United Kingdom ECR

Timothy Kirkhope

Country: United Kingdom
Group: European Conservatives and Reformists (ECR)
Party: Conservative Party (CON)

Member of Civil Liberties, Justice and Home Affairs
Substitute of Culture and Education

Overview Timothy Kirkhope

Amendments: 128
...stronger: 9
...weaker: 75
...neutral: 44

Amendments by Timothy Kirkhope

2. This Regulation applies to the as far as legally possible and is compatible with the legal system of a third country, the processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to:
(8) ‘the data subject’s consent’ means any freely given specific, informed and explicit, specific and informed, contract or indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;
(a) processed lawfully, fairly and in a proportionate and transparent manner in relation to the data subject;
(b) collected for specified, explicit clear and legitimate purposes and not further processed in a way incompatible with those purposes;
(fa) processing is necessary in the interest of public safety, the welfare, safety, or health of an individual in line with fundamental rights and freedom;
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the conditions referred to in point (f) of paragraph 1 for various sectors and data processing situations, including as regards the processing of personal data related to a child.
2. If the data subject's consent is to be given in the context of a written declaration which also concerns another concerns an entirely new, separate or unrelated matter, the requirement to give consent must be presented distinguishable in its appearance from this other matter.
4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.
1. For the purposes of this Regulation, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodian. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology.
2. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the methods to obtain verifiable consent referred to in paragraph 1. In doing so, the Commission shall consider specific measures for micro, small and medium-sized enterprises.
4. The Commission may lay down standard forms for specific methods to obtain verifiable consent referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
4a. Every child must be free to say what they think and to seek and receive all kinds of information, as long as it is within the law.
  Comment: Intention unclear.
4b. Every child has the right to privacy. The law should protect the child's private, family and home life.
4c. Every child has the right to reliable information. This should be information that children can understand. Member State Governments must help protect children from materials that could harm them.
  Comment: Intention unclear.
(c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent; or
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other non-profit-seeking body or association with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed outside that body without the consent of the data subjects; or
(j) processing of data relating to criminal convictions or related security measures is carried out either under the control of official authority or when the processing is necessary for compliance with a legal or regulatory obligation to which a controller is subject, or for the performance of a task carried out for important public interest reasons, and in so far as authorised by Union law or Member State law providing for adequate safeguards. A complete Any register of criminal convictions shall be kept only under the control of official authority.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria, conditions and appropriate safeguards for the processing of the special categories of personal data referred to in paragraph 1 and the exemptions laid down in paragraph 2.
If the data processed by a controller do not permit the controller to identify a natural person, the controller shall not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation.
1. The controller shall have transparent and easily accessible policies as laid out in a code of practice with regard to the processing of personal data and for the exercise of data subjects' rights.
  Comment: Intention unclear.
2. The controller shall provide any information and any communication make available information relating to the processing of personal data to the data subject in an intelligible form, using clear and plain language, adapted to the data subject, in particular for any information addressed specifically to a child.
1. The controller shall establish procedures for providing the information referred to in Article 14 and for the exercise of the rights of data subjects referred to in Article 13 and Articles 15 to 19. The controller shall provide in particular mechanisms for facilitating the request for the actions referred to in Article 13 and Articles 15 to 19. Where personal data are processed by automated means, the controller shall also provide means for requests to be made electronically.
2. The controller shall inform the data subject without undue delay and, at the latest within one month 30 working days of receipt of the request, whether or not any action has been taken pursuant to Article 13 and Articles 15 to 19 and shall provide the requested information. This period may be prolonged for a further month 30 working days, if several data subjects exercise their rights and their cooperation is necessary to a reasonable extent to prevent an unnecessary and disproportionate effort on the part of the controller. The information shall be given in writing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, or in case the information would be incomplete or inaccurate. The information shall be given in the medium in which it was requested unless otherwise requested by the data subject.
3. If the controller refuses to does not take action on the request of the data subject, the controller shall inform the data subject of the data subject shall have the right to ask the controller for the reasons for the refusal inaction and on the possibilities of lodging a complaint to the supervisory authority and seeking a judicial remedy.
