Belgium ALDE

Louis Michel

Country: Belgium
Group: Alliance of Liberals and Democrats for Europe (ALDE)
Party: Mouvement Réformateur (MR)

Member of Civil Liberties, Justice and Home Affairs
Substitute of Development

Overview Louis Michel

Amendments: 229
...stronger: 22
...weaker: 158
...neutral: 49

Amendments by Louis Michel

(12) The protection afforded by this Regulation concerns natural persons, whatever their nationality or place of residence, in relation to the processing of personal data. With regard to the processing of data which concern legal persons and in particular undertakings established as legal personsundertakings, including the name and the form of the legal person and the contact details of the legal person, the protection of this Regulation should not be claimed by any person. This should also apply where the name of the legal person contains the names of one or more natural persons.
(21a) In order to determine whether a processing activity can be considered as relating to ‘the offering of goods or services’, it should be ascertained that the offer is clearly addressed and not only made accessible to data subjects in the Union. The possibilities of delivery in the EU, the language used as well as the domain name used may be taken into account. The notion should apply irrespective of whether a payment of the data subject is required.
(22a) The law of a Member State includes collective agreements in the labour market. A collective agreement in the labour market is an agreement between one or more representative employee organisation(s) and one or more representative employers organisation(s) or one or more employer(s). Such an agreement defines the collective and individual relationships (e.g. working conditions and salary) between employers and employees of all enterprises or of the enterprises of a specific sector of industry. It also fixes the rights and obligations of the parties to the agreement. A collective agreement in the labour market adds elements to employment law that are not foreseen by the employment act (Code de travail) or adapts general clauses of this employment act to the specific situation of the sector of industry involved. The collective agreement thus applies to every employee or to every employee of the sector of industry involved.
(23) The principles of protection should apply to any only to information concerning an identified or identifiable natural person. To determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the individual. A natural person should not be considered identifiable if identification requires a disproportionate amount of time, effort or material resources or if the controller has put in place the measures to prevent the information from fully identifying the natural person. The principles of data protection should not therefore apply to data where the data subject is not yet identifiable or data which is rendered anonymous in such a way that the data subject is no longer identifiable.not identifiable.
(24) When using online services, individuals may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses, internet ports or cookie identifiers. This may leave traces which, combined with unique identifiers and other information received by the servers, may be used to create profiles of the individuals and identify them. It follows that identification numbers, location data, online identifiers serial numbers of products, IP addresses, internet ports, International Mobile Equipment Identity codes of mobile telephones or other specific factorssuch identifiers as such need not necessarily be considered as personal data in all circumstances.
(25) Consent should be given explicitly by any appropriate method enabling a freely given specific and informed indication of the data subject’s wisheswill, either by a statement or by a clear affirmative an action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by using appropriate settings or by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data. Silence or inactivity should therefore not constitute consent. Consent should cover covers all processing activities carried out for the same purpose or purposes. If the data subject’s consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
(26) Personal data relating to health should include in particular all data directly pertaining to the health status of a data subject; information about the registration of the individual for the provision of health services; information about payments or eligibility for healthcare with respect to the individual; a number, symbol or particular assigned to an individual to uniquely identify the individual for health purposes; any information about the individual collected in the course of the provision of health services to the individual; information derived from the testing or examination of a body part or bodily substance, including biological samples; identification of a person as provider of healthcare to the individual; or any information on e.g. a disease, disability, disease risk, medical history, clinical treatment, or the or the actual physiological or biomedical state of the data subject independent of its source, such as e.g. from a physician or other health professional, a hospital, a medical device, or an in vitro diagnostic test.
(33) In order to ensure free consent, it should be clarified that consent does not provide a valid legal ground where the individual has no genuine and free choice and is subsequently not able to refuse or withdraw consent without detriment. that has no legitimate reason. When personal data, which are processed on the basis of a data subject’s consent are necessary for the provision of a service or other benefit for the data subject, the withdrawal of the consent should constitute a ground for the termination or the non-execution of a contract by the service provider.
(34) Consent should not provide a valid legal ground for the processing of personal data, where there is a clear imbalance between the data subject and the controller. This is especially the case where the data subject is in a situation of dependence from the controller, among others, where personal . There is no imbalance when the data are processed by the employer of employees’ personal data in the employment contextin the context of employment or risk protection. Where the controller is a public authority, there would be an imbalance only in the specific data processing operations where the public authority can impose an obligation by virtue of its relevant public powers and the consent cannot be deemed as freely given, taking into account the interest of the data subject.
(41) Personal data which are, by their nature, particularly sensitive and vulnerable in relation to fundamental rights or privacy, deserve specific protection. Such data should not be processed, unless the data subject gives his explicit consent. However, derogations from this prohibition Nevertheless, when processing personal data, account should be taken of the context in which the processing takes place. This means in particular that in order to fall under the scope of the prohibition, the processing of personal data concerning health should be explicitly provided for in respect of specific needs, in particular where intended to reveal information concerning health. In this regard, all explicit and implicit purposes of the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.should be taken into account. It should suffice that one of the purposes of the processing consists of retrieving information concerning health for the prohibition to process the data to apply.
(42) Such data should not be processed, unless the data subject gives his explicit consent. However, derogations from this prohibition should be explicitly provided for in respect of specific needs, in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedom. Derogating from the prohibition on processing sensitive categories of data should also be allowed if done by a law, and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where grounds of public interest so justify and in particular for health purposes, including public health and , such as protection against serious transborder health threats or in order to ensure high quality and security standards including for medication or medical tools, and social protection and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for historical, statistical and scientific research purposes.
(48) The principles of fair and transparent processing require that the data subject should be informed in particular of the existence of the processing operation and its purposes, how long the data will be stored, on the existence of the right of access, rectification or erasure and on the right to lodge a complaint. Where The level of detail of the information relating to the period for which the personal data will be stored may vary depending on the particular circumstances. Where it is possible, it may be expressed with a particular timing but otherwise, a reference to a term, such as prescription rules, will be enough. here the data are collected from the data subject, the data subject should also be informed whether they are obliged to provide the data and of the consequences, in cases they do not provide such data.
