Germany EPP

Axel Voss

Country: Germany
Group: European People's Party (EPP)
Party: Christlich Demokratische Union Deutschlands (CDU)

Member of Civil Liberties, Justice and Home Affairs
Substitute of Petitions
Substitute of Legal Affairs

Overview Axel Voss

Amendments: 330
...stronger: 38
...weaker: 189
...neutral: 103

Amendments by Axel Voss

(15) This Regulation should not apply to processing of personal data by a natural person, which are exclusively personal or domestic, such as correspondence and the holding of addresses, and without any gainful interest and thus or a private sale and without any connection with a professional or commercial activity. The exemption should also not apply to controllers or processors which provide the means for processing personal data for such personal or domestic activities., irrespective of the number of persons the data are made available to.
(15a) This Regulation should not apply to processing personal data by small enterprises which are using personal data exclusively for its own business such as offers and invoices. If there is no risk for the processed personal data that no one else than the enterprise itself is handling the data there is no need for an additional protection than securing the data for access. This exemption should not apply for Articles 15, 16 and 17.
(23a) This regulation recognises that pseudonymisation is in the benefit of all data subjects as, by definition, personal data is altered so that it of itself cannot be attributed to a data subject without the use additional data. By this, controllers should be encouraged to the practice of pseudonymising data.
  Comment: Overall the concept of "pseudonymisation" leads to less rights for users, even though such data is still "personal data". Discuss this Rating
(24) When using online services, individuals may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses or cookie identifiers. This may leave traces which, combined with unique identifiers and other information received by the servers, may be used to create profiles of the individuals and identify them. It follows that a study should be undertaken, on a case-by-case basis and in accordance with technological developments, of whether identification numbers, location data, online identifiers or other specific factors as such need not necessarily be considered as personal data in all circumstances.
(25) Consent should be given explicitlyunambiguously by any appropriate method enabling a freely given specific and informed indication of the data subject’s wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data. Silence or inactivity should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject’s consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided. The information provided in order for children to express the consent should be given in a clear and age-appropriate language, in a way that it would be easy to understand for a child above the age of 13.
(25) Consent should be given explicitlyunambiguously by any appropriate method within the context of the product or the service being offered enabling a freely given specific and informed indication of the data subject’s wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data. Silence or inactivity should therefore not constitute consent. This nevertheless leaves the provisions of 2002/58/EC untouched which state that under certain circumstances consent can be expressed via appropriate settings in the user’s device. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject’s consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
(26) Personal data relating to health should include in particular all personal data pertaining to the health status of a data subject including genetic information; information about the registration of the individual for the provision of health services; information about payments or eligibility for healthcare with respect to the individual; a number, symbol or particular assigned to an individual to uniquely identify the individual for health purposes; any information about the individual collected in the course of the provision of health services to the individual; information personal data derived from the testing or examination of a body part or , bodily substance, including biological samples or biological sample; identification of a person as provider of healthcare to the individual; or any information on e.g. a disease, disability, disease risk, medical history, clinical treatment, or the actual physiological or biomedical state of the data subject independent of its source, such as e.g. from a physician or other health professional, a hospital, a medical device, or an in vitro diagnostic test.
(27) The (27) Where a controller or a processor has multiple establishments in the Union, including but not limited to cases where the controller or the processor is a group of undertakings, the main establishment of a controller in the Union for the purposes of this Regulation should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes, conditions and means of processing through stable arrangements. This criterion should not depend whether the processing of personal data is actually carried out at that location; the presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute such main establishment and are therefore nonot determining criteria for a main establishment. The main establishment of the processor should be the place of its central administration A group of undertakings may nominate a single main establishment in the Union.
  Comment: Allows "Forum Shopping" Discuss this Rating
(29) Children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data and they are also vulnerable consumers. To determine when an individual is a child, this Regulation should take over the definition laid down by the UN Convention on the Rights of the Child. In particular, child-friendly language should be used to ensure the right of consent for children above the age of 13.
(29) Children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data. To determine when Such protection is particularly important in the context of social networks. For the purpose of this regulation a child should be defined as an individual is under the age of 18. Where data processing is based on the data subject’s consent in relation to the offering of information society services directly to a child, this Regulation should take over the definition laid down by the UN Convention on the Rights of the Child.the regulation should differentiate between children above the age of 13 and children under the age of 13 who require a higher level of protection to the extent that consent is given or authorised by the child’s parent or custodian.
(31) In order for processing to be lawful, personal data should be processed on the basis of the consent of the person concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation. The allowance of a controller to process personal data should include the allowance to process personal data with other joint controllers and to allow personal data to be processed by a processor established in or outside the European Union.
(34) Consent should not provide a valid legal ground for the processing of personal data, where there is a clear imbalance between the data subject and the controller. This is especially the case where the data subject is in a situation of dependence from the controller, among others, where personal data are processed by the employer of employees’ personal data in the employment context. Where the controller is a public authority, there would be an imbalance only in the specific data processing operations where the public authority can impose an obligation by virtue of its relevant public powers and the consent cannot be deemed as freely given, taking into account the interest of the data subject.
(36) Where processing is carried out in compliance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority, the processing should have a legal basis in Union law, or in a Member State law which meets the requirements of the Charter of Fundamental Rights of the European Union for any limitation of the rights and freedoms. It is also for Union or national law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public administration or another natural or legal person governed by public law, or by private law such as a professional association. The data processing may also be performed on the basis of agreements under collective labour law. Agreements under collective labour law are agreements concluded between employers or their representatives and representatives of employees or between these parties and a State entity at national, sectoral or firm level.
(38) The legitimate interests of a controller or the third party to which the data have been transferred may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding. This would need careful assessment in particular where the data subject is a child, given that children deserve specific protection. The data subject should have the right to object the processing, on grounds relating to their particular situation and free of charge. To ensure transparency, the controller should be obliged to explicitly inform the data subject on the legitimate interests pursued and on the right to object, and also be obliged to document these legitimate interests. Given that it is for the legislator to provide by law the legal basis for public authorities to process data, this legal ground should not apply for the processing by public authorities in the performance of their tasks.
(38) The legitimate interests of a controller or the third party to which the data have been transferred may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding. This would need careful assessment in particular where the data subject is a child, given that children deserve specific protection. The data subject should have the right to object the processing, on grounds relating to their particular situation and free of charge. To ensure transparency, the controller should be obliged to explicitly inform the data subject on the legitimate interests pursued and on the right to object, and also be obliged to document these legitimate interests. Given that it is for the legislator to provide by law the legal basis for public authorities to process data, this legal ground should not apply for the processing by public authorities in the performance of their tasks.
(40) The processing of personal data for other purposes should be only allowed where the processing is compatible with those purposes for which the data have been initially collected, in particular where the processing is necessary for historical, statistical or scientific research purposes. Where the other purpose is not compatible with the initial one for which the data are collected, the controller should obtain the consent of the data subject for this other purpose or should base the processing on another legitimate ground for lawful processing, in particular where provided by Union law or the law of the Member State to which the controller is subject. In any case, the application of the principles set out by this Regulation and in particular the information of the data subject on those other purposes should be ensured..
(41) Personal data which are, by their nature, particularly sensitive and vulnerable in relation to fundamental rights or privacy, deserve specific protection. Such data should not be processed, unless the data subject gives his explicit consent. However, derogations from this prohibition should be explicitly provided for in respect of specific needs, in particular where the processing is carried out in the course of entering into or performance of a contract with the data subject or in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.
(51) Any person should have the right of access to data which has been collected concerning them, and to exercise this right easily, in order to be aware and verify the lawfulness of the processing. Every data subject should therefore have the right to know and obtain communication in particular for what purposes the data are processed, for what periodthe criteria which may be used to determine for how long the data will be stored for each purpose, which recipients receive the data, what is the logic of the data that are undergoing the processing and what might be, at least when based on profiling, the consequences of such processing. This right should not adversely affect the rights and freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of these considerations should not be that all information is refused to the data subject.
(53) Any person should have the right to have personal data concerning them rectified and a ‘the right to be forgotten’ have such personal data erased where the retention of such data is not in compliance with this Regulation. In particular, data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed, where data subjects have withdrawn their consent for processing or where they object to the processing of personal data concerning them or where the processing of their personal data otherwise does not comply with this Regulation. This right is particularly relevant, when the data subject has given their consent as a child, when not being fully aware of the risks involved by the processing, and later wants to remove such personal data especially on the Internet. However, the further retention of the data should be allowed where it is necessary for historical, statistical and scientific research purposes, for reasons of public interest in the area of public healthhealth purposes in accordance with Article 81, for exercising the right of freedom of expression, when required by law or where there is a reason to restrict the processing of the data instead of erasing them. Also, the right to erasure should not apply when the retention of personal data is necessary for the performance of a contract with the data subject, or when there is a regulatory requirement to retain this data, or for the prevention of financial crime.
(53) Any person should have the right to have personal data concerning them rectified and a ‘the right to be forgotten’ have such personal data erased where the retention of such data is not in compliance with this Regulation. In particular, data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed, where data subjects have withdrawn their consent for processing or where they object to the processing of personal data concerning them or where the processing of their personal data otherwise does not comply with this Regulation. This right is particularly relevant, when the data subject has given their consent as a child, when not being fully aware of the risks involved by the processing, and later wants to remove such personal data especially on the Internet. However, the further retention of the data should be allowed where it is necessary for historical, statistical and scientific research purposes, for reasons of public interest in the area of public healthhealth purposes in accordance with Article 81, for exercising the right of freedom of expression, when required by law or where there is a reason to restrict the processing of the data instead of erasing them. Also, the right to erasure should not apply when the retention of personal data is necessary for the performance of a contract with the data subject, or when there is a regulatory requirement to retain this data, or for the prevention of financial crime.
(53a) A data subject should always have the option to give broad consent for his or her data to be used for historical, statistical or scientific research purposes, and to withdraw consent at any time.
(58) Every natural and legal person should have the right not to be subject to a measure which is based on profiling by means of automated processing. However, such measure and which produces legal effects concerning that natural or legal person or significantly affects that natural or legal person. Actual effects should be comparable in their intensity to legal effects to fall under this provision. This is not the case for measures relating to commercial communication, like for example in the field of customer relationship management or customer acquisition. However, a measure based on profiling by automated data processing and which produces legal effects concerning a natural or legal person or significantly affects a natural person should be allowed when expressly authorised by law, carried out in the course of entering or performance of a contract, or when the data subject has given his consent. In any case, such processing should be subject to suitable safeguards, including specific information of the data subject and the right to obtain human intervention and that such measure should not concern a child.
