Romania ALDE

Adina-Ioana Vălean

Country: Romania
Group: Alliance of Liberals and Democrats for Europe (ALDE)
Party: Partidul Naţional Liberal (PNL)

Member of Petitions
Member of Industry, Research and Energy
Substitute of Budgets

Overview Adina-Ioana Vălean

Amendments: 283
...stronger: 35
...weaker: 157
...neutral: 91

Amendments by Adina-Ioana Vălean

(14) This Regulation does not address issues of protection of fundamental rights and freedoms or the free flow of data related to activities which fall outside the scope of Union law, nor does it cover the processing of personal data by the Union institutions, bodies, offices and agencies, which are subject to Regulation (EC) No 45/2001, or the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union.
(19) Any processing of personal data of data subjects residing in the Union in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union or not. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in this respect.
(20) In order to ensure that individuals are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects residing in the Union by a controller not established in the Union should be subject to this Regulation where the processing activities are related to the offering of goods or services to such data subjects, or to the monitoring of the behaviour of such data subjects..
  Comment: May be in conflict with international law. Discuss this Rating
(21) In order to determine(21) It should be ascertained whether a processing activity can be considered to ‘monitor the behaviour’ of data subjects, it should be ascertained whether individuals are tracked involves tracking of individuals on the internet with data processing techniques which consist of applying a ‘profile’ to an individual, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.
(23) The principles of protection should apply to anyonly to specific information concerning an identified or identifiable person. To determine whether a person is identifiable, account should be taken of all the : (i) only of those means likely reasonably to be used either by the controller or by any other natural or legal person to identify the individual, and (ii) of the reasonably likeliness of a person being identified. The principles of data protection should not apply to data rendered anonymous in such a way that the data subject is no longer identifiable. from the data.
(23a) This Regulation recognises that pseudonymisation is in the benefit of all data subjects as, by definition, personal data is altered so that it of itself cannot be attributed to a data subject without the use of additional data. By this, controllers should be encouraged to the practice of pseudonymising data.
(24) When using online services, individuals may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses or cookie identifiers. This may leave traces which, combined with unique identifiers and other information received by the servers, may be used to create profiles of the individuals and identify them. It follows that identification numbers, location data, online identifiers or other specific factors as such need not necessarily be considered as personal data in all circumstances.
  Comment: Intention unclear Discuss this Rating
(25) Consent should be given explicitlyunambiguously by any appropriate method within the context of the product or service being offered enabling a freely given specific and informed indication of the data subject’s wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data. Silence or inactivity should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject’s consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
(25a) This Regulation recognises that the pseudonymisation of data can help minimise the risks to privacy of data subjects. To the extent that a controller pseudonymises data, such processing should be considered justified as a legitimate interest of the controller.
(26) Personal data including genetic information relating to health should include in particular all data pertaining to the health status of a data subject; information about the registration of the individual for the provision of health services; information about payments or eligibility for healthcare with respect to the individual; a number, symbol or particular assigned to an individual to uniquely identify the individual for health purposes; any information about the individual collected in the course of the provision of health services to the individual; information derived from the testing or examination of a body part or bodily substance, including biological samples; identification of a person as provider of healthcare to the individual; or any information on e.g. a disease, disability, disease risk, medical history, clinical treatment, or the actual physiological or biomedical state of the data subject independent of its source, such as e.g. from a physician or other health professional, a hospital, a medical device, or an in vitro diagnostic test.
(26) Personal data relating to health should include in particular all personal data pertaining to the health status of a data subject; information about the registration of the individual for the provision of health services; information about payments or eligibility for healthcare with respect to the individual; a number, symbol or particular assigned to an individual to uniquely identify the individual for health purposes; any information about the individual collected in the course of the provision of health services to the individual; information personal data derived from the testing or examination of a body part or , bodily substance, including biological samples or biological sample; identification of a person as provider of healthcare to the individual; or any information on e.g. a disease, disability, disease risk, medical history, clinical treatment, or the actual physiological or biomedical state of the data subject independent of its source, such as e.g. from a physician or other health professional, a hospital, a medical device, or an in vitro diagnostic test.
(28) A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exercise a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented. A group of undertakings may nominate a single main establishment in the Union.
  Comment: Allows "Forum Shopping" Discuss this Rating
(29a) The same personal data can have different significance depending on the context of and the risks represented by its processing. Controllers should therefore implement appropriate technical and organisational measures and procedures in respect to the context of and the risks represented by the data processing.
(30) Any processing of personal data should be lawful, fair and transparent in relation to the individuals concerned. In particular, the specific purposes for which the data are processed should be explicit and legitimate and determined at the time of the collection of the data. The data should be adequate, relevant and limited to the minimum necessary for the purposes for which the data are processed; this requires in particular ensuring that the data collected are not excessive and that the period for which the data are stored is limited to a strict minimum. Personal data should only be processed if the purpose of the processing could not be fulfilled by other means. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. In order to ensure that the data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.
(34) Consent should not provide a valid legal ground for the processing of personal data, where there is a clear imbalance between the data subject and the controller. This is especially the case where the data subject is in a situation of dependence from the controller, among others, where personal data are processed by the employer of employees’ personal data in the employment context. Where the controller is a public authority, there would be an imbalance only in the specific data processing operations where the public authority can impose an obligation by virtue of its relevant public powers and the consent cannot be deemed as freely given, taking into account the interest of the data subject.
(38) The legitimate interests of a controller , or the third party or parties in whose interest the data is processed, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding. This would need careful assessment in particular where the data subject is a child, given that children deserve specific protection. The data subject should have the right to object the processing, on grounds relating to their particular situation and free of charge. To ensure transparency, the controller should be obliged to explicitly inform the data subject on the legitimate interests pursued and on the right to object, and also be obliged to document these legitimate interests. Given that it is for the legislator to provide by law the legal basis for public authorities to process data, this legal ground should not apply for the processing by public authorities in the performance of their tasks.
(40) The processing of personal data for other purposes should be only allowed where the processing is compatible with those purposes for which the data have been initially collected, in particularsuch as where the processing is necessary for historical, statistical or scientific research purposes. Where the other purpose is not compatible with the initial one for which the data are collected, the controller should obtain the consent of the data subject for this other purpose or should base the processing on another legitimate ground for lawful processing, in particular where provided by Union law or the law of the Member State to which the controller is subject. In any case, the application of the principles set out by this Regulation and in particular the information of the data subject on those other purposes should be ensured.
(47) Modalities should be provided for facilitating the data subject’s exercise of their rights provided by this Regulation, including mechanisms to request, free of charge, in particular access to data, rectification, erasure and to exercise the right to object. The controller should be obliged to respond to requests of the data subject within a fixed deadline and give reasons, in case he does not comply with the data subject’s request.
(48) The principles of fair and transparent processing require that the data subject should be informed in particular of the existence of the processing operation and its purposes, how long the data the estimated period of time for which the will be stored, on the existence of the right of access, rectification or erasure and on the right to lodge a complaint. Where the data are collected from the data subject, the data subject should also be informed whether they are obliged to provide the data and of the consequences, in cases they do not provide such data.
(51) Any person should have the right of access to personal data which has been collected concerning them, and to exercise this right easily, in order to be aware and verify the lawfulness of the processing. Every data subject should therefore have the right to know and obtain communication in particular for what purposes the personal data are processed, for what period, which recipients receive the personal data, what is the logic of the personal data that are undergoing the processing and what might be, at least when based on profiling, the consequences of such processing. This right should not adversely affect the rights and freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of these considerations should not be that all information is refused to the data subject.
(52) The controller should use all reasonable measures within the context of the product or service being provided, or otherwise within the context of the relationship between the controller and the data subject, and the sensitivity of the personal data being processed to verify the identity of a data subject that requests access, in particular in the context of online services and online identifiers. A controller should not retain nor be forced to gather personal data for the unique purpose of being able to react to potential requests.
(53) Any person should have the right to have personal data concerning them rectified and a ‘right to be forgotten’ where the retention of such data is not in compliance with this Regulation. In particular, data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed, where data subjects have withdrawn their consent for processing or where they object to the processing of personal data concerning them or where the processing of their personal data otherwise does not comply with this Regulation. This right is particularly relevant, when the data subject has given their consent as a child, when not being fully aware of the risks involved by the processing, and later wants to remove such personal data especially on the Internet. However, the further retention of the data should be allowed where it is necessary for historical, statistical and scientific research purposes, for reasons of public interest in the area of public health, for exercising the right of freedom of expression, when required by law or where there is a reason to restrict the processing of the data instead of erasing them.
