
Baroness Sarah Ludford

Country: United Kingdom
Group: Alliance of Liberals and Democrats for Europe (ALDE)
Party: Liberal Democrats Party (LD)

Member of Civil Liberties, Justice and Home Affairs
Substitute of Foreign Affairs

Overview Baroness Sarah Ludford

Amendments: 132
...stronger: 14
...weaker: 84
...neutral: 34

Amendments by Baroness Sarah Ludford

(23) The principles of protection should apply only to any specific information concerning an identified or identifiable person. To determine whether a person is identifiable, account should be taken of all theonly those means likely reasonably to be used either by the controller or by any other natural or legal person to identify the individual and of the reasonable likelihood of a person being identified. The principles of data protection should not apply to data rendered anonymous in such a way that the data subject is no longer identifiable.or not yet identifiable from the data.
(25) Consent should be given explicitly by any appropriate method enabling a freely given specific and informed indication of the data subject’s wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data. The act of seeking and agreeing to specific healthcare treatment should be considered as consent within the meaning of Articles 4(8) and 6(1)(a) to the processing of personal health data related to that specific treatment and as meeting the burden of proof under Article 7(1), without preventing Member States from maintaining existing more stringent national rules in this regard. Silence or inactivity should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject’s consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
(40) The processing of personal data for other purposes should be only allowed where the processing is compatible with those purposes for which the data have been initially collected, in particularsuch as where the processing is necessary for historical, statistical or scientific research purposes. Where the other purpose is not compatible with the initial one for which the data are collected, the controller should obtain the consent of the data subject for this other purpose or should base the processing on another legitimate ground for lawful processing, in particular where provided by Union law or the law of the Member State to which the controller is subject. In any case, the application of the principles set out by this Regulation and in particular the information of the data subject on those other purposes should be ensured.
(53) Any person should have the right to have personal data concerning them rectified and a ‘right to be forgotten’ where the retention of such data is not in compliance with this Regulation. In particular, data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed, where data subjects have withdrawn their consent for processing or where they object to the processing of personal data concerning them or where the processing of their personal data otherwise does not comply with this Regulation. This right is particularly relevant, when the data subject has given their consent as a child, when not being fully aware of the risks involved by the processing, and later wants to remove such personal data especially on the Internet. However, the further retention of the data should be allowed where it is necessary for historical, statistical and scientific research purposes, for reasons of public interest in the area of public healthhealth purposes in accordance with Article 81, for exercising the right of freedom of expression, when required by law or where there is a reason to restrict the processing of the data instead of erasing them.
(2a) ‘pseudonymised data’ means any personal data that has been altered so that it cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls to ensure such non-attribution;
  Comment: Dependent on the attached consequences, but exceptions for pseudonymous data are always leading to less protection.
(2b) ‘anonymised data’ or ‘data rendered anonymous’ means personal data that has been modified in a way that the information can no longer be attributed to an identifiable natural person;
(8) ‘the data subject’s consent’ means any freely given specific, informed and explicit and informed indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further processing of data for health, historical, statistical, or scientific purposes shall not be considered as incompatible subject to compliance with the conditions in Article 81 or Article 83 as appropriate;
(ea) protected against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures;
(eb) afford appropriate safeguards when processed outside the EEA. Such processing will remain the responsibility of the controller;
(c) processing is necessary for compliance with a legal obligation or regulatory rule or industry code of practice, either domestically or internationally, to which the controller is subject;
(f) processing is necessary for the purposes of the legitimate interests pursued by a controller, such as to detect crime or to prevent crime, fraud, loss or harm or to meet the legitimate expectations of the data subject in the efficient delivery of the service, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
  Comment: Depends on the interpretation of "legitimate interests". Compared to others this AM seems rather strong.
(ba) internationally recognised regulations, rules, guidance, standards and/or industry codes of practice relevant to the business of the controller.
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal., or legitimate processing post consent such as record retention or health, historical, statistical or scientific research.
4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance or coercive relationship between the position of the data subject and the controller. The patient-healthcare provider relationship is not considered a significantly imbalanced or coercive relationship.