(58) Every natural and legal person should have the right not to be subject to a measure which is based on profiling by means of automated processing. However, such measure and which produces legal effects concerning that natural or legal person or significantly affects that natural or legal person. Actual effects should be comparable in their intensity to legal effects to fall under this provision. This is not the case for measures relating to commercial communication, like for example in the field of customer relationship management or customer acquisition. However, a measure based on profiling by automated data processing and which produces legal effects concerning a natural or legal person or significantly affects a natural person should be allowed when expressly authorised by law, carried out in the course of entering or performance of a contract, or when the data subject has given his consent. In any case, such processing should be subject to suitable safeguards, including specific information of the data subject and the right to obtain human intervention and that such measure should not concern a child.
(62) The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processor, also in relation to the monitoring by and measures of supervisory authorities, requires a clear attribution of the responsibilities under this Regulation, including where a controller determines the purposes, conditions and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller.
(62a) Exchanges of data between the entity responsible and a party processing data under contract do not constitute communication of data which is subject to the further preconditions for admissibility laid down in the regulation. The joint responsibility arising from a contractual agreement and the uniform level of protection created thereby guarantees careful treatment of personal data. Entities responsible and parties processing data under contract should therefore not be regarded as recipients.
(65) In order to demonstrate compliance with this Regulation, the controller or processor should document each processing operation under its responsibility. Each controller and processor should be obliged to co-operate with the supervisory authority and make this documentation, on request, available to it, so that it might serve for monitoring those processing operations.
(67) A personal data breach may, if not addressed in an adequate and timely manner, result in substantial economic loss and social harm, including identity fraud, to the individual concerned. Therefore, as soon as the controller becomes aware that such a breach has occurred, the controller should notify the breach to the supervisory authority without undue delay and, where feasible, within 24 hours. Where this cannot achieved within 24 hoursa reasonable time period, an explanation of the reasons for the delay should accompany the notification. The individuals whose personal data could be adversely affected by the breach should be notified without undue delay in order to allow them to take the necessary precautions. A breach should be considered as adversely affecting the personal data or privacy of a data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation. The notification should describe the nature of the personal data breach as well as recommendations as well as recommendations for the individual concerned to mitigate potential adverse effects. Notifications to data subjects should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities (e.g. law enforcement authorities). For example, the chance for data subjects to mitigate an immediate risk of harm would call for a prompt notification of data subjects whereas the need to implement appropriate measures against continuing or similar data breaches may justify a longer delay.
(74a) The data protection organisation or the data protection officer monitors the processing of personal data by the controller and the processor in order to advise the controller and the processor on compliance with this Regulation; he or she thereby should assist in ensuring that the rights and freedoms of the data subjects are unlikely to be adversely affected by the processing operations.
(74b) Data protection organisations or data protection officers act independently, which means that they do not receive instructions as regards the exercise of their function as authority assigned for data protection. The data protection organisation or the data protection officer should directly report to the management of the controller or the processor.
(77) In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms, data protection seals and marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services. After a certification procedure certified enterprises would be classified in having sufficient data protection guarantees installed for appropriate technical security and organisational measures and procedures regarding the requirements of this Regulation to ensure the protection of the right of the data subject.
(87) These derogations should in particular apply to data transfers required and necessary for the protection of important grounds of public interest, for example in cases which should include international data transfers on the basis of international data transfers between agreements or arrangements to third country authorities for example such as competition authorities, tax or customs administrations, financial supervisory authorities, between services competent for social security matters, between bodies responsible for fighting fraud in sports, or to competent authorities for the prevention, investigation, detection and prosecution of criminal offences. Transferring personal data for such important grounds of public interest should only be used for occasional transfers. In each and every case, a careful assessment of all circumstances of the transfer should be to be carried out.
(112) Any body, organisation or association which aims to protects the rights and interests of data subjects in relation to the protection of their data and is constituted according to the law of a Member State should have the right to lodge a complaint with a supervisory authority or exercise the right to a judicial remedy on behalf of data subjects, or to lodge, independently of a data subject’s complaint, an own complaint where it considers that a personal data breach has occurred.
(114) In order to strengthen the judicial protection of the data subject in situations where the competent supervisory authority is established in another Member State than the one where the data subject is residing, the data subject may request any body, organisation or association aiming to protect the rights and interests of data subjects in relation to the protection of their data to bring on the data subject’s behalf proceedings against that supervisory authority to the competent court in the other Member State.
(118) Any damage which a person may suffer as a result of unlawful processing should be compensated by the controller or processor, who may be exempted from liability if they prove that they are not responsible for the damage, in particular where he establishes fault on the part of the data subject or in case of force majeure.
(121) The processing of personal data solely for journalistic purposes, or for the purposes of artistic or literary expression should qualify for exemption from the requirements of certain provisions of this Regulation in order to reconcile the right to the protection of personal data with the right to freedom of expression, and notably the right to receive and impart information, as guaranteed in particular by Article 11 of the Charter of Fundamental Rights of the European Union. This should apply in particular to processing of personal data in the audiovisual field and in news archives and press libraries. Therefore, Member States should adopt legislative measures, which should lay down exemptions and derogations which are necessary for the purpose of balancing these fundamental rights. Such exemptions and derogations should be adopted by the Member States on general principles, on the rights of the data subject, on controller and processor, on the transfer of data to third countries or international organisations, on the independent supervisory authorities and on co-operation and consistency. This should not, however, lead Member States to lay down exemptions from the other provisions of this Regulation. In order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary to interpret notions relating to that freedom, such as journalism, broadly. Therefore, Member States should classify activities as ‘journalistic’ for the purpose of the exemptions and derogations to be laid down under this Regulation if the object of these activities is the disclosure to the public of information, opinions or ideas, irrespective of the medium which is used to transmit them. They should not be limited to media undertakings and may be undertaken for profit-making or for non- profit making purposes.
(123a) The processing of personal data concerning health, as a special category of data, may be necessary for reasons of historical, statistical or scientific research. Therefore this Regulation should ensure that the harmonisation of conditions provided for the processing of personal data concerning health, subject to specific and suitable safeguards so as to protect the fundamental rights and the personal data of individuals, do not act as a barrier to translational, clinical and public health research.
(124) The general principles on the protection of individuals with regard to the processing of personal data should also be applicable to the employment context. Therefore, in order to regulate the processing of employees' personal data in the employment context, Member States should be able, within the limits of this Regulation, to adopt by law specific rules for the processing of personal data in the employment sector. By virtue of collective agreements (wage agreements, company agreements and agreements with committees of senior staff), the provisions of the regulation may be disregarded.
(134) Directive 95/46/EC should be repealed by this Regulation. However, Commission decisions adopted and authorisations by supervisory authorities based on Directive 95/46/EC should remain in force. This should be also valid for international agreements or arrangements between the EU or a Member state with a third country especially when Directive 95/46/EC was already in force.
(b) by the Union institutions, bodies, offices and agencies;
(d) by a natural person without any gainful interest in the course of its own exclusively personal or household activity;for a purpose which cannot be attributed either to his trade or to his self-employed professional activity;
(da) by small enterprises in the course of its own exclusively activity and strict and exclusively internal use.
(ea) for historical, statistical and scientific research purposes;
(ea) by churches and religious associations or communities;
(eb) made by the employer as part of the treatment of employee personal data in the employment context;
(ec) which have been rendered anonymous;
1. This Regulation applies to the processing of personal data of data subjects residing in the Union in the context of the activities of an establishment of a controller or a processor in the Union.
(a) the offering of goods or services and services in the Union to such data subjects in the Union, including services provided without financial costs to the individual; or
  Comment: Services eliminated, financial costs included. Discuss this Rating
3. This Regulation applies to the processing of personal data by a controller which is not established in the Union, but in a place where the national law of a Member State applies by virtue of public international law.
(1) ‘data subject’ means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person working together with the controller, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person; and who is not acting in his/her professional capacity;
(2a) ‘pseudonymous data’ means any personal data that has been collected, altered or otherwise processed so that it of itself cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls to ensure such non attribution, or that such attribution would require a disproportionate amount of time, expense and effort;
  Comment: Dependent on the attached consequences, but exceptions for pseudonymous data are always leading to less protection. Discuss this Rating
(2b) ‘anonymous data’ means any personal data that has been collected, altered or otherwise processed in such a way that it can no longer be attributed to a data subject; anonymous data shall not be considered personal data;
(2c) ‘identification number’ means any numeric, alphanumeric or similar code typically used in the online space, excluding codes assigned by a public or state controlled authority to identify a natural person as an individual;
(5) ‘controller’ means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes, conditions and means of the processing of personal data; where the purposes, conditions and means of processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by Union law or by Member State law;
(8) ‘the data subject’s consent’ means any freely given specific, informed and explicitunambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed; Silence or inactivity does not in itself indicate acceptance;
(10) ‘genetic data’ means all data, of whatever type, concerning the characteristicsinformation on the hereditary characteristics, or alteration thereof, of an individual which are inherited or acquired during early prenatal development;identified or identifiable person, obtained through nucleic acid analysis;
  Comment: Intention unclear. Discuss this Rating
(13) ‘main establishment’ means as regards the controller, the place of its establishment in the Union where the main decisions as to the purposes, conditions and means of the processing of personal data are taken; if no decisions as to the purposes, conditions and means of the processing of personal data are taken in the Union, the main establishment is the place where the main processing activities in the context of the activities of an establishment of a controller in the Union take place. As regards the processor, ‘main establishment’ means the place of its central administration in the Union;the location as determined by the data controller or data processor on the basis of the following transparent and objective criteria: the location of the group’s European headquarters, or, the location of the company within the group with delegated data protection responsibilities, or, the location of the company which is best placed (in terms of management function, administrative capability etc) to address and enforce the rules as set out in this Regulation, or, the place where the main decisions as to the purposes of processing are taken for the regional group;
(13a) ‘competent supervisory authority’ means the supervisory authority which shall be solely competent for the supervision of a controller in accordance with Article 51(2), (3) and (4);
(14) ‘representative’ means any natural or legal person established in the Union who, explicitly designated by the controller, acts and mayshall be addressed by any the competent supervisory authority and other bodies in the Union instead of the controller, with regard to the obligations of the controller under this Regulation;
(17) ‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State of the Union for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings; in or outside the Union;
(18) ‘child’ means any person below the age of 18 years;13 years;
(19) ‘supervisory authority’ means a public authority which is established by a Member State in accordance with Article 46.(19) Does not affect the English version.