(54) To strengthen the ‘right to be forgotten’ in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform third parties which are processing such data that a data subject requests them to erase any links to, or copies or replications of that personal data. To ensure this information, the controller should take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible. In relation to a third party publication of personal data, the controller should be considered responsible for the publication, where the controller has authorised the publication by the third party.
(59) Restrictions on specific principles and on the rights of information, access, rectification and erasure or on the right to data portability, the right to object, measures based on profiling, as well as on the communication of a personal data breach to a data subject and on certain related obligations of the controllers may be imposed by Union or Member State law, as far as necessary and proportionate in a democratic society to safeguard public security, including the protection of human life especially in response to natural or man made disasters, the prevention, investigation and prosecution of criminal offences or of breaches of ethics for regulated professions, other public interests of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, or the protection of the data subject or the rights and freedoms of others. Those restrictions should be in compliance with requirements set out by the Charter of Fundamental Rights of the European Union and by the European Convention for the Protection of Human Rights and Fundamental Freedoms.
  Comment: Removal of the "Right to Data Portability" form the Law Discuss this Rating
(60) Comprehensive(60) Overall responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller’s behalf should be established in order to ensure accountability. In particular, the controller should ensure and be obliged to demonstrate the compliance of each processing operation with this Regulation.
(61) The (61) To meet consumer and business expectations around the protection of the rights and freedoms of data subjects with regard to the processing of personal data require that appropriate technical and , appropriate organisational measures are should be taken, both at the time of the design of the processing and at the time of the processing itself, to ensure that the requirements of this Regulation are met. In order to ensure and demonstrate compliance with this Regulation, the controller should adopt internal policies and implement appropriate measures, which meet in particular the principles of data protection by design and data protection by default.Measures having as an objective to increase consumer information and ease of choice should be encouraged, based on industry cooperation and favouring innovative solutions, products and services.
(62) The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processor, also in relation to the monitoring by and measures of supervisory authorities, requires a clear attribution of the responsibilities under this Regulation, including where a controller determines the purposes, conditions and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller.
(63) Where a controller not established in the Union is processing personal data of data subjects residing in the Union whose processing activities are related to the offering of goods or services to such data subjects, or to the monitoring their behaviour, the , the controller should designate a representative, unless the controller is established in a third country ensuring an adequate level of protection, or the controller is a small or medium sized enterprise or a public authority or body or where the controller is only occasionally offering goods or services to such data subjects. The representative should act on behalf of the controller and may be addressed by any the competent supervisory authority.
  Comment: Potential conflict with international law. Discuss this Rating
(65) In order to demonstrate compliance with this Regulation, the controller or processor should document each processing operation under its responsibility. Each controller and processor should be obliged to co-operate with the supervisory authority and make this documentation, on request, available to it, so that it might serve for monitoring those processing operations.
(66) In order to maintain security and to prevent processing in breach of this Regulation, the controller or processor should evaluate the risks inherent to the processing and implement measures to mitigate those risks. These measures should ensure an appropriate level of security, taking into account the state of the art and the costs of their implementation in relation to the risks and the nature of the personal data to be protected. When establishing technical standards and organisational measures to ensure security of processing, the Commission should promote technological neutrality, interoperability and innovation, and, where appropriate, cooperate with third countries.
(67) A personal data breach may, if not addressed in an adequate and timely manner, result in substantial economic loss and social harm, including identity fraud, to the individual concerned. Therefore, as soon as the controller becomes aware that such a breach has occurred, the controller should notify the breach to the supervisory authority without undue delay and, where feasible, within 24 hours. Where this cannot achieved within 24 hours, an explanation of the reasons for the delay should accompany the notification. . The individuals whose personal data could be adversely affected by the breach should be notified without undue delay in order to allow them to take the necessary precautions. A breach should be considered as adversely affecting the personal data or privacy of a data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation. The notification should describe the nature of the personal data breach as well as recommendations as well as recommendations for the individual concerned to mitigate potential adverse effects. Notifications to data subjects should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities (e.g. law enforcement authorities). For example, the chance for data subjects to mitigate an immediate risk of harm would call for a prompt notification of data subjects whereas the need to implement appropriate measures against continuing or similar data breaches may justify a longer delay.
(70) Directive 95/46/EC provided for a general obligation to notify processing of personal data to the supervisory authorities. While this obligation produces administrative and financial burdens, it did not in all cases contribute to improving the protection of personal data. Therefore such indiscriminate general notification obligation should be abolished, and replaced by effective procedures and mechanism which focus instead on those processing operations which are likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes. In such cases, a data protection impact assessment should be carried out by the controller or processor prior to the processing, which should include in particular the envisaged measures, safeguards and mechanisms for ensuring the protection of personal data and for demonstrating the compliance with this Regulation..
(71) This should in particular apply to newly established large scale filing systems, which aim at processing a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects.
(74) Where a data protection impact assessment indicates that processing operations involve a high degree of specific risks to the rights and freedoms of data subjects, such as excluding individuals from their right, or by the use of specific new technologies, the supervisory authority should be consulted, prior to the start of operations, on a risky processing which might not be in compliance with this Regulation, and to make proposals to remedy such situation. Such consultation should equally take place in the course of the preparation either of a measure by the national parliament or of a measure based on such legislative measure which defines the nature of the processing and lays down appropriate safeguards..
(75) Where the processing is carried out in the public sector or where, in the private sector, processing is carried out by a large enterprise, or where its core activities, regardless of the size of the enterprise, involve processing operations which require regular and systematic monitoring, a person or an organisation should assist the controller or processor to monitor internal compliance with this Regulation. Such data protection officers, whether or not an employee of the controller, or data protections organisations should be in a position to perform their duties and tasks independently.
(84) The possibility for the controller or processor to use standard data protection clauses adopted by the Commission or by a supervisory authority should neither prevent the possibility for controllers or processors to include the standard data protection clauses in a wider contract nor to add other clauses as long as they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects. In some scenarios, it may be appropriate to encourage controllers and processors to provide even more robust safeguards via additional contractual commitments that supplement standard protection clauses.
(97) Where the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union takes place in more than one Member State, one single supervisory authority should be competent for monitoring the activities of the controller or processor throughout the Union and taking the related decisions, in order to increase the consistent application, provide legal certainty and reduce administrative burden for such controllers and processors.
(105) In order to ensure the consistent application of this Regulation throughout the Union, a consistency mechanism for co-operation between the supervisory authorities themselves and the Commission should be established. This mechanism should in particular apply where a the competent supervisory authority intends to take a measure as regards processing operations that are related to the offering of goods or services to data subjects in several Member States, , or to the monitoring such data subjects, or that might substantially affect the free flow of personal data. It should also apply where any supervisory authority or the Commission requests that the matter should be dealt with in the consistency mechanism. This mechanism should be without prejudice to any measures that the Commission may take in the exercise of its powers under the Treaties.
(120) In order to strengthen and harmonise administrative sanctions against infringements of this Regulation, each supervisory authority should have the power to sanction administrative offences. This Regulation should indicate these offences and the upper limit for the related administrative fines, which Administrative fines should be fixed in each individual case proportionate to the specific situation, with due regard in particular to the nature, gravity and duration of the breach, the procedures implemented in respect to the contexts of and risks represented by the data processing, the degree of responsibility of the natural or legal person and of previous breaches by this person, the degree of technical and organisational measures and procedures implemented, as well as the degree of cooperation with the supervisory authority. The consistency mechanism may also be used to cover divergences in the application of administrative sanctions.
(129) In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data and to ensure the free movement of personal data within the Union, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission. In particular, delegated acts should be adopted in respect of lawfulness of processing; specifying the criteria and conditions in relation to the consent of a child; processing of special categories of data; specifying the criteria and conditions for manifestly excessive requests and fees for exercising the rights of the data subject; criteria and implementing the provisions of this Regulation, it should be ensured that no mandatory requirements for the information to the data subject and in relation to the right of access; the right to be forgotten and to erasure; measures based on profiling; criteria and requirements in relation to the responsibility of the controller and to data protection by design and by default; a processor; criteria and requirements for the documentation and the security of processing; criteria and requirements for establishing a personal data breach and for its notification to the supervisory authority, and specific technical features are imposed on products and services, including terminal or other electronic communications equipment, which could impede the placing of equipment on the circumstances where a personal data breach is likely to adversely affect the data subject; the criteria and conditions for processing operations requiring a data protection impact assessment; the criteria and requirements for determining a high degree of specific risks which require prior consultation; designation and tasks of the data protection officer; codes of conduct; criteria and requirements for certification mechanisms; criteria and requirements for transfers by way of binding corporate rules; transfer derogations; administrative sanctions; processing for health purposes; processing in the employment context and processing for historical, statistical and scientific research purposes. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. The Commission, when preparing and drawing-up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and Council.market and the free circulation of such equipment in and between Member States.