1. The controller shall establish procedures for providing the information referred to in Article 14 and for the exercise of the rights of data subjects referred to in Article 13 and Articles 15 to 19. The controller shall provide in particular mechanisms for facilitating the request for the actions referred to in Article 13 and Articles 15 to 19. Where personal data are processed by automated means, the controller shall also provide means for requests to be made electronically.
2. The controller shall inform the data subject without delay and, at the latest within one month of receipt of the request, excessive delay whether or not any action has been taken pursuant to Article 13 and Articles 15 to 19 and shall provide the requested information. This period may be prolonged for a further month, if several data subjects exercise their rights and their cooperation is necessary to a reasonable extent to prevent an unnecessary and disproportionate effort on the part of the controller. The information shall be given in writing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject.
3. If the controller refuses todoes not take action on the request of the data subject, the controller shall inform the data subject of the reasons for the refusal and on the possibilities of lodging shall have the right to lodge a complaint towith the supervisory authority and seeking a judicial remedy.
4a. The following shall apply to requests under Article 15: (a) the controller may charge a fee for providing the relevant information. Such a fee shall not be excessive; (b) no obligation to provide the relevant information shall apply until the controller has received the following; (i) any fee required in accordance with (a) above; and (ii) any information as to the identity of the person making a request as the controller may reasonably require. (c) where a data controller has previously complied with a request by an individual, the data controller is not obliged to comply with a subsequent identical or similar request under that section by that individual unless a reasonable interval has elapsed between compliance with the previous request and the making of the current request; (d) the controller must have regard to any guidance issued under Article 38 in deciding: (i) whether a subsequent request is identical or similar to a previous request; (ii) whether a reasonable interval has elapsed between compliance with the previous request and the making of the current request.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the manifestly excessive requests and the fees referred to in paragraph 4.
6. The Commission may lay down standard forms and specifying standard procedures for the communication referred to in paragraph 2, including the electronic format. In doing so, the Commission shall take the appropriate measures for micro, small and medium-sized enterprises. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
1. Where personal data relating to a data subject are collected, the controller shall provide or make readily available to the data subject with at least the following information:
(b) the purposes of the processing purpose or purposes for which the personal data are intended, including the contract terms and general conditions where the processing is based on point (b) of Article 6(1) and the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1); to be processed; and
(c) the period for which the personal data will be stored;
(g) where applicable, that the controller intends to transfer to a third country or international organisation and on the level of protection afforded by that third country or international organisation by reference to an adequacy decision by the Commission;
(h) any further information necessary to guarantee fair processing in respect of which is necessary, having regard to the specific circumstances in which the data subject, having regard to the specific circumstances in which the personal data are collected.are or are to be processed, to enable processing in respect of the data subject to be fair.
  Comment: No other meaning.
2. Where the personal data are collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, whether the provision of personal data is obligatory or voluntary, as well as the possible consequences of failure to provide such data.
2a. In deciding on further information which is necessary to make the processing fair under 1(d), controllers must have regard to any relevant guidance under Article 38.
3. Where the personal data are not collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, from which source the personal data originate.
4. The controller shall provide the information referred to in paragraphs 1, 2 and 3: (a) at the time when the personal data are obtained from the data subject; or (b) where the personal data are not collected from the data subject, at the time of the recording or within a reasonable period after the collection, having regard to the specific circumstances in which the data are collected or otherwise processed, or, if a disclosure to another recipient is envisaged, and at the latest when the data are first disclosed.
4a. Article 14 shall not apply where: (a) the data subject already has the information; (b) the provision of such information proves impossible or would involve a disproportionate effort; (c) obtaining or disclosure is found in Union or Member State law; (d) where the data originate from publicly available sources; (e) where the data must remain confidential in accordance with a legal provision or on account of the overriding justified interests of a third party.
5. Paragraphs 1 to 4 shall not apply, where: (a) the data subject has already the information referred to in paragraphs 1, 2 and 3; or (b) the data are not collected from the data subject and the provision of such information proves impossible or would involve a disproportionate effort; or (c) the data are not collected from the data subject and recording or disclosure is expressly laid down by law; or (d) the data are not collected from the data subject and the provision of such information will impair the rights and freedoms of others, as defined in Union law or Member State law in accordance with Article 21.
(da) the data consists of information in respect of which a claim to legal professional privilege, or equivalent professional secrecy provisions could be maintained under national law or rules established by national competent bodies.