(19a) ‘financial crime’ means criminal offences in connection with organised crime, racketeering, terrorism, terrorist financing, trafficking in human beings, migrant smuggling, sexual exploitation, trafficking in narcotic drugs and psychotropic substances, illegal arms trafficking, trafficking in stolen goods, corruption, bribery, fraud, counterfeiting currency, counterfeiting and piracy of products, environmental offences, kidnapping, illegal restraint and hostage- taking, robbery, theft, smuggling, offences related to taxation, extortion, forgery, piracy, insider trading and market manipulation.
  Comment: Exceptions form law attached. Discuss this Rating
(19a) ‘blocking’ means marking stored personal data in order to restrict their further processing;
(d) accurate and where necessary kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;undue delay;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for historical, statistical or scientific research purposes in accordance with the rules and conditions of Article Articles 81 and 83 and if a periodic review is carried out to assess the necessity to continue the storage;
(f) processed under the responsibility and liability of the controller, who shall ensure and demonstrate for each processing operation the compliance , if required to do so, demonstrate compliance of the controller’s processing with the provisions of this Regulation. to the supervisory authority having competence under Article 51(2).
(b) processing is necessary for the performance or execution of a contract or of collective agreements and company- level agreements, to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation or contractual obligation based in Union or national law of a Member State, regulatory rule, guidance, industry code of practice, either domestically or internationally or for a permission of supervisory requirement or a different legal rule to which the controller is subject; including the requirements of supervisory authorities;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;, the group of companies of which the controller is a member or any other member of that group of companies is subject
(da) processing of data necessary to ensure network and information security;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or the third party to whom the data is transferred;
(f) processing is necessary for the purposes of the legitimate interests pursued by , or on behalf of a controller, or a processor, or by a third party or parties in whose interest the data is processed, including for the security of processing, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject issuch as in the case of processing data pertaining to a child. This The interest or fundamental rights and freedoms of the data subject shall not apply to override processing carried out by public authorities in the performance of their tasks.
(fa) the data are collected from public registers lists or documents accessible by everyone;
(fb) processing is necessary for fraud detection and prevention purposes according to applicable financial regulation or established industry, or professional body, codes of practice;
(fc) processing is limited to pseudonymised data, where the data subject is adequately protected and the recipient of the service is given a right to object pursuant to Article 19(3);
(fd) processing is necessary for the purpose of anonymisation or pseudonymisation of personal data;
  Comment: Grading based on overall concept of exceptions for such data. Discuss this Rating
(fe) processing is necessary for legitimate internal purposes of groups of undertakings and where the interests of the data subjects concern are sufficiently addressed by internal data protection provisions or equivalent code of conducts as referred to Article 38c;
2a. Processing of pseudonymised data to safeguard the legitimate interests pursued by a controller shall be lawful, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
2a. Processing of pseudonymised data to safeguard the legitimate interests pursued by a controller shall be lawful, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
(ba) international conventions to which the Union or a Member State is a party.
These provisions may regulate details of the lawfulness of processing, particularly as regards data controllers, the purpose of processing and purpose limitation, the nature of the data and the data subjects, processing measures and procedures, recipients, and the duration of storage.
  Comment: Intention unclear. Discuss this Rating
4. Where the purpose of further processing is not compatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the conditions referred to in point (f) of paragraph 1 for various sectors and data processing situations, including as regards the processing of personal data related to a child.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the conditions referred to in point (f) of paragraph 1 for various sectors and data processing situations, including as regards the processing of personal data related to a child.
2. If the data subject's consent is to be given in the context of a written or an electronic declaration which also concerns another matter, the requirement to give consent must be presented distinguishable in its appearance from this other matter.
4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.
1. For the purposes of this Regulation, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodian. , without prejudice of Article 6(1). The controller shall make reasonable efforts to obtain provide notice and obtain meaningful, verifiable consent, (e.g. by obtaining the consent from the email address of the parent or the custodian), taking into consideration available technology.
1a. For the purposes of this Regulation, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 18 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodian, using the parent or custodian's email address. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology.
1a. The information provided in order to express the consent should be given in a clear and age-appropriate language, in a way that would be easy to understand for the child above the age of 13 years.
1b. The methods to obtain meaningful consent shall not lead to additional processing of personal data of the child concerned.
1b. The methods to obtain meaningful consent shall not lead to additional processing of personal data of the child concerned.
1c. Where services referred to in paragraph 1 are particularly appropriate and suitable for a child and have been notified and are controlled by the relevant national authorities, the requirements referred to in paragraph 1 do not apply.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the methods to obtain verifiable consent referred to in paragraph 1. In doing so, the Commission shall consider specific measures for micro, small and medium-sized enterprises.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the methods to obtain verifiable consent referred to in paragraph 1. In doing so, the Commission shall consider specific measures for micro, small and medium-sized enterprises.
1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions , criminal offences, including offences and matters which have not lead to conviction, significant social problems, or related security measures shall be prohibited.
(aa) processing is necessary for the performance or execution of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law or collective agreements on the labour market in so far as it is authorised by Union law or Member State law providing for adequate safeguards; or
(f) processing is necessary for the establishment, exercise or defence of legal claims or the legally justified fulfilment of claims of third parties affected; or
(h) processing of data concerning health is necessary for health purposes , including for historical, statistical or scientific research and subject to the conditions and safeguards referred to in Article 81; or
(ha) processing is limited to pseudonymised data, where the data subject is adequately protected and the recipient of the service is given a right to object pursuant to Article 19(3) and the processing is necessary for the purpose of the legitimate interest pursued by the controller or a third party.
(ja) processing of data concerning health is necessary for private social protection, especially by providing income security or tools to manage risks that are in the interests of the data subject and his or her dependants and assets, or by enhancing inter-generational equity by means of distribution.
(jb) processing is necessary for legitimate internal purposes of groups of undertakings and where the interests of the data subjects concern are sufficiently addressed by internal data protection provisions or equivalent code of conducts as referred to in Article 38c.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria, conditions and appropriate safeguards for the processing of the special categories of personal data referred to in paragraph 1 and the exemptions laid down in paragraph 2.
If the data processed by a controller do not permit the controller or a processor to identify a natural person, in particular when rendered anonymous or pseudononymous the controller shall not be obliged to process or acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation.
2. The controller shall inform the data subject without delay and, at the latest within one month of receipt of the request, whether or not any action has been taken pursuant to Article 13 and Articles 15 to 19 and shall provide the requested information. This period may be prolonged for a further month, if several data subjects exercise their rights and their cooperation is necessary to a reasonable extent to prevent an unnecessary and disproportionate effort on the part of the controller. The information shall be given in writing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the manifestly excessive requests and the fees referred to in paragraph 4.
6. The Commission may lay down standard forms and specifying standard procedures for the communication referred to in paragraph 2, including the electronic format. In doing so, the Commission shall take the appropriate measures for micro, small and medium- sized enterprises. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
Rights in relation to recipientsNotification requirement in the event of rectification and erasure
  Comment: Only Title changed. Discuss this Rating
1. Where personal data relating to a data subject are collected, the controller shall provide the data subject with at least the following information:. The following paragraphs do not apply to small enterprises in the course of their own activity and for data which is strictly and exclusively for their internal use.
(a) the identity and the contact details of the controller and, if any, of the controller's representative and of the data protection officer;;
(b) the purposes of the processing for which the personal data are intended, including the contract terms and general conditions where the processing is based on point (b) of Article 6(1) and the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);;
(c) the period for which the personal data will be stored;
(d) the existence of the right to request from the controller access to and rectification or erasure of the personal data concerning the data subject orand to object to the processing of such personal data;
(e) the right to lodge a complaint to the supervisory authority and the contact details of the supervisory authority;
(h) any further information necessary to guarantee fair processing in respect of the data subject, having regard to the specific circumstances in which the personal data are collected.
2. Where the personal data are collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, whether the provision of personal data is obligatory or voluntary, as well as the possible consequences of failure to provide such data..
3. Where the personal data are not collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, from which source the personal data originate. except where the data originate from a publicly available source or where the transfer is provided by law or the processing is used for purposes relating to the professional activities of the person concerned.
(b) where the personal data are not collected from the data subject, at the time of the recording or within a reasonable period after the collection, having regard to the specific circumstances in which the data are collected or otherwise processed, or, if a disclosure to another recipient is envisaged, and at the latest when the data are first disclosed.; or, if the data shall be used for communication with the person concerned, at the latest at the time of the first communication to that person.
(b) the data are not collected from the data subject or the data processes do not allow the verification of identity and the provision of such information proves impossible or would involve a disproportionate effort such as by generating excessive administrative burden, especially when the processing is carried out by a SME; or
(c) the data are not collected from the data subject and (c) recording or disclosure is expressly laid down by law; or
(d) the data are not collected from the data subject and the provision of such information will impair the rights and freedoms of others, as defined in Union law or Member State law in accordance with Article 21.; or
(da) the data originates from publicly available sources; or
(db) the data must be kept secret in accordance with legislation or by virtue of their nature, particularly because of a legitimate overriding interest of a third party.
(dc) the data are processed in the exercise of his profession by, or are entrusted or become known to, a person who is subject to an obligation of professional secrecy regulated by the State or to a statutory obligation of secrecy.
7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria for categories of recipients referred to in point (f) of paragraph 1, the requirements for the notice of potential access referred to in point (g) of paragraph 1, the criteria for the further information necessary referred to in point (h) of paragraph 1 for specific sectors and situations, and the conditions and appropriate safeguards for the exceptions laid down in point (b) of paragraph 5. In doing so, the Commission shall take the appropriate measures for micro, small and medium-sized- enterprises.
1. The 1. Only the data subject shall have the right to obtain from the controller at any time, on request, confirmation as to whether or not personal data relating to the data subject are being processed. unless this request is manifestly excessive according to 12 (4). Where such personal data are being processed, the controller shall - so far as the data subject has not received - provide the following information:
(d) (d) if known the period for which the personal data will be stored;
2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject.