  Comment: Result depends on other changes. Intention unclear. Discuss this Rating
(130) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission for: specifying standard forms in relation to the processing of personal data of a child; standard procedures and forms for exercising the rights of data subjects; standard forms for the information to the data subject; standard forms and procedures in relation to the right of access; the right to data portability; standard forms in relation to the responsibility of the controller to data protection by design and by default and to the documentation; specific requirements for the security of processing; the standard format and the procedures for the notification of a personal data breach to the supervisory authority and the communication of a personal data breach to the data subject; standards and procedures for a data protection impact assessment; forms and procedures for prior authorisation and prior consultation; technical standards and mechanisms for certification; the adequate level of protection afforded by a third country or a territory or a processing sector within that third country or an international organisation; disclosures not authorized by Union law; mutual assistance; joint operations; decisions under the consistency mechanism. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the . In implementing the provisions of this Regulation, it should be ensured that no mandatory requirements for specific technical features are imposed on products and services, including terminal or other electronic communications equipment, which could impede the placing of equipment on the market and the free circulation of such equipment in and between Member States of the Commission’s exercise of implementing powers46 . In this context, the Commission should consider specific measures for micro, small and medium- sized enterprises..
  Comment: Result depends on other changes. Intention unclear. Discuss this Rating
(139) In view of the fact that, as underlined by the Court of Justice of the European Union, the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and the actual and potential advances in science, health and technology and be balanced with other fundamental rights, in accordance with the principle of proportionality, this Regulation respects all fundamental rights and observes the principles recognised in the Charter of Fundamental Rights of the European Union as enshrined in the Treaties, notably the right to respect for private and family life, home and communications, the right to the protection of personal data, the freedom of thought, conscience and religion, the freedom of expression and information, the freedom to conduct a business, the right to property and in particular the protection of intellectual property the right to an effective remedy and to a fair trial as well as cultural, religious and linguistic diversity.
1. This Regulation applies to the processing of personal data wholly or partly by automated means, without discrimination between such processing means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
(d) by a natural person without any gainful interest , who does not make the data accessible to an indefinite number of people in the course of its own exclusively personal or household activity;
(ea) made by the employer as part of the treatment of employee personal data in the employment context
(ea) which have been rendered anonymous within the meaning of Article 4(2c);
1. This Regulation applies to the processing of personal data of data subjects residing in the Union in the context of the activities of an establishment of a controller or a processor in the Union.
2. This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to: (a) the offering of goods or services to such data subjects or a processor not established in the Union; or (b) the monitoring of their behaviour..
  Comment: May be in conflict with international law. Discuss this Rating
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where the national law of a Member State applies by virtue of public international law.
(1) ‘data subject’ means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, working together with the controller, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person; and who is not acting in his/her professional capacity;
(2) ‘personal data’ means any information data specifically relating to a data subject; whose specific identity can be identified, directly or indirectly by the controller or by any other natural or legal person, working together with the controller;
(2a) ‘identification number’ means any numeric, alphanumeric or similar code typically used in the online space, excluding codes assigned by a public or state controlled authority to identify a natural person as an individual;
(2b) ‘pseudonymous data’ means any personal data that has been collected, altered or otherwise processed so that it of itself cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls to ensure such non-attribution;
  Comment: Dependent on the attached consequences, but exceptions for pseudonymous data are always leading to less protection. Discuss this Rating
(2c) ‘anonymous data’ means any personal data that has been collected, altered or otherwise processed in such a way that it can no longer be attributed to a data subject;
(5) ‘controller’ means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes, conditions and means of the processing of personal data; where the purposes, conditions and means of processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by Union law or by Member State law;
(7a) ‘third party’ means any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorized to process the data;
  Comment: Depends on consequences. Discuss this Rating
(8) ‘the data subject’s consent’ means any freely given specific, informed and explicitunambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;
(9) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
(10) ‘genetic data’ means all data, of whatever type, concerning the characteristicsinformation on the hereditary characteristics, or alteration thereof, of an individual which are inherited or acquired during early prenatal development;identified or identifiable person, obtained through nucleic acid analysis;
  Comment: Intention unclear. Discuss this Rating
(11) ‘biometric data’ means any personal data relating to the physical, physiological or behavioural characteristics of an individual which allow their unique identification, such as facial images, or dactyloscopic data;
(12) ‘data concerning health’ means any informationpersonal data which relates to the physical or mental health of an individual, or to the provision of health services to the individual;
(13a) ‘competent supervisory authority’ means the supervisory authority which shall be solely competent for the supervision of a controller in accordance with Article 51(2), (3) and (4);
(14) ‘representative’ means any natural or legal person established in the Union who, explicitly designated by the controller, acts and may be addressed by any supervisory authority and other bodies in the Union instead of the controllerinstead of the controller and shall only be addressed by the competent supervisory authority, with regard to the obligations of the controller under this Regulation;
(18) ‘child’ means any person below the age of 18 years;13 years;
(19a) ‘financial crime’ means criminal offences in connection with organised crime, racketeering, terrorism, terrorist financing, trafficking in human beings, migrant smuggling, sexual exploitation, trafficking in narcotic drugs and psychotropic substances, illegal arms trafficking, trafficking in stolen goods, corruption, bribery, fraud, counterfeiting currency, counterfeiting and piracy of products, environmental offences, kidnapping, illegal restraint and hostage- taking, robbery, theft, smuggling, offences related to taxation, extortion, forgery, piracy, insider trading and market manipulation.
  Comment: Exceptions attached lead to less protection. Discuss this Rating
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatibleirreconcilable with those purposes;
(d) accurate and where necessary kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;undue delay;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for historical, statistical or scientific research purposes in accordance with the rules and conditions of Article 83 and if a periodic review is carried out to assess the necessity to continue the storage;
(c) processing is necessary for compliance with a legal obligation , regulatory rule, guidance, industry code of practice, either domestically or internationally to which the controller is subject; including the requirements of supervisory authorities;
(da) processing of data necessary to ensure network and information security;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or in the third party to which the data are transferred;
(f) processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the the controller or by the third party or parties to whom the data are disclosed and the legitimate expectations of the data subject based on his or her relationship with the controller, taking into account the interests or rights and freedoms of the controller to conduct a business as well as the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
(fa) processing is limited to pseudonymous data and the recipient of the service is given a right to object pursuant to Article 19(3);
(fb) the data are collected from public registers, lists or documents accessible by everyone;
(fc) processing is necessary for the purpose of pseudonymisation or anonymisation of personal data;
  Comment: Grading based on overall concept of exceptions for such data. Discuss this Rating
(fd) processing is necessary for the purposes of ensuring the ability of a network or an information system to resist accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity or confidentiality of stored or transmitted data and the security of the related services offered by or accessible via these networks and systems;
2. Processing 2. Subsequent processing of personal data which is necessary for the purposes of historical, statistical or scientific research shall be lawful subject to the conditions and safeguards referred to in Article 83.
The law of the Member State must meet an objective of public interest or must be necessary to protect the rights and freedoms of others, . The law of the Member State must also respect the essence of the right to the protection of personal data and this regulation and international treatises that the Member State has decided to follow. Finally the Member State is obliged to evaluate and decide if national legislation is and be proportionate to the legitimate aim pursued. or if a legitimate aim could be achieved using less privacy invasive solutions.
4. Where the purpose of further processing is not compatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in points (a) to (ef) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the conditions referred to in point (f) of paragraph 1 for various sectors and data processing situations, including as regards the processing of personal data related to a child.
3. The 3. Without prejudice to the data subject 's existing contractual obligations, the data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. It is lawful that the withdrawal of consent might result in the termination of the relationship with the controller.
4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the methods to obtain verifiable consent referred to in paragraph 1. In doing so, the Commission shall consider specific measures for micro, small and medium-sized enterprises.