(da) the data are processed for health, historical, statistical or scientific research purposes subject to the conditions and safeguards referred to in Articles 81 or 83 as appropriate, and the provision of such information proves impossible or would involve a disproportionate effort.
6. In the case referred to in point (b) of paragraph 5, the controller shall provide appropriate measures to protect the data subject's legitimate interests.
7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria for categories of recipients referred to in point (f) of paragraph 1, the requirements for the notice of potential access referred to in point (g) of paragraph 1, the criteria for the further information necessary referred to in point (h) of paragraph 1 for specific sectors and situations, and the conditions and appropriate safeguards for the exceptions laid down in point (b) of paragraph 5. In doing so, the Commission shall take the appropriate measures for micro, small and medium-sized enterprises.
8. The Commission may lay down standard forms for providing the information referred to in paragraphs 1 to 3, taking into account the specific characteristics and needs of various sectors and data processing situations where necessary. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
1. The 1. Subject to Article 12(4), the data subject shall have the right to obtain from the controller at any time, on request, confirmation as to whether or not personal data relating to the data subject are being processed. Where such personal data are being processed, the controller shall provide the following information:the following information from the controller:
1a. Where a data controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, he is not obliged to comply with the request unless: (a) the other individual has consented to the disclosure of the information to the person making the request; or (b) it is reasonable in all the circumstances to comply with the request without the consent of the other individual.
1b. In paragraph (1) the reference to information relating to another individual includes a reference to information identifying that individual as the source of the information sought by the request; and that paragraph is not to be construed as excusing a data controller from communicating so much of the information sought by the request as can be communicated without disclosing the identity of the other individual concerned, whether by the omission of names or other identifying particulars or otherwise. In determining for the purposes of this paragraph whether it is reasonable in all the circumstances to comply with the request without the consent of the other individual concerned, regard shall be had, in particular, to: (a) any duty of confidentiality owed to the other individual; (b) any steps taken by the data controller with a view to seeking the consent of the other individual; (c) whether the other individual is capable of giving consent; and (d) any express refusal of consent by the other individual.
  Comment: Consequences unclear.
(d) the period for which the personal data will be stored;
(h) the significance and envisaged consequences of such processing, at least in the case of measures referred to in Article 20.(h) where the processing by automatic means of personal data of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct, has constituted or is likely to constitute the sole basis for any decision significantly affecting him, to be informed by the data controller of the logic involved in that decision-taking.
2a. There shall be no right of access in accordance with paragraphs 1 and 2 when data within the meaning of Article 14(5)(da) are concerned, except if the data subject is empowered to lift the secrecy in question and acts accordingly.
2b. In complying with requests under this Article, data controllers shall take account of any relevant guidance.
  Comment: Intention unclear.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the communication to the data subject of the content of the personal data referred to in point (g) of paragraph 1.
4. The Commission may specify standard forms and procedures for requesting and granting access to the information referred to in paragraph 1, including for verification of the identity of the data subject and communicating the personal data to the data subject, taking into account the specific features and necessities of various sectors and data processing situations. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
1. The data subject shall have the right to obtain , as appropriate, from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which are made available by the data subject while he or she was a child, where one of the following grounds applies:
(d) the processing of the data does not comply with this Regulation for other reasons.
2. Where the controller referred to in paragraph 1 has made the personal data public, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication.
(b) for reasons of public interest in the area of public health in health purposes in accordance with Article 81;
(ba) for maintaining medical records for prevention, medical diagnosis, treatment, palliative care, clinical trials, patient registries, and other health research and medical innovation purposes;
(d) for compliance with a or to avoid a breach of a legal obligation to retain the personal data by Union or Member State law to which the controller is subject; Member State laws shall meet an objective of public interest, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued;
(b) the controller no longer needs the personal data for the accomplishment of its task but they have to be maintained for purposes of proof;the purpose of defending legal claims;
(c) other public interests of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters and the protection of market stability and integrity;
(fa) legal professional privilege and lawyer-client confidentiality.