(51) Any person should have the right of access to personal data which has been collected concerning them, and to exercise this right easily, in order to be aware and verify the lawfulness of the processing. Every data subject should therefore have the right to know and obtain communication in particular for what purposes the personal data are processed, for what period, which recipients receive the personal data, what is the logic of the personal data that are undergoing the processing and what might be, at least when based on profiling, the consequences of such processing. This right should not adversely affect the rights and freedoms of others, including, for example, trade secrets such as algorithms used, protection of network and information security or intellectual property and in particular the copyright protecting the software. However, the result of these considerations should not be that all information is refused to the data subject.
(55) To further strengthen the control over their own data and their right of access, data subjects should have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain a copy of the data concerning them also in commonly used electronic format. The data subject should also be allowed to transmit those data, which they have provided, from one automated application, such as a social network, into another one. This should apply where the data subject provided the data to the automated processing system, based on their consent or in the performance of a contract.
(58) Every natural person should have the right not to be subject to a measure which is based on profiling by means of automated processing. However, such measure and which produces legal effects concerning that natural person or significantly affects that natural person. Actual effects should be comparable in their intensity to legal effects to fall under this provision. This is not the case for measures relating to commercial communication, like for example in the field of customer relationship management or customer acquisition. However, a measure based on profiling by automated data processing and which produces legal effects concerning a natural person or significantly affects a natural person should be allowed when expressly authorised by law, carried out in the course of entering or performance of a contract, or when the data subject has given his consent. In any case, such processing should be subject to suitable safeguards, including specific information of the data subject and the right to obtain human intervention and that such measure should not concern a child.
(62) The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processor, also in relation to the monitoring by and measures of supervisory authorities, requires a clear attribution of the responsibilities under this Regulation, including where a controller determines the purposes, conditions and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller.
(65) In order to demonstrate compliance with this Regulation, the controller or processor should document each processing operationshould maintain a description of processing operations under its responsibility. Each controller and processor should be obliged to co-operate with the supervisory authority and make this documentation, on request, available to it, so that it might serve for monitoring those processing operations.
(74) Where a data protection impact assessment indicates that processing operations involve a high degree of specific risks to the rights and freedoms of data subjects, such as excluding individuals from their right, or by the use of specific new technologies, the supervisory authority should be consulted, prior to the start of operations, on a risky processing which might not be in compliance with this Regulation, and to make proposals to remedy such situation. Such consultation should equally take place in the course of the preparation either of a measure by the national parliament or of a measure based on such legislative measure which defines the nature of the processing and lays down appropriate safeguards.
(87) These derogations should in particular apply to data transfers required and necessary for the protection of important grounds of public interest, for example in cases of international data transfers between competition authorities, tax or customs administrations, financial supervisory authorities, between services competent for social security matters, between bodies responsible for fighting against match-fixing and fraud in sport, or to competent authorities for the prevention, investigation, detection and prosecution of criminal offences.
(124a) The regulation shall be applied in the respect of sport specificity as recognized by Article 165 TFEU, taking into account that due to its societal role sport serves public interests.
(ea) by sport organisations for the purposes of prevention, detection and investigation of any violations of sports integrity linked with match fixing and doping;
(1) ‘data subject’ means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;. A natural person shall not be considered identifiable if identification requires a disproportionate amount of time, effort or material resources;
(2) ‘personal data’ means any information relating to a data subject; where this information is identifiable as concerning the data subject; information which does not allow for identification of a data subject and information which would not allow for such identification without a disproportionate amount of time, effort or material resources shall not be considered as personal data;
(5) ‘controller’ means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes, conditions and means of the processing of personal data; where the purposes, conditions and means of processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by Union law or by Member State law;
(8) ‘the data subject’s consent’ means any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action and informed expression of will, either by a statement, an action or a specific conduct, which, in view of the context and circumstances at the time consent is required, signifies the data subject’s agreement to personal data relating to them being processed;the processing of the personal data;
(9) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed; when such personal data has not been rendered unintelligible to any person who is not authorized to access it and where such a breach causes or is likely to cause a significant adverse effect on the privacy of the data subject;
(12) ‘data concerning health’ means any information which directly relates to the physical or mental health of an individual, or to the provision of health services to the individual;
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;, where the purpose of further processing is not compatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in Article 6(1)(a) to (f), as well as respect all other dispositions of this Regulation;
(c) adequate, relevant, and limited to the minimum necessary not excessive in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for historical, statistical or scientific research purposes in accordance with the rules and conditions of Article 83 and if a periodic review is carried out to assess the necessity to continue the storage; and technical and organizational measures are put in place to limit access to the data only for the purposes of historical, statistical and scientific research;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;or the group of undertakings of which the controller is a member or any other member thereof is subject;
(f) processing is necessary for the purposes of the legitimate interests pursued by a controller or controllers or by a third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
(fa) processing is necessary in order to ensure availability, reliability, confidentiality and security of the information and communications systems, in particular where this is necessary to discharge the controller's obligations under law, contract or under internal policies, aimed at complying with such obligations;
(fb) processing is necessary for the establishment, exercise or defence of legal claims;
  Comment: Is usually embraced as a "legitimate interest".
2. Processing of personal data which is necessary for the purposes of historical, statistical or scientific research shall be lawful subject to the conditions and safeguards referred to in Article 83.
4. Where the purpose of further processing is not compatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the conditions referred to in point (f) of paragraph 1 for various sectors and data processing situations, including as regards the processing of personal data related to a child.
2. If the data subject's consent is to be given in the context of a written declaration which also concerns another matter, the requirement to give consent must be presented distinguishable in its appearance from this other matter.
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. nor shall it affect the lawfulness of processing of data based on other grounds referred to in Article 6(1).
4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller. There shall be no significant imbalance when the data are processed in the context of employment or contracts protecting against risk.
1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures and the processing of personal data intended to reveal information concerning health shall be prohibited.