2a. Successors in right and title must be able to exercise the right of access to data in the event of the death of the data subject.
  Comment: AM might invade the data subjects privacy but gives more rights to users. Discuss this Rating
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the communication todata subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data which were provided by the data subject itself and that undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject of the content of the personal data referred to in point (g) of paragraph 1.. This right shall not restrict rights of others as trade secrets or intellectual property rights. This does not apply on the processing of anonymised and pseudonymised data, insofar as the data subject is not sufficiently identifiable on the basis of such data or identification would require the controller to undo the process of pseudonymisation.
3a. There shall be no right to information where: (a) data are involved which a person bound by professional secrecy is required to protect; (b) data must be kept secret in accordance with legislation or by virtue of their nature, particularly because of the overriding interest of a third party; (c) the public entity responsible has ascertained in relation to the entity responsible that disclosure of the data would endanger public safety or order; (d) data comprise trade secrets.
Paragraph 1 shall not apply to pseudonymous data.
Successors in right and title must be able to exercise the right of rectification in the event of the death of the data subject.
Right to be forgotten and to erasureerasure
1. The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which are made available by the data subject while he or she was a childitself, where one of the following grounds applies:
(a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; and the legally mandatory minimum retention period has expired;
1a. Successors in right and title must be able to exercise the right of erasure in the event of the death of the data subject.
  Comment: Two sided. Discuss this Rating
2. Where the controller referred to in paragraph 1 has made the personal data public, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication. Anonymised data, pseudonymised data and encrypted data are exempted, where compliance with this provision would require the controller to undo the process of anonymisation, pseudonymisation or encryption.
(b) for reasons of public interest in the area of public health in accordance with Article 81;health proposes in accordance with Article 81 and for maintaining medical records and other health research purposes;
(d) for compliance with a legal obligation to retain the personal data by Union or Member State law to which the controller is subject; Member State laws shall meet an objective of public interest, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued;contract to which the data subject is party or for compliance with a legal obligation or other requirements of a supervisory body or other legal requirements to retain the personal data by Union or Member State law to which the controller is subject;
(ea) for prevention or detection of fraud or other financial crime, confirming identity or determining creditworthiness.
4. Instead of erasure, the controller shall restrict processing of personal data where:data shall be blocked where:
(b) the controller no longer needs the personal data for the accomplishment of its task but they have to be maintained for purposes of proof; or for compliance with legal record obligations;
(da) or, on account of the particular type of storage, erasure would be impossible or would involve disproportionate efforts.
5. Personal data referred to in paragraph 4 may, with the exception of storage, only be processed for purposes of proof or for compliance with legal record obligations, or with the data subject's consent, or for the protection of the rights of another natural or legal person or for an objective of public interest.
Article 18 Right to data portability 1. The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject. 2. Where the data subject has provided the personal data and the processing is based on consent or on a contract, the data subject shall have the right to transmit those personal data and any other information provided by the data subject and retained by an automated processing system, into another one, in an electronic format which is commonly used, without hindrance from the controller from whom the personal data are withdrawn. 3. The Commission may specify the electronic format referred to in paragraph 1 and the technical standards, modalities and procedures for the transmission of personal data pursuant to paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object free of charge to the processing of their personal data for such marketing. This right shall be explicitly offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information. This right shall include a right to object to the collection and use of personal data obtained through online tracking of the data subject's preferences and behaviour across websites. Where a data subject expresses this right to object through technical means, such as a browser setting, controllers and processors shall respect such objection, consistent with technical industry standards, and must obtain the consent of the data subject to process personal data derived from online tracking for marketing purposes. Consent to online tracking shall enable persistent online tracking across all websites unless such consent is subsequently revoked by the data subject.
3. Where an objection is upheld pursuant to paragraphs 1 and 2,, 2 and 3a the controller shall no longer use or otherwise process the personal data concerned.
3a. Where pseudonymised data is processed pursuant to Article 6(1) the data subject shall have the right to object free of charge. This right shall be offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information.
1. Every natural persondata subject shall have the right not to be subject to a measure processing of personal data which produces adverse legal effects concerning this natural person or significantlydata subject or comparably affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural persondata subject or to analyse or predict in particular the natural persondata subject's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.
(b) is expressly authorized by a Union or Member State law legal basis which also lays down suitable measures to safeguard the data subject's legitimate interests; or
(ca) is limited to pseudonymised data. Such pseudonymised data must not be collated with data on the bearer of the pseudonym. Article19(3a) shall apply correspondingly.
3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not be based solely on the special categories of personal data referred to in Article 9. unless the data subject has given consent.
3a. In any case, children should not be subject to measures of profiling, as referred to in paragraph 1.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for suitable measures to safeguard the data subject's legitimate interests referred to in paragraph 2.
RestrictionsExtensions and restrictions
1. Union or Member State law may extend or restrict by way of a legislative measure the scope of the obligations and rights provided for in points (a) to (e) of Article 5 and Articles 11 to 20 and Article 32, when such a an extension or restriction constitutes a necessary and proportionate measure in a democratic society to safeguard:
(ba) in cases where pseudonymised data is used;
3. The controller shall implement mechanisms to ensure the verification of the effectiveness of the measures referred to in paragraphs 1 and 2. If proportionate, this verification shall be carried out by independent internal or external auditors.
4. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of specifying any further criteria and requirements for appropriate measures referred to in paragraph 1 other than those already referred to in paragraph 2, the conditions for the verification and auditing mechanisms referred to in paragraph 3 and as regards the criteria for proportionality under paragraph 3, and considering specific measures for micro, small and medium-sized-enterprises.
1. Having regard to the state of the art and , the cost of implementation and international best practices, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject. Notwithstanding, the controller should only be burdened with measures that are proportionate to the risk of data processing reflected by the nature of the personal data to be processed.
2. The controller shall implement mechanisms for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals.2. Such measures and procedures shall: (a) take due account of existing technical standards and regulations in the area of public safety and security (b) follow the principle of technology, service and business model neutrality (c) be based on global industry-led efforts and standards (d) take due account of international developments.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of specifying any further criteria and requirements for appropriate measures and mechanisms referred to in paragraph 1 and 2, in particular for data protection by design requirements applicable across sectors, products and services.
Where a controller determines the purposes, conditions and means of the processing of personal data jointly with others, the joint controllers shall determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the procedures and mechanisms for exercising the rights of the data subject, by means of an arrangement between them.
2. The carrying out of processing by a processor shall be governed by a contract or other legal act binding the processor to the controller and stipulating in particular that the processor shall:. The controller and the processor shall be free to determine respective roles and responsibilities with respect to the requirements of this Regulation and shall provide for the following:
(d) enlist another processor only with the prior permission of the controller;
(e) insofar as this is possible given the nature of the processing, create in agreement with the controller the necessary technical and organisational requirements for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;
(f) assist the controller in ensuring compliance with the obligations pursuant to Articles 30 to 34;
(g) hand over all results to the controller after the end of the processing and not process the personal data otherwise;
(h) make available to the controller and the supervisory authority on request all information necessary to control compliance with the obligations laid down in this Article.
3. The controller and the processor shall document in writing the controller's instructions and the processor's obligations referred to in paragraph 2. In this case the requirements of Chapter II are complied for the processor if the controller complies the requirements.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the responsibilities, duties and tasks in relation to a processor in line with paragraph 1, and conditions which allow facilitating the processing of personal data within a group of undertakings, in particular for the purposes of control and reporting.
1. Each controller and processor and, if any, the controller's representative, shall maintain documentation of all processing operations under its responsibility.
(ga) where the processor processes personal data in a third country a general indication of the national obligations of the law in the third country;
3. The controller and the processor and, if any, the controller's representative, shall make the documentation available, on request, to the supervisory authority.
4. The obligations referred to in paragraphs 1 and 2, 2 and 3 shall not apply to the following controllers and processors:
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the documentation referred to in paragraph 1, to take account of in particular the responsibilities of the controller and the processor and, if any, the controller's representative.
1. The controller and the processor shall implement appropriate technical and organisational measures , including pseudonymisation, to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation.
2a. The legal obligations, as referred to in paragraphs 1 and 2, which would require processing of personal data to the extent strictly necessary for the purposes of ensuring network and information security, constitute a legitimate interest pursued by or on behalf of a data controller or processor, as referred to in Article 6(1)(f).
4. The Commission may adopt, where necessary, implementing acts for specifying the requirements laid down in paragraphs 1 and 2 to various situations, in particular to: (a) prevent any unauthorised access to personal data; (b) prevent any unauthorised disclosure, reading, copying, modification, erasure or removal of personal data; (c) ensure the verification of the lawfulness of processing operations. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the relating to special categories of personal data, personal data which are subject to professional secrecy, personal data relating to criminal offences or to the suspicion of a criminal act or personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.relating to bank or credit card accounts, which seriously threaten the rights or legitimate interests of the data subject, the controller shall without undue delay notify the personal data breach to the supervisory authority.
2. Pursuant to point (f) of Article 26(2), the 2. The processor shall alert and inform the controller immediately after the establishment of a personal data breach.
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for establishing the data breach referred to in paragraphs 1 and 2 and for the particular circumstances in which a controller and a processor is required to notify the personal data breach.
1. When the personal data breach is likely to adversely affect the protection of the personal data or privacy , the privacy, the right or the legitimate interests of the data subject, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay. A breach should be considered as adversely affecting the personal data or privacy of a data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation.
3. The communication of a personal data breach to the data subject shall not be required if the controller demonstrates to the satisfaction of the supervisory authority that it data breach has not produced significant harm and the controller has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the personal data breach. Such technological protection measures shall render the data unintelligible , unusable or anonymised to any person who is not authorised to access it.access to it.
1. Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller or the processor acting on the controller's behalf shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. An impact assessment is not necessary where: (a) the processing is a legal obligation; or (b) a consent of the data subject is given; or (c) Article 6(1)(b) or Article 38a applies.