4. The information and the actions taken on requests referred to in paragraph 1 shall be either free of charge or at a maximum, sufficient to cover the administrative costs of handling, particularly with regard to repeat or bulk requests. Where requests are manifestly excessive, in particular because of with the aim of causing disruption, inconvenience or financial burden due to their repetitive character, the controller may charge a fee for providing the information or taking the action requested, or the controller may not take the action requested. In that case, the controller shall bear the burden of proving the manifestly excessive character of the request.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the manifestly excessive requests and the fees referred to in paragraph 4.
6. The Commission may lay down standard forms and specifying standard procedures for the communication referred to in paragraph 2, including the electronic format. In doing so, the Commission shall take the appropriate measures for micro, small and medium-sized enterprises. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
1. Where personal data relating to a data subject are collected, the controller shall provide the data subject with at least the following information: (a) the identity and the contact details of the controller and, if any, of the controller's representative and of the data protection officer; (b) the purposes of the processing for which the personal data are intended, including the contract terms and general conditions where the processing is based on point (b) of Article 6(1) and the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1); (c) the period for which the personal data will be stored; (d) the existence of the right to request from the controller access to and rectification or erasure of the personal data concerning the data subject or to object to the processing of such personal data; (e) the right to lodge a complaint to the supervisory authority and the contact details of the supervisory authority; (f) the recipients or categories of recipients of the personal data; (g) where applicable, that the controller intends to transfer to a third country or international organisation and on the level of protection afforded by that third country or international organisation by reference to an adequacy decision by the Commission; (h) any further information necessary to guarantee fair processing in respect of the data subject, having regard to the specific circumstances in which the personal data are collected.
1a. Where personal data relating to a data subject is collected from the data subject, the controller shall at the time when personal data are obtained, provide the data subject with the following information: (a) the identity and the contract details of the controller and, if any, of the controller's representative and of the data protection officer; (b) the purpose of the processing for which the personal data are intended, including the contract terms and general conditions. Further information shall be provided at the request of the data subject, which would include the following information: (a) the period for which the personal data will be stored; (b) the existence of the right to request from the controller access to and rectification or erasure of the personal data concerning the data subject or to object to the processing of such personal data; (c) the right to lodge a complaint to the supervisory authority and the contact details of the supervisory authority; (d) the recipients or categories of recipients of the personal data; (e) where applicable, that the controller intends to transfer to a third country or international organisation and on the level of protection afforded by that third country or international organisation by reference to an adequacy decision by the Commission; (f) any further information necessary to guarantee fair processing in respect of the data subject, having regard to the specific circumstances in which the personal data are collected.
3. Where the personal data are not collected from collected would have potentially harmful consequences or is wholly unrelated to the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, from which source the personal data originate.
6. In the case referred to in point (b) of paragraph 5, the controller shall provide appropriate measures undertake the necessary actions and protections in their activities to protect the data subject's legitimate interests.
  Comment: Intention unclear.
7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria for categories of recipients referred to in point (f) of paragraph 1, the requirements for the notice of potential access referred to in point (g) of paragraph 1, the criteria for the further information necessary referred to in point (h) of paragraph 1 for specific sectors and situations, and the conditions and appropriate safeguards for the exceptions laid down in point (b) of paragraph 5. In doing so, the Commission shall take the appropriate measures for micro, small and medium-sized enterprises.
8. The Commission may lay down standard forms for providing the information referred to in paragraphs 1 to 3, taking into account the specific characteristics and needs of various sectors and data processing situations where necessary. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the communication to the data subject of the content of the personal data referred to in point (g) of paragraph 1.
4. The Commission may specify standard forms and procedures for requesting and granting access to the information referred to in paragraph 1, including for verification of the identity of the data subject and communicating the personal data to the data subject, taking into account the specific features and necessities of various sectors and data processing situations. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
The data subject shall have the right to obtain from the controller the rectification of personal data relating to them which are inaccurate. The data subject shall have the right to obtain completion of incomplete personal data, including by way of supplementing a corrective statement.
1. The data subject shall have the right to obtain request from the controller, and pursue, the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which are made available by the data subject while he or she was a child, where one of the following grounds applies:
2. Where the controller referred to in paragraph 1 has made the personal data public, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication.
(ea) if in the legitimate interest of data controllers maintaining data so long as it does not cause prejudice or harm to the data subject, their rights or interests.
8. Where the erasure is carried out, the controller shall not otherwise process such personal data.
1. The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject., in so far as it does not breach the intellectual property rights or legitimate private trade practices of the data controller.