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association, organisations active in the labour market or any other non-profit-seeking body with a political, philosophical, religious, sporting or trade-union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed outside that body without the consent of the data subjects; or
(g) processing is necessary for the performance of a task carried out in the public interest, on the basis of Union law, or Member State law which shall provide for suitable measures to safeguard the data subject's legitimate interests; or
(h) processing of data personal data intended to reveal information concerning health is necessary for health purposes and purposes of preventative or occupational medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, where those data are processed by a health professional subject to the conditions and safeguards referred to in Article 81obligation of professional secrecy or another person also subject to an equivalent obligation of confidentiality under Member State law or rules established by national competent bodies; or
(j) processing of personal data relating to offences, criminal convictions or related security measures is carried out either under the control of official authority or when the processing is necessary for compliance with a legal or regulatory obligation to which a controller is subject, or for the performance of a task carried out for important public interest reasons, and in so far as authorised by Union law or Member State law providing for adequate safeguards. A complete register of criminal convictions shall be kept only under the control of official authority.
(ja) processing is necessary for the sole purpose of complying with or giving effect to equal opportunity rights of individuals or for the promotion of inclusion and diversity within the workforce of the controller or the group of undertakings of which the controller is a member.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria, conditions and appropriate safeguards for the processing of the special categories of personal data referred to in paragraph 1 and the exemptions laid down in paragraph 2.
If the data processed by a controller do not permit the controller, through means used by the controller, to identify a natural person, the controller shall not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation.
  Comment: Likely to be deployed when refusing the rights of data subjects.
1. The controller shall establish procedures for providing the information referred to in Article 14 and for the exercise of the rights of data subjects referred to in Article 13 and Articles 15 to 19. The controller shall provide in particular mechanisms for facilitating the request for the actions Where the data subject wishes to exercise the rights referred to in Article 13 and Articles 15 to 19. Where personal data are processed by automated means, - 19 he shall make a request to this effect to the controller shall also provide means for requests to be made electronically.by a personally signed or otherwise comparable verified document.
2. The controller shall inform the data subject without delay and, at the latest within one month of receipt of the request, excessive delay, whether or not any action has been taken pursuant to Article 13 and Articles 15 to 19 and shall provide the requested information. This period may be prolonged for a further month, if several data subjects exercise their rights and their cooperation is necessary to a reasonable extent to prevent an unnecessary and disproportionate effort on the part of the controller. The information shall be given in writing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject., electronic means included.
4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge. Where requests are manifestly excessive, in particular because of their repetitive character, except for the costs actually borne by the controller may charge a fee for providing the information or taking the action requested, or the controller may not take the action requested. In that caseto handle the requests. Where requests are vexatious or manifestly excessive, in particular because of their repetitive character, the controller shall bear the burden of proving the manifestly excessive character of the request.may refuse to take the action requested.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the manifestly excessive requests and the fees referred to in paragraph 4.
6. The Commission may lay down standard forms and specifying standard procedures for the communication referred to in paragraph 2, including the electronic format. In doing so, the Commission shall take the appropriate measures for micro, small and medium-sized enterprises. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
(a) the identity and the contact details of the controller and, if any, of the controller's representative and of the data protection officer; or, if significant, the identity and contact details of the group of undertakings and its data protection officer;
(b) the purposes of the processing for which the personal data are intended, including the contract terms and general conditions where the processing is based on point (b) of Article 6(1) and the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);
(c) the period for which the personal data will be stored;
(d) the existence of the right to request from the controller access to and rectification, to be forgotten or erasure of the personal data concerning the data subject or to object to the processing of such personal data; or to obtain data portability;
(f) where applicable, the recipients or categories of recipients of the personal data; outside the controller or the group of undertakings of which the controller is member;
(g) where applicable, that the controller intends to transfer to a third country or international organisation and on the level of protection afforded by that third country or international organisation by reference to an adequacy decision by the Commission;
(h) any further information necessary to guarantee fair processing in respect of the data subject, having regard to the specific circumstances in which the personal data are collected.
3. Where the personal data are not collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, from which categories of source the personal data originate., except where the data originate from a publicly available source or where the transfer is provided by law or the processing is used for purposes relating to the professional activities of the person concerned.
(b) where the personal data are not collected from the data subject, at the time of the recording or within a reasonable period after the collection, having regard to the specific circumstances in which the data are collected or otherwise processed, or, if a disclosure to another recipient is envisaged, and at the latest when the data are first disclosed., or, if the data shall be used for communication with the person concerned, at the latest at the time of the first communication to that person.
(a) the data subject has already or can be reasonably expected to know the information referred to in paragraphs 1, 2 and 3; or
(c) the data are not collected from the data subject and recordingobtaining or disclosure is expressly laid down by law to which the controller is subject, which provides appropriate measures to protect the data subject's legitimate interests, considering the risks represented by the processing and the nature of the personal data; or
(da) the information or part of the information referred to in Article 14(1) to (3) is likely to seriously impair the ensuring of network and information security. From the moment that the information is not anymore likely to seriously impair the achievement of network and information security, the data subject shall be informed without delay.
7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria for categories of recipients referred to in point (f) of paragraph 1, the requirements for the notice of potential access referred to in point (g) of paragraph 1, the criteria for the further information necessary referred to in point (h) of paragraph 1 for specific sectors and situations, and the conditions and appropriate safeguards for the exceptions laid down in point (b) of paragraph 5. In doing so, the Commission shall take the appropriate measures for micro, small and medium-sized enterprises.
8. The Commission may lay down standard forms for providing the information referred to in paragraphs 1 to 3, taking into account the specific characteristics and needs of various sectors and data processing situations where necessary. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
(h) the significance and envisaged consequences of such processing, at least in the case of measures referred to in Article 20.(h) in the case of decisions referred to in Article 20, knowledge of the logic involved in any automatic data processing, the significance and envisaged consequences of such processing.
2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the communication to the data subject of the content of the personal data referred to in point (g) of paragraph 1.