(a) (a) respecting the exceptions of Article 20(2)(c) and Article 21 a systematic and extensive evaluation of personal aspects relating to a natural person or for analysing or predicting in particular the natural person's economic situation, location, health, personal preferences, reliability or behaviour, which is based on automated processing and on which measures are based that produce legal effects concerning the individual or significantly negative affect the individual;
c) monitoring publicly accessible areas, especially when using optic-electronic devices (video surveillance) on a large scale;
3a. If the controller or the processor has designated a data protection organisation or a data protection officer, he/she should be involved in the impact assessment proceeding.
4. The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations.
4. The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations.
6. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the processing operations likely to present specific risks referred to in paragraphs 1 and 2 and the requirements for the assessment referred to in paragraph 3, including conditions for scalability, verification and auditability. In doing so, the Commission shall consider specific measures for micro, small and medium- sized enterprises.
3. Where the competent supervisory authority is of the opinion that the intended processing does not comply with this Regulation, in particular where risks are insufficiently identified or mitigated, it shall prohibit the intended processing and make appropriate proposals to remedy such incompliance.
8. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for determining the high degree of specific risk referred to in point (a) of paragraph 2.
Designation of the data protection officerorganisation or data protection officer
1. The controller and the processor shall designate a data protection organisation or data protection officer in any case where:
(c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects. Core activities should be defined as activities where 50% of the annual turnover resulting from the sale of data or revenue is gained from the use of this data. In relation to data protection, dataprocessing activities which do not represent more than 50% of companies’ turnover shall be considered ancillary.
2. In the case referred to in point (b) of paragraph 1, a group of undertakings may appoint a single data protection officer.organisation or data protection officer.
2. In the case referred to in point (b) of paragraph 1, a group of undertakings may appoint a single data protection officer. A corporate group may also appoint a single data protection officer for one or more processing operations by several organisations within it.
2a. In the case referred to in paragraph 1(b) Articles 33 and 34 do not apply.
3. Where the controller or the processor is a public authority or body, the data protection organisation or data protection officer may be designated for several of its entities, taking account of the organisational structure of the public authority or body.
4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may designate a data protection officer.organisation or a data protection officer.
4a. Where the controller belongs to a professional body or a body of controllers from the same sector, he may appoint a data protection officer duly mandated by the body concerned.
5. The controller or processor shall designate the data protection organisation or data protection officer on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil the tasks referred to in Article 37. The necessary level of expert knowledge shall be determined in particular according to the data processing carried out and the protection required for the personal data processed by the controller or the processor.
6. The controller or the processor shall ensure that any other professional duties of the data protection organisation or the data protection officer are compatible with the person's tasks and duties as data protection officer and do not result in a conflict of interests.
6a. The data protection officer can either be an employee of the controller or processor or he/she can likewise be an external service provider.
7. The controller or the processor shall designate a data protection officer for a period of at least two years. The data protection officer may be reappointed for further terms. During their term of office, the data protection officer may only be dismissed, if the data protection officer no longer fulfils the conditions required for the performance of their duties.
7. The controller or the processor shall designate a data protection officer for a period of at least two years at a suitable hierarchical level. The data protection officer may be reappointed for further terms. During their term of office, the data protection officer may only be dismissed, if the data protection officer no longer fulfils the conditions required for the performance of their duties.
8. The data protection officer may be employed by the controller or processor, or fulfil his or her tasks on the basis of a service contract.
9. The controller or the processor shall communicate the name and contact details of the data protection organisation or the data protection officer to the supervisory authority and to the public.
10. Data subjects shall have the right to contact the data protection organisation or the data protection officer on all issues related to the processing of the data subject's data and to request exercising the rights under this Regulation.
11. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the core activities of the controller or the processor referred to in point (c) of paragraph 1 and the criteria for the professional qualities of the data protection officer referred to in paragraph 5.
Position of the data protection officerorganisation or the data protection officer
1. The controller or the processor shall ensure that the data protection organisation or the data protection officer is properly and in a timely manner involved in all issues which relate to the protection of personal data.
2. The controller or processor shall ensure that the data protection officer performs the duties and tasks independently and does not receive any instructions as regards the exercise of the function. The organisation or the data protection officer shall directly report to the management of the controller or the processor.performs the duties and tasks independently.
3. The controller or the processor shall support the data protection organisation or the data protection officer in performing the tasks and shall provide staff, premises, equipment and any other resources necessary to carry out the duties and tasks referred to in Article 37.
3a. The controller or the processor shall designate a data protection organisation or a data protection officer for an initial period of at least two years in case of a data protection organisation and for an initial period of at least four years in case of a data protection officer, as long as he/she is not an external service provider. In the least case the period for data protection organisations shall apply. The data protection organisations or data protection officers may be reappointed for further terms. During their term of office, the data protection officer may only be dismissed, if the data protection officer no longer fulfils the conditions required for the performance of their duties. These provisions do not apply in case of the voluntary engagement of a data protection organisation or a data protection officer as laid out in Article 38a of this Regulation.
3b. The data protection organisation or the data protection officer may be employed by the controller or processor, or fulfil his or her tasks on the basis of a service contract. The designation as a data protection organisation or a data protection officer does not necessarily require fulltime occupation of the respective organisation or employee.
Tasks of the data protection officerorganisation or the data protection officer
1. The controller or the processor shall entrust the data protection organisation or the data protection officer at least with the following tasks:
(a) to raise awareness, to inform and advise the controller or the processor of their obligations pursuant to this Regulation and to document this activity and the responses received;
(c) to monitor the implementation and application of this Regulation, in particular as to the requirements related to data protection by design, data protection by default and data security and to the information of data subjects and their requests in exercising their rights under this Regulation;incompliance with the Regulation;
(e) to monitor the documentation, notification and communication of develop processes to monitor, document, notify and communicate personal data breaches pursuant to Articles 31 and 32;
(f) to develop processes that monitor the performance of the data protection impact assessment by the controller or processor and the application for prior authorisation or prior consultation, if required pursuant Articles 33 and 34;
(g) to monitor the response to requests from the supervisory authority, and, within the sphere of the competence of the data protection officer's competenceorganisation or the data protection officer, co-operating with the supervisory authority at the latter's request or on the own initiative of the data protection officer's own initiative;organisation or the data protection officer;
2. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for tasks, certification, status, powers and resources of the data protection officer referred to in paragraph 1.
SELF-REGULATION, BINDING CORPORATE RULES, CODES OF CONDUCT AND CERTIFICATION
1. The Member States, the supervisory authorities and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various data processing sectors, in particular in relation to: (a) fair and transparent data processing; (b) the collection of data; (c) the information of the public and of data subjects; (d) requests of data subjects in exercise of their rights; (e) information and protection of children; (f) transfer of data to third countries or international organisations; (g) mechanisms for monitoring and ensuring compliance with the code by the controllers adherent to it; (h) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with respect to the processing of personal data, without prejudice to the rights of the data subjects pursuant to Articles 73 and 75. 2. Associations and other bodies representing categories of controllers or processors in one Member State which intend to draw up codes of conduct or to amend or extend existing codes of conduct may submit them to an opinion of the supervisory authority in that Member State. The supervisory authority may give an opinion whether the draft code of conduct or the amendment is in compliance with this Regulation. The supervisory authority shall seek the views of data subjects or their representatives on these drafts. 3. Associations and other bodies representing categories of controllers in several Member States may submit draft codes of conduct and amendments or extensions to existing codes of conduct to the Commission. 4. The Commission may adopt implementing acts for deciding that the codes of conduct and amendments or extensions to existing codes of conduct submitted to it pursuant to paragraph 3 have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2). 5. The Commission shall ensure appropriate publicity for the codes which have been decided as having general validity in accordance with paragraph 4.
4. The Commission may adopt implementing acts for deciding that the codes of conduct and amendments or extensions to existing codes of conduct submitted to it pursuant to paragraph 3 have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).
Article 38a Promoting Self-Regulation 1. The Member States, the national and European supervisory authorities and the Commission shall encourage self- regulation instruments like binding corporate rules, code of conducts and certification or - in cases of companies which do not fall under the provision of Article 35 - the feature of the voluntarily designation of a data protection organisation or a data protection officer. 2. Single undertakings, multicorporate enterprises, industries, professional associations and other associations of every kind which represent specific groups of controllers or processors may submit drafts of the self-regulation instruments in paragraph 1. If the self- regulation instrument should only apply in a Member State the national supervisory authority in that Member State can be asked to confirm the compliance with this regulation. If the self-regulation instrument should apply in all Member States of the EU the European Data Protection Board can be asked to confirm the compliance with this Regulation. The national supervisory authority or the European Data Protection Board shall examine the compatibility of the submitted drafts with the applicable law on this data protection Regulation. If there is no reaction in a 3- month-period the self-regulation instrument is classified as in compliance with this Regulation. 3. If the self-regulation instrument provides an adequate proceeding in data protection issues of this Regulation, Article 14 (Information to the data subject), Article 28 (documentation), Article 33 (data protection impact assessment) and Article 34 (prior authorisation and prior consultation) shall not apply.
employees; (b) expressly confer enforceable rights on data subjects; (c) fulfil the requirements laid down in paragraph 2. 2. The Article 38b Binding corporate rules 1. The competent supervisory authority shall authorize through a single act of approval binding corporate rules shall at least specify: (a) the structure and contact details of the for a group of undertakings and its members; (b) the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question; (c) their. These rules will allow multiple intercompany international transfers in and out of Europe, provided that they: (a) are legally binding nature, both internally and externally; (d) the general data protection principles, in particular purpose limitation, data quality, legal basis for the processing, processing of sensitive personal data; measures to ensure data security; and the requirements for onward transfers to organisations which are not bound by the policies; (e) the rights of data subjects and the means to exercise these rights, including the right not to be subject to a measure based on profiling in accordance with Article 20, the right to lodge a complaint before the competent supervisory authority and before the competent courts of the Member States in accordance with Article 75, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules; (f) the acceptance by the controllerand apply to and are enforced by every member within the controller's or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member of the 's group of undertakings not established in the Union; the controller or the processor may only be exempted from this liability, in whole or in part, if he proves that that member is not responsible for the event giving rise to the damage; (g) how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in accordance with Article 11; (h) the tasks of the data protection officer designated in accordance with Article 35, including monitoring within the group of undertakings the compliance with the , and include their of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules, as well as monitoring the training and complaint handling; (i) the mechanisms within the group of undertakings aiming at ensuring the verification of compliance with the binding corporate rules; (j) the mechanisms for reporting and recording changes to the policies and reporting these changes to the supervisory authority; (k) the co-operation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, in particular by making available to the supervisory authority the results of the verifications of the measures referred to in point (i) of this paragraph. 3. The Commissionmeaning of this Article. Those implementing acts shall be empowered to adopt delegated acts adopted in accordance with Article 86 for the purpose of further specifying the criteria and requirements for binding corporate rules within the meaning of this Article, in particular as regards the criteria for their approval, the application of points (b), (d), (e) and (f) of paragraph 2 to binding corporate rules adhered to by processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned. 4. The Commission may specify the format and procedures for the exchangethe examination procedure set out in Article 87(2).