4. The Commission may lay down standard forms for specific methods to obtain verifiable consent referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership, significant social problems and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures shall be prohibited.
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law in so far as it is authorised by Union law or Member State law or collective agreements on the labour market providing for adequate safeguards; or
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association , organizations on the labour market or any other non-profit-seeking body with a political, philosophical, religious or trade- union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed outside that body without the consent of the data subjects; or
(j) processing of data relating to criminal convictions or related security measures is carried out either subject to the conditions and safeguards referred to in Article 83a or under the control of official supervision of a supervisory authority or when the processing is necessary for compliance with a or to avoid a breach of a legal or regulatory obligation or collective agreements on the labour market to which a controller is subject, or for the performance of a task carried out for important public interest reasons, and in so far as authorised by Union law or Member State law providing for adequate safeguards. A complete register of criminal convictions shall be kept only under the control of official authority.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria, conditions and appropriate safeguards for the processing of the special categories of personal data referred to in paragraph 1 and the exemptions laid down in paragraph 2.
If the data processed by a controller do not permit the controller to identify a natural person, in particular when rendered anonymous or pseudonymous, the controller shall not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation.
2. The controller shall provide any information and any communication relating to the processing of personal data to the data subject in an intelligible form, using clear and plain language, adapted to the data subject, in particular for any information addressed specifically to a child.
Article 11a Article 12 of Directive 2002/58/EC and Articles 20 and 21(3)(e) of Directive 2002/22/EC are an application of the data subjects' right to transparent information and communication which requires that the controller informs data subjects of their rights with respect to the use of their personal information and draws attention to the presence of systems which have been developed in accordance with the principles of privacy by design.
  Comment: Intention unclear. Discuss this Rating
1. The controller shall establish procedures for providing the information referred to in Article 14 and for the exercise of the rights of data subjects referred to in Article 13 and Articles 15 to 19. The controller shall provide in particular mechanisms for facilitating the request for the actions referred to in Article 13 and Articles 15 to 19. Where personal data are processed by automated means, the controller shallmay also provide means for requests to be made electronically.
2. The controller shall inform the data subject without delay and, at the latest within one month of receipt of the request, whether or not any action has been taken pursuant to Article 13 and Articles 15 to 19 and shall provide the requested information. This period may be prolonged for a further month, if several data subjects exercise their rights and their cooperation is necessary to a reasonable extent to prevent an unnecessary and disproportionate effort on the part of the controller. The information shall be given in writing. Where the data subject makes the request in electronic form, the information shallmay be provided in electronic form, unless otherwise requested by the data subject. or unless the controller has reason to believe that providing the information in electronic form would create a significant risk of fraud.
4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge. Where requests are manifestly excessive, in particular because of their repetitive character or their complexity, the controller may charge a fee for providing the information or taking the action requested, or the controller may not take that reflects the administrative costs for providing the information or taking the action requested. In that case, the controller shall bear the burden of proving the manifestly excessive character of the request.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the manifestly excessive requests and the fees referred to in paragraph 4.
6. The Commission may lay down standard forms and specifying standard specify standard procedures for the communication referred to in paragraph 2, including the electronic format. In doing so, the Commission shall take the appropriate measures for micro, small and medium- sized enterprises. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
(c) the estimated period for which the personal data will be stored;
3. Where the personal data are not collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, from which source the personal data originate., except where the data originate from a publicly available source or where the transfer is provided for by law.
(da) the data are processed by, are entrusted or become known to a person subject to legal professional privilege, professional secrecy regulated by the Member State, a statutory obligation of secrecy in the exercise of his profession or any like obligation not to reveal such data.
7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria for categories of recipients referred to in point (f) of paragraph 1, the requirements for the notice of potential access referred to in point (g) of paragraph 1, the criteria for the further information necessary referred to in point (h) of paragraph 1 for specific sectors and situations, and the conditions and appropriate safeguards for the exceptions laid down in point (b) of paragraph 5. In doing so, the Commission shall take the appropriate measures for micro, small and medium-sized- enterprises.
1. The data subject shall have the right to obtain from the controller at any time, on request, confirmation as to whether or not personal data relating to the data subject are being processed. Where such personal data are being processed, With the exception of data being used for historical, statistical or scientific research purposes the controller shall provide the following information: when person data are being processed:
(d) the estimated period for which the personal data will be stored;
(h) the significance and envisaged consequences of such processing, at least in the case of measures referred to in Article 20..
2a. The data subject shall have the right to obtain from the controller of the data source at any time, on request, confirmation as to whether or not personal data relating to the data subject are being processed to a research data base.
2a. There shall be no right of access in accordance with paragraphs 1 and 2 when data within the meaning of Article 14(5) (da) are concerned, except if the data subject is empowered to lift the secrecy in question and acts accordingly.
2b. Where a data controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, it is not obliged to comply with the request, unless: (a) the other individual has explicitly consented to the disclosure of the information to the person making the request; or (b) it is reasonable in all the circumstances to comply with the request without the consent of the other individual.
4. The Commission may specify suggest standard forms and specify procedures for requesting and granting access to the information referred to in paragraph 1, including for verification of the identity of the data subject and communicating the personal data to the data subject, taking into account the specific features and necessities of various sectors and data processing situations. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
Right to be forgotten and to erasureerasure
(a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; and are not required to pursue legal claims or when the legally mandatory minimum retention period has expired;
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or when the retention storage period consented to has expired, and where there is no other legal ground for the processing or storage of the data;
(ca) a court based in the Union has ruled as final and absolute that the data concerned must be erased;
1a. The controller shall take all reasonable steps to communicate any erasure to each legal entity to whom the data have been disclosed.
1b. The application of paragraph 1 shall be dependent upon the ability of the data controller to verify the identity of the data subject requesting the erasure.
2. Where the controller referred to in paragraph 1 has made the personal data public, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties legal entities to whom the original controller had authorised to further process personal data and which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of The controller will not be responsible for the personal data, the controller shall be considered responsible for that publication. that the data subject has made public.
3. The controller shall carry out the erasure without undue delay, except to the extent that the retention and dissemination of the personal data is necessary:
(b) for reasons of public interest in the area of public health and public health purposes in accordance with Article 81;
(ea) for prevention or detection of fraud, confirming identity, and/or determining creditworthiness, or ability to pay.
6a. Requests for the rectification, erasure or blocking of data shall not prejudice processing that is necessary to secure, protect and maintain the resiliency of one or more information systems. In addition, the right of rectification and/or erasure or personal data shall not apply to any personal data that is required to be maintained by legal obligation or to protect the rights of the controller, processor or third parties.
9. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying: (a) the criteria and requirements for the application of paragraph 1 for specific sectors and in specific data processing situations; (b) the conditions for deleting links, copies or replications of personal data from publicly available communication services as referred to in paragraph 2; (c) the criteria and conditions for restricting the processing of personal data referred to in paragraph 4.
Right to data portabilityobtain data
1. The 1. Where the data subject shall have the right, has provided the personal data and where personal data are processed by electronic means and in a structured and commonly used format, , the data subject shall have the right to obtain from the controller a copy of data undergoing processing the provided personal data in an electronic and structured format which is commonly used and allows for further use by the data subject., without hindrance from the controller from whom the personal data are withdrawn.
2. Where the data subject has provided the personal data and the processing is based on consent or on a contract, the data subject shall have the right to transmit those personal data and any other information provided by the data subject and retained by an automated processing system, into another one, in an electronic format which is commonly used, without hindrance from the controller from whom the personal data are withdrawn.
3. The Commission may specify the electronic format referred to in paragraph 1 and the technical standards, modalities and procedures for the transmission of personal data pursuant to paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).electronic format, related functionalities and procedures for the transmission of personal data pursuant to paragraph 2, shall be determined by the controller by reference to the most appropriate industry standards available or as defined by industry stakeholders or standardisation bodies. The Commission shall promote and assist industry, stakeholders and standardisation bodies in the mapping and adoption of technical standards, modalities and procedures for the transmission of personal data pursuant to paragraph 2.
1. The data subject shall have the right to object, on grounds relating to their particular situation, at any time to the processing of personal data which is based on points (d), (e) and (f) of Article 6(1), unless the controller demonstrates compelling legitimate grounds for the processing which override the interests or fundamental rights and freedoms of the data subject.).
3a. Where pseudonymous data is processed pursuant to Article 6 (1), the data subject shall have the right to object free of charge. This right shall be offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information.