4. The Commission may specify standard forms and procedures for requesting and granting access to the information referred to in paragraph 1, including for verification of the identity of the data subject and communicating the personal data to the data subject, taking into account the specific features and necessities of various sectors and data processing situations. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
4a. The information or part of the information to be provided for in Article 15(1) and 15(2) does not have to be delivered when the delivery of information could seriously impair the securing, protecting and maintaining the resiliency of one or more information systems, unless these interests are overridden by the interest of fundamental rights and freedoms of the data subject. From the moment that the information is not anymore likely to seriously impair the achievement of the network and information security, the controller shall grant the data subject access to the information without delay.
The data subject shall have the right to obtain from the controller the rectification of personal data relating to them which are objectively inaccurate. The data subject shall have the right to obtain completion of incomplete personal data, including by way of supplementing a corrective statement, and the right to include a supplementing statement for rectification of data which, in the data subject's opinion, are inaccurate.
  Comment: Intention unclear.
The rights provided for in Article 16(1) do not apply when the data are processed for historical, statistical or scientific purposes and the rectification is likely to render impossible or seriously impair the achievement of the historical, statistical or scientific purposes.
1. The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which are made available by . There is no other legal ground for processing than the data subject while he or she was a child, where 's consent and one of the following grounds applies:
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or when the storage period consented to has expired, and where there is no other legal ground for the processing of the data;
(ba) when the storage period consented to has expired;
(c) the data subject objects has successfully objected to the processing of personal data pursuant to Article 19;
2. Where the controller referred to in paragraph 1 has made the personal data public, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication.
3. The controller shall carry out the erasure without undue delay, except to the extent that the retention of the personal data is necessary:
(d) for compliance with a legal obligation including the requirements of supervisory authorities to retain the personal data by Union or Member State law to which the controller is subject; Member State laws shall meet an objective of public interest, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued;
(a) their accuracy is contested by the data subject, for a period enabling the controller to verify the accuracy of the data;
(b) the controller no longer needs the personal data for the accomplishment of its task but they (b) data have to be maintained for purposes of proof;
  Comment: Intention unclear.
(d) the data subject requests to transmit the personal data into another automated processing system in accordance with Article 18(2).
7. The controller shall implement mechanisms to ensure that the time limits established for the erasure of personal data and/or for a periodic review of the need for the storage of the data are observed.
9. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying: (a) the criteria and requirements for the application of paragraph 1 for specific sectors and in specific data processing situations; (b) the conditions for deleting links, copies or replications of personal data from publicly available communication services as referred to in paragraph 2; (c) the criteria and conditions for restricting the processing of personal data referred to in paragraph 4.
1. The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject.
2. Where the data subject has provided the personal data and the processing is based on consent or on a contract, the data subject shall have the right to transmit those personal data and any other information provided by the data subject and retained by an automated processing system, into another one, in an electronic format which is commonly used, without hindrance from the controller from whom the personal data are withdrawn.
3. The Commission may specify the electronic format referred to in paragraph 1 and the technical standards, modalities and procedures for the transmission of personal data pursuant to paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
1. The data subject shall have the right to object, on compelling legitimate grounds relating to theirhis particular situation, at any time to the processing of personal data relating to him which is based on points (d), (e) and (f) of Article 6(1), unless the controller demonstrates compelling legitimate grounds for the processing which override the interests or fundamental rights and freedoms of the data subject.
2. Where personal data are processed or intended to be processed for direct marketing purposes, the data subject shall have at any time, without any further justification, the right to object free of charge to the processing of their personal data for such marketing. This right shall be explicitly offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information.
Measures based on profilingautomated processing
1. Every natural person shall have the right not to be subject to a measuredecision which produces legal effects concerning this natural person or significantly and significantly negatively affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour. or reliability.
2. Subject to the other provisions of this Regulation, a person may be subjected to a measuredecision of the kind referred to in paragraph 1 only if the processing:
(b) is expressly authorized by necessary to comply with a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests; or
(ca) is carried out for the purpose of monitoring and prevention of fraud; or
(cb) is carried out based on well-founded suspicion of committing a crime to the detriment of the controller; or
(cc) is carried out for the purpose of assessing risk and credit worthiness, assuring safety and reliability of services provided by a controller; or
(cd) is necessary to pursue controller's legitimate interest in accordance with Article 6(1)(ja); or
(ce) is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the personal data are disclosed; or
(cf) is necessary for the purposes of the legitimate interests of the controller or the third party or parties to whom the profiles or data are disclosed, except where such interests are overridden by the fundamental rights and freedoms of the data subjects; or
(cg) is necessary in the vital interests of the data subject.
4. In the cases referred to in paragraph 2, the information to be provided by the controller under Article 14 shall include information as to the existence of processing for a measuredecision of the kind referred to in paragraph 1 and the envisaged effects of such processing on the data subject.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for suitable measures to safeguard the data subject's legitimate interests referred to in paragraph 2.
2a. Articles 11 to 20 shall not apply where the processing of personal data is necessary to enable the controller to comply with other legal, regulatory and professional obligations especially in respect of prevention of money laundering and/or terrorist financing.
Where a controller determines the purposes, conditions and means of the processing of personal data jointly with others, the joint controllers shall determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the procedures and mechanisms for exercising the rights of the data subject, by means of an arrangement between them.
2. This obligation shall not apply to: (a) a controller established in a third country where the Commission has decided that the third country ensures an adequate level of protection in accordance with Article 41; or (b) an enterprise employing fewer than 250 persons; or (c) a public authority or body; or (d) a controller offering only occasionally goods or services to data subjects residing in the Union.
(c) take all required measures pursuant to Article 30;
(d) enlist (d) determine the conditions for enlisting another processor only with the , such as the need of specific or general prior permission of the controller;, or the need of written agreement imposing the same obligations on the subprocessor as are imposed on the processor under this regulation;
(e) insofar as this is possible given the nature of the processing, create in agreement with the controller the necessary technical and organisational requirements for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;
(f) assist the controller in ensuring compliance with the obligations pursuant to Articles 30 to 34;
(g) hand over all results to the controller after the end of the processing and not process the personal data otherwise;
(h) make available to the controller and the supervisory authority all information necessary to control compliance with the obligations laid down in this Article.