(h) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with respect to the processing of personal data, without prejudice to the rights of the data subjects pursuant to Articles 73 and 75. 2. Associations and other bodies representing categories of controllers or processors in one Member State which intend to draw up Article 38c Codes of conduct 1. The Member States, the supervisory authorities and the Commission shall encourage the drawing up of codes of conduct or to amend or extend existing codes of conduct may submit them to an opinion intended to contribute to the proper application of this Regulation, taking account of the supervisory authority in that Member State. The supervisory authority may give an opinion whether the draft code of conduct or the amendment is in compliance with this Regulation. The supervisory authority shall seek the viewsspecific features of the various data processing sectors, in particular in relation to: (a) fair and transparent data processing; (b) the collection of data subjects or their representatives on these drafts. 3. Associations and other bodies representing categories of controllers in several Member States may submit draft codes of conduct and amendments or extensions to existing codes of conduct to the Commission. 4. The Commission may adopt implementing acts for deciding that the codes of conduct and amendments or extensions to existing codes of conduct submitted to it pursuant to paragraph 3 have general validity within the Union. Those implementing acts shall be adopted in accordance ; (c) the information of the public and of data subjects; (d) requests of data subjects in exercise of their rights; (e) information and protection of children; (f) transfer of data to third countries or international organisations; (g) mechanisms for monitoring and ensuring compliance with the examination procedure set out in Article 87(2). 5. The Commission shall ensure appropriate publicity for the codes which have been decided as having general validity in accordance with paragraph 4.code by the controllers adherent to it;
1. The Member States and the Commission shall encourage, in particular at European level, the establishment of data protection certification mechanisms and of data protection seals and marks, allowing data subjects to quickly assess the level of data protection provided by controllers and processors. The data protection certifications mechanisms shall contribute to the proper application of this Regulation, taking account of the specific features of the various sectors and different processing operations. The responsibility for a corresponding certification act should be transferred to independent and qualified auditors. Such an auditor shall be: (a) accredited by a national supervisory authority; and (b) be responsible for the rewarding process of a corresponding privacy certificate; and (c) liable for consequences resulting in the inadequate reward of the data protection certificate.
2. The Commission shall be empowered after consultation of the stakeholders (European Data Protection Board, national data protection authorities, industry and non-governmental organisations) to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the data protection certification mechanisms referred to in paragraph 1, including conditions for granting and withdrawal, and requirements for recognition within the Union and in third countries. The Commission shall also be empowered after consultation of the stakeholders (European Data Protection Board, national data protection authorities, industry and non-governmental organisations) to adopt delegated acts in accordance with Article 86 for the purpose of further defining the accreditation requirements for auditors.
TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES , GROUP OF UNDERTAKINGS OR INTERNATIONAL ORGANISATIONS
Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country , internal of a group of undertakings or to an international organisation may only take place if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country , in a group of undertakings or an international organisation to another third country or to another international organisation.
1. A transfer may take place where the international agreements or arrangements between the EU or a Member State with a third country are in force or the Commission has decided that the third country, or a territory or a processing sector within that third country, or the international organisation in question ensures an adequate level of protection. Such transfer shall not require any further authorisation.
6a. The adequacy decision by the Commission pursuant to this Article may be reconsidered when the level of protection in the third country are not longer exist.
8a. International agreements or arrangements between the EU or a Member state with a third country are considered as adequate in the sense of this article.
1. Where the Commission has taken no decision pursuant to Article 41, a controller or processor may transfer personal data to a third country , to a branch abroad of a group of undertakings or an international organisation only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument.
(a) binding corporate rules in accordance with Article 4338b; or
(b) standard data protection clauses , between the controller or processor and the recipient, that can be a sub-processor, of the data outside the EEA, which may include standard terms for onward transfers outside the EEA, adopted by the Commission. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2); or
(c) standard data protection clauses , between the controller or processor and the recipient, that can be a sub-processor, of the data outside the Union, which may include standard terms for onward transfers outside the Union, adopted by a supervisory authority in accordance with the consistency mechanism referred to in Article 57 when declared generally valid by the Commission pursuant to point (b) of Article 62(1); or
(da) contractual clauses between the controller or processor and the recipient of the data that supplement standard data protection clauses as referred to in points (b) and (c) of paragraph 2 of this Article, and are authorised by the competent supervisory authority in accordance with paragraph 4;
(db) for historical, statistical or scientific purposes, the measures referred to in Article 83(4);
3. A transfer based on standard data protection clauses or binding corporate rules as referred to in points (a), (b), (c), (d), (da) or (cdb) of paragraph 2 shall not require any further authorisation.
4. Where a transfer is based on contractual clauses as referred to in point (d) or (da) of paragraph 2 of this Article the controller or processor shall obtain prior authorisation of the contractual clauses according to point (a) of Article 34(1) from the competent supervisory authority. If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or or substantially affect the free movement of personal data within the Union, the competent supervisory authority shall apply the consistency mechanism referred to in Article 57.
4a. A controller or processor may choose to base transfers on standard data protection clauses as referred to the relevant provisions in paragraph 2 of this Article, and to offer in addition to these standard clauses supplemental, legally binding commitments that apply to transferred data. In such cases, these additional commitments shall be subject to prior consultation with the competent supervisory authority and shall supplement and not contradict, directly or indirectly, the standard clauses. Member States, supervisory authorities and the Commission shall encourage the use of supplemental and legally binding commitments by offering a data protection seal, mark or mechanism, adopted pursuant to Article 39, to controllers and processors who adopt these heightened safeguards.
4b. To encourage the use of supplemental contractual clauses as referred to the relevant provisions of paragraph 2 of this Article, competent authorities may offer a data protection seal, mark or mechanism, adopted pursuant to Article 39, to controllers and processors who adopt these safeguards.
Transfers by way of binding corporate 1. A supervisory authority shall in accordance with the consistency mechanism set out in Article 58 approve binding corporate rules, provided that they: (a) are legally binding and apply to and are enforced by every member within the controller’s or processor's group of undertakings, and include their employees (b) expressly confer enforceable rights on data subjects; (c) fulfil the requirements laid down in paragraph 2. 2. The binding corporate rules shall at least specify: (a) the structure and contact details of the group of undertakings and its members; (b) the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question; (c) their legally binding nature, both internally and externally; (d) the general data protection principles, in particular purpose limitation, data quality, legal basis for the processing, processing of sensitive personal data; measures to ensure data security; and the requirements for onward transfers to organisations which are not bound by the policies; (e) the rights of data subjects and the means to exercise these rights, including the right not to be subject to a measure based on profiling in accordance with Article 20, the right to lodge a complaint before the competent supervisory authority and before the competent courts of the Member States in accordance with Article 75, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules; (f) the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member of the group of undertakings not established in the Union; the controller or the processor may only be exempted from this liability, in whole or in part, if he proves that that member is not responsible for the event giving rise to the damage; (g) how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in accordance with Article 11; (h) the tasks of the data protection officer designated in accordance with Article 35, including monitoring within the group of undertakings the compliance with the binding corporate rules, as well as monitoring the training and complaint handling; (i) the mechanisms within the group of undertakings aiming at ensuring the verification of compliance with the binding corporate rules; (j) the mechanisms for reporting and recording changes to the policies and reporting these changes to the supervisory authority; (k) the co-operation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, in particular by making available to the supervisory authority the results of the verifications of the measures referred to in point (i) of this paragraph. 3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for binding corporate rules within the meaning of this Article, in particular as regards the criteria for their approval, the application of points (b), (d), (e) and (f) of paragraph 2 to binding corporate rules adhered to by processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned. 4. The Commission may specify the format and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).deleted rules
  Comment: Must be read together with other AMs on international transfer. Discuss this Rating
1. A 1. The competent supervisory authority shall in accordance with the consistency mechanism set out in Article 58 approve binding corporate rulesauthorize through a single act of approval binding corporate rules for a group of undertakings. These rules will allow multiple intracompany international transfers in and out of Europe, provided that they:
(a) are legally binding and apply to and are enforced by every member within the controller's or processor's group of undertakings and their external subcontractors, and include their employees;
(a) the structure and contact details of the group of undertakings and its members;, and their external subcontractors;
(b) the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and where appropriate the identification of the third country or countries in question;
Article 43a Transfers by way of binding corporate rules The provisions of Article 38b shall apply accordingly.
DerogationsOther legitimate grounds for international transfers
1. In the absence of an adequacy decision pursuant to Article 41 or of ; or where the Commission decides that a third country, or a territory or a processing sector within that third country, or an international organisation does not ensure an adequate level of protection in accordance with Article 41(5); or in the absence of appropriate safeguards pursuant to Article 42, a transfer or a set of transfers of personal data to a third country or an international organisation may take place only on condition that:
(h) the transfer is necessary for the purposes of the legitimate interests pursued by the controller or the processor, which cannot be qualified as frequent or massive, and where the controller or processor has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and based on this assessment adduced appropriate safeguards with respect to the protection of personal data, where necessary.
(ha) the transfer is necessary for the purposes of the legitimate interests of the data subject especially when required or necessary for the entry of the third country.
5. The public interest referred to in point (d) of paragraph 1 must be recognised in Union law or in the law of the Member State to which the controller is subject., or in applicable international agreements or arrangements.
7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying ‘important grounds of public interest’ within the meaning of point (d) of paragraph 1 as well as the criteria and requirements for appropriate safeguards referred to in point (h) of paragraph 1.
1. Each Member State shall provide that one or more public authorities area lead public supervisory authority responsible for monitoring the application of this Regulation and for contributing to its consistent application throughout the Union, in order to protect the fundamental rights and freedoms of natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the Union. For these purposes, the supervisory authorities shall co-operate with each other and the Commission.