3. The Commission may specify the electronic format referred to in paragraph 1 and the technical standards, modalities and procedures for the transmission of personal data pursuant to paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
1. The data subject shall have the right to object to processing, on grounds relating to their particular situation, at any time to the processing of personal data which is based on points (d), (e) and (f) of Article 6(1), unless the controller demonstrates compelling legitimate grounds for the processing which override the interests or fundamental rights and freedoms of the data subject.
2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object free of charge to processing to the processing of their personal data for such marketing. This right shall be explicitly offered to the data subject in an intelligible and clear manner and shall be clearly distinguishable from other information.
3. Where an objection is upheld pursuant to paragraphs 1 and 2, the controller shall no longer use or otherwise process the personal data concerned.
1. Every natural person shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour., without prejudice to legal and legitimate forms of profiling in commercial use or for the purpose of the prevention, investigation or prosecution of criminal activity.
4. In the cases referred to in paragraph 2, the information to be provided by the controller under Article 14 shall include information as to the existence of processing for a measure of the kind referred to in paragraph 1 and the envisaged effects of such processing on the data subject.
(c) other public interests of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters and the protection of market stability and integrity;
(da) the protection of international relations;
1. The controller shall adopt policies and implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with the data protection principles laid out in this Regulation., and that the intended outcome is achieved for data subjects.
2. The measures provided for in paragraph 1 shall in particular include: may include measures such as:
3. The controller shall implement mechanisms to ensure the verification of the effectiveness of the measures referred to in paragraphs 1 and 2. If proportionate, this verification shall be carried out by independent internal or external auditors.
4. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of specifying any further criteria and requirements for appropriate measures referred to in paragraph 1 other than those already referred to in paragraph 2, the conditions for the verification and auditing mechanisms referred to in paragraph 3 and as regards the criteria for proportionality under paragraph 3, and considering specific measures for micro, small and medium-sized enterprises.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of specifying any further criteria and requirements for appropriate measures and mechanisms referred to in paragraph 1 and 2, in particular for data protection by design requirements applicable across sectors, products and services.
4. The Commission may lay down technical standards for the requirements laid down in paragraph 1 and 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
1. In the situation referred to in Article 3(2), the controller shall designate a representative in the Union. to act as a facilitator between the data subject, the data protection supervisor and the third country data controller.
  Comment: Intention unclear.
2. This obligation shall not apply to: (a) a controller established in a third country where the Commission has decided that the third country ensures an adequate level of protection in accordance with Article 41; or (b) an enterprise employing fewer than 250 persons; or (c) a public authority or body; or (d) a controller offering only occasionally goods or services to data subjects residing in the Union.
3. The representative shall be established in one of those Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, reside.
4. The designation of a representative by the controller shall be without prejudice to legal actions which could be initiated against the controller itself.
4. If a processor processes personal data other than as instructed by the controller, the processor shall be considered to be a controller in respect of that processing and shall be subject to the rules on joint controllers laid down in Article 24.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the responsibilities, duties and tasks in relation to a processor in line with paragraph 1, and conditions which allow facilitating the processing of personal data within a group of undertakings, in particular for the purposes of control and reporting.
1. Each controller and processor and, if any, the controller's representative, shall maintain documentation of all processing operations under its responsibility. regarding data handling practices, including what purpose data processing is being carried out for and for which data controller.
2. The documentation shall should contain at least the following information:
3. The controller and the processor and, if any, the controller's representative, shall make the documentation available, on request, to the supervisory authority. However, equal emphasis and significance must be placed on good practice and compliance and not just the completion of documentation.
(a) a natural person processing personal data without a commercial interest; or
(b) an enterprise or an organisation employing fewer than 250500 persons that is processing personal data only as an activity ancillary to its main activities.
1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours 10 working days after having become aware of it, or when sufficient and conclusive information regarding the data breach can be obtained, shall notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.10 working days.
2. Pursuant to point (f) of Article 26(2), the processor shall alert and inform the controller immediately as a matter of urgency after the establishment of a personal data breach.
4. The controller shall document any personal data breaches without undue delay when asked to be provided, comprising the facts surrounding the breach, its effects and the remedial action taken. This documentation must enable the supervisory authority to verify compliance with this Article. The documentation shall only include the information necessary for that purpose.
1. When the personal data breach is likely to adversely affect have an adverse effect to the protection of the personal data or privacy of the data subject with respect to proportionality, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements as to the circumstances in which a personal data breach is likely to adversely affect the personal data referred to in paragraph 1.
6. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the processing operations likely to present specific risks referred to in paragraphs 1 and 2 and the requirements for the assessment referred to in paragraph 3, including conditions for scalability, verification and auditability. In doing so, the Commission shall consider specific measures for micro, small and medium-sized enterprises.
7. The Commission European Data Protection Board in contact with the Supervisory Authority may specify standards and procedures and guidance for carrying out and verifying and auditing the assessment referred to in paragraph 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
1. The controller or the processor as the case may be shall obtain an authorisation from the supervisory authority prior to the processing of personal data, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where a controller or processor adopts contractual clauses as provided for in point (d) of Article 42(2) or does not provide for the appropriate safeguards in a legally binding instrument as referred to in Article 42(5) for the transfer of personal data to a third country or an international organisation.
2. The controller or processor acting on the controller's behalf shall consult the supervisory authority prior to the processing of personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where: (a) a data protection impact assessment as provided for in Article 33 indicates that processing operations are by virtue of their nature, their scope or their purposes, likely to present a high degree of specific risks; or (b) the supervisory authority deems it necessary to carry out a prior consultation on processing operations that are likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope and/or their purposes, and specified according to paragraph 4.
3. Where the supervisory authority is of the opinion that the intended processing does not comply with this Regulation, in particular where risks are insufficiently identified or mitigated, it shall prohibit the intended processing and make appropriate proposals to remedy such incompliance.
4. The supervisory authority shall establish and make public a list of the processing operations which are subject to prior consultation pursuant to point (b) of paragraph 2. The supervisory authority shall communicate those lists to the European Data Protection Board. may be referred for a high degree of specific risks, in such cases, processing shall be prohibited and data processors shall make appropriate proposals to remedy such compliance where the supervisory authority is of the opinion that the intended processing does not comply with this Regulation.
6. The controller or processor shall provide the supervisory authority with the data protection impact assessment provided for in Article 33 and, on request, with any other information to allow the supervisory authority to make an assessment of the compliance of the processing and in particular of the risks for the protection of personal data of the data subject and of the related safeguards.
7. Member States shall may consult the supervisory authority in the preparation of a legislative measure to be adopted by the national parliament or of a measure based on such a legislative measure, which defines the nature of the processing, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects.
1. The controller and the processor shall designate a data protection officer responsible for data protection oversight and compliance in any case where:
(a) the processing is carried out by a public authority or body; or
(b) the processing is carried out by an enterprise employing 250500 persons or more; or
7. The controller or the processor shall designate a data protection officer for a period of at least two years. The data protection officer may be reappointed for further terms. During their term of office, the data protection officer may only be dismissed, if the data protection officer no longer fulfils the conditions required for the performance of their duties.
8. The data protection officer may be employed by the controller or processor, or fulfil his or her tasks on the basis of a service contract.
10. Data subjects shall have the right to contact the data protection officer on all issues related to the processing of the data subject's data and to request exercising the rights under this Regulation., and for them to take the first steps in rectifying the situation.
11. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the core activities of the controller or the processor referred to in point (c) of paragraph 1 and the criteria for the professional qualities of the data protection officer referred to in paragraph 5.
2. The controller or processor shall ensure that the data protection officer performs the duties and tasks independently and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the management of the controller or the processor.
1. The controller or the processor shall entrust ensure the data protection officer at least with the following tasks: (a) to inform and advise the controller or the processor of their obligations pursuant to this Regulation and to document this activity and the responses received; (b) to monitor the implementation and application of the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, the training of staff involved in the processing operations, and the related audits; (c) to monitor the has a clear job description and code of conduct which explicitly lays out their data protection duties which they are entrusted to carry out, particularly the implementation and application of this Regulation, in particular as to the requirements related to data protection by design, data protection by default and data security and to the information of data subjects and their requests in exercising their rights under this Regulation; (d) to ensure that the documentation referred to in Article 28 is maintained; (e) to monitor the documentation, notification and communication of personal data breaches pursuant to Articles 31 and 32; (f) to monitor the performance of the data protection impact assessment by the controller or processor and the application for prior authorisation or prior consultation, if required pursuant Articles 33 and 34; (g) to monitor the response to requests from the supervisory authority, and, within the sphere of the data protection officer's competence, co-operating with the supervisory authority at the latter's request or on the data protection officer's own initiative; (h) to act as the contact point for the supervisory authority on issues related to the processing and consult and their role as liaison with the supervisory authority, if appropriate, on his/her own initiative.