1. Each controller and processor and, if any, the controller's representative, shall maintain documentation of all processing operations under its responsibility. 2. The documentation shall contain at least the following information: (a) the name and contact details of the controller, or any joint controller or processor, and of the representative, if any; (b) the name and contact details of the data protection officer, if any; (c) the purposes of the processing, including the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1); (d) a description of categories of data subjects and of the categories of personal data relating to them; (e) the recipients or categories of recipients of the personal data, including the controllers to whom personal data are disclosed for the legitimate interest pursued by them; (f) where applicable, transfers of data to a third country or an international organisation, including the identification of that third country or international organisation and, in case of transfers referred to in point (h) of Article 44(1), the documentation of appropriate safeguards; (g) a general indication of the time limits for erasure of the different categories of data; (h) the description of the mechanisms referred to in Article 22(3). 3. The controller and the processor and, if any, the controller's representative, shall make the documentation available, on request, to the supervisory authority. 4. The obligations referred to in paragraphs 1 and 2 shall not apply to the following controllers and processors: (a) a natural person processing personal data without a commercial interest; or (b) an enterprise or an organisation employing fewer than 250 persons that is processing personal data only as an activity ancillary to its main activities. 5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the documentation referred to in paragraph 1, to take account of in particular the responsibilities of the controller and the processor and, if any, the controller's representative. 6. The Commission may lay down standard forms for the documentation referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
Documentation deleted
1. The controller 1. Having regard to the state of technological development and the processor shall cost of implementation, the controller must implement appropriate technical and organisational measures to ensure a level of security appropriate in relation to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation.processing personal data that is appropriate to: (a) the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage as mentioned in Article 5(1)(ea), and (b) the nature and scope of the data to be processed.
2. The controller and the processor shall, following an evaluation of the risks, take the measures referred to in paragraph 1 to protect personal data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorised disclosure, dissemination or access, or alteration of personal data.2. In complying with the principle as set out at Article 5(1)(ea), a controller must consider any relevant guidance drawn up by the supervisory authority under Article 38.
  Comment: Intention unclear.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the technical and organisational measures referred to in paragraphs 1 and 2, including the determinations of what constitutes the state of the art, for specific sectors and in specific data processing situations, in particular taking account of developments in technology and solutions for privacy by design and data protection by default, unless paragraph 4 applies.
4. The Commission may adopt, where necessary, implementing acts for specifying the requirements laid down in paragraphs 1 and 2 to various situations, in particular to: (a) prevent any unauthorised access to personal data; (b) prevent any unauthorised disclosure, reading, copying, modification, erasure or removal of personal data; (c) ensure the verification of the lawfulness of processing operations. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours where there is a significant risk that the personal data breach will adversely affect the rights and freedoms of data subjects, the controller shall without undue delay after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.
2a. In making the risk assessment, the controller should be required to have regard to factors including the nature of the data; whether the breach appears to be likely to cause substantial damage or substantial distress to the data subject or is otherwise likely to significantly prejudice the rights and freedoms of the data subject and the degree to which those risks are mitigated by the security measures which the controller has taken pursuant to Article 30.
3. The notification referred to in paragraph 1 must at least: (a) describe the nature of the personal data breach including the categories and number of data subjects concerned and the categories and number of data records concerned; (b) communicate the identity and contact details of the data protection officer or other contact point where more information can be obtained; (c) recommend measures to mitigate the possible adverse effects of the personal data breach; (d) describe the consequences of the personal data breach; (e) describe the measures proposed or taken by the controller to address the personal data breach.
3a. The national supervisory authority should provide guidance under Article 38 on the particular circumstances in which notification to the supervisory authority should take place. Furthermore, the level of detail and the specific information required when a controller notifies the supervisory authority of the data breach should be contained in guidance.
4. The controller shall document any personal data breaches, comprising the facts surrounding the breach, its effects and the remedial action taken. This documentation must enable the supervisory authority to verify compliance with this Article. The documentation shall only include the information necessary for that purpose.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for establishing the data breach referred to in paragraphs 1 and 2 and for the particular circumstances in which a controller and a processor is required to notify the personal data breach.
6. The Commission may lay down the standard format of such notification to the supervisory authority, the procedures applicable to the notification requirement and the form and the modalities for the documentation referred to in paragraph 4, including the time limits for erasure of the information contained therein. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
1. Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller or the processor acting on the controller's behalf shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment shall be sufficient to address a set of processing operations that present similar risks.
1a. Such a requirement shall not apply to: (a) micro, small and medium-sized enterprises that process data only as an activity ancillary to their main activities; (b) all micro, small and medium-sized enterprises for the first three years after the enterprise was founded.