4. If a processor processes personal data other than as instructed by the controller, the processor shall be considered to be a controller in respect of that processing and shall be subject to the rules on joint controllers laid down in Article 24.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the responsibilities, duties and tasks in relation to a processor in line with paragraph 1, and conditions which allow facilitating the processing of personal data within a group of undertakings, in particular for the purposes of control and reporting.
1. Each controller and processor and, if any, the controller's representative, shall maintain documentation of all processing operations the main categories of processing under its responsibility.
2. The2. Such documentation shall contain at least the following information:
(a) the name and contact details of the controller, or any joint controller or processor, and of the representative, if any;
(b) the name and contact details of the data protection organisation or data protection officer, if any;
(c) the generic purposes of the processing, including the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);
(e) the recipients or categories of recipients of the personal data, including the controllers to whom personal data are disclosed for the legitimate interest pursued by them;
(f) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in case of transfers referred to in point (h) of Article 44(1), the documentation of appropriate safeguards; a reference to safeguards employed;
(g) a general indication of the time limits for erasure of or data retention policy applicable to the different categories of data;
(h) the description of the mechanisms referred to in Article 22(3).
3. The controller and the processor and, if any, the controller's representative, shall make the documentation available, on request, to the supervisory authority.
3a. In the case of a group of undertakings where each data controller within the group of undertakings carries out substantively the same type of processing operation, only one set of documentation shall be kept at group level.
3b. Where a controller engages a processor, the controller shall be responsible for maintaining the documentation referred to in Article 28(1) and can require the processor to provide assistance in compiling the information.
4. The obligations referred to in paragraphs 1 and 2 shall not apply to the following controllers and processors:
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the documentation referred to in paragraph 1, to take account of in particular the responsibilities of the controller and the processor and, if any, the controller's representative.
6. The 6. To ensure harmonized requirements within the Union, the Commission may lay down standard forms for the documentation referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours. which causes or is likely to cause significant adverse effect on the privacy of the data subject, the controller shall after having become aware, fully investigated and confirmed it, without undue delay, notify the personal data breach to the supervisory authority.
3. The notification referred to in paragraph 1 must at least:if possible:
(b) communicate the identity and contact details of the data protection officer controller or other contact point where more information can be obtained;
3a. The notification referred to in paragraph 1 shall not be required if the controller or the processor has implemented appropriate technological measures, which were applied to the data concerned by the personal data breach, such as measures which render the data unintelligible to any person who is not authorised to access it.
4. The controller shall document any personal data breachesdata breaches referred to in paragraph 1, comprising the facts surrounding the breach, its effects and the remedial action taken. This documentation must enable the supervisory authority to verify compliance with this Article. The documentation shall only include the information necessary for that purpose.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for establishing the data breach referred to in paragraphs 1 and 2 and for the particular circumstances in which a controller and a processor is required to notify the personal data breach.
6. The Commission may lay down the standard format of such notification to the supervisory authority, the procedures applicable to the notification requirement and the form and the modalities for the documentation referred to in paragraph 4, including the time limits for erasure of the information contained therein. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
1. When the personal data breach causes or is likely to adversely affect the protectioncause significant adverse effect on the privacy of the personal data or privacy data subject and minimizing of the data subjectharm requires action by data subjects, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay. unless this is disproportionally difficult. When communication to data subjects would risk causing further serious harm to the protection of the personal data or privacy of the data subject, the controller may, after consulting with the supervisory authority, delay communication to data subjects until such risk no longer prevails.
  Comment: Two sided.
3. The communication of a personal data breach to the data subject shall not be required if the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the personal data breach. Such technological protection measures shall have the purpose to render the data unintelligible to any person who is not authorised to access it.them, taking into account the nature of the data, the state of the art and the cost.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements as to the circumstances in which a personal data breach is likely to adversely affect the personal data referred to in paragraph 1.
6. The Commission may lay down the format of the communication to the data subject referred to in paragraph 1 and the procedures applicable to that communication. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
1. Where processing operations present specific high degree of risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller or the processor acting on or when the DPA decides that a privacy impact assessment is necessary, the controller's behalf shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
2. The following processing operations in particular are likely to present specific high degree of risks referred to in paragraph 1:
(a) (a) taking into account the exceptions of Article 20(2)(c) and the restrictions of Article 21, a systematic and extensive evaluation of personal aspects relating to a natural person or for analysing or predicting in particular the natural person's economic situation, location, health, personal preferences, reliability or behaviouror reliability, which is solely based on automated processing and on which measuresdecisions are based that produce legal effects concerning the individual or significantlyadversely affect the individual;fundamental rights of a data subject in a significantly negative manner;
(c) monitoring publicly accessible areas, especially when using optic-electronic devices (video surveillance) on a large scale;involving the use of specific techniques such as facial recognition, or not answering to the reasonable expectations of the general public;
(e) other processing operations for which the consultation of the supervisory authority is required pursuant to point (b) of Article 34(2).
3. The assessment shall contain at least a general description of the envisaged processing operations, an assessment of the risks to the rights and freedoms of data subjects, the measures envisaged to address the risks, safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.
4. The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations.
5. Where the controller is a public authority or body and where the processing results from a legal obligation pursuant to point (c) of Article 6(1) providing for rules and procedures pertaining to the processing operations and regulated by Union or Member State law, paragraphs 1 to 4 shall not apply, unless Member States deem it necessary to carry out such assessment prior to the processing activities.
6. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the processing operations likely to present specific risks referred to in paragraphs 1 and 2 and the requirements for the assessment referred to in paragraph 3, including conditions for scalability, verification and auditability. In doing so, the Commission shall consider specific measures for micro, small and medium- sized enterprises.
7. The Commission may specify standards and procedures for carrying out and verifying and auditing the assessment referred to in paragraph 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
1. The controller or the processor as the case may be shall obtain an authorisation from the supervisory authority prior to the processing of personal data, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where a controller or processor adopts contractual clauses as provided for in point (d) of Article 42(2) or does not provide for the appropriate safeguards in a legally binding instrument as referred to in Article 42(5) for the transfer of personal data to a third country or an international organisation.