1. Every natural persondata subject shall have the right to request not to be subject to a measure which produces legal effects concerning this natural person or significantly adversely affects this natural person,data subject and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to this natural person or to , analyse or predict in particular the natural personthe data subject's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.
1b. Is based on the legitimate interests pursued by the data controller.
2. Subject to the other provisions of this Regulation, a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing: (a) is carried out in the course of the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the right to obtain human intervention; or (b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests; or (c) is based on the data subject's consent, subject to the conditions laid down in Article 7 and to suitable safeguards.
3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not be based solely on the special categories of personal data referred to in Article 9.
4. In the cases referred to in paragraph 2, the information to be provided by the controller under Article 14 shall include information as to the existence of processing for a measure of the kind referred to in paragraph 1 and the envisaged effects of such processing on the data subject.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for suitable measures to safeguard the data subject's legitimate interests referred to in paragraph 2.
1a. Parties on the labour market may restrict by way of a legislative measure the scope of the obligations and rights provided for in points (a) to (e) of Article 5 and Articles 11 to 20 and Article 32, when such a restriction have been agreed by national collective agreements to constitutes a necessary and proportionate measure.
(c) other public interests of the Union or of a Member State, in particularsuch as an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters and the protection of market stability and integrity;
2. In particular, any legislative measure referred to in paragraph 1 shall comply with the standards of necessity and proportionality in accordance with Article 1 and shall contain specific provisions at least as to the objectivespurposes to be pursued by the processing and the determination of the controller.
1. The controller shall adopt policies and implement appropriate measures to ensure and be able to demonstrate 1. Having regard to the state of the art, the nature of personal data processing and the type of the organization, both at the time of the determination of the means for processing and at the time of the processing itself, appropriate and demonstrable technical and organizational measures should be implemented in such a way that the processing of personal data is performed in compliance with this Regulation.will meet the requirements of this Regulation and ensures the protection of the rights of the data subject by design.
1a. Upon request by the competent data protection authority, the controller or processor shall demonstrate the existence of technical and organizational measures.
1b. A group of undertakings may apply joint technical and organizational measures to meet its obligations arising from the Regulation.
1c. This article does not apply to a natural person processing personal data without commercial interest.
2. The measures provided for in paragraph 1 shall in particular include:2. Such measures include, without limitation:
(a) keeping the documentation pursuant to Article 28;(a) independent management oversight of processing of personal data to ensure the existence and effectiveness of the technical and organizational measures;
  Comment: Intention unclear. Discuss this Rating
(b) implementing the data security requirements laid down in Article 30;a control management system, including the assignment of responsibilities, training of staff and adequate instructions;
  Comment: Intention unclear. Discuss this Rating
(c) performing a data protection impact assessment pursuant to Article 33;(c) existence of proper policies, instructions or other guidelines to guide data processing needed to comply with the Regulation as well as procedures and enforcement to make such guidelines effective;
  Comment: Intention unclear. Discuss this Rating
(d) complying with the requirements for prior authorisation or prior consultation of the supervisory authority pursuant to Article 34(1) and (2);(d) existence of proper planning procedures to ensure compliance and to address potentially risky processing of personal data prior to the commencement of the processing;
  Comment: Intention unclear. Discuss this Rating
(e) designating a data protection officer pursuant to Article 35(1).(e) the existence of appropriate documentation of data processing to enable compliance with the obligations arising from the Regulation;
(ea) the existence of adequately skilled data protection organization or data protection officer supported with adequate resources to oversee implementation of measures defined in this article and to monitor compliance with this Regulation, having particular regard to ensuring organizational independence of such data protection officer or organisation to prevent inappropriate conflicts of interest. Such a function may be fulfilled by way of a service contract;
(eb) the existence of proper awareness and training of the staff participating in data processing and decisions thereto of the obligations arising from this Regulation.
3. The controller shall implement mechanisms to ensure the verification of the effectiveness of the measures referred to in paragraphs 1 and 2. If proportionate, this verification shallmay be carried out by independent internal or external auditors.
4. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of specifying any further criteria and requirements for appropriate measures referred to in paragraph 1 other than those already referred to in paragraph 2, the conditions for the verification and auditing mechanisms referred to in paragraph 3 and as regards the criteria for proportionality under paragraph 3, and considering specific measures for micro, small and medium-sized-enterprises.
1. Having regard to the state of the art and , the cost of implementation and international best practices, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
  Comment: Intention unclear. Discuss this Rating
2. The controller shall implement mechanisms for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals.2. Such measures and procedures shall: (a) take due account of existing technical standards and regulations in the area of public safety and security; (b) follow the principle of technology, service and business model neutrality; (c) be based on global industry-led efforts and standards; (d) take due account of international developments.
2a. In implementing the provisions of this Regulation, it shall be ensured that no mandatory requirements for specific technical features are imposed on products and services, including terminal or other electronic communications equipment, which could impede the placing of equipment on the market and the free circulation of such equipment in and between Member States.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of specifying any further criteria and requirements for appropriate measures and mechanisms referred to in paragraph 1 and 2, in particular for data protection by design requirements applicable across sectors, products and services.
4. The Commission may lay down technical standards for the requirements laid down in paragraph 1 and 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
Where a controller determines the purposes, conditions and means of the processing of personal data jointly with others, the joint controllers shall determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the procedures and mechanisms for exercising the rights of the data subject, by means of an arrangement between them. The arrangement shall duly reflect the joint controllers' respective effective roles and relationships vis-à-vis data subjects.
3. The representative shall be established in one of those Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, reside.reside.
1. Where a processing operation is to be carried out on behalf of a controller and involves the processing of data that would permit the processor to reasonably identify the data subject, the controller shall choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organizational measures governing the processing to be carried out and shall ensure compliance with those measures.
2. The carrying out of processing by a processor shall be governed by a contract or other legal act binding the processor to the controller and stipulating in particular that the processor shall:. The controller and the processor shall be free to determine respective roles and responsibilities with respect to the requirements of this Regulation, and shall provide for the following:
(a) (a) the processor shall act only on instructions from the controller, in particular, where the transfer of the personal data used is prohibited;
(b) employ only staff who have committed themselves to confidentiality or are under a statutory obligation of confidentiality;
(d) enlist another processor only with the prior permission of the controller;
(e) insofar as this is possible given the nature of the processing, create in agreement with the controller the necessary and the processor's ability to assist with reasonable effort, an agreement as to the appropriate and relevant technical and organisational requirements for the fulfilmentwhich support the ability of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;
(f) assist the controller in ensuring compliance (f) insofar as this is possible given the nature of processing, the information available to the processor and his ability to assist with reasonable effort, an agreement on how compliance will be ensured with the obligations pursuant to Articles 30 to 34;
(g) hand over all results to the controller after the end of the processing and , not process the personal data otherwise; and delete existing copies without prejudice to Union or Member State laws;
(h) make available to the controller and the supervisory authority all information necessary to control compliance with the obligations laid down in this Article.
3. The controller and the processor shall document in writing the controller's instructions and the processor's obligations referred to in paragraph 2.
4. If a processor processes personal data other than as instructed by the controller, the processor shall be considered to be a controller in respect of that processing and shall be subject to the rules on joint controllers laid down in Article 24.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the responsibilities, duties and tasks in relation to a processor in line with paragraph 1, and conditions which allow facilitating the processing of personal data within a group of undertakings, in particular for the purposes of control and reporting.
1. Each controller and processor and, if any, the controller's representative, shall maintain documentation of all processing operations under its responsibility.
1a. The obligation made to the controller shall not apply to SMEs processing data only as an activity ancillary to the sale of goods or services. Ancillary activity should be defined as business or non- trade activity that is not associated with the core activities of a firm. In relation to data protection, data processing activities which do not represent more than 50% of company's turnover shall be considered ancillary.
(c) the purposes of the processing, including the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);
(d) a description of categories of data subjects and of the categories of personal data relating to them;
(e) the recipients or categories of recipients of the personal data, including the controllers to whom personal data are disclosed for the legitimate interest pursued by them;
(f) where applicable, transfers of data to a third country or an international organisation, including the identification of that third country or international organisation and, in case of transfers referred to in point (h) of Article 44(1), the documentation of appropriate safeguards;
(g) a general indication of the time limits for erasure of the different categories of data;
(h) the description of the mechanisms referred to in Article 22(3).