(c) automated monitoring publicly accessible areas, especially when using optic-electronic devices (video surveillance) on a large scale;
2a. The supervisory authority shall establish and make public a list of the kind of processing for which a data protection impact assessment would be recommended. The supervisory authority shall communicate those lists to the European Data Protection Board.
3. The assessment shall contain at least a general description of the envisaged processing operations, an assessment assess the likelihood of the risks to the processing operation giving rise to harm to the fundamental rights and freedoms of data subjects, the measures envisaged to address the risks, safeguards, or any other person, and the seriousness of any such harm, and explain the measures the controller intends to take to mitigate the chance of that harm or its seriousness, including the security measures and mechanisms to ensure the other safeguards and mechanisms the controller intends to put in place to ensure protection of personal data and to demonstrate compliance in accordance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.
4. The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations.
6. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the processing operations likely to present specific risks referred to in paragraphs 1 and 2 and the requirements for the assessment referred to in paragraph 3, including conditions for scalability, verification and auditability. In doing so, the Commission shall consider specific measures for micro, small and medium-sized enterprises.
7. The Commission may specify standards and procedures for carrying out and verifying and auditing the assessment referred to in paragraph 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
1. The controller or the processor as the case may be shall obtain an authorisation from the supervisory authority prior to the processing of personal data, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where a controller or processor adopts contractual clauses as provided for in point (d) of Article 42(2) or does not provide for the appropriate safeguards in a legally binding instrument as referred to in Article 42(5) for the transfer of personal data to a third country or an international organisation.
1. Where an impact assessment has been undertaken in accordance with Article 33, the controller must consult the supervisory authority prior to the processing of personal data in accordance with this Article if, despite the measures envisaged in the impact assessment to ensure protection of personal data, the controller considers that it is likely that the intended processing would result in serious harm to fundamental rights and freedoms of data subjects.
1a. In making that assessment, the controller must have regard to factors including: the nature, scope and purposes of the intended processing; the measures envisaged in the impact assessment to address those risks; the state of the art and the costs of implementation.
3. Where the supervisory authority is of the opinion that the intended processing referred to in paragraph 2 would not comply with this Regulation, in particular where risks are insufficiently identified or mitigated, it shall within a maximum period of 6 weeks following the request for consultation make appropriate recommendations to the data controller. This period may be extended for a further month, taking into account the complexity of the intended processing. Where the extended period applies, the controller or processor shall be informed within one month of receipt of the request of the reasons for the delay.
4. The supervisory authority shall establish and make public a list of the processing operations for which prior consultation would be recommended pursuant to point (b) of paragraph 2. The supervisory authority shall communicate those lists to the European Data Protection Board.
5. Where the list provided for in paragraph 4 involves processing activities which are related to the offering of goods or services to data subjects in several Member States, or to the monitoring of their behaviour, or may substantially affect the free movement of personal data within the Union, the European Data Protection Board shall produce guidance to ensure consistent application, taking into account the specific circumstances of Member States.
1. The controller and the processor shall consider whether to designate a data protection officer in any case where:
1a. In considering whether to appoint a data protection officer, a controller or processor must have regard to factors including the nature, scope and purposes of the processing, the risks for the fundamental rights and freedoms of data subjects that may arise from it, the other measures it proposes to take in order to comply with this Regulation and cost-effectiveness.
1b. Member States may provide in national law for controllers or processors to be required to appoint a data protection officer for the purposes of this Regulation. In doing so, Member States must at least consider the factors referred to in paragraph 1a. Any such measures shall be notified to the European Commission.
3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.
5. The controller or processor shall designate the data protection officer on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil the tasks referred to in Article 37. The necessary level of expert knowledge shall be determined in particular according to the data processing carried out and the protection required for the personal data processed by the controller or the processor.
6. The controller or the processor shall ensure that any other professional duties of the data protection officer are compatible with the person's tasks and duties as data protection officer and do not result in a conflict of interests.
7. The controller or the processor shall designate a data protection officer for a period of at least two years. The data protection officer may be reappointed for further terms. During their term of office, the data protection officer may only be dismissed, if the data protection officer no longer fulfils the conditions required for the performance of their duties.
11. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the core activities of the controller or the processor referred to in point (c) of paragraph 1 and the criteria for the professional qualities of the data protection officer referred to in paragraph 5.
2. The controller or processor shall ensure that the data protection officer performs the duties and tasks independently and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the management of the controller or the processor.
Tasks of the data protection officer 1. The controller or the processor shall entrust the data protection officer at least with the following tasks: (a) to inform and advise the controller or the processor of their obligations pursuant to this Regulation and to document this activity and the responses received; (b) to monitor the implementation and application of the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, the training of staff involved in the processing operations, and the related audits; (c) to monitor the implementation and application of this Regulation, in particular as to the requirements related to data protection by design, data protection by default and data security and to the information of data subjects and their requests in exercising their rights under this Regulation; (d) to ensure that the documentation referred to in Article 28 is maintained; (e) to monitor the documentation, notification and communication of personal data breaches pursuant to Articles 31 and 32; (f) to monitor the performance of the data protection impact assessment by the controller or processor and the application for prior authorisation or prior consultation, if required pursuant to Articles 33 and 34; (g) to monitor the response to requests from the supervisory authority, and, within the sphere of the data protection officer's competence, co-operating with the supervisory authority at the latter's request or on the data protection officer's own initiative; (h) to act as the contact point for the supervisory authority on issues related to the processing and consult with the supervisory authority, if appropriate, on his/her own initiative. 2. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for tasks, certification, status, powers and resources of the data protection officer referred to in paragraph 1.
Article 37 deleted
2. Associations and other bodies representing categories of controllers or processors in one Member State which intend to draw up codes of conduct or to amend or extend existing codes of conduct may submit them to an opinion of the supervisory authority in that Member State. The supervisory authority may give an opinion whether processing under the code is in compliance with this Regulation. The supervisory authority shall seek the views of data subjects or their representatives on these drafts.
1. The Member States, professional bodies and the Commission shall encourage, in particular at European level, the establishment of data protection certification mechanisms and of data protection seals and marks, allowing data subjects to quickly assess the level of data protection provided by controllers and processors. The data protection certification mechanisms shall contribute to the proper application of this Regulation, taking account of the specific features of the various sectors and different processing operations.
2. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the data protection certification mechanisms referred to in paragraph 1, including conditions for granting and withdrawal, and requirements for recognition within the Union and in third countries.
3. The Commission may lay down technical standards for certification mechanisms and data protection seals and marks and mechanisms to promote and recognize certification mechanisms and data protection seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).
Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation may only take place if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation, without prejudice to decisions adopted by the Commission on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC or authorisations by a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC.
(c) the international commitments the third country or international organisation in question has entered into, in particular any legally binding conventions or instruments under human rights law or international law.
4a. The Commission shall adopt and make public binding procedures for reaching decisions concerning the adequacy of protection, which shall contain at least the following information: (a) the procedures by which a third country, territory, a processing sector within that third country (which can be represented by an association or group of data controllers or data processors), or an international or regional organisation may request that an adequacy decision be issued; (b) the steps of the decision-making procedure, including time limits within which each step must be completed; (c) the rights of the party or parties that have requested an adequacy decision to present their case in the various steps of the procedure; (d) how interested parties (including individuals, consumer organisations, academic experts, government entities, data controllers and processors, and others) may express their opinion concerning the proposed decision. The Commission shall either approve or refuse an application for a decision regarding the adequacy of protection within one year of its submission.
(db) the measures referred to in Article 81 for health purposes or Article 83 for historical, statistical or scientific research purposes.
4. Where the relevant safeguards are provided for on the basis of contractual clauses as referred to in point (d) of paragraph 2 of this Article, the controller or processor shall ensure compliance of the intended processing with this Regulation and mitigate any risks involved for the data subject. The supervisory authority shall support the compliance of the Regulation by providing guidance and advice under this provision. If the processing concerns data subjects in another Member State or other Member States, or substantially affects the free movement of personal data within the Union, the EDPB shall provide guidance to ensure consistent application of the Regulation, taking into account the specific circumstances of individual Member States.