1a. Member States may, by law, make the processing of personal data by public or private institutions which execute a task of public interest, such as contributing to the application of social security or to the execution of public health, subject to prior authorisation, in order to avoid processing which gravely affects the data subject's fundamental rights.
2. The controller or processor acting on the controller's behalf shall consult the supervisory authority prior to the processing of personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where: (a) a data protection impact assessment as provided for in Article 33 indicates that processing operations are by virtue of their nature, their scope or their purposes, likely to present a high degree of specific risks; or (b) the supervisory authority deems it necessary to carry out a prior consultation on processing operations that are likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope and/or their purposes, and specified according to paragraph 4.
3. Where the competent supervisory authority is of the opinion determines in accordance with its powers that the intended processing does not comply with this Regulation, in particular where risks are insufficiently identified or mitigated, it shall prohibit the intended processing and make appropriate proposals to remedy such non-compliance. Such a decision shall be subject to appeal in a competent court and it may not be enforceable while being appealed unless the processing results in immediate serious harm suffered by data subjects.
4. The supervisory authority shall establish and make public a list of the processing operations which are subject to prior consultation pursuant to point (b) of paragraph 2. The supervisory authority shall communicate those lists to the European Data Protection Board.
5. Where the list provided for in paragraph 4 involves processing activities which are related to the offering of goods or services to data subjects in several Member States, or to the monitoring of their behaviour, or may substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57 prior to the adoption of the list.
6. The controller or processor shall provide the supervisory authority with the data protection impact assessment provided for in Article 33 and, on request, with any other information to allow the supervisory authority to make an assessment of the compliance of the processing and in particular of the risks for the protection of personal data of the data subject and of the related safeguards.
7. Member States shall consult the supervisory authority in the preparation of a legislative measure to be adopted by the national parliament or of a measure based on such a legislative measure, which defines the nature of the processing, in order to ensuredemonstrate the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects.
8. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for determining the high degree of specific risk referred to in point (a) of paragraph 2.
9. The Commission may set out non-mandatory standard forms and procedures for prior authorisations and consultations referred to in paragraphs 1 and 2, and standard forms and procedures for informing the supervisory authorities pursuant to paragraph 6. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
1. The controller and the processor shall designate 1. Member States shall encourage the designation of a data protection officer in any case where: (a) the processing is carried out by a public authority or body; or (b) the processing is carried out by an enterprise employing 250 persons or more; or (c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects.by the data controller and the data processor and may require such designation in some cases provided for in their national legislation.
2. In the case referred to in point (b) of paragraph 1, a 2. A group of undertakings may appoint a single data protection officer.
4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may designate a data protection officer.
7. The controller or the processor shall designate a data protection officer for a period of at least two years. The data protection officer may be reappointed for further terms. During their term of office, the data protection officer may only be dismissed, if the data protection officer no longer fulfils the conditions required for the performance of their duties.
8. The data protection officer may be employed by the controller or processor, or fulfil his or her tasks on the basis of a service contract.
9. The controller or the processor shall communicate the name and contact details of the data protection officer to the supervisory authority and to the public.
2. The controller or processor shall ensure that the data protection officer performs the duties and tasks independently and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the management of the controller or the processor.
1. The controller or the processor shall entrust the determine the tasks to be performed by the data protection officer at least with the following tasks:organisation or the data protection officer in order to ensure compliance with this Regulation:
(a) to inform and advise the controller or the processor of their obligations pursuant to this Regulation and to document this activity and the responses received;
(b) to monitor the implementation and application of the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, the training of staff involved in the processing operations, and the related audits;develop, support and monitor the implementation of measures referred to in Article 22;
(c) to monitor the implementation and application of compliance this Regulation, in particular as to the requirements related to data protection by design, data protection by default and data security and to the information of data subjects and their requests in exercising their rights under this Regulation;
(d) to ensure that the documentation referred to in Article 28 is maintained;
(e) to monitor the documentation, notification and communication of personal data breaches pursuant to Articles 31 and 32;
(f) to monitor the performance of the data protection impact assessment by the controller or processor and the application for prior authorisation or prior consultation, if required pursuant Articles 33 and 34;
(g) to monitor the response to requests from the supervisory authority, and, within the sphere of the data protection officer's competence, co-operating with the supervisory authority at the latter's request or on the data protection officer's own initiative;
(h) to act as the contact point for the supervisory authority on issues related to the processing and consult with the supervisory authority, if appropriate, on his/her own initiative.
2. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for tasks, certification, status, powers and resources of the data protection officer referred to in paragraph 1.
3. Associations and other bodies representing categories of controllers in several Member States may submit draft codes of conduct and amendments or extensions to existing codes of conduct to the Commission.European Data Protection Board.
4. The Commission may adopt implementing acts for deciding that the codes of conduct and amendments or extensions to existing codes of conduct submitted to it pursuant to paragraph 3 have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).
1. Where the Commission has taken no decision pursuant to Article 41, a controller or processor may transfer personal data to a controller or processor in a third country or an international organisation only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument.
(da) cooperation agreements or unilateral undertaking by public authorities.
2a. The appropriate safeguards referred to in paragraph 1 may also be provided by a single legally binding instrument between the processor and another processor that impose substantively the same obligations on the subprocessor as the EU standard data protection clauses adopted by the Commission where a processor is engaged by multiple controllers to carry out substantively similar processing operations in relation to their respective personal data and such personal data of multiple controllers are transferred to another processor in a third country by the processor and/or by the controller.
3. A transfer based on standard data protection clauses or binding corporate rules as referred to in points (a), (b) or (c) of paragraph 2 shall , a single legally binding document as referred to in paragraph 3 or between groups of undertakings with binding corporate rules shall be deemed to comply with paragraph 1 of this Article and shall not require any further authorisation.consultation with, submission to, approval or authorisation by supervisory authorities.