1. The supervisory authority shall act with complete independence in exercising the duties and powers entrusted to it., notwithstanding co-operative and consistency arrangements related to Chapter VII of this Regulation and within the legal and administrative limits of the own Member State.
Article 49a Professional supervision of persons subject to an obligation of professional secrecy Insofar as, when this regulation enters into force, entities exist which are responsible for the professional supervision of persons subject to an obligation of professional secrecy, these may establish the supervisory authority.
1. Each supervisory authority shall exercise, on the territory of its own Member State, the powers conferred on it in accordance with this Regulation. Data processing by a public authority are supervised only by the supervisory authority of that Member State.
2. Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union, and Regulation applies by virtue of Article 3(1), the competent supervisory authority will be the supervisory authority of the Member State or territory where the main establishment of the controller or processor subject to the Regulation is established in more than one Member State, the supervisory authority of the main establishment of the controller or processor shall be competent for the supervision of the processing activities of the controller or the processor in all Member States, without prejudice to the provisions of Chapter VII of this Regulation.. Disputes should be decided upon in accordance with the consistency mechanism set out in article 58, and this without prejudice to the other provisions of Chapter VII of this Regulation. This provision also apply for legal entities of a group of undertakings, where these undertakings are located in more than one Member State.
2a. Where the Regulation applies by virtue of Article 3(2), the competent supervisory authority will be the supervisory authority of the Member State or territory where the controller has designated a representative in the Union pursuant to Article 25.
2b. Where the Regulation applies to several controllers and/ or processors with the same group of undertakings by virtue of Article 3(1) and (2), only one supervisory authority will be competent and it will be determined in accordance with Article 51(2).
3. The supervisory authority shall not be competent to supervise processing operations of courts acting in their judicial capacity. and not competent to supervise processing operations of controllers bound by obligations of professional secrecy.
(b) hear complaints lodged by any data subject, or by an association representing that data subject in accordance with Article 73, investigate, to the extent appropriate, the matter and inform the data subject or the association of the progress and the outcome of the complaint within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;
2a. Each supervisory authority shall together with the European Data Protection Board promote the awareness for controllers and processors on risks, rules, safeguards and rights in relation to the processing of personal data. This includes a register of sanctions and breaches. The register should enrol both all warnings and sanctions as detailed as possible and the resolving of breaches.
3. The competent supervisory authority shall, upon request, advise any data subject in exercising the rights under this Regulation and, if appropriate, co-operate with the supervisory authorities in other Member States to this end.
1. Each 1. Pursuant to Article 51 the competent supervisory authority shall have the power:
(d) to ensure the compliance with prior authorisations and prior consultations referred to in Article 34;
(ja) to inform the controller and/or the processor of the judicial remedies available against its decision.
Each Pursuant to Article 51 the competent supervisory authority shall have the investigative power to obtain from the controller or the processor:
3. Each 3. Pursuant to Article 51 the competent supervisory authority shall have the power to bring violations of this Regulation to the attention of the judicial authorities and to engage in legal proceedings, in particular pursuant to Article 74(4) and Article 75(2).
4. Each 4. Pursuant to Article 51 the competent supervisory authority shall have the power to sanction administrative offences, in particular those referred to in Article 79(4), (5) and (6).
processor and Article 54a Lead authority and consistency 1. The following procedure shall be the lead authority. 2. The lead authority shall see to coordination with the other supervisory authorities involved at every stage of the supervisory procedure. To that end it shall pass on all relevant information and shall consult the other supervisory authorities involved before taking any measures with legal consequences. The used where a data subject complains of a violation of his or her rights under this regulation in connection with the processing of personal data, or where the consistent application of this regulation needs to be ensured in accordance with Article 46: (a) Where a data subject is involved: the data subject’s relevant supervisory authority shall be the lead authority shall give full consideration to the opinions of the supervisory authorities involved. The lead authority shall also involve the Commission at all stages of the supervisory procedure. If the supervisory authorities involved, headed by the lead authority, together with the Commission, have found a common solution within four weeks, this solution shall be adopted without the European Data Protection Board needing to consider the matter. The data subject,; (b) Where no data subject is involved: Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union, and the controller or processor is established in more than one Member State, or where personal data relating to persons resident in several Member States are being processed, the supervisory authority of the Member State in which the controller or the processor shall have available to them all the legal remedies set out in this regulation and all other remedies of general application. If the supervisory authorities involved, headed by the lead authority together with the Commission, have not found a common solution within four weeks, the matter shall be submitted to the European Data Protection Board. To that end the lead authority shall take the necessary steps in accordance with this regulation. 3processor has its main establishment shall be the sole contact point for the controller or within a further four weeks a solution in the framework of a delegated act, taking into consideration the opinion of the European Data Protection Board. If it does not do so, all those involved, including the legislator, shall have available to them all the legal remedies set out in this regulation and all other remedies of general application; this concerns in particular the data subject, the data controller and the processor. 4. If the European Data Protection Board, together with the Commission, has found a common solution within eight weeks, this solution shall be adopted. The data subject, the controller or the processor Parliament or the Council object to the substance of the delegated act using the procedure laid down for that purpose, the Commission shall launch a legislative initiative using the procedure laid down for that purpose. All those involved shall have available to them all the legal remedies set out in this regulation and all other remedies of general application. If the European Data Protection Board, together with the Commission, has not found a common solution within eight weeks; this concerns in particular the data subject, the Commission shall be empowered and required to proposedata controller and the processor.
1. Supervisory authorities shall provide each other relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner, and shall put in place measures for effective co- operation with one another. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorisations and consultations, inspections and prompt information on the opening of cases and ensuing developments where data subjects in several Member States are likely to be affected by processing operations. The leading supervisory authority according to Article 51(2) ensures the coordination with the relevant authorities involved and acts as central contact point for the controller and processor.
2. Each supervisory authority shall take all appropriate measures required to reply to the request of another supervisory authority without delay and no later than one month after having received the request. Such measures may include, in particular, the transmission of relevant information on the course of an investigation or enforcement measures to bring about the cessation or prohibition of processing operations contrary to this Regulation.
4a. In cases covered by Article 55(4), the admissibility of the measure to which the request for assistance relates shall be determined in accordance with the law of the requesting authority; the lawfulness of providing assistance shall be determined in accordance with the law of the requested authority;
6. Supervisory authorities shall supply the information requested by other supervisory authorities by electronic means and within the shortest possible period of time, using a standardised format. Both the request and the electronic transfer of information shall be made using the Internal Market Information System.
7. No fee shall be charged to the requesting supervisory authority for any action taken following a request for mutual assistance.
8. Where a supervisory authority does not act within one month of the time limit referred to in paragraph 2 on request of another supervisory authority, the requesting supervisory authorities shall be competent to take a provisional measure on the territory of its Member State in accordance with Article 51(1) and shall submit the matter to the European Data Protection Board in accordance with the procedure referred to in Article 57. Where no definitive measure is yet possible because the assistance is not yet completed, the requesting supervisory authority may take interim measures under Article 53 in the territory of its Member State.
10. The Commission may specify the format and procedures for mutual assistance referred to in this article and the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the European Data Protection Board, in particular the standardised format referred to in paragraph 6. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
4. Supervisory authorities shall lay down the practical aspects of specific co- operation actions. in their rules of procedure. The rules of procedures shall be made public in the Official Journal of the European Union.
1. Before a the competent supervisory authority adopts a measure referred to in paragraph 2, this supervisory authority shall communicate the draft measure to the European Data Protection Board and the Commission.
(a) relates to processing activities of personal data which are related to the offering of goods or services to data subjects in several Member States, or to the monitoring of their behaviour; or when the controller or processor outside of the Union does not name a representative in the territory of the Union;
(f) aims to approve binding corporate rules within the meaning of Article 43.38b.
(fa) permits processing for research purposes in accordance with Article 81(3) and/or Article 83(3).
3. Any supervisory authority or the European Data Protection Board may request that any matter shall be dealt with in the consistency mechanism, in particular where a supervisorythe competent authority does not submit a draft measure referred to in paragraph 2 or does not comply with the obligations for mutual assistance in accordance with Article 55 or for joint operations in accordance with Article 56.
4. In order to ensure correct and consistent application of this Regulation, the Commission may request , acting on its own behalf, and shall at the request of a stakeholder, request that any matter shall be dealt with in the consistency mechanism.
6. The chair of the European Data Protection Board shall immediately without undue delay electronically inform the members of the European Data Protection Board and the Commission of any relevant information which has been communicated to it, using a standardised format. The chair of the European Data Protection Board shall provide translations of relevant information, where necessary.
8. The competent supervisory authority referred to in paragraph 1 and the supervisory authority competent under Article 51 shall take account of the opinion of the European Data Protection Board and shall within two weeks after the information on the opinion by the chair of the European Data Protection Board, electronically communicate to the chair of the European Data Protection Board and to the Commission whether it maintains or amends its draft measure and, if any, the amended draft measure, using a standardised format.
1. In exceptional circumstances, where a supervisory authority considers that there is an urgent need to act in order to protect the interests of data subjects, in particular when the danger exists that the enforcement of a right of a data subject could be considerably impeded by means of an alteration of the existing state or for averting major disadvantages or for other reasons, by way of derogation from the procedure referred to in Article 58, it may immediately adopt provisional measures with a specified period of validity. The supervisory authority shall, without delay, communicate those measures, with full reasons, to the European Data Protection Board and to the Commission., the Commission and the controller or processor concerned.
  Comment: No equal rights for data subject. Discuss this Rating
2. Where a supervisory authority has taken a measure pursuant to paragraph 1 and considers that final measures need urgently be adopted, it mayshall request an urgent opinion of the European Data Protection Board, giving reasons for requesting such opinionthe request, including for the urgency of final measures.
(a) deciding on the correct application of this Regulation in accordance with its objectives and requirements in relation to matters communicated by supervisory authorities pursuant to Article 58 or 61, concerning a matter in relation to which a reasoned decision has been adopted pursuant to Article 60(1), or concerning a matter in relation to which a supervisory authority does not submit a draft measure and that supervisory authority has indicated that it does not intend to follow the opinion of the Commission adopted pursuant to Article 59;
1. The European Data Protection Board shall ensure the consistent application of this Regulation. To this effect, the European Data Protection Board shall, on its own initiative or at the request of the Commission or other stakeholders, in particular:
(b) examine, on its own initiative or on request of one of its members or on request of the Commission, the Commission or other stakeholders, any question covering the application of this Regulation and issue guidelines, recommendations and best practices addressed to the supervisory authorities in order to encourage consistent application of this Regulation;
4a. Where appropriate, the European Data Protection Board shall, in its execution of the tasks as outlined in Article 66, consult interested parties and give them the opportunity to comment within a reasonable period. The European Data Protection Board shall, without prejudice to Article 72, make the results of the consultation procedure publicly available.