3. The controller and the processor and, if any, the controller's representative, shall make the documentation available, on request, to the supervisory authority.
4. The obligations referred to in paragraphs 1 and 2 shall not apply to the following controllers and processors::
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the documentation referred to in paragraph 1, to take account of in particular the responsibilities of the controller and the processor and, if any, the controller's representative.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the documentation referred to in paragraph 1, to take account of in particular the responsibilities of the controller and the processor and, if any, the controller's representative.
1. The controller and the processor and, if any, the representative of the controller, shall co-operate, on request, with the supervisory authority in the performance of its duties, in particular by providing the information referred to in point (a) of Article 53(2) and by granting access as provided in point (b) of that paragraph. The controller and the processor and, if any, the representative of the controller, shall make the documentation available, on the basis of a request outlining the reasons for requiring access to the documents, to the supervisory authority.
1. The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation.
2a. The legal obligations, as referred to in paragraphs 1 and 2, which would require processing of personal data to the extent strictly necessary for the purposes of ensuring network and information security, constitute a legitimate interest pursued by, or on behalf of a data controller or processor.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the technical and organisational measures referred to in paragraphs 1 and 2, including the determinations of what constitutes the state of the art, for specific sectors and in specific data processing situations, in particular taking account of developments in technology and solutions for privacy by design and data protection by default, unless paragraph 4 applies.
4. The Commission may adopt, where necessary, implementing acts for specifying the requirements laid down in paragraphs 1 and 2 to various situations, in particular to: (a) prevent any unauthorised access to personal data; (b) prevent any unauthorised disclosure, reading, copying, modification, erasure or removal of personal data; (c) ensure the verification of the lawfulness of processing operations. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify when the breach is likely to adversely affect the protection of the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.or the privacy of the data subject, the controller shall without undue delay notify the personal data breach to the supervisory authority.
2. Pursuant to point (f) of Article 26(2), the processor shall alert and inform the controller immediately without undue delay after the establishmentidentification of a personal data breach. that is likely to produce adverse legal effects to the protection of the personal data or the privacy of the data subject.
(e) describe the measures proposed or taken by the controller to address the personal data breach. and/or mitigate its effects.
4. The controller shall document any personal data breaches, comprising the facts surrounding the breach, its effects and the remedial action taken. This documentation must be sufficient to enable the supervisory authority to verify compliance with this Article. The documentation shall only include the information necessary for that purpose.
6. The Commission may lay down the standard format of such notification to the supervisory authority, and the procedures applicable to the notification requirement and the form and the modalities for the documentation referred to in paragraph 4, including the time limits for erasure of the information contained therein. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).filing of reports.
Article 32a Communication of a personal data breach to other organisations A controller that communicates a personal data breach to a data subject pursuant to Article 32 may notify another organisation, a government institution or a part of a government institution of the personal data breach if that organisation, government institution or part may be able to reduce the risk of the harm that could result from it or mitigate that harm. Such notifications can be done without informing the data subject if the disclosure is made solely for the purposes of reducing the risk of the harm to the data subject that could result from the breach or mitigating that harm.
1. Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller or the processor acting on the controller's behalf shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment shall be sufficient to address a set of processing operations that present similar risks.
1a. SMEs shall only be required to perform an impact assessment after their 3rd year of incorporation if data processing is deemed as a core activity of their business. That is, where sale or revenue from processing makes up for 50% of the SMEs revenue.
(a) a systematic and extensive evaluation of personal aspects relating to a natural person or for analysing or predicting in particular the natural person's economic situation, location, health, personal preferences, reliability or behaviour, which is based on automated processing and on which measures are based that produce adverse legal effects concerning the individual or significantly affect the individual;to the privacy of the data subject;
(b) information on sex life, health, political opinions, religious beliefs, criminal convictions, race and ethnic origin or for the provision of health care, epidemiological researches, or surveys of mental or infectious diseases, where the data are processed for taking measures or decisions regarding specific individuals on a large scale;
4. The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations.
4. The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations.
6. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the processing operations likely to present specific risks referred to in paragraphs 1 and 2 and the requirements for the assessment referred to in paragraph 3, including conditions for scalability, verification and auditability. In doing so, the Commission shall consider specific measures for micro, small and medium- sized enterprises.
7. The Commission may specify standards and procedures for carrying out and verifying and auditing the assessment referred to in paragraph 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
Prior authorisation and prior consultationPrior consultation
1. The controller or the processor as the case may be shall obtain an authorisation from the supervisory authority prior to the processing of personal data, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where a controller or processor adopts contractual clauses as provided for in point (d) of Article 42(2) or does not provide for the appropriate safeguards in a legally binding instrument as referred to in Article 42(5) for the transfer of personal data to a third country or an international organisation.
2. The controller or processor acting on the controller's behalf shallmay consult the supervisory authority prior to the processing of personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where:
(ba) a controller adopts contractual clauses as provided for in point (d) of Article 42(2) or does not provide for the appropriate safeguards in a legally binding instrument as referred to in Article 42(5) for the transfer of personal data to a third country or an international organisation.
3. Where the competent supervisory authority is of the opinion determines in accordance with its power that the intended processing does not comply with this Regulation, in particular where risks are insufficiently identified or mitigated, it shall prohibit the intended processing and make appropriate proposals to remedy such incompliance. Such a decision shall be subject to appeal in a competent court and it may not be enforceable while being appealed unless the processing results to immediate serious harm suffered by data subjects.
4. The supervisory authority shall establish and make public a list of the processing operations which are subject to prior consultation pursuant to point (b) of paragraph 2. The supervisory authority shall communicate those lists to the European Data Protection Board.
6. The controller or processor shall provide the supervisory authority , on request, with the data protection impact assessment provided for in pursuant to Article 33 and, on request, with any other information to allow the supervisory authority to make an assessment of the compliance of the processing and in particular of the risks for the protection of personal data of the data subject and of the related safeguards.
8. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for determining the high degree of specific risk referred to in point (a) of paragraph 2.
9. The Commission may set out standard forms and procedures for prior authorisations and consultations referred to in paragraphs 1 and paragraph 2, and standard forms and procedures for informing the supervisory authorities pursuant to paragraph 6. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
1. The controller and the processor shall designate a data protection organisation or data protection officer in any case where:
(c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects. Core activities should be defined as activities where 50% of the annual turnover resulting from the sale of data or revenue is gained from this data. In relation to data protection, data processing activities which do not represent more than 50% of company's turnover shall be considered ancillary.
2. In the case referred to in point (b) of paragraph 1, a 2. A group of undertakings may appoint a single data protection officer.organisation or data protection officer.
3. Where the controller or the processor is a public authority or body, the data protection organisation or data protection officer may be designated for several of its entities, taking account of the organisational structure of the public authority or body.
6. The controller or the processor shall ensure that any other professional duties of the data protection organisation or data protection officer are compatible with the person's tasks and duties as data protection officer and do not result in a conflict of interests.
7. The controller or the processor shall designate a data protection officer for a period of at least two years. The data protection officer may be reappointed for further terms. During their term of office, the data protection officer may only be dismissed, if the data protection officer no longer fulfils the conditions required for the performance of their duties.
10. Data subjects shall have the right to contact the data protection organisation or data protection officer on all issues related to the processing of the data subject's data and to request exercising the rights under this Regulation.
11. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the core activities of the controller or the processor referred to in point (c) of paragraph 1 and the criteria for the professional qualities of the data protection officer referred to in paragraph 5.
1. The controller or the processor shall ensure that the data protection organisation or data protection officer is properly and in a timely manner involved in all issues which relate to the protection of personal data.
2. The controller or processor shall ensure that the data protection organisation or data protection officer performs the duties and shall perform his or her tasks independently and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the executive management of the controller or the processor.
3. The controller or the processor shall support the data protection organisation or data protection officer in performing the tasks and shall provide staff, premises, equipment and any other resources necessary to carry out the duties and tasks referred to in Article 37.
1. The controller or the processor shall entrust the data protection organisation or the data protection officer at least with the following tasks:
(c) to monitor the implementation and application of this Regulation, in particular as to the requirements related to data protection by design, data protection by default and data security and to the information of data subjects and their requests in exercising their rights under this Regulation;compliance with the Regulation;
(f) to monitor the performance of the data protection impact assessment by the controller or processor and the application for prior authorisation or prior consultation, if required pursuant Articles 33 and 34;
2. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for tasks, certification, status, powers and resources of the data protection officer referred to in paragraph 1.