1. The Member States, the supervisory authorities and the Commission shall encourage the drawing up of codes of conduct or the adoption of a code of conduct drawn up by a Supervisory Authority intended to contribute to the proper application of this Regulation, taking account of the specific features of the various data processing sectors, in particular in relation to:
3. Associations and other bodies representing categories of controllers in several Member States may submit draft codes of conduct and amendments or extensions to existing codes of conduct to the Commission.European Data Protection Board.
4. The Commission European Data Protection Board may adopt implementing acts for deciding that the codes of conduct and amendments or extensions to existing codes of conduct submitted to it pursuant to paragraph 3 have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).
5. The Commission European Data Protection Board shall ensure appropriate publicity for the codes which have been decided as having general validity in accordance with paragraph 4.
2. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the Supervisory Authorities and the European Data Protection Board shall lay down and specify criteria and requirements for the data protection certification mechanisms referred to in paragraph 1, including conditions for granting and withdrawal, and requirements for recognition within the Union and in third countries.
3. The Commission Supervisory Authorities and the European Data Protection Board may lay down technical standards for certification mechanisms and data protection seals and marks and mechanisms to promote and recognize certification mechanisms and data protection seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).
1. A transfer may take place where the European Data Protection Board in consultation with the Commission has decided that the third country, or a territory or a processing sector within that third country, or the international organisation in question ensures an adequate level of protection. Such transfer shall not require any further authorisation.
5. The Commission may decide that a third country, or a territory or a processing sector within that third country, or an international organisation does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article, in particular in cases where the relevant legislation, both general and sectoral, in force in the third country or international organisation, does not guarantee effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2), or, in cases of extreme urgency for individuals with respect to their right to personal data protection, in accordance with the procedure referred to in Article 87(3).
1. Where the Commission has taken no decision pursuant to Article 41, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument.
5. Where the appropriate safeguards with respect to the protection of personal data are not provided for in a legally binding instrument, the controller or processor shall obtain prior authorisation for the transfer, or a set of transfers, or for provisions to be inserted into administrative arrangements providing the basis for such transfer. Such authorisation by the supervisory authority shall be in accordance with point (a) of Article 34(1). If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57. Authorisations by a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid, until amended, replaced or repealed by that supervisory authority.
(f) the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member of the group of undertakings not established in the Union; the controller or the processor may only be exempted from this liability, in whole or in part, if he proves that that member is not responsible for the event giving rise to the damage;
2. The members of the supervisory authority shall, in the performance of their duties, neither seek nor take instructions from anybody, and maintain complete independence and impartiality.
The members and the staff of the supervisory authority shall be subject, both during and after their term of office, to a duty of professional secrecy with regard to any confidential information which has come to their knowledge in the course of the performance of their official duties, whilst conducting their duties with independence and transparency as set out in the Regulation.
2. Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union, and the controller or processor is established in more than one Member State, the supervisory authority of the main establishment of the controller or processor shall be competent for the supervision of shall decide in consultation with the European Data Protection Board which authority will supervise the processing activities of the controller or the processordata controllers and processors in all Member States, without prejudice to the provisions of Chapter VII of this Regulation.
(a) monitor and ensure the application of this Regulation;
(f) be consulted by Member State institutions and bodies on legislative and administrative measures relating to regarding the protection of individuals’ rights and freedoms with regard to the processing of personal data;
6. Where requests are manifestly excessive, in particular due to their repetitive character, the supervisory authority may charge a fee or not take the action requested by the data subject. The supervisory authority shall bear the burden of proving , if requested, prove the manifestly excessive character of the request.
1. Before a supervisory authority adopts a measure referred to in paragraph 2, this supervisory authority shall communicate the draft measure to the European Data Protection Board and the Commission.
1. Within one month after the communication referred to in Article 59(4), and where the Commission has serious doubts as to whether the draft measure would ensure the correct application of this Regulation or would otherwise result in its inconsistent application, the Commission may adopt a reasoned decision requiring the supervisory authority to suspend the adoption of the draft measure, taking into account the opinion issued by the European Data Protection Board pursuant to Article 58(7) or Article 61(2), where it appears necessary in order to: (a) reconcile the diverging positions of the supervisory authority and the European Data Protection Board, if this still appears to be possible; or (b) adopt a measure pursuant to point (a) of Article 62(1). 2. The Commission shall specify the duration of the suspension which shall not exceed 12 months. 3. During the period referred to in paragraph 2, the supervisory authority may not adopt the draft measure.