2. The term of office of the chair and of the deputy chairpersons shall be five years and be renewable. Their appointment may be revoked by a decision of the European Parliament adopted by a two-thirds majority of the votes cast, representing a majority of its component Members.
2. Any body, organisation or association which aims to protect data subjects‘ rights and interests concerning the protection of their personal data and has been properly constituted according to the law of a Member State shall have the right to lodge a complaint with a supervisory authority in any Member State on behalf of one or more data subjects if it considers that a data subject's rights under this Regulation have been infringed as a result of the processing of personal data.
3. Independently of a data subject's complaint, any body, organisation or association referred to in paragraph 2 shall have the right to lodge a complaint with a supervisory authority in any Member State, if it considers that a personal data breach has occurred.
1. Each controller, processor or other natural or legal person shall have the right to a judicial remedy against decisions of a supervisory authority concerning them.
1. Any body, organisation or association referred to in Article 73(2) shall have the right to exercise the rights referred to in Articles 74 and 75 on behalf of one or more data subjects.
1. Any person who has suffered damage as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered.
2. Where more than one controller or processor is involved in the processing, each controller or processor shall be jointly and severally liable for the entire amount of the damage., notwithstanding the contractual agreement they might have concluded according to Article 24.
3. The controller or the processor may be exempted from this liability, in whole or in part, if the controller or the processor proves that they are not responsible for the event giving rise to the damage.
2. The administrative sanction shall be in each individual case effective, proportionate and dissuasive. The amount of the administrative fine shall be fixed with due regard to : (a) the nature, gravity and duration of the breach, ; (b) the intentional or negligent character of the infringement, the ; (c) the particular categories of personal data; (d) the degree of responsibility of the natural or legal person and of previous breaches by this person, ; (e) the degree of responsibility for data protection by technical and organisational measures and procedures especially pursuant to Articles 35, 38a, 38b, 38c, 39; (f) the technical and organisational measures and procedures implemented pursuant to Article 23 and ; and (g) the degree of co-operation with the supervisory authority in order to remedy the breach.
3. In case of a first and non-intentional non- compliance with this Regulation, a warning in writing may be given and no sanction imposed, where: (a) a natural person is processing personal data without a commercial interest; or (b) an enterprise or an organisation employing fewer than 250 persons is processing personal data only as an activity ancillary to its main activities. and if there is no data subject affected the supervisory authority shall find an agreement with the controller or processor concerned to resolve the non- compliance with this Regulation without a written warning or imposing a sanction. In case of a serious non-compliance with this Regulation, the supervisory authority should give at first a written warning including supposed measures to resolve the data breaches within a reasonable time without imposing a sanction. The supervisory authority may only impose a fine with regard to paragraph 2 of up to EUR 1 000 000 or, in the case of a company, of up to 2 % of its annual worldwide turnover, for not resolving the data breaches with measures given in a written warning or for repeated, deliberate breaches.
3. In case of a first and non-intentional non-non-compliance with this Regulation, a warning in writing may be given and no sanction imposed, where: (a) a natural person is processing personal data without a commercial interest; or (b) an enterprise or an organisation employing fewer than 250 persons is processing personal data only as an activity ancillary to its main activities..
4. The supervisory authority shall impose a fine up to 250 000 EUR, or in case of an enterprise up to 0,5 % of its annual worldwide turnover, to anyone who, intentionally or negligently: (a) does not provide the mechanisms for requests by data subjects or does not respond promptly or not in the required format to data subjects pursuant to Articles 12(1) and (2); (b) charges a fee for the information or for responses to the requests of data subjects in violation of Article 12(4).
5. The supervisory authority shall impose a fine up to 500 000 EUR, or in case of an enterprise up to 1 % of its annual worldwide turnover, to anyone who, intentionally or negligently: (a) does not provide the information, or does provide incomplete information, or does not provide the information in a sufficiently transparent manner, to the data subject pursuant to Article 11, Article 12(3) and Article 14; (b) does not provide access for the data subject or does not rectify personal data pursuant to Articles 15 and 16 or does not communicate the relevant information to a recipient pursuant to Article 13; (c) does not comply with the right to be forgotten or to erasure, or fails to put mechanisms in place to ensure that the time limits are observed or does not take all necessary steps to inform third parties that a data subjects requests to erase any links to, or copy or replication of the personal data pursuant Article 17; (d) does not provide a copy of the personal data in electronic format or hinders the data subject to transmit the personal data to another application in violation of Article 18; (e) does not or not sufficiently determine the respective responsibilities with co- controllers pursuant to Article 24; (f) does not or not sufficiently maintain the documentation pursuant to Article 28, Article 31(4), and Article 44(3); (g) does not comply, in cases where special categories of data are not involved, pursuant to Articles 80, 82 and 83 with rules in relation to freedom of expression or with rules on the processing in the employment context or with the conditions for processing for historical, statistical and scientific research purposes.
6. The supervisory authority shall impose a fine up to 1 000 000 EUR or, in case of an enterprise up to 2 % of its annual worldwide turnover, to anyone who, intentionally or negligently: (a) processes personal data without any or sufficient legal basis for the processing or does not comply with the conditions for consent pursuant to Articles 6, 7 and 8; (b) processes special categories of data in violation of Articles 9 and 81; (c) does not comply with an objection or the requirement pursuant to Article 19; (d) does not comply with the conditions in relation to measures based on profiling pursuant to Article 20; (e) does not adopt internal policies or does not implement appropriate measures for ensuring and demonstrating compliance pursuant to Articles 22, 23 and 30; (f) does not designate a representative pursuant to Article 25; (g) processes or instructs the processing of personal data in violation of the obligations in relation to processing on behalf of a controller pursuant to Articles 26 and 27; (h) does not alert on or notify a personal data breach or does not timely or completely notify the data breach to the supervisory authority or to the data subject pursuant to Articles 31 and 32; (i) does not carry out a data protection impact assessment pursuant or processes personal data without prior authorisation or prior consultation of the supervisory authority pursuant to Articles 33 and 34; (j) does not designate a data protection officer or does not ensure the conditions for fulfilling the tasks pursuant to Articles 35, 36 and 37; (k) misuses a data protection seal or mark in the meaning of Article 39; (l) carries out or instructs a data transfer to a third country or an international organisation that is not allowed by an adequacy decision or by appropriate safeguards or by a derogation pursuant to Articles 40 to 44; (m) does not comply with an order or a temporary or definite ban on processing or the suspension of data flows by the supervisory authority pursuant to Article 53(1); (n) does not comply with the obligations to assist or respond or provide relevant information to, or access to premises by, the supervisory authority pursuant to Article 28(3), Article 29, Article 34(6) and Article 53(2); (o) does not comply with the rules for safeguarding professional secrecy pursuant to Article 84.
7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of updating the amounts of the administrative fines referred to in paragraphs 4, 5 and 6, taking into account the criteria referred to in paragraph 2.
1. Member States shall provide for exemptions or derogations from the provisions on the 1. Chapter II (general principles in Chapter II, ), Chapter III (the rights of the data subject in Chapter III, on), Chapter IV (the controller and processor in Chapter IV, on the ), Chapter V (transfer of personal data to third countries and international organisations in Chapter V, the independent supervisory authorities in Chapter VI and on co-operation and consistency in Chapter VII for ), Chapter VI (supervisory authorities), Chapter VII (cooperation and consistency) and Articles 73, 74, 76 and 79 of Chapters VIII (legal remedies, liability and penalties) and X shall not apply to the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression in order to reconcile the right to the protection of personal data with the rules governing freedom of expression.
2. Each Member State shall notify to the Commission those provisions of its law which it has adopted pursuant to paragraph 1 by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment law or amendment affecting them.
(c) other reasons of public interest in areas such as social protection, especially in order to ensure the quality and cost- effectiveness of the procedures used for settling claims for benefits and services in the health insurance system. and the provision of health services.
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying other reasons of public interest in the area of public health as referred to in point (b) of paragraph 1, as well as criteria and requirements for the safeguards for the processing of personal data for the purposes referred to in paragraph 1.
Processing in the employment context 1. Within the limits of this Regulation, Member States may adopt by law specific rules regulating the processing of employees‘ personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship. 2. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them. 3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the safeguards for the processing of personal data for the purposes referred to in paragraph 1.Article 82 deleted
1. Within the limits of this Regulation, personal 1. Personal data may be processed for historical, statistical or scientific research purposes only if:
(ba) the personal data is processed for the purpose of generating aggregate data reports, wholly composed of either anonymous data, pseudonymous data or both.
2a. Where the data subject is required to give his/her consent for the processing of medical data exclusively for public health research purposes, the option of broad consent may be available to the data subject for the purposes of epidemiological, translational and clinical research. Where personal data is collected for statistical and public health purposes, such data should be made anonymous immediately after the end of data collection, checking or matching operations, except if the identification data remain necessary for statistical, and public health purposes such as epidemiological, translational and clinical research.
(a) the data subject has given consent, subject to the conditions laid down in Article 7; or
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the processing of personal data for the purposes referred to in paragraph 1 and 2 as well as any necessary limitations on the rights of information to and access by the data subject and detailing the conditions and safeguards for the rights of the data subject under these circumstances.
1. Within the limits of this Regulation, Member States mayshall adopt specific rules to set out the investigative powers by the supervisory authorities laid down in Article 53(2) in relation to controllers or processors that are subjects under national law or rules established by national competent bodies to an obligation of professional secrecy or other equivalent obligations of secrecy, where this is necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy. These rules shall only apply with regard to personal data which the controller or processor has received from or has obtained in an activity covered by this obligation of secrecy.
2. Article 1(2) ), Article 2(b) and (c), Article 4(3), (4) and (5) and Articles 6 and 9 of Directive 2002/58/EC shall be deleted.
  Comment: Intention unclear. Discuss this Rating