2. Associations and other bodies representing categories of controllers or processors in one Member State which intend to draw up codes of conduct or to amend or extend existing codes of conduct may submit them to an opinion of the supervisory authority in that Member State. The supervisory authority may shall without undue delay give an opinion whether the draft code of conduct or the amendment is in compliance with this Regulation. The supervisory authority shall seek the views of data subjects or their representatives on these drafts.
1. The Member States and the Commission shall work with controllers, processors and other stakeholders to encourage, in particular at European level, the establishment of data protection certification mechanisms and of data protection seals and marks, allowing data subjects to quickly assess the level of data protection provided by controllers and processors. The data protection certifications mechanisms shall contribute to the proper application of this Regulation, taking account of the specific features of the various sectors and different processing operations.
1a. The data protection certifications mechanisms shall be voluntary, affordable, and available via a process that is transparent and not unduly burdensome. These mechanisms shall also be technology neutral and capable of global application and shall contribute to the proper application of this Regulation, taking account of the specific features of the various sectors and different processing operations.
2. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the data protection certification mechanisms referred to in paragraph 1, including conditions for granting and withdrawal, and requirements for recognition within the Union and in third countries., provided such measures are technology neutral.
3. The Commission may lay down technical standards for certification mechanisms and data protection seals and marks and mechanisms to promote and recognize certification mechanisms and data protection seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).
7. The Commission shall publish in the Official Journal of the European Union and on its website a list of those third countries, territories and processing sectors within a third country and international organisations where it has decided that an adequate level of protection is or is not ensured.
1. Where the Commission has taken no decision pursuant to Article 41, a or decides that a third country, or a territory or a processing sector within that third country, or an international organisation does not ensure an adequate level of protection in accordance with Article 41(5), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument.
(da) contractual clauses between the controller or processor and the recipient of the data that supplement standard data protection clauses as referred to in points (b) and (c) of paragraph 2 of this Article, and are authorised by the competent supervisory authority in accordance with paragraph 4;
(db) for historical, statistical or scientific purposes, the measures referred to in Article 83(4).
3. A transfer based on standard data protection clauses or binding corporate rules as referred to in points (a), (b), (c) or (ce) of paragraph 2 shall not require any further authorisation.
4. Where a transfer is based on contractual clauses as referred to in point (d) of paragraph 2 of this Article the controller or processor shall obtain prior authorisation of the contractual clauses according to point (a) of Article 34(1) from the competent supervisory authority. If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the competent supervisory authority shall apply the consistency mechanism referred to in Article 57.
4a. A controller or processor may choose to base transfers on standard data protection clauses as referred to in points (b) and (c) of paragraph 2 of this Article, and to offer in addition to these standard clauses supplemental, legally binding commitments that apply to transferred data. In such cases, these additional commitments shall be subject to prior consultation with the competent supervisory authority and shall supplement and not contradict, directly or indirectly, the standard clauses. Member States, supervisory authorities and the Commission shall encourage the use of supplemental and legally binding commitments by offering a data protection seal, mark or mechanism, adopted pursuant to Article 39, to controllers and processors who adopt these heightened safeguards.
1. A supervisory authority shall in accordance with the consistency mechanism set out in Article 58 approve binding corporate rulesauthorise through a single act of approval binding corporate rules for a group of undertakings, provided that they:
(a) are legally binding and apply to and are enforced by every member within the controller's or processor's group of undertakings and their external subcontractors, and include their employees;
(a) the structure and contact details of the group of undertakings and its members; and their external subcontractors;
1. In the absence of an adequacy decision pursuant to Article 41 or of ; or where the Commission decides that a third country, or a territory or a processing sector within that third country, or an international organisation does not ensure an adequate level of protection in accordance with Article 41(5); or in the absence of appropriate safeguards pursuant to Article 42, a transfer or a set of transfers of personal data to a third country or an international organisation may take place only on condition that:
5. The public interest referred to in point (d) of paragraph 1 must be recognised in international conventions, in Union law or in the law of the Member State to which the controller is subject.
1a. Insofar as competent professional supervisory bodies for persons subject to legal professional privilege or professional secrecy exist at the time of the entry into force of the present Regulation, these bodies may establish the supervisory authority in respect of data processing by those over whom they exercise professional supervision.
2. Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union, and the controller or processor is established in more than one Regulation applies by virtue of Article 3(1), the competent supervisory authority will be the supervisory authority of the Member State, the supervisory authority of or territory where the main establishment of the controller or processor shall be competent for the supervision of the processing activities of the controller or the processor in all Member States, subject to the Regulation is established. Disputes should be decided upon in accordance with the consistency mechanism set out in Article 58, and this without prejudice to the other provisions of Chapter VII of this Regulation.
2a. Where the Regulation applies by virtue of Article 3(2), the competent supervisory authority will be the supervisory authority of the Member State or territory where the controller has designated a representative in the Union pursuant to Article 25.
2b. Where the Regulation applies to several controllers or/and processors within the same group of undertakings by virtue of Article 3(1) and (2), only one supervisory authority will be competent and it will be determined in accordance with Article 51(2).
3. The competent supervisory authority shall, upon request, advise any data subject in exercising the rights under this Regulation and, if appropriate, co-operate with the supervisory authorities in other Member States to this end.
1. Each 1. The competent supervisory authority shall have the power:
Each The competent supervisory authority shall have the investigative power to obtain from the controller or the processor:
3. Each 3. The competent supervisory authority shall have the power to bring violations of this Regulation to the attention of the judicial authorities and to engage in legal proceedings, in particular pursuant to Article 74(4) and Article 75(2).
4. Each 4. The competent supervisory authority shall have the power to sanction administrative offences, in particular those referred to in Article 79(4), (5) and (6).
1. Supervisory authorities shall provide each other relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner, and shall put in place measures for effective co- operation with one another. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorisations and consultations, inspections and prompt information on the opening of cases and ensuing developments where data subjects in several Member States are likely to be affected by processing operations.cause legal effects to the detriment of the data subjects.
2. Each supervisory authority shall take all appropriate measures required to reply to the request of another supervisory authority without delay and no later than one month after having received the request. Such measures may include, in particular, the transmission of relevant information on the course of an investigation or enforcement measures to bring about the cessation or prohibition of processing operations that have been proven contrary to this Regulation.
1. Before a the competent supervisory authority adopts a measure referred to in paragraph 2, this competent supervisory authority shall communicate the draft measure to the European Data Protection Board and the Commission.
4. In order to ensure correct and consistent application of this Regulation, the Commission may request , acting on its own behalf, and shall at the request of a stakeholder, request that any matter shall be dealt with in the consistency mechanism.
8. The competent supervisory authority referred to in paragraph 1 and the supervisory authority competent under Article 51 shall take account of the opinion of the European Data Protection Board and shall within two weeks after the information on the opinion by the chair of the European Data Protection Board, electronically communicate to the chair of the European Data Protection Board and to the Commission whether it maintains or amends its draft measure and, if any, the amended draft measure, using a standardised format.
4. Where the supervisory authority concerned intends not to follow the opinion of the Commission, it shall inform the Commission and the European Data Protection Board thereof within the period referred to in paragraph 1 and provide a justification. In this case the draft measure shall not be adopted for one further month.
1. In exceptional circumstances, where a supervisory authority considers that there is an urgent need to act in order to protect the interests of data subjects, in particular a data subject within their competent supervisory, when the danger exists that the enforcement of a right of a data subject could be considerably impeded by means of an alteration of the existing state or for averting major disadvantages or for other reasonstrough a clear data breach or an unjustified inaction by the competent supervisory authority, by way of derogation from the procedure referred to in Article 58, it may immediately adopt provisional measures with a specified period of validity. The supervisory authority shall, without delay, communicate those measures, with full reasons, to the competent supervisory authority, the European Data Protection Board , the Commission and to the Commission.controller or processor.
1. In exceptional circumstances, where a supervisory authority considers that there is an urgent need to act in order to protect the interests of data subjects, in particular when the danger exists that the enforcement of a right of a data subject could be considerably impeded by means of an alteration of the existing state or for averting major disadvantages or for other reasons, by way of derogation from the procedure referred to in Article 58, it may immediately adopt provisional measures with a specified period of validity. The supervisory authority shall, without delay, communicate those measures, with full reasons, to the European Data Protection Board , the controller or processor concerned and to the Commission.