1. For the purposes of this Regulation, an enforceable measure of the supervisory authority of one Member State shall be enforced in all Member States concerned.
2. Where a supervisory authority does not submit a draft measure to the consistency mechanism in breach of Article 58(1) to (5), the measure of the supervisory authority shall not be legally valid and enforceable.
2. Without prejudice to requests by the Commission referred to in point (b) of paragraph 1 and in paragraph 2 of Article 66, the European Data Protection Board shall, in the performance of its tasks, neither seek nor take instructions from anybody.
1. The discussions of the European Data Protection Board shall be confidential where necessary, whilst upholding the highest possible standards of transparency and openness as to its general work.
2. Documents submitted to members of the European Data Protection Board, experts and representatives of third parties shall be confidential, unless access is granted to those documents in accordance with Regulation (EC) No 1049/2001 or the European Data Protection Board otherwise makes them public.
1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority in any their own Member State if they consider that the or the Supervisory Authority in the Member State where the controller is established and where the processing of personal data relating to them does not comply with this Regulation.
2. Any body, organisation or association which aims to protect data subjects’ rights and interests concerning the protection of their personal data and has been properly constituted according to the law of a Member State shall have the right to lodge a complaint with a supervisory authority in any Member State on behalf of one or more data subjects if it considers that with the consent of the data subject if a data subject's rights under this Regulation have been infringed as a result of the processing of personal data.
1. Each natural or legal person shall have the right to a judicial remedy against decisions of a supervisory authority concerning them.
2. Each data subject shall have the right to a judicial remedy obliging the supervisory authority to act on a complaint in the absence of a decision necessary to protect their rights, or where the supervisory authority does not inform the data subject within three months on the progress or outcome of the complaint pursuant to point (b) of Article 52(1).
3. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
4. A data subject which is concerned by a decision of a supervisory authority in another Member State than where the data subject has its habitual residence, may request the supervisory authority of the Member State where it has its habitual residence to bring proceedings on its behalf against the competent supervisory authority in the other Member State.
5. The Member States shall enforce final decisions by the courts referred to in this Article.
2. Where the controller has established a representative, any penalties shall be applied to the representative, without prejudice to any penalties which could be initiated against the controller.
2. The administrative sanction shall be in each individual case effective, proportionate and dissuasive. The amount of the administrative fine shall be fixed with due regard to reflect the nature, gravity and duration of the breach, the intentional or negligent character of the infringement, the degree of responsibility of the natural or legal person and of previous breaches by this person, the technical and organisational measures and procedures implemented pursuant to Article 23 and the degree of co-operation with the supervisory authority in order to remedy the breach.
3. In case of a first and non-intentional non-compliance with this Regulation, a warning in writing may be given and no sanction imposed, where: (a) a natural person is processing personal data without a commercial interest; or (b) an enterprise or an organisation employing fewer than 250 persons is processing personal data only as an activity ancillary to its main activities.
4. The supervisory authority shall impose a fine fines graded in relation to the seriousness and scale of the incident, as well as the harm or potential harm caused, the length of the breach, previous infringements and the response to the incident or incidents concerned, up to a maximum of 250 000 EUREU, or in case of an enterprise up to 0,5 % of its annual worldwide turnover. Such infringements and fines may apply to anyone who, intentionally or negligently:
5. The supervisory authority shall impose a fine under the same criteria as listed in article 79 paragraph 4, for the more serious breaches, up to a maximum of 500 000 EUR, or in case of an enterprise up to 1 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
6. The supervisory authority shall impose a fine under the same criteria as listed in Article 79(4) for the most serious breaches, up to a maximum of 1 000 000 EUR or, in case of an enterprise up to 2 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
(b) data enabling the attribution of information to an identified or identifiable data subject where technically and practically possible is kept separately from the other information as long as these purposes can be fulfilled in this manner.
2. Bodies conducting historical, statistical or scientific research may publish or otherwise publicly disclose personal data only if: (a) the data subject has given consent, subject to the conditions laid down in Article 7; (b) the publication of personal data is necessary to present research findings or to facilitate research insofar as the interests or the fundamental rights or freedoms of the data subject do not override these interests; or (c) the data subject has made the data public.