commission may lay down standard forms and specify standard procedures for the communication referred to in paragraph 2, including the electronic format. In doing so, the Commission shall take the appropriate measures for micro, small and medium-sized enterprises. Those implementing acts shall be adopted, after requesting an opinion of the European Data Protection Board, in accordance with the examination procedure referred to in Article 87(2).
6a. The European Data Protection Board shall be entrusted with the task of further specifying the criteria and conditions for manifestly excessive requests as referred to in paragraph 4, in accordance with Article 66.
Rights in relation to recipients The controller shall communicate any rectification or erasure carried out in accordance with Articles 16 and 17 to each recipient to whom the data have been transferred, unless this proves impossible or involves a disproportionate effort. The controller shall inform the data subject about those third parties.
  Comment: Two sided.
(a) the identity and the contact details of the controller and, if any, of the controller's representative, of the data protection officer and of joint controllers; in the case of joint controllers, an indication of their respective roles and responsibilities;
(aa) the category of personal data collected and processed;
(b) the purposes of the processing for which the personal data are intended, including the contract terms and general conditions where the processing is based on point (b) of Article 6(1) and the legitimate interests pursued by the controller where the processing is based on paragraphs 1a and 1b of Article 6;
(bb) the reasons for believing that its interests override the interests or fundamental rights and freedoms of the data subject pursuant to Article 6(1a);
(f) the recipients or categories of recipients of the personal data;
(g) where applicable, that the controller intends to transfer the data to a third country or international organisation and on the level of protection afforded by that third country or international organisation by reference to an adequacy decision by the Commission, or in case of transfers referred to in Article 42, Article 43, or point (h) of Article 44(1), by reference to the appropriate safeguards and the means to obtain a copy of them;
(ga) where applicable, information about the existence of profiling, of measures based on profiling, and of mechanisms to object to profiling;
(gb) intelligible information about the logic involved in any automated processing;
(ha) the rights and mechanisms to oppose or avoid the processing of the personal data.
7. The Commission shall be empowered to adopt, after requesting an opinion of the European Data Protection Board, delegated acts in accordance with Article 86 for the purpose of further specifying the criteria for categories of recipients referred to in point (f) of paragraph 1, the requirements for the notice of potential access referred to in point (g) of paragraph 1, the criteria for the further information necessary referred to in point (h) of paragraph 1 for specific sectors and situations, and the conditions and appropriate safeguards for the exceptions laid down in point (b) of paragraph 5. In doing so, the Commission shall take the appropriate measures for micro, small and medium-sized enterprises.
8. The Commission shall lay down standard forms for providing the information referred to in paragraphs 1 to 3, taking into account the specific characteristics and needs of various sectors and data processing situations where necessary as well as the needs of the relevant stakeholders. Those implementing acts shall be adopted, after requesting an opinion of the European Data Protection Board, in accordance with the examination procedure referred to in Article 87(2).
1. The data subject shall have the right to obtain from the controller at any time, on request, in clear and plain language, confirmation as to whether or not personal data relating to the data subject are being processed, and as to the existence of profiling and measures based on profiling in respect of the data subject. Where such personal data are being processed, the controller shall provide the following information:
(c) the recipients or categories of recipients to whom the personal data are to be or have been disclosed, in particular including to recipients in third countries;
(h) the significance and envisaged consequences of such processing, at least in the case of profiling and of measures based on profiling;
(ha) intelligible information about the logic involved in any automated processing;
(hb) in the event of disclosure of personal data to a public authority as a result of a public authority request, confirmation of the fact that such a request has been made, information about whether or not the request has been fully or partly complied with and an overview of the data that were requested or disclosed.
2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in an electronic and structured format which is commonly used and allows for further use by the data subject, unless otherwise requested by the data subject.
2a. Where the data subject has provided the personal data and the processing is based on consent or on a contract, the data subject shall have the right to transmit those personal data, where technically feasible and appropriate, and retained by an automated processing system, into another one, in an electronic format which is commonly used, without hindrance from the controller from whom the personal data are withdrawn.
2b. This Article shall be without prejudice to the obligation to delete data when no longer necessary under Article 5(1)(e).
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the communication to the data subject of the content of the personal data referred to in point (g) of paragraph 1.
4. The Commission may specify standard forms and procedures for requesting and granting access to the information referred to in paragraph 1, including for verification of the identity of the data subject and communicating the personal data to the data subject, taking into account the specific features and necessities of various sectors and data processing situations. Those implementing acts shall be adopted, after requesting an opinion of the European Data Protection Board, in accordance with the examination procedure referred to in Article 87(2).
1. The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which are made available by the data subject while he or she was a child, where one of the following grounds applies:
2. Where the controller referred to in paragraph 1 has transferred or made the personal data public without a justification based on Article 6(1), it shall take all necessary steps to have the data erased, without prejudice to Article 77.
2a. Any measures for erasure of published personal data shall respect the right to freedom of expression, as referred to in Article 80.
4. Instead of erasure, the controller shall restrict processing of personal data in such a way that it is not subject to the normal data access and processing operations of the controller and cannot be changed anymore, where:
(d) the data subject requests to transmit the personal data into another automated processing system in accordance with Article 15(2) and (2a).
5. Personal data referred to in paragraph 4 may, with the exception of storage, only be processed for purposes of proof, or with the data subject's consent, or for the protection of the rights of another natural or legal person or for compliance with a legal obligation to process the personal data under Union or national law to which the controller is subject.
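Paragraphs 4 and 5 above specify a behaviour, not just a status: a restricted record is invisible to the controller's normal access and processing operations and can no longer be changed, while storage and a short, closed list of exceptional grounds remain. That maps directly onto an access-control check. The following is an added example, not code from this page or from any regulator's implementation: restricted records stay in storage but are excluded from the normal read, write and bulk-query paths, and the only remaining path requires a named ground and writes an audit entry. The ground identifiers, record layout, caller names and sample records are assumptions.

```python
import copy
from dataclasses import dataclass, field
from typing import Optional

# Grounds other than storage on which a restricted record may still be
# processed, following paragraph 5 above. The identifiers are assumptions.
EXCEPTIONAL_GROUNDS = {"proof", "data_subject_consent", "rights_of_another", "legal_obligation"}


class RestrictedError(PermissionError):
    """Raised when the normal access or update path hits a restricted record."""


@dataclass
class Record:
    fields: dict
    restricted: bool = False
    restriction_reason: Optional[str] = None
    audit: list = field(default_factory=list)  # every exceptional access is logged


class Controller:
    def __init__(self) -> None:
        self._db: dict = {}  # pseudonym -> Record; stays in storage even when restricted

    def put(self, pid: str, fields: dict) -> None:
        self._db[pid] = Record(fields=dict(fields))

    def get(self, pid: str) -> dict:
        """Normal access path: restricted records are not readable here."""
        rec = self._db[pid]
        if rec.restricted:
            raise RestrictedError(f"{pid} is restricted ({rec.restriction_reason})")
        return copy.deepcopy(rec.fields)

    def update(self, pid: str, **changes) -> None:
        """Normal update path: restricted records cannot be changed anymore."""
        rec = self._db[pid]
        if rec.restricted:
            raise RestrictedError(f"{pid} is restricted; data is frozen")
        rec.fields.update(changes)

    def query(self, predicate) -> list:
        """Bulk processing (reports, selections) skips restricted records."""
        return [pid for pid, rec in self._db.items()
                if not rec.restricted and predicate(rec.fields)]

    def restrict(self, pid: str, reason: str) -> None:
        rec = self._db[pid]
        rec.restricted = True
        rec.restriction_reason = reason

    def exceptional_access(self, pid: str, ground: str, requested_by: str) -> dict:
        """The only way to read a restricted record: the caller must name a
        ground from paragraph 5, and the access is recorded for accountability."""
        if ground not in EXCEPTIONAL_GROUNDS:
            raise ValueError(f"'{ground}' is not a ground for processing restricted data")
        rec = self._db[pid]
        rec.audit.append({"ground": ground, "by": requested_by})
        return copy.deepcopy(rec.fields)

    def stored(self, pid: str) -> bool:
        return pid in self._db

    def audit_trail(self, pid: str) -> list:
        return list(self._db[pid].audit)


def demo() -> dict:
    c = Controller()
    c.put("p1", {"email": "alice@example.com", "balance": 120})  # constructed sample
    c.put("p2", {"email": "bob@example.com", "balance": 5})      # constructed sample
    c.restrict("p1", "accuracy contested by data subject")
    out = {"stored": c.stored("p1"), "query": c.query(lambda f: f["balance"] > 0)}
    try:
        c.get("p1")
        out["normal_read"] = "allowed"
    except RestrictedError:
        out["normal_read"] = "blocked"
    try:
        c.update("p1", balance=0)
        out["normal_write"] = "allowed"
    except RestrictedError:
        out["normal_write"] = "blocked"
    out["proof_read"] = c.exceptional_access("p1", "proof", "legal@controller.example")["balance"]
    try:
        c.exceptional_access("p1", "marketing", "crm@controller.example")
        out["marketing_read"] = "allowed"
    except ValueError:
        out["marketing_read"] = "refused"
    out["audit"] = len(c.audit_trail("p1"))
    return out


if __name__ == "__main__":
    print(demo())
```

The bulk `query` path is the one most often forgotten: a record can be hidden from the single-record read API and still leak through reports or selection jobs, so the restriction flag has to be honoured at every read path, not only the obvious one.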
9. The Commission shall be empowered to adopt , after requesting an opinion of the European Data Protection Board, delegated acts in accordance with Article 86 for the purpose of further specifying:
(b) the conditions for deleting links, copies or replications of personal data from publicly available communication services as referred to in paragraph 2;
Right to Data Portability
1. The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject.
2. Where the data subject has provided the personal data and the processing is based on consent or on a contract, the data subject shall have the right to transmit those personal data and any other information provided by the data subject and retained by an automated processing system, into another one, in an electronic format which is commonly used, without hindrance from the controller from whom the personal data are withdrawn.
3. The Commission may specify the electronic format referred to in paragraph 1 and the technical standards, modalities and procedures for the transmission of personal data pursuant to paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
1. The data subject shall have the right to object, on grounds relating to their particular situation, at any time to the processing of personal data which is based on points (d) and (e) of Article 6(1), unless the controller demonstrates compelling legitimate grounds for the processing which override the interests or fundamental rights and freedoms of the data subject.
2. Where personal data are processed based on Article 6(1a), the data subject shall have the right to object free of charge in all cases to the processing of their personal data. This right shall be explicitly offered to the data subject in an intelligible manner, using clear and plain language, adapted to the data subject, in particular for any information addressed specifically to a child, and shall be clearly distinguishable from other information.
3. Where an objection is upheld pursuant to paragraphs 1 and 2, the controller shall erase the personal data concerned.
Profiling 1. The processing of personal data for the purposes of profiling, including in relation to the offering of electronic information and communication services, shall only be lawful if it:
2. Subject to the other provisions of this Regulation, a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing:
(a) is necessary for the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied, or where suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the right to obtain human intervention; or
(b) is expressly authorized by a Union or Member State law in accordance with this Article, or
2. Profiling activities relating to a natural person shall not include or generate any data that fall under the special categories of personal data referred to in Article 9, except when falling within the exceptions listed in Article 9(2).
2a. Profiling that has the effect of discriminating against individuals on the basis of race or ethnic origin, political opinions, religion or beliefs, trade union membership, sexual orientation or gender identity, or that results in measures which have such effect, shall be prohibited.
2b. Profiling shall not be used to identify or single out children.
2c. Measures based on profiling which produce legal effects concerning the data subject or significantly affect the data subject shall not be based solely on automated processing.
4. In the cases referred to in paragraph 2, the information to be provided by the controller under Article 14 shall include information as to the existence of processing for a measure of the kind referred to in paragraph 1 and the envisaged effects of such processing on the data subject.
  Comment: Moved.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for suitable measures to safeguard the data subject's legitimate interests referred to in paragraph 2.
(c) other public interests of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters and the protection of market stability and integrity;
(e) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (a), (b), (c) and (d);
2. In particular, any legislative measure referred to in paragraph 1 must be necessary and proportionate in a democratic society and shall contain specific provisions at least as to: (a) the objectives to be pursued by the processing; (b) the determination of the controller; (c) the specific purposes and means of processing; (d) the categories of persons authorised to process the data; (e) the procedure to be followed for the processing; (f) the safeguards to prevent abuse; (g) the right of data subjects to be informed about the restriction.
(d) complying with the requirements for prior authorisation or prior consultation of the supervisory authority and the data protection officer pursuant to Article 34(1) and (2);
(ea) establishing transparent information and communication to and with the data subject pursuant to Article 11.
3. The controller shall be able to demonstrate the effectiveness of the measures referred to in paragraphs 1 and 2. If proportionate, this shall be verified by independent internal or external auditors.
3a. The controller shall make public a summary of the measures taken pursuant to paragraphs 1 and 2.
4. The Commission shall be empowered to adopt, after requesting an opinion of the European Data Protection Board, delegated acts in accordance with Article 86 for the purpose of specifying any further criteria and requirements for appropriate measures referred to in paragraph 1 other than those already referred to in paragraph 2, the conditions for the verification and auditing mechanisms referred to in paragraph 3 and as regards the criteria for proportionality under paragraph 3, and considering specific measures for micro, small and medium-sized enterprises.
Justification: The role of the Commission should be limited to further specifying the conditions for auditing mechanisms.
1. Having regard to the state of the art and the cost of implementation, the controller shall, both at the time of the determination of the purposes and means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular with regard to the principles laid out in Article 5. Where the controller has carried out a data protection impact assessment pursuant to Article 33, the results shall be taken into account when developing those measures and procedures.
2. Where the data subject is given a choice regarding the processing of personal data, the controller shall ensure that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals and that data subjects are able to control the distribution of their personal data.
2a. Data processors and producers shall implement appropriate technical and organisational measures and procedures to ensure that their services and products allow controllers by default to meet the requirements of this Regulation, in particular those referred to in paragraph 1 and 2.
3. The European Data Protection Board shall be entrusted with the task of specifying any further criteria and requirements for appropriate measures and mechanisms referred to in paragraphs 1, 2 and 2a, in particular for data protection by design requirements applicable across sectors, products and services, in accordance with Article 66.
4. The Commission may lay down technical standards for the requirements laid down in paragraphs 1 and 2. Those implementing acts shall be adopted, after requesting an opinion of the European Data Protection Board, in accordance with the examination procedure referred to in Article 87(2).
Where a controller determines the purposes, conditions and means of the processing of personal data jointly with others, the joint controllers shall determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the procedures and mechanisms for exercising the rights of the data subject, by means of a written arrangement between them. Where such determination is lacking or is not sufficiently clear, the data subject may exercise his or her rights against any one of the controllers, who shall be jointly and severally liable.
(b) an enterprise processing personal data relating to fewer than 500 data subjects per year; or
3. The representative shall be established in one of those Member States where the data subjects as referred to in Article 3(2) reside.
(a) act only on instructions from the controller;
(ha) take into account the principle of data protection by design and by default.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the responsibilities, duties and tasks in relation to a processor in line with paragraph 1, and conditions which allow facilitating the processing of personal data within a group of undertakings, in particular for the purposes of control and reporting.
1a. Where the processor is or becomes the determining part in relation to the purposes, means, or methods of data processing or does not act only on the instructions of the controller, it shall be considered a joint controller pursuant to Article 24.
  Comment: Intention unclear.
2. The documentation shall contain at least the following information: (a) the name and contact details of the controller, or any joint controller or processor, and of the representative, if any; (b) the name and contact details of the data protection officer, if any; (c) the purposes of the processing, including the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1); (d) a description of categories of data subjects and of the categories of personal data relating to them; (e) the recipients or categories of recipients of the personal data, including the controllers to whom personal data are disclosed for the legitimate interest pursued by them; (f) where applicable, transfers of data to a third country or an international organisation, including the identification of that third country or international organisation and, in case of transfers referred to in point (h) of Article 44(1), the documentation of appropriate safeguards; (g) a general indication of the time limits for erasure of the different categories of data; (h) the description of the mechanisms referred to in Article 22(3).information listed in Article 14.
4. The obligations referred to in paragraphs 1 and 2 shall not apply to the following controllers and processors: (a) a natural person processing personal data without a commercial interest; or.
(b) an enterprise or an organisation employing fewer than 250 persons that is processing personal data only as an activity ancillary to its main activities.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the documentation referred to in paragraph 1, to take account of in particular the responsibilities of the controller and the processor and, if any, the controller's representative.
6. The Commission may lay down standard forms for the documentation referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
1. The controller and the processor shall implement appropriate technical and organisational measures and procedures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purposeEuropean Data Protection Board shall be entrusted with the task of further specifying the criteria and conditions for the technical and organisational measures referred to in paragraphs 1 and 2, including the determinations of what constitutes the state of the art, for specific sectors and in specific data processing situations, in particular taking account of developments in technology and solutions for privacy by design and data protection by default, unless paragraph 4 applies., in accordance with Article 66.
4. The Commission may adopt, where necessary, implementing acts for specifying the requirements laid down in paragraphs 1 and 2 to various situations, in particular to: (a) prevent any unauthorised access to personal data;
(b) prevent any unauthorised disclosure, reading, copying, modification, erasure or removal of personal data;
(c) ensure the verification of the lawfulness of processing operations. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 2472 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.72 hours 2. Pursuant to point (f) of Article 26(2), the processor shall alert and inform the controller immediately after the establishment of a personal data breach. 3. The notification referred to in paragraph 1 must at least: (a) describe the nature of the personal data breach including the categories and number of data subjects concerned and the categories and number of data records concerned; (b) communicate the identity and contact details of the data protection officer or other contact point where more information can be obtained; (c) recommend measures to mitigate the possible adverse effects of the personal data breach; (d) describe the consequences of the personal data breach; (e) describe the measures proposed or taken by the controller to address the personal data breach. 4. The controller shall document any personal data breaches, comprising the facts surrounding the breach, its effects and the remedial action taken. This documentation must enable the supervisory authority to verify compliance with this Article. The documentation shall only include the information necessary for that purpose. 4a. The supervisory authority shall keep a public register of the types of breaches notified
5. The Commission shall be empowered to adopt , after requesting an opinion of the European Data Protection Board, delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for establishing the data breach referred to in paragraphs 1 and 2 and for the particular circumstances in which a controller and a processor is required to notify the personal data breach.
6. The Commission may lay down the standard format of such notification to the supervisory authority, the procedures applicable to the notification requirement and the form and the modalities for the documentation referred to in paragraph 4, including the time limits for erasure of the information contained therein. Those implementing acts shall be adopted , after requesting an opinion of the European Data Protection Board, in accordance with the examination procedure referred to in Article 87(2).
1. When the personal data breach is likely to adversely affect the protection of the personal data or privacy of the data subject, for example in cases of identity theft or fraud, financial loss, physical harm, significant humiliation or damage to reputation, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay.
  Comment: Examples seem to be rather restrictive.
2. The communication to the data subject referred to in paragraph 1 shall describe the nature of the personal data breach and contain at least the information and the recommendations provided for in points (bArticle 31(3) and (c) of Article 31(3).information about the rights of the data subject, including redress.
5. The Commission shall be empowered to adopt , after requesting an opinion of the European Data Protection Board, delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements as to the circumstances in which a personal data breach is likely to adversely affect the personal data referred to in paragraph 1.
6. The Commission may lay down the format of the communication to the data subject referred to in paragraph 1 and the procedures applicable to that communication. Those implementing acts shall be adopted , after requesting an opinion of the European Data Protection Board, in accordance with the examination procedure referred to in Article 87(2).
(a) a systematic and extensive evaluation of personal aspects relating to a natural person or for analysing or predicting in particular the natural person's economic situation, location, health, personal preferences, reliability or behaviour, which is based on automated processing and on (a) profiling on which measures are based that produce legal effects concerning the individual or significantly affect the individual;
(c) monitoring publicly accessible areas, especially when using optic-electronic devices (video surveillance) on a large scale;or other sensory devices;
(d) personal data in large scale filing systems on children, genetic data or biometric data;(d) processing of special categories of data as referred to in Article 9(1), location data, biometric data, or data on children;
(da) where personal data are made accessible to a large number of persons or if high volumes of personal data about the data subject are processed or combined with other data;
(e) other processing operations for which the consultation of the data protection officer or supervisory authority is required pursuant to point (b) of Article 34(2).
3. The assessment shall contain at least a generalsystematic description of (a) the envisaged processing operations, and their necessity and proportionality in relation to the purpose, (b) an assessment of the risks to the rights and freedoms of data subjects, (c) the measures envisaged to address the risks, and minimise the volume of personal data which is processed, (d) safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.
4. The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations.
5. Where the controller is a public authority or body and where the processing results from a legal obligation pursuant to point (c) of Article 6(1) providing for rules and procedures pertaining to the processing operations and regulated by Union law, paragraphs 1 to 4 shall not apply, unless Member States deem it necessary to carry out such assessment prior to the processing activities.
6. The Commission shall be empowered to adopt , after requesting an opinion of the European Data Protection Board, delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the processing operations likely to present specific risks referred to in paragraphs 1 and 2 and the requirements for the assessment, referred to in paragraph 3, including conditions and procedures for scalability, verification and auditability. In doing so, the Commission shall consider specific measures for micro, small and medium- sized enterprises.
7. The Commission may specify standards and procedures for carrying out and verifying and auditing the assessment referred to in paragraph 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
1. The controller or the processor as the case may be shall obtain an authorisation from the supervisory authority prior to the processing of personal data, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where a controller or processor adopts contractual clauses as provided for in point (d) of Article 42(2) or does not provide for the appropriate safeguards in a legally binding instrument as referred to where it transfers personal to a third country or an international organisation based on the derogations in Article 42(5) for the transfer of personal data to a third country or an international organisation.44(1)(g).
2. The controller or processor acting on the controller's behalf shall consult the data protection officer or the supervisory authority prior to the processing of personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where:
(b) the data protection officer or the supervisory authority deems it necessary to carry out a prior consultation on processing operations that are likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope and/or their purposes, and specified according to paragraph 4.
3a. Where the data protection officer has reasons to doubt that the intended processing complies with this Regulation, or where the data controller processes personal data in breach of a prohibition as referred to in paragraph 3, the data protection officer shall consult the supervisory authority.
4. The supervisory authority European Data Protection Board shall establish and make public a list of the processing operations which are subject to prior consultation pursuant to point (b) of paragraph 2. The supervisory authority shall communicate those lists to the European Data Protection Board.
5. Where the list provided for in paragraph 4 involves processing activities which are related to the offering of goods or services to data subjects in several Member States, or to the monitoring of their behaviour, or may substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57 prior to the adoption of the list.
8. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for determining the high degree of specific risk referred to in point (a) of paragraph 2.
9. The Commission may set out standard forms and procedures for prior authorisations and consultations referred to in paragraphs 1 and 2, and standard forms and procedures for informing the supervisory authorities pursuant to paragraph 6. Those implementing acts shall be adopted , after requesting an opinion of the European Data Protection Board, in accordance with the examination procedure referred to in Article 87(2).
(b) the processing is carried out by an enterprise employing 250 persons or more; ora legal person and relates to more than 500 data subjects per year.
(c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring or profiling of data subjects.
(ca) the core activities of the controller or the processor consist of processing special categories of data pursuant to Article 9(1).
7. The controller or the processor shall designate a data protection officer for a period of at least two years. The data protection officer may be reappointed for further terms. four years. During their term of office, the data protection officer may only be dismissed, if the data protection officer no longer fulfils the conditions required for the performance of their duties.
9. The controller or the processor shall communicate the name and contact details of the data protection officer to the supervisory authority and to the public. Where a controller decides to not appoint a data protection officer, it shall communicate to the supervisory authority the reasons for its decision.
11. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purposeEuropean Data Protection Board shall be entrusted with the task of further specifying the criteria and requirements for the core activities of or the controller or the processor referred to in point (c) of paragraph 1 and the criteria for the professional qualities of the data protection officer referred to in paragraph 5., in accordance with Article 66.
2. The controller or processor shall ensure that the data protection officer performs the duties and tasks independently and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the be a direct subordinate of the head of the management of the controller or the processor.
3. The controller or the processor shall support the data protection officer in performing the tasks and shall provide all means, including staff, premises, equipment and any other resources necessary to carry out the duties and tasks referred to in Article 37., and to maintain his or her professional knowledge.
3a. Data protection officers shall be bound by secrecy concerning the identity of data subjects and concerning circumstances enabling data subjects to be identified, unless they are released from that obligation by the data subject. Where in the course of their activities data protection officers become aware of data for which the head of the data controller or a person employed by the data controller has the right to refuse to give evidence, that right shall also apply to data protection officers and their assistants.
(a) to inform and advise the controller or the processor of their obligations pursuant to this Regulation and , in particular with regards to technical and organisational measures and procedures, and to document this activity and the responses received;
(ha) to verify the compliance of processing under the prior consultation mechanism laid out in Article 34.
2. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purposeEuropean Data Protection Board shall be entrusted with the task of further specifying the criteria and requirements for tasks, certification, status, powers and resources of the data protection officer referred to in paragraph 1., in accordance with Article 66.
2. Associations and other bodies representing categories of controllers or processors in one Member State which intend to draw up codes of conduct or to amend or extend existing codes of conduct may submit them to an opinion of the supervisory authority in that Member State. The supervisory authority mayshall give an opinion in due time whether the draft code of conduct or the amendment is in compliance with this Regulation. The supervisory authority shall seek the views of data subjects or their representatives on these drafts.
4. The Commission may adopt implementing acts shall be empowered to adopt, after requesting an opinion of the European Data Protection Board, delegated acts in accordance with Article 86 for deciding that the codes of conduct and amendments or extensions to existing codes of conduct submitted to it pursuant to paragraph 3 are in line with this Regulation and have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).This delegated act shall confer enforceable rights on data subjects.
1a. The data protection certification mechanisms shall set down the formal procedure for the issue and withdrawal of a data protection seal or mark and ensure the financial and factual independence and proficiency in data protection of the issuing organisation. The criteria for certification, the individual results of a successful certification and an intelligible meaningful summary justification shall be made readily accessible to the public.
1b. The data protection certification mechanisms shall in particular ensure compliance with the principles set out in Article 5, 23 and 30, the obligations of the controller and the processor, and the data subject’s rights.
2. The Commission shall be empowered to adopt , after requesting an opinion of the European Data Protection Board, delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the data protection certification mechanisms referred to in paragraph 1, including conditions for granting and withdrawal, and requirements for recognition and promotion within the Union and in third countries.
3. The Commission may lay down technical standards for certification mechanisms and data protection seals and marks and mechanisms to promote and recognize certification mechanisms and data protection seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).
1. A transfer may take place where the Commission has decided that the third country, or a territory or a processing sector within that third country, or the international organisation in question ensures an adequate level of protection. Such transfer shall not require any further authorisation.
(a) the rule of law, relevant legislation in force, both general and sectoral, including concerning public security, defence, national security and criminal law, the professional rules and security measures which are complied with in that country or by that international organisation, as well as effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred;
(b) the existence and effective functioning of one or more independent supervisory authorities in the third country or international organisation in question responsible for ensuringenforcing compliance with the data protection rules including sufficient sanctioning powers, for assisting and advising the data subjects in exercising their rights and for co-operation with the supervisory authorities of the Union and of Member States; and
3. The Commission may shall be empowered to adopt delegated acts in accordance with Article 86 to decide that a third country, or a territory or a processing sector within that third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
4. The implementingdelegated act shall specify its geographical and sectoral territorial application, and, where applicable, identify the supervisory authority mentioned in point (b) of paragraph 2.
4a. The Commission shall, on an ongoing basis, monitor developments that could affect the fulfilment of the elements listed in paragraph 2 in third countries and international organisations concerning which delegated act pursuant to paragraph 3 has been adopted.
5. The Commission may shall be empowered to adopt delegated acts in accordance with Article 86 to decide that a third country, or a territory or a processing sector within that third country, or an international organisation does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article, in particular in cases where the relevant legislation, both general and sectoral, in force in the third country or international organisation, does not guarantee effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2), or, in cases of extreme urgency for individuals with respect to their right to personal data protection, in accordance with the procedure referred to in Article 87(3).
6. Where the Commission decides pursuant to paragraph 5, any transfer of personal data to the third country, or a territory or a processing sector within that third country, or the international organisation in question shall be prohibited, without prejudice to Articles 42 to 44. At the appropriate time, the Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation resulting from the Decision made pursuant to paragraph 5 of this Article.
6a. Prior to adopting a delegated act as referred to in paragraph 3 or 5, the Commission shall request the European Data Protection Board to provide an opinion on the adequacy of the level of protection. To that end, the Commission shall provide the European Data Protection Board with all necessary documentation, including correspondence with the government of the third country, territory or international organisation.
8. Decisions adopted by the Commission on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC shall remain in force, until amended, replaced or repealed by the Commission. until two years after the entry into force of this Regulation.
1.1. Where the Commission has taken no decision pursuant to Article 41, a controller or processor may not transfer personal data to a third country , territory or an international organisation only if unless the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument.
1a. Those appropriate safeguards shall, at least: (a) guarantee the observance of the principles of personal data processing as established in Article 5; (b) safeguard data subject rights as established in Chapter III and provide for effective redress mechanisms; (c) ensure the observance of the principles of privacy by design and by default as established in Article 23; (d) guarantee the existence of a data protection officer pursuant to Section 4 of Chapter IV.
(b) standard data protection clauses adopted by the Commission. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2); or
5. Where the appropriate safeguards with respect to the protection of personal data are not provided for in a legally binding instrument, the controller or processor shall obtain prior authorisation for the transfer, or a set of transfers, or for provisions to be inserted into administrative arrangements providing the basis for such transfer. Such authorisation by the supervisory authority shall be in accordance with point (a) of Article 34(1). If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57. 5. Authorisations by a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid, for two years after the entry into force of this Regulation, or until amended, replaced or repealed by that supervisory authority.
(b) expressly confer enforceable rights on data subjects; and are transparent for data subjects;
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purposeEuropean Data Protection Board shall be entrusted with the task of further specifying the criteria and requirements for binding corporate rules within the meaning of this Article, in particular as regards the criteria for their approval, the application of points (b), (d), (e) and (f) of paragraph 2 to binding corporate rules adhered to by processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned., in accordance with Article 66.
4. The Commission may specify the format and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted , after requesting an opinion of the European Data Protection Board, in accordance with the examination procedure set out in Article 87(2).
Article 43a Transfers not authorised by Union law 1. Any judgments of a court or tribunal or any decision of an administrative authority of a third country requiring a controller or processor to transfer personal data shall only be recognised or be enforceable on the basis of, and in accordance with, a mutual assistance treaty or an international agreement in force between the requesting third country and the Union or a Member State. 2. Where a judgment of a court or tribunal or a decision of an administrative authority of a third country requests a controller or processor to disclose personal data, the controller or processor and, if any, the controller's representative, shall notify the competent supervisory authority of the request without undue delay and shall obtain prior authorisation for the transfer by the supervisory authority in accordance with Article 34(1). 3. The supervisory authority shall assess the compliance of the requested disclosure with this Regulation and in particular whether the disclosure is necessary and legally required in accordance with points (d) and (e) of paragraph 1 and paragraph 5 of Article 44. 4. The supervisory authority shall inform the competent national authority of the request. The controller or processor shall also inform the data subject of the request and of the authorisation by the supervisory authority. 5. The Commission may adopt an implementing act laying down the standard format of the notifications to the supervisory authority referred to in paragraph 2 and the information of the data subject referred to in paragraph 4 as well as the procedures applicable to the notification and information. Those implementing acts shall be adopted, after requesting an opinion of the European Data Protection Board, in accordance with the examination procedure referred to in Article 87(2).
(g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in Union or Member State law for consultation are fulfilled in the particular case and the controller or processor as the case may be has obtained prior authorisation for the transfer or set of transfers by the supervisory authority in accordance with Article 34; or
(h) the transfer is necessary for the purposes of the legitimate interests laid down in paragraphs 1a to 1c of Article 6, pursued by the controller or the processor, which cannot be qualified as frequent or massive, and where the controller or processor has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and based on this assessment adduced appropriate safeguards with respect to the protection of personal data, where necessary.
7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purposeEuropean Data Protection Board shall be entrusted with the task of further specifying 'important grounds of public interest' within the meaning of point (d) of paragraph 1 as well as the the criteria and requirements for appropriate safeguards referred to in point (h) of paragraph 1., in accordance with Article 66.
Article 45a Report by the Commission The Commission shall submit to the European Parliament and the Council at regular intervals, starting not later than four years after the date referred to in Article 91(1), [entry into force of this Regulation] a report on the application of Articles 40 to 45. For that purpose, the Commission may request information from the Member States and supervisory authorities, which shall be supplied without undue delay. The report shall be made public.
5. Each Member State shall ensure that the supervisory authority is provided with the adequate human, technical and financial resources, premises and infrastructure necessary for the effective performance of its duties and powers, including those to be carried out in the context of mutual assistance, co-operation and participation in the European Data Protection Board. The adequacy of the resources shall be determined in the light of the size of the population and the volume of processing of personal data.
7a. Each Member State shall ensure that the supervisory authority shall only be accountable to the national parliament for reasons of budgetary control.
7b. Each Member State shall ensure that the supervisory authority shall only be accountable to the national parliament for reasons of budgetary control in accordance with Article 66.
1. Member States shall provide that the members of the supervisory authority must be appointed either by the parliament or the government , after consultation of the parliament, of the Member State concerned.
- 1a. Each supervisory authority shall be competent to supervise all data processing operations on the territory of its own Member State, or where the personal data of residents of that Member State are processed, without prejudice to Article 54a.
  Comment: New Concept. Overall consequence unclear.
1. Each supervisory authority shall exercise, on the territory of its own Member State, the powers conferred on it in accordance with this Regulation., without prejudice to Article 74.
2. Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union, and the controller or processor is established in more than one Member State, the supervisory authority of the main establishment of the controller or processor shall be competent for the supervision of the processing activities of the controller or the processor in all Member States, without prejudice to the provisions of Chapter VII of this Regulation.
  Comment: New Concept. Overall consequence unclear.
(b) hear complaints lodged by any data subject, or by an association representing that data subject in accordance with Article 73, investigate, to the extent appropriate, the matter and inform the data subject or the association of the progress and the outcome of the complaint within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;
(d) conduct investigations , inspections, and audits, either on its own initiative or on the basis of a complaint or on request of another supervisory authority, and inform the data subject concerned, if the data subject has addressed a complaint to this supervisory authority, of the outcome of the investigations within a reasonable period;
6. Where requestscomplaints are manifestly excessive, in particular due to their repetitive character, the supervisory authority may charge a fee or not take the action requested by the data subjectreasonable fee. The supervisory authority shall bear the burden of proving the manifestly excessive character of the request.complaint.
4. Each supervisory authority shall have the power to sanction administrative offences, in particular those referred to in accordance with Article 79(4), (5) and (6)..
4a. Those powers shall be exercised in an effective, proportionate and dissuasive manner.
Each supervisory authority must draw up an annual a report on its activities at least every two years. The report shall be presented to the national parliament and shall be made be available to the public, the Commission and the European Data Protection Board.
Article 54a Lead Authority
1. Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union, and the controller or processor is established in more than one Member State, or where personal data of the residents in several Member States are processed, the supervisory authority of the main establishment of the controller or processor shall act as a single contact point for the controller or processor.
2. The lead authority shall ensure coordination with the authorities involved at any stage of supervisory proceedings against a controller or a processor within the meaning of paragraph 1. For that purpose it shall in particular submit any relevant information and consult the other authorities before it adopts a measure intended to produce legal effects vis-à-vis a controller or a processor within the meaning of paragraph 1. The lead authority shall take the utmost account of the opinions of the authorities involved.
3. The European Data Protection Board shall at the request of a competent authority designate a single contact for the controller or processor and ensure coordination with the other supervisory authorities involved, in case where: (a) it is unclear from the facts of the case or where the competent authorities do not agree on which supervisory authority shall act as single contact point; (b) the controller is not established in the Union, but residents of different Member States are affected by processing operations within the scope of this Regulation.
4. The lead authority shall not adopt a measure under paragraph 2 if an involved authority within the meaning of paragraph 1 objects to the measure within a period of three weeks after submission of the draft measure by the lead authority. In that case, the issue shall be dealt with by the European Data Protection Board in accordance with the procedure set out in Article 58.
  Comment: New Concept. Overall consequence unclear.
1. Supervisory authorities shall provide each other relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner, and shall put in place measures for effective co-operation with one another. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorisations and consultations, inspections and prompt information on the opening of cases and ensuing developments where the controller or processor has establishments in several Member States or where data subjects in several Member States are likely to be affected by processing operations. The lead authority as defined in Article 54a shall ensure the coordination with involved supervisory authorities and shall act as the single contact point for the controller or processor.
  Comment: New Concept. Overall consequence unclear.
(a) it is not competent for the request or for the activities it is requested to undertake; or
10. The Commission European Data Protection Board may specify the format and procedures for mutual assistance referred to in this article and the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the European Data Protection Board, in particular the standardised format referred to in paragraph 6. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
2. In cases where the controller or processor has establishments in several Member States or where data subjects in several Member States are likely to be affected by processing operations, a supervisory authority of each of those Member States shall have the right to participate in the joint investigative tasks or joint operations, as appropriate. The competent supervisory authority lead authority as defined in Article 54a shall invite the supervisory authority of each of those Member States to take part in the respective joint investigative tasks or joint operations and respond to the request of a supervisory authority to participate in the operations without delay. The lead authority shall act as the single contact point for the controller or processor.
  Comment: New Concept. Overall consequence unclear.
5. Where a supervisory authority does not comply within one month with the obligation laid down in paragraph 2, the other supervisory authorities shall be competent to take a provisional measure on the territory of its Member State in accordance with Article 51(1).2).
(a) relates to processing activities which are related to the offering of goods or services to data subjects in several Member States, or to the monitoring of their behaviourdata subjects in several Member States; or
(c) aims at adopting a list of the processing operations subject to prior consultation pursuant to Article 34(5); or
3. Any supervisory authority or the European Data Protection Board may request that any matter shall be dealt with in the consistency mechanism, in particular where a supervisory authority does not submit a draft measure referred to in paragraph 2 or does not comply with the obligations for mutual assistance in accordance with Article 55 or for joint operations in accordance with Article 56., or where a competent supervisory authority does not agree with the draft measure proposed by the lead authority, pursuant Article 54a(5).
7. The European Data Protection Board shall issue an opinion on the matter, if the European Data Protection Board so decides by simple majority of its members or any supervisory authority or the Commission so requests within one weektwo weeks after the relevant information has been provided according to paragraph 5. The opinion shall be adopted within one monthtwo months by simple majority of the members of the European Data Protection Board. The chair of the European Data Protection Board shall inform, without undue delay, the supervisory authority referred to, as the case may be, in paragraphs 1 and 3, the Commission and the supervisory authorityauthorities competent under Article 51(1) of the opinion and make it public.
8. The supervisory authority referred to in paragraph 1 and the supervisory authorityauthorities competent under Article 51(1) shall take the utmost account of the opinionopinions of the European Data Protection Board and shall within two weeks after the information on the opinion by the chair of the European Data Protection Board, electronically communicate to the chair of the European Data Protection Board and to the Commission whether it maintains or amends its draft measure and, if any, the amended draft measure, using a standardised format.
8a. Where the lead authority pursuant to Article 54a intends not to follow the opinion of the European Data Protection Board, it shall inform the European Data Protection Board and the Commission thereof within one month and provide a reasoned justification.
  Comment: New Concept. Overall consequence unclear.
8b. In a case where the European Data Protection Board still objects to the measure of the supervisory authority as referred to in paragraph 9, it may adopt by a two thirds majority a measure which shall be binding upon the supervisory authority.
  Comment: New Concept. Overall consequence unclear.
Opinion by the Commission
1. Within ten weeks after a matter has been raised under Article 58, or at the latest within six weeks in the case of Article 61, the Commission may adopt, in order to ensure correct and consistent application of this Regulation, an opinion in relation to matters raised pursuant to Articles 58 or 61.
2. Where the Commission has adopted an opinion in accordance with paragraph 1, the supervisory authority concerned shall take utmost account of the Commission's opinion and inform the Commission and the European Data Protection Board whether it intends to maintain or amend its draft measure.
3. During the period referred to in paragraph 1, the draft measure shall not be adopted by the supervisory authority.
4. Where the supervisory authority concerned intends not to follow the opinion of the Commission, it shall inform the Commission and the European Data Protection Board thereof within the period referred to in paragraph 1 and provide a justification. In this case the draft measure shall not be adopted for one further month.
Suspension of a draft measure
1. Within one month after the communication referred to in Article 59(4), and where the Commission has serious doubts as to whether the draft measure would ensure the correct application of this Regulation or would otherwise result in its inconsistent application, the Commission may adopt a reasoned decision requiring the supervisory authority to suspend the adoption of the draft measure, taking into account the opinion issued by the European Data Protection Board pursuant to Article 58(7) or Article 61(2), where it appears necessary in order to: (a) reconcile the diverging positions of the supervisory authority and the European Data Protection Board, if this still appears to be possible; or (b) adopt a measure pursuant to point (a) of Article 62(1).
2. The Commission shall specify the duration of the suspension which shall not exceed 12 months.
3. During the period referred to in paragraph 2, the supervisory authority may not adopt the draft measure.
  Comment: New Concept. Overall consequence unclear.
Article 61a Intervention by the Commission
1. Within ten weeks after a matter has been raised under Article 58, or at the latest within six weeks in the case of Article 61, the Commission may adopt, in order to ensure correct and consistent application of this Regulation, an opinion in relation to matters raised pursuant to Articles 58 or 61.
2. Where the Commission has adopted an opinion in accordance with paragraph 1, the supervisory authority concerned shall take the utmost account of the Commission's opinion and inform the Commission and the European Data Protection Board whether it intends to maintain or amend its draft measure.
3. Where the supervisory authority concerned intends not to follow the opinion of the Commission, it shall inform the Commission and the European Data Protection Board thereof within one month and provide a reasoned justification. This reasoned justification shall be made publicly available.
4. In the event of a decision of the European Data Protection Board pursuant to Article 58(8b), the Commission may appeal against it before the Court of Justice of the European Union on the basis of the Treaty on the Functioning of the European Union.
  Comment: New Concept. Overall consequence unclear.
1. The Commission may adopt implementing acts for:, after requesting an opinion of the European Data Protection Board, for:
(a) deciding on the correct application of this Regulation in accordance with its objectives and requirements in relation to matters communicated by supervisory authorities pursuant to Article 58 or 61, concerning a matter in relation to which a reasoned decision has been adopted pursuant to Article 60(1), or concerning a matter in relation to which a supervisory authority does not submit a draft measure and that supervisory authority has indicated that it does not intend to follow the opinion of the Commission adopted pursuant to Article 59;
(c) specifying the format and procedures for the application of the consistency mechanism referred to in this section;
2. On duly justified imperative grounds of urgency relating to the interests of data subjects in the cases referred to in point (a) of paragraph 1, the Commission shall adopt immediately applicable implementing acts in accordance with the procedure referred to in Article 87(3). Those acts shall remain in force for a period not exceeding 12 months.
1. The European Data Protection Board shall ensure the consistent application of this Regulation. To this effect, the European Data Protection Board shall, on its own initiative or at the request of the European Parliament, Council and the Commission, in particular:
(a) advise the Commission European Institutions on any issue related to the protection of personal data in the Union, including on any proposed amendment of this Regulation;
(b) examine, on its own initiative or on request of one of its members or on request of the European Parliament, the Council or the Commission, any question covering the application of this Regulation and issue guidelines, recommendations and best practices addressed to the supervisory authorities in order to encourage consistent application of this Regulation;, including on the use of enforcement powers;
(da) take decisions on draft measures of a supervisory authority pursuant to Article 58 (8b);
(e) promote the co-operation and the effective bilateral and multilateral exchange of information and practices between the supervisory authorities;, including the coordination of joint operations and other joint activities, where it so decides at the request of one or several supervisory authorities;
(ga) give its opinion to the Commission in the preparation of delegated and implementing acts based on this Regulation;
(gb) give an opinion on codes of conduct drawn up at Union level.
2. Where the Commission requestsEuropean Parliament, the Council or the Commission request advice from the European Data Protection Board, it may lay out a time limit within which the European Data Protection Board shall provide such advice, taking into account the urgency of the matter.
1. The European Data Protection Board shall regularly and timely inform the Commission about the outcome of its activities. It shall draw up an annual report a report at least every two years on the situation regarding the protection of natural persons with regard to the processing of personal data in the Union and in third countries. The report shall include the review of the practical application of the guidelines, recommendations and best practices referred to in point (c) of Article 66(1).
1. The European Data Protection Board shall take decisions by a simple majority of its members., unless otherwise provided in its rules of procedure, and notwithstanding the procedure pursuant to paragraph 8b of Article 58.
1. The European Data Protection Board shall elect a chair and at least two deputy chairpersons from amongst its members. One deputy chairperson shall be the European Data Protection Supervisor, unless he or she has been elected chair.
2. The term of office of the chair and of the deputy chairpersons shall be fivefour years and be renewable.
1. The discussions of the European Data Protection Board shall be confidential., unless otherwise provided in the rules of procedure. The agendas of the meetings of the Board shall be made public.
2. Any body, organisation or association which aims to protect data subjects’ rights and interests concerning the protection of their personal data and acting in the public interest which has been properly constituted according to the law of a Member State shall have the right to lodge a complaint with a supervisory authority in any Member State on behalf of one or more data subjects if it considers that a data subject’s rights under this Regulation have been infringed as a result of the processing of personal data.
2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has its habitual residence, unless the controller is a public authority of a Member State acting in the exercise of its public powers.
1. Any body, organisation or association referred to in Article 73(2) shall have the right to exercise the rights referred to in Articles 74 and 75, 75 and 77 on behalf of one or more data subjects.
1. Any person who has suffered damage , including non-pecuniary loss, as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered.
2. Where more than one controller or processor is involved in the processing, each controller or processorthose controllers or processors shall be jointly and severally liable for the entire amount of the damage.
2a. In applying the penalties referred to in paragraph 1 Member States shall show full respect for the principle of ne bis in idem, meaning that penalties may not be imposed twice regarding the same infringement of this Regulation.
2. The administrative sanction shall be in each individual case effective, proportionate and dissuasive. The amount of the administrative fine shall be fixed with due regard to the nature, gravity and duration of the breach, the intentional or negligent character of the infringement, the degree of responsibility of the natural or legal person and of previous breaches by this person, the technical and organisational measures and procedures implemented pursuant to Article 23 and the degree of cooperation with the supervisory authority in order to remedy the breach.
2a. In order to determine the type, the level and the amount of the administrative sanction, the supervisory authority shall take into account all relevant circumstances, with due regard to the following criteria: (a) the nature, gravity and duration of the infringement, (b) the intentional or negligent character of the infringement, (c) the degree of responsibility of the natural or legal person and of previous infringements by this person, (d) the technical and organisational measures and procedures implemented pursuant to Articles 23 and 30, (e) the specific categories of personal data affected by the infringement (f) the repetitive nature of the infringement (g) the degree of harm suffered by data subjects, (h) the pecuniary interest leading to the infringement by the person responsible and the level of the profits gained or losses avoided by the person responsible, insofar as they can be determined, (i) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement, and (j) the refusal to cooperate with or obstruction of inspections, audits and controls carried out by the supervisory authority pursuant to Article 53.
3. In case of a first and non-intentional non-compliance withbreach of this Regulation, a warning in writing may be given and no sanction imposed, where: (a) a natural person is processing personal data without a commercial interest; or (b) an enterprise or an organisation employing fewer than 250 persons is processing personal data only as an activity ancillary to its main activities..
4. The supervisory authority shall impose a fine up to that shall not exceed 250 000 EUR, or in case of an enterprise up to 0,5 % of its annual worldwide turnover, to anyone who, intentionally or negligently: (a) does not provide the mechanisms for requests by data subjects or does not respond promptly or not in the required format to data subjects pursuant to Articles infringes Article 12(1) and (2); (b) charges a fee for the information or for responses to the requests of data subjects in violation of Article 12(4).).
5. The supervisory authority shall impose a fine up to that shall not exceed 500 000 EUR, or in case of an enterprise up to 1 % of its annual worldwide turnover, to anyone who, intentionally or negligently: (a) does not provide the information, or does provide incomplete information, or does not provide the information in a sufficiently transparent manner, to the data subject pursuant to Article 11, Article infringes Articles 11, 12(3) and Article 14; (b) does not provide access for the data subject or does not rectify personal data pursuant to Articles 15 and 16 or does not communicate the relevant information to a recipient pursuant to Article 13; (c) does not comply with the right to be forgotten or to erasure, or fails to put mechanisms in place to ensure that the time limits are observed or does not take all necessary steps to inform third parties that a data subjects requests to erase any links to, or copy or replication of the personal data pursuant Article 17; (d) does not provide a copy of the personal data in electronic format or hinders the data subject to transmit the personal data to another application in violation of Article 18; (e) does not or not sufficiently determine the respective responsibilities with cocontrollers pursuant to Article 24; (f) does not or not sufficiently maintain the documentation pursuant to Article 28, Article 31(4), and Article 44(3); (g) does not comply, in cases where special categories of data are not involved, pursuant to Articles (4), 13, 14, 15, 16, 17, 18, 24, 28, 31(4), 44(3), 80, 82 and 83 with rules in relation to freedom of expression or with rules on the processing in the employment context or with the conditions for processing for historical, statistical and scientific research purposes., 83.
6. The supervisory authority shall impose a fine up to that shall not exceed 1 000 000 EUR or, in case of an enterprise up to 2 % of its annual worldwide turnover, to anyone who, intentionally or negligently: (a) processes personal data without any or sufficient legal basis for the processing or does not comply with the conditions for consent pursuant to Articles 6, 7 and 8; (b) processes special categories of data in violation of Articles 9 and 81; (c) does not comply with an objection or the requirement pursuant to Article 19; (d) does not comply with the conditions in relation to measures based on profiling pursuant to Article 20; (e) does not adopt internal policies or does not implement appropriate measures for ensuring and demonstrating compliance pursuant to Articles 22, 23 and 30; (f) does not designate a representative pursuant to Article 25; (g) processes or instructs the processing of personal data in violation of the obligations in relation to processing on behalf of a controller pursuant to Articles 26 and 27; (i) do(h) does not alert on or notify a personal data breach or does not timely or completely notify the data breach to the supervisory authority or to the data subject pursuant to Articles 31 and 32;es not carry out a data protection impact assessment pursuant or processes personal data without prior authorisation or prior consultation of the supervisory authority pursuant to Articles 33 and 34; (j) does not designate a data protection officer or does not ensure the conditions for fulfilling the tasks pursuant to Articles 35, 36 and 37; (k) misuses a data protection seal or mark in the meaning of Article 39; (l) carries out or instructs a data transfer to a third country or an international organisation that is not allowed by an adequacy decision or by appropriate safeguards or by a derogation pursuant to Articles 40 to 44; (m) does not comply with an order or a temporary or definite ban on processing or the suspension of data flows by the 
supervisory authority pursuant to Article 53(1); (n) does not comply with the obligations to assist or respond or provide relevant information to, or access to premises by, the supervisory authority pursuant to Article 28(3), Article 29, Article 34(6) and Article 53(2); (o) does not comply with the rules for safeguarding professional secrecy pursuant to Article 84. infringes the provisions of this Regulation other than those referred to in paragraphs 4 and 5.
6a. The European Data Protection Board shall regularly assess and ensure the consistency in sanctioning among the supervisory authorities, in accordance with Article 66.
7. The Commission shall be empowered to adopt , after requesting an opinion of the European Data Protection Board, delegated acts in accordance with Article 86 for the purpose of updating the absolute amounts of the administrative fines referred to in paragraphs 4, 5 and 6, taking into account the criteria referred to in paragraph 2. and the development of standard costs of living.
1. Member States shall provide for exemptions or derogations from the provisions on the general principles in Chapter II, the rights of the data subject in Chapter III, on controller and processor in Chapter IV, on the transfer of personal data to third countries and international organisations in Chapter V, the independent supervisory authorities in Chapter VI and on co-operation and consistency in Chapter VII for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression in order to reconcile the right to the protection of personal data with the rules governing freedom of expression.whenever this is necessary in order to reconcile the right to the protection of personal data with the rules governing freedom of expression in accordance with the Charter of Fundamental Rights of the European Union and its referral to the ECHR.
1. Within the limits of 1. In accordance with the rules set out in this Regulation and in accordance, in particular with point (h) of Article 9(2), processing of personal data concerning health must be on the basis of Union law or Member State law which shall provide for suitable and specific measures to safeguard the data subject's legitimate interestsinterests and fundamental rights, and be necessary for:
1a. When the purposes referred to in points (a) to (c) of paragraph 1 can be achieved without the use of personal data, such data shall not be used for those purposes.
2. Processing of personal data concerning health which is necessary for historical, statistical or scientific research purposes, such as patient registries set up for improving diagnoses and differentiating between similar types of diseases and preparing studies for therapies, is shall be permitted only with the consent of the data subject, and shall be subject to the conditions and safeguards referred to in Article 83.
2a. Member States law may provide for exceptions to the requirement of consent for research, as referred to in paragraph 2, with regard to research that serves an exceptionally high public interests, if that research cannot possibly be carried out otherwise. The data in question shall be anonymised, or if that is not possible for the research purposes, pseudonymised under the highest technical standards, and all necessary measures shall be taken to prevent re-identification of the data subjects. Such processing shall be subject to prior authorisation of the competent supervisory authority, in accordance with Article 34(1).
3. The Commission shall be empowered to adopt , after requesting an opinion of the European Data Protection Board, delegated acts in accordance with Article 86 for the purpose of further specifying other reasons of public interest in the area of public health as referred to in point (b) of paragraph 1, as well as criteria and requirements for the safeguards for the processing of personal data for the purposes referred to in paragraph 1.
3a. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.
1. Within the limits of 1. In accordance with the rules set out in this Regulation, Member States may adopt by law specific rules regulating the processing of employees' personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.
3. The Commission shall be empowered , after requesting an opinion from the European Data Protection Board, to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the safeguards for the processing of personal data for the purposes referred to in paragraph 1.
Article 82a Processing in the social security context
1. Member States may, in accordance with the rules set out in this Regulation, adopt specific legislative rules particularising the conditions for the processing of personal data by their public institutions and departments in the social security context if carried out in the public interest.
2. Each Member State shall notify to the Commission those provisions which it adopts pursuant to paragraph 1, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.
1. Within the limits of this Regulation, personal data not falling within the categories of data covered by Articles 8 and 9 may be processed for historical, statistical or scientific research purposes only if:
(b) data enabling the attribution of information to an identified or identifiable data subject is kept separately from the other information as long as these purposes can be fulfilled in this manner.
1a. Subject to the exception in paragraph 1b, data falling within the categories of data covered by Articles 8 and 9 may be processed for historical, statistical or scientific research only with the consent of the data subjects.
1b. Member State law may provide for exceptions to the requirement of consent for research, as referred to in paragraph 1a, with regard to research that serves an exceptionally high public interest, if that research cannot possibly be carried out otherwise. The data in question shall be anonymised, or if that is not possible for the research purposes, pseudonymised under the highest technical standards, and all necessary measures shall be taken to prevent re-identification of the data subjects. Such processing shall be subject to prior authorisation of the competent supervisory authority, in accordance with Article 34(1).
2. Bodies conducting historical, statistical or scientific research may publish or otherwise publicly disclose personal data only if:
(a) the data subject has given consent, subject to the conditions laid down in Article 7; or
(b) [deleted] the publication of personal data is necessary to present research findings or to facilitate research insofar as the interests or the fundamental rights or freedoms of the data subject do not override these interests; or
Justification: Research purposes should not override the interest of the data subject in not having his or her personal data published. See related Article 17(2).
(c) [renumbered (b)] the data subject has made the data public.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the processing of personal data for the purposes referred to in paragraphs 1 and 2 as well as any necessary limitations on the rights of information to and access by the data subject and detailing the conditions and safeguards for the rights of the data subject under these circumstances.
3a. Each Member State shall notify to the Commission those provisions which it adopts pursuant to paragraph 1b, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.
1. Within the limits of 1. In accordance with the rules set out in this Regulation, Member States, may adopt specific rules to set out the investigative powers by the supervisory authorities laid down in Article 53(2) in relation to controllers or processors that are subjects under national law or rules established by national competent bodies to an obligation of professional secrecy or other equivalent obligations of secrecy, where this is necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy. These rules, to set out (a) the rights of data subjects laid down in Articles 11 to 20, in line with Article 21; (b) the investigative powers by the supervisory authorities laid down in Article 53(2). The specific rules referred to in paragraph 1 shall only apply with regard to personal data which the controller or processor has received from or has obtained in an activity covered by this obligation of secrecy.
  Comment: Unclear.
Article 85a Respect of human rights
This Regulation shall not have the effect of modifying the obligation to respect fundamental rights and fundamental legal principles as enshrined in Article 6 of the TEU, and any obligations incumbent on judicial authorities in this respect shall remain unaffected.
2. The delegation of power referred to in Article 6(57(4c), Article 8(311(2b), Article 9(3), Article 12(5), Article 14(7), Article 15(3), Article 17(9), Article 20(6), Article 22(4), Article 23(3), Article 26(5), Article 28(5), Article 30(3), Article 31(5), Article 32(5), Article 336), Article 34(833(6), Article 35(1138(4), Article 37(2), Article 39(2), Article 4341(3), Article 44(741(5), Article 79, Article 81(3(7), Article 8281(3) and Article 8382(3) shall be conferred on the Commission for an indeterminate period of time from the date of entry into force of this Regulation.
3. The delegation of power referred to in Article 6(57(4c), Article 8(311(2b), Article 9(3), Article 12(5), Article 14(7), Article 15(3), Article 17(9), Article 20(6), Article 22(4), Article 23(3), Article 26(5), Article 28(5), Article 30(3), Article 31(5), Article 32(5), Article 336), Article 34(833(6), Article 35(1138(4), Article 37(2), Article 39(2), Article 4341(3), Article 44(741(5), Article 79, Article 81(3(7), Article 8281(3) and Article 8382(3) may be revoked at any time by the European Parliament or by the Council. A decision of revocation shall put an end to the delegation of power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.
5. A delegated act adopted pursuant to Article 6(57(4c), Article 8(311(2b), Article 9(3), Article 12(5), Article 14(7), Article 15(3), Article 17(9), Article 20(6), Article 22(4), Article 23(3), Article 26(5), Article 28(5), Article 30(3), Article 31(5), Article 32(5), Article 336), Article 34(833(6), Article 35(1138(4), Article 37(2), Article 39(2), Article 4341(3), Article 44(741(5), Article 79, Article 81(3(7), Article 8281(3) and Article 8382(3) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of twofour months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or the Council.
5a. The Commission shall adopt the delegated acts under Articles 17(9), 31(5), 32(5) and 33(6) by [six months prior to the date referred to in Article 91(2)]. The Commission may extend the deadline by 6 months.
3. Where reference is made to this paragraph, Article 8 of Regulation (EU) No 182/2011, in conjunction with Article 5 thereof, shall apply.
Article 89a Data processing by EU Institutions, bodies, offices and agencies
The Commission shall present, by the date specified in Article 91(2) at the latest and without delay, a proposal for the revision of the legal framework applicable to the processing of personal data by the Union institutions, bodies, offices and agencies, to bring them in line with this Regulation with a view to ensuring consistent and homogeneous legal rules relating to the fundamental right to the protection of personal data in the European Union.
(23) The principles of protection should apply to any information concerning an identified or identifiable person. To determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify or single out the individual. This Regulation should not apply to anonymous data, meaning any data that cannot be related, directly or indirectly, alone or in combination with associated data, to a natural person, or where establishing such a relation would require a disproportionate amount of time, expense, and effort, taking into account the state of the art in technology at the time of the processing and the possibilities for development during the period for which the data will be processed.
(24) When using online or offline services, individuals may be associated with one or more identifiers provided by their devices, applications, tools, protocols or other consumer goods, such as Internet Protocol addresses, cookie identifiers, RFID-tags and other unique identifiers. Since such identifiers leave traces and can be used to single out natural persons, this Regulation should be applicable to processing involving such data, unless those identifiers demonstrably do not relate to natural persons, such as for example the IP addresses used by companies, which cannot be considered as ‘personal data’ as defined in this Regulation.
1a. If none of the legal grounds for the processing of personal data referred to in paragraph 1 apply, processing of personal data shall be lawful if and to the extent that it is necessary for the purposes of the legitimate interests pursued by the controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data. The data controller shall in that case inform the data subject about the data processing explicitly and separately in accordance with Article 14(1). The controller shall also publish the reasons for believing that its interests override the interests or fundamental rights and freedoms of the data subject. This paragraph shall not apply to processing carried out by public authorities in the performance of their tasks.
1b. The legitimate interests of the controller as referred to in paragraph 1a override the interests or fundamental rights and freedoms of the data subject, as a rule and for example, if:
(a) processing of personal data takes place as part of the exercise of the right to freedom of expression, the media and the arts, within the limits of Union or national law;
(b) processing of personal data is necessary for the enforcement of the legal claims of the data controller or of third parties on behalf of whom the data controller is acting in relation to a specific identified data subject, or for preventing or limiting damage by the data subject to the controller;
(c) the data subject has provided personal data to the data controller on the legal ground referred to in point (b) of paragraph 1, and the personal data are used for direct marketing for its own and similar products and services and are not transferred, and the data controller is clearly identified to the data subject;
(d) processing of personal data takes place in the context of professional business-to-business relationships and the data were collected from the data subject for that purpose;
(e) processing of personal data is necessary for registered non-profit associations, foundations and charities, recognised as acting in the public interest under Union or national law, for the sole purpose of collecting donations.
  Comment: Tending to be at least not weaker than most other definitions if read together with AM913.
1c. The interests or fundamental rights and freedoms of the data subject as referred to in paragraph 1a override the legitimate interest of the controller, as a rule and for example, if:
(a) the processing causes a serious risk of damage to the data subject;
(b) special categories of data as referred to in Article 9(1), location data, or biometric data are processed;
(c) the data subject can reasonably expect, on the basis of the context of the processing, that his or her personal data will only be processed for a specific purpose or treated confidentially, unless the data subject concerned has been informed specifically and separately about the use of his or her personal data for purposes other than the performance of the service;
(d) personal data are processed in the context of profiling;
(e) personal data is made accessible for a large number of persons or large amounts of personal data about the data subject are processed or combined with other data;
(f) the processing of personal data may adversely affect the data subject, in particular because it can lead to defamation or discrimination; or
(g) the data subject is a child.
  Comment: Tending to be at least not weaker than most other definitions if read together with AM908.
2a. If data is collected for processing after consent has been given solely by automated means in accordance with paragraph 2a and the pseudonyms are later unlawfully associated with other personal identifiers that do permit the direct identification of a data subject pursuant to Article 4(1), then this constitutes a personal data breach likely to adversely affect the protection of the privacy of the data subject. The breach notifications must be communicated in accordance with the procedures in Articles 31 and 32.
  Comment: The overall concept of "pseudonymous data" leads to weaker data protection.
4. As a rule, consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.
Article 10a Education
Union citizens and residents shall be educated by appropriate means about data protection, as an integral part of general media competence education. Competent Member States and Union institutions and bodies shall be tasked with supporting this.
(dc) the data are processed in the exercise of his profession by, or are entrusted or become known to, a person who is subject to an obligation of professional secrecy regulated by the State or to a statutory obligation of secrecy.
2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in an electronic and interoperable format allowing unhindered further use by the data subject, unless otherwise requested by the data subject.
2a. The right of access referred to in paragraphs 1 and 2 shall not apply where data pursuant to Article 14(5)(d) are affected.
3. The controller shall be able to demonstrate the effectiveness of the measures referred to in paragraphs 1 and 2. If proportionate, this shall be verified by independent internal or external auditors. A certification pursuant to Article 39 shall be considered an adequate verification.
1. Having regard to the state of the art, the controller and processor, if any, shall, both at the time of the determination of the purposes and means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular with regard to the principles laid out in Article 5. Where the controller has carried out a data protection impact assessment pursuant to Article 33, the results shall be taken into account when developing those measures and procedures.
2. Where the data subject is given a choice regarding the processing of personal data, the controller and the processor, if any, shall ensure that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals and that data subjects are able to control the distribution of their personal data.
(h) make available to the controller and the supervisory authority all information necessary to control compliance with the obligations laid down in this Article and allow on-site inspections.
1. The controller or the processor as the case may be shall obtain an authorisation from the supervisory authority prior to the processing of personal data according to Chapter V or if ordered by any other provision in this Regulation, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where a controller or processor adopts contractual clauses as provided for in point (d) of Article 42(2) or does not provide for the appropriate safeguards in a legally binding instrument as referred to in Article 42(5) for the transfer of personal data to a third country or an international organisation.
1. Member States shall provide that the members of the supervisory authority must be appointed either by the parliament or the government after consultation of the parliament, or by the highest judicial authority of the Member State concerned.
2. Each supervisory authority shall promote the awareness of the public on risks, rules, safeguards and rights in relation to the processing of personal data and about appropriate means of protecting oneself. Activities addressed specifically to children shall receive specific attention.
(b) access to any of its premises, including to any data processing equipment and means, where there are reasonable grounds for presuming that an activity in violation of this Regulation is being carried out there.
2. Where more than one controller or processor is involved in the processing, each controller or processor shall be jointly and severally liable for the entire amount of the damage, unless they have an appropriate written agreement.
Article 80a Access to documents
1. Member States may provide in their national legislation for rules necessary to reconcile the right of access to documents with the principles in Chapter 2.
2. Each Member State shall notify to the Commission provisions of its law which it adopts pursuant to paragraph 1 by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.