  Comment: No rights for data subjects. Discuss this Rating
2. Where a supervisory authority has taken a measure pursuant to paragraph 1 and considers that final measures need urgently be adopted, it mayit shall request an urgent opinion of the European Data Protection Board, giving reasons for requesting such opinionthe claim, including for the urgency of final measures.
1. The European Data Protection Board shall ensure the consistent application of this Regulation. To this effect, the European Data Protection Board shall, on its own initiative or , at the request of the Commission or other stakeholders, in particular:
(b) examine, on its own initiative or on request of one of its members or on request of the Commission, , the Commission or other stakeholders any question covering the application of this Regulation and issue guidelines, recommendations and best practices addressed to the supervisory authorities in order to encourage consistent application of this Regulation;
4a. Where appropriate, the European Data Protection Board shall, in its execution of the tasks as outlined in this Article, consult interested parties and give them the opportunity to comment within a reasonable period. The European Data Protection Board shall, without prejudice to Article 72, make the results of the consultation procedure publicly available.
1. Any person who has suffered damage as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered.
2. Where more than one controller or processor is involved in the processing, each controller or processor shall be jointly and severally liable for the entire amount of the damage., to the extent that liability has not been already established in the determination of responsibilities as referred to in Article 24.
3. The controller or the processor may be exempted from this liabilitythe liability under paragraph 2, in whole or in part, if the controller or the processor proves that they are not respective controller proves not to be responsible for the event giving rise to the damage.
1. Each 1. The competent supervisory authority shall be empowered to impose administrative sanctions in accordance with this Article.
2. The administrative sanction shall be in each individual case effective, proportionate and dissuasive. The amount of the administrative fine shall be fixed with due regard to the nature, gravity and duration of the breach, the sensitivity of the personal data at issue, the intentional or negligent character of the infringement, the degree of harm or risk of significant harm created by the violation, the degree of responsibility of the natural or legal person and of previous breaches by this person, the technical and organisational measures and procedures implemented pursuant to Article 23 and the degree of co-operation with the supervisory authority in order to remedy the breach. While some discretion is granted in the imposition of such sanctions to take into account the circumstances outlined above and other facts specific to the situation, divergences in the application of administrative sanctions may be subject to review pursuant to the consistency mechanism.
3. In case of a first and non-intentional non-compliance with this Regulation, a warning in writing may be given and no sanction imposed, where: (a) a natural person is processing personal data without a commercial interest; or (b) an enterprise or an organisation employing fewer than 250 persons is processing personal data only as an activity ancillary to its main activities.. The competent supervisory authority may impose a fine, in accordance with the amount of harm caused, up to EUR 1 000 000 for repeated, intentional breaches or, in the case of a company, of up to 1% of its annual worldwide turnover.
4. The supervisory authority shall impose a fine up to 250 000 EUR, or in case of an enterprise up to 0,5 % of its annual worldwide turnover, to anyone who, intentionally or negligently: (a) does not provide the mechanisms for requests by data subjects or does not respond promptly or not in the required format to data subjects pursuant to Articles 12(1) and (2); (b) charges a fee for the information or for responses to the requests of data subjects in violation of Article 12(4).
5. The supervisory authority shall impose a fine up to 500 000 EUR, or in case of an enterprise up to 1 % of its annual worldwide turnover, to anyone who, intentionally or negligently: (a) does not provide the information, or does provide incomplete information, or does not provide the information in a sufficiently transparent manner, to the data subject pursuant to Article 11, Article 12(3) and Article 14; (b) does not provide access for the data subject or does not rectify personal data pursuant to Articles 15 and 16 or does not communicate the relevant information to a recipient pursuant to Article 13; (c) does not comply with the right to be forgotten or to erasure, or fails to put mechanisms in place to ensure that the time limits are observed or does not take all necessary steps to inform third parties that a data subjects requests to erase any links to, or copy or replication of the personal data pursuant Article 17; (d) does not provide a copy of the personal data in electronic format or hinders the data subject to transmit the personal data to another application in violation of Article 18; (e) does not or not sufficiently determine the respective responsibilities with co- controllers pursuant to Article 24; (f) does not or not sufficiently maintain the documentation pursuant to Article 28, Article 31(4), and Article 44(3); (g) does not comply, in cases where special categories of data are not involved, pursuant to Articles 80, 82 and 83 with rules in relation to freedom of expression or with rules on the processing in the employment context or with the conditions for processing for historical, statistical and scientific research purposes.
6. The supervisory authority shall impose a fine up to 1 000 000 EUR or, in case of an enterprise up to 2 % of its annual worldwide turnover, to anyone who, intentionally or negligently: (a) processes personal data without any or sufficient legal basis for the processing or does not comply with the conditions for consent pursuant to Articles 6, 7 and 8; (b) processes special categories of data in violation of Articles 9 and 81; (c) does not comply with an objection or the requirement pursuant to Article 19; (d) does not comply with the conditions in relation to measures based on profiling pursuant to Article 20; (e) does not adopt internal policies or does not implement appropriate measures for ensuring and demonstrating compliance pursuant to Articles 22, 23 and 30; (f) does not designate a representative pursuant to Article 25; (g) processes or instructs the processing of personal data in violation of the obligations in relation to processing on behalf of a controller pursuant to Articles 26 and 27; (h) does not alert on or notify a personal data breach or does not timely or completely notify the data breach to the supervisory authority or to the data subject pursuant to Articles 31 and 32; (i) does not carry out a data protection impact assessment pursuant or processes personal data without prior authorisation or prior consultation of the supervisory authority pursuant to Articles 33 and 34; (j) does not designate a data protection officer or does not ensure the conditions for fulfilling the tasks pursuant to Articles 35, 36 and 37; (k) misuses a data protection seal or mark in the meaning of Article 39; (l) carries out or instructs a data transfer to a third country or an international organisation that is not allowed by an adequacy decision or by appropriate safeguards or by a derogation pursuant to Articles 40 to 44; (m) does not comply with an order or a temporary or definite ban on processing or the suspension of data flows by the supervisory authority pursuant to Article 53(1); (n) does not comply with the obligations to assist or respond or provide relevant information to, or access to premises by, the supervisory authority pursuant to Article 28(3), Article 29, Article 34(6) and Article 53(2); (o) does not comply with the rules for safeguarding professional secrecy pursuant to Article 84.
7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of updating the amounts of the administrative fines referred to in paragraphs 4, 5 and 6, taking into account the criteria referred to in paragraph 2.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying other reasons of public interest in the area of public health as referred to in point (b) of paragraph 1, as well as criteria and requirements for the safeguards for the processing of personal data for the purposes referred to in paragraph 1.
1. Within the limits of this Regulation, Member States or collective agreement among employers and employees may adopt by law specific rules regulating the processing of employees' personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, criminal conviction, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the safeguards for the processing of personal data for the purposes referred to in paragraph 1.
1. Within the limits of this Regulation, personal data may be processed for historical, statistical or scientific research purposes only if:
1a. Within the limits of this Regulation, especially this article, Member States may adopt specific regulations concerning the processing of personal data for scientific research purposes, in particular public health research.
1a. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible with Article 5(1)(b) provided that the processing: (a) is subject to the conditions and safeguards of this Article; and (b) complies with all other relevant legislation.
2a. A controller or processor may transfer personal data to a third country or an international organisation for historical, statistical or scientific purposes if: (a) these purposes cannot be otherwise fulfilled by processing data which does not permit or not any longer permit the identification of the data subject; (b) the recipient does not reasonably have access to data enabling the attribution of information to an identified or identifiable data subject; and (c) contractual clauses between the controller or processor and the recipient of the data prohibit re-identification of the data subject and limit processing in accordance with the conditions and safeguards laid down in this Article.
(ca) the personal data is processed for the purpose of generating aggregate data reports, wholly composed of either anonymous data, pseudonymous data or both.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the processing of personal data for the purposes referred to in paragraph 1 and 2 as well as any necessary limitations on the rights of information to and access by the data subject and detailing the conditions and safeguards for the rights of the data subject under these circumstances.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements , exempt technical requirements for the processing of personal data for the purposes referred to in paragraph 1 and 2 as well as any necessary limitations on the rights of information to and access by the data subject and detailing the conditions and safeguards for the rights of the data subject under these circumstances.
2. Article 1(2) ), Article 2(b) and (c), Article 4(3), (4) and (5) and Articles 6 and 9 of Directive 2002/58/EC shall be deleted.
  Comment: Intention unclear. Discuss this Rating