5. Where the public authorities make use of appropriate safeguards with respect to the protection of personal data but these are not provided for in a legally binding instrument, the controller or processor as mentioned in paragraph 2 sub d a), they shall obtain prior authorisation for the transfer, or a set of transfers, or for provisions to be inserted into administrative arrangements providing the basis for such transfer. Such authorisation by the supervisory authority shall be in accordance with point (a) of Article 34(1). If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57. Authorisations by a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid, until amended, replaced or repealed by that supervisory authority.
1. A supervisory authority shall in accordance with the consistency mechanism set out 1. Controllers and/or processors that wish to provide appropriate safeguards by binding corporate rules as referred to in Article 58 approve 42(2)(a) shall notify the appropriate supervisory authorities of the existence of their binding corporate rules, and the supervisory authorities shall be deemed to have approved the binding corporate rules provided that they:
(a) are legally binding and apply to and are enforced by every member within the controller's or processor's group of undertakings and their subcontractors that is included in the scope of the binding corporate rules, and include their employees;
(a) the structure and contact details of the group of undertakings and its members; and their subcontractors;
(h) the tasks of the data protection officer designated in accordance with Article 35, including monitoring within the group of undertakings the compliance with the binding corporate rules, as well as monitoring the training and complaint handling;
2a. Where a processor wishes to provide appropriate safeguards by binding corporate rules as referred to in Article 42(2)(a), the matters referred to in Article 43(2)(a) to (k): (a) shall only apply to the extent they are applicable to the processor and are relevant to the data subject; and (b) can be specified in relation to each controller.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for binding corporate rules within the meaning of this Article, in particular as regards the criteria for their approval, the application of points (b), (d), (e) and (f) of paragraph 2 to binding corporate rules adhered to by processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned.
4. The Commission may specify the format and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).
(h) the transfer is necessary for the purposes of the legitimate interests pursued by the controller or the processor, which cannot be qualified as frequent or massive, and where the controller or processor has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and based on this assessment adduced appropriate safeguards authorized by a supervisory authority with respect to the protection of personal data, where necessary.
1. Member States shall provide that the members of the supervisory authority must be appointed either by the parliament or the government of the Member State concerned.
4. A member may be dismissed or deprived of the right to a pension or other benefits in its stead by the competent national court, if the member if he no longer fulfils the conditions required for the performance of the duties or is guilty of serious misconduct.his duties as member of the supervisory authority.
(fa) decide in which cases a Privacy Impact Assessment referred to in Article 33 needs to be carried out, in particular when it is consulted by Member State institutions and bodies on legislative and administrative measures relating to the protection of individuals' rights and freedoms with regard to the processing of personal data;
(a) to notify the controller or the processor of an alleged breach of the provisions governing the processing of personal data, and, where appropriate, order the controller or the processor to remedy that breach, in a specific manner, in order to improve the protection of the data subject; or, where necessary, oblige the controller to communicate the personal data breach to the data subject;
7. The European Data Protection Board shall issue an opinion on the matter, if the European Data Protection Board so decides by simple majority of its members or any supervisory authority or the Commission so requests within onetwo week after the relevant information has been provided according to paragraph 5. The opinion shall be adopted within onetwo month by simple majority of the members of the European Data Protection Board. The chair of the European Data Protection Board shall inform, without undue delay, the supervisory authority referred to, as the case may be, in paragraphs 1 and 3, the Commission and the supervisory authorityauthorities competent under Article 51 of the opinion and make it public.
8. The supervisory authority referred to in paragraph 1 and the supervisory authorityauthorities competent under Article 51 (1) shall take account of the opinion of the European Data Protection Board and shall within two weeks after the information on the opinion by the chair of the European Data Protection Board, electronically communicate to the chair of the European Data Protection Board and to the Commission whether it maintains or amends its draft measure and, if any, the amended draft measure, using a standardised format.
3. During the period referred to in paragraph 1, the draft measure shall not be adopted by the supervisory authority.
4. Where the supervisory authority concerned intends not to follow the opinion of the Commission, it shall inform the Commission and the European Data Protection Board thereof within the period referred to in paragraph 1 one month and provide a justification. In this case the draft measure shall not be adopted for one further month.reasoned justification. This reasoned justification shall be made publicly available.
4a. Where the Commission has adopted an opinion in accordance with paragraph 1, the supervisory authority concerned shall take the utmost account of the Commission's opinion and inform the Commission and the European Data Protection Board whether it intends to maintain or amend its draft measure.
Article 60 Suspension of a draft measure
1. Within one month after the communication referred to in Article 59(4), and where the Commission has serious doubts as to whether the draft measure would ensure the correct application of this Regulation or would otherwise result in its inconsistent application, the Commission may adopt a reasoned decision requiring the supervisory authority to suspend the adoption of the draft measure, taking into account the opinion issued by the European Data Protection Board pursuant to Article 58(7) or Article 61(2), where it appears necessary in order to:
(a) reconcile the diverging positions of the supervisory authority and the European Data Protection Board, if this still appears to be possible; or
(b) adopt a measure pursuant to point (a) of Article 62(1).
2. The Commission shall specify the duration of the suspension which shall not exceed 12 months.
3. During the period referred to in paragraph 2, the supervisory authority may not adopt the draft measure.
(ga) examine codes of conduct and amendments or extensions to existing codes of conduct submitted to it pursuant to Article 38(3).
2. Any body, organisation or association which aims to protect data subjects' rights and interests concerning the protection of their personal data and has been properly constituted according to the law of a Member State shall have the right to lodge a complaint with a supervisory authority in any Member State on behalf of one or more data subjects if it considers that a data subject's rights under this Regulation have been infringed as a result of the processing of personal data.
3. Independently of a data subject's complaint, any body, organisation or association referred to in paragraph 2 shall have the right to lodge a complaint with a supervisory authority in any Member State, if it considers that a personal data breach has occurred.
1. Any body, organisation or association referred to in Article 73(2) shall have the right to exercise the rights referred to in Articles 74 and 75 on behalf of one or more data subjects.
1. Any person who has suffered damage as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered. If a processor processes personal data for purposes other than as instructed by the controller, they may be held liable should any person suffer damage as a result of such processing.