5. Where the appropriate safeguards with respect to the protection of personal data are not provided for in a legally binding instrument, for example in a memorandum of understanding, the controller shall ensure compliance of the intended processing with this Regulation and mitigate any risks involved for the data subject. The supervisory authority shall support the compliance of the Regulation by providing guidance and advice under this provision. If the processing concerns data subjects in another Member State or other Member States, or substantially affects the free movement of personal data within the Union, the EDPB shall provide guidance to ensure consistent application of the Regulation, taking into account the specific circumstances of individual Member States. Authorisations by a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid, until amended, replaced or repealed by that supervisory authority.
1. Where appropriate safeguards are provided through binding corporate rules, data controllers shall ensure compliance with the Regulation by providing that BCRs: (a) are legally binding and apply to and are enforced by every member within the controller's or processor's group of undertakings, and include their employees; (b) expressly confer enforceable rights on data subjects; (c) fulfil the requirements laid down in paragraph 2. The supervisory authority shall support the compliance of this Regulation by providing guidance and advice under this provision.
(h) the processing is necessary for the purposes of the legitimate interests pursued by the controller or the processor, which cannot be qualified as frequent or massive, and where the controller or processor has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and based on this assessment has adduced appropriate safeguards with respect to the protection of personal data, where necessary.
(ha) the personal data has been anonymised;
(hb) the personal data has been pseudonymised, and the key and the data are kept separately, and contractual clauses forbid the controller to access the key.
3. The supervisory authority shall not be competent to supervise processing operations: (a) by a judge; or (b) by a person acting on the instructions or on behalf of a judge; or (c) for the purpose of exercising judicial functions including functions of appointment, discipline, administration or leadership of judges.
(ja) provide micro, small and medium-sized enterprise processors and controllers with a comprehensive list of their responsibilities and obligations in accordance with this Regulation.
Article 60 Suspension of a draft measure 1. Within one month after the communication referred to in Article 59(4), and where the Commission has serious doubts as to whether the draft measure would ensure the correct application of this Regulation or would otherwise result in its inconsistent application, the Commission may adopt a reasoned decision requiring the supervisory authority to suspend the adoption of the draft measure, taking into account the opinion issued by the European Data Protection Board pursuant to Article 58(7) or Article 61(2), where it appears necessary in order to: (a) reconcile the diverging positions of the supervisory authority and the European Data Protection Board, if this still appears to be possible; or (b) adopt a measure pursuant to point (a) of Article 62(1). 2. The Commission shall specify the duration of the suspension which shall not exceed 12 months. 3. During the period referred to in paragraph 2, the supervisory authority may not adopt the draft measure.
1. Each supervisory authority shall be empowered to impose administrative sanctions in accordance with this Article. The administrative sanctions available to supervisory authorities must include at least financial penalties and other administrative sanctions such as warnings and recommendations for remedial action, including in relation to technical and organisational measures.
2. An administrative sanction shall be in every individual case effective, proportionate and dissuasive. In deciding on the nature, scope and seriousness of the administrative sanction to apply, the supervisory authority shall have regard to all the circumstances and, in particular: (a) the nature, gravity and duration of the breach; (b) whether the breach was deliberate; (c) whether reasonable steps were taken to prevent it; (d) whether the breach did or is likely to cause substantial harm or substantial prejudice to the fundamental rights and freedoms of a data subject, or substantial distress to a data subject; (e) any steps taken to mitigate the consequences of a breach, including the degree of cooperation with the supervisory authority in order to remedy the breach or its consequences; (f) any previous breaches.
3. In case of a first and non-intentional non-compliance with this Regulation, a warning in writing may be given and no sanction imposed, where: (a) a natural person is processing personal data without a commercial interest; or (b) an enterprise or an organisation employing fewer than 250 persons is processing personal data only as an activity ancillary to its main activities.
3a. A supervisory authority may, in particular, decide that it is appropriate to apply a sanction other than a financial penalty if the nature, scope or purposes of the processing activities are such that the activity is unlikely to represent risks for the fundamental rights of a data subject.
4. The supervisory authority may impose a fine up to 250 000 EUR, or in case of an enterprise up to 0,5 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
5. The supervisory authority may impose a fine up to 500 000 EUR, or in case of an enterprise up to 1 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
6. The supervisory authority may impose a fine up to 1 000 000 EUR or, in case of an enterprise up to 2 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
1. Member States shall provide for exemptions or derogations from the provisions on the general principles in Chapter II, the rights of the data subject in Chapter III, on controller and processor in Chapter IV, on the transfer of personal data to third countries and international organisations in Chapter V, the independent supervisory authorities in Chapter VI and on co-operation and consistency in Chapter VII and the provisions regarding processing concerning health and processing for historical, statistical and scientific research purposes in this chapter whenever this is necessary for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression in order to reconcile the right to the protection of personal data with the rules governing freedom of expression.