2. Where more than one controller or processor is involved in the processing, each controller or processor shall be jointly and severally liable only to the extent that he is responsible for the entire amount of event giving rise to the damage. and that liability has not already been established in the determination or responsibilities envisaged in Article 24.
3. The controller or the processor may be exempted from this liability, in whole or in part, if the controller or the processor proves that they are not responsible for the event giving rise to the damage.
1. Each competent supervisory authority shall be empowered to impose administrative sanctions in accordance with this Article.
2. The administrative sanction shall be in each individual case effective, proportionate and dissuasive. The amount of the administrative fine shall be fixed with due regard to the nature, gravity and duration of the breach, the sensitivity of the personal data at issue, the intentional or negligent character of the infringement, the degree of harm or risk of significant harm created by the violation, the degree of responsibility of the natural or legal person and of previous breaches by this person, the technical and organisational measures and procedures implemented pursuant to Article 23 and the degree of co-operation with the supervisory authority in order to remedy the breach. While some discretion is granted in the imposition of such sanctions to take into account the circumstances outlined above and other facts specific to the situation, divergences in the application of administrative sanctions may be subject to review pursuant to the consistency mechanism. In setting an administrative fine, supervisory authorities shall also take into account fines, damages or other penalties previously imposed by a court or other body on the natural or legal person in respect of the violation issue. Aggravating factors that support administrative fines at the upper limits established in paragraphs 4 to 6 shall include in particular: (a) repeated violations committed in reckless disregard of applicable law; (b) refusal to cooperate with or obstruction of an enforcement process; and (c) violations that are deliberate, serious and likely to cause substantial damage. Mitigating factors which support administrative fines at the lower limits shall include: (a) measures having been taken by the natural or legal person to ensure compliance with relevant obligations; (b) genuine uncertainty as to whether the activity constituted a violation of the relevant obligations; (c) immediate termination of the violation upon knowledge; and (d) cooperation with any enforcement processes.
3. In case of a first and non-intentional non-compliance with this Regulation, a warning in writing may be given and no sanction imposed, where: (a) a natural person is processing personal data without a commercial interest; or (b) an enterprise or an organisation employing fewer than 250 persons is processing personal data only as an activity ancillary to its main activities.
4. The supervisory authority shallmay impose a fine up to 250 000 EUR, or in case of an enterprise up to 0,5 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
5. The supervisory authority shall impose imposes a fine up to 500 000 EUR, or in case of an enterprise up to 1 % of its annual worldwide turnover, to anyone who, intentionally or negligently: intentionally:
(c) does not comply with the right to be forgotten or to erasure, or on websites or data within their control, or fails to put mechanisms in place to ensure that the time limits are observed or does not take all necessary steps to inform third parties that a data subjects requests to erase any links to, or copy or replication of the personal data pursuant Article 17;
(e) does not or not sufficiently determine the respective responsibilities with co-controllers pursuant to Article 24;
(f) does not or not sufficiently maintain the documentation pursuant to Article 28, Article 31(4), and Article 44(3);
6. The supervisory authority shallmay impose a fine up to 1 000 000 EUR or, in case of an enterprise up to 2 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
(e) does not adopt internal policies or does not implement appropriate measures for ensuring and demonstrating compliance pursuant to Articles 22, 23 and 30;
(f) does not designate a representative pursuant to Article 25;
(i) does not carry out a data protection impact assessment pursuant or processes personal data without prior authorisation or prior consultation of the supervisory authority pursuant to Articles 33 and 34;
7. Where convincing evidence exists of continued negligence or gross negligence by organisations in the execution of their responsibilities under this Regulation or the failure of these sanctions to deter serious abuses that cannot be addressed under the current framework. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of updating the amounts or conditions of the administrative fines referred to in paragraphs 4, 5 and 6, taking into account the criteria referred to in paragraph 2.
1. Member States shall provide for exemptions or derogations from the provisions on the general principles in Chapter II, the rights 1. Chapter II (General principles), Chapter III (Rights of the data subject in Chapter III, on controller ), Chapter IV (Controller and processor in Chapter IV, on the transfer ), Chapter V (Transfer of personal data to third countries and international organisations in Chapter V, the independent ), Chapter VI (Independent supervisory authorities in Chapter VI and on co-operation and consistency in Chapter VII for ), Chapter VII (Cooperation and consistency) as well as Articles 73, 74, 76 and 79 of Chapter VIII (Remedies, liability and sanctions) shall not apply to the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression in order to reconcile the right to the protection of personal data with the rules governing freedom of expression.
2. Each Member State shall notify to the Commission those provisions of its law which it has adopted pursuant to paragraph 1 by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment law or amendment affecting them.
Article 80a Member States may determine the conditions for processing a national identification number or any other identifier of general application.
Article 81 Processing of personal data concerning health
1. Within the limits of this Regulation and in accordance with point (h) of Article 9(2), processing of personal data concerning health must be on the basis of Union law or Member State law which shall provide for suitable and specific measures to safeguard the data subject's legitimate interests, and be necessary for:
(a) the purposes of preventive or occupational medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject to the obligation of professional secrecy or another person also subject to an equivalent obligation of confidentiality under Member State law or rules established by national competent bodies; or
(b) reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety, inter alia for medicinal products or medical devices; or
(c) other reasons of public interest in areas such as social protection, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system.
2. Processing of personal data concerning health which is necessary for historical, statistical or scientific research purposes, such as patient registries set up for improving diagnoses and differentiating between similar types of diseases and preparing studies for therapies, is subject to the conditions and safeguards referred to in Article 83.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying other reasons of public interest in the area of public health as referred to in point (b) of paragraph 1, as well as criteria and requirements for the safeguards for the processing of personal data for the purposes referred to in paragraph 1.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the processing of personal data for the purposes referred to in paragraph 1 and 2 as well as any necessary limitations on the rights of information to and access by the data subject and detailing the conditions and safeguards for the rights of the data subject under these circumstances.
It shall apply from [two years from the date referred to in paragraph 1] without prejudice to the use of personal data lawfully processed before that date.