1a. The European Data Protection Board shall issue guidance on when exemptions or derogations in accordance with paragraph 1 may be necessary, after consultation with representatives of the press, authors and artists, data subjects and civil society organisations.
(c) other reasons of public interest in areas such as social protection, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system and the provision of health services.
2. Without prejudice to any exemptions or derogations made under Article 80, processing of personal data concerning health which is necessary for historical, statistical or scientific research purposes, such as patient registries set up for improving diagnoses and differentiating between similar types of diseases and preparing studies for therapies, is subject to the conditions and safeguards referred to in Article 83.
Comment: Intention unclear.
2a. Where the data subject is required to give consent for the processing of personal data relating to health, the option of broad consent should be available. Member States may in any case provide for exceptions to the requirement of consent for the use of personal data for research, as referred to in paragraph 2, with regard to research that serves a high public interest. Such exemptions for processing shall be subject to a requirement that it be carried out if reasonable using anonymised or pseudonymised data. Data must be anonymised or pseudonymised under the highest technical standards and all necessary measures shall be taken to prevent re-identification of the data subjects.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying other reasons of public interest in the area of public health as referred to in point (b) of paragraph 1, as well as criteria and requirements for the safeguards for the processing of personal data for the purposes referred to in paragraph 1.
3a. A controller or processor may transfer personal data to a third country or an international organisation for health purposes if: (a) these purposes cannot reasonably be fulfilled by processing data which does not permit or not any longer permit the identification of the data subject; (b) the recipient does not reasonably have access to data enabling the attribution of information to an identified or identifiable data subject; and (c) contractual clauses between the controller or processor and the recipient of the data prohibit re-identification of the data subject and limit processing in accordance with the conditions and safeguards laid down in this Article.
3b. Within the limits of this Regulation, personal data may be processed for the purposes of a manufacturer's regulatory pre- and post-marketing obligations with respect to clinical evaluation of medical devices.
(b) data enabling the attribution of information to an identified or identifiable data subject is kept separately from the other information as long as these purposes can be fulfilled in this manner.
1a. Further processing of data for historical, statistical or scientific research purposes shall not be considered as incompatible with Article 5(1)(b) provided that the processing: (a) is subject to the conditions and safeguards of this Article; and (b) complies with all other relevant legislation.
(a) these purposes cannot reasonably be achieved by processing data which does not permit or not any longer permit the identification of the data subject; and
2a. Where the data subject is required to give his/her consent under this article, the option of broad consent should be available.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the processing of personal data for the purposes referred to in paragraph 1 and 2 as well as any necessary limitations on the rights of information to and access by the data subject and detailing the conditions and safeguards for the rights of the data subject under these circumstances.
3a. A controller or processor may transfer personal data to a third country or an international organisation for historical, statistical or scientific research purposes if: (a) these purposes cannot reasonably be fulfilled by processing data which does not permit or not any longer permit the identification of the data subject; (b) the recipient does not reasonably have access to data enabling the attribution of information to an identified or identifiable data subject; and (c) contractual clauses between the controller or processor and the recipient of the data prohibit re-identification of the data subject and limit processing in accordance with the conditions and safeguards laid down in this Article.
3b. The provisions in this Article are without prejudice to exemptions or derogations which Member States should provide for under Article 80 in order to reconcile the right to the protection of personal data with the rules governing freedom of expression including as these relate to freedom of academic inquiry.
Article 83a Processing of criminal convictions data for the purpose of the prevention of financial crime Within the limits of this Regulation and in accordance with Article 9(2)(j), processing of personal data concerning criminal convictions or related security measures shall be permitted if it provides for appropriate measures to protect the data subject's fundamental rights and freedoms and is for: (a) the purposes of the prevention, investigation or detection of financial crime; or (b) reasons of public interest such as protecting against cross-border threats of financial crime, and in either case, must necessarily be carried out without the consent of the data subject being sought so as not to prejudice those purposes.