Regulation Proposal
Below you can scroll through the current (secret) version of Chapters I to III (most important part) of the new data protection regulation. If you are interested in Recitals and other Chapters you can download a compiled version of the whole state of play here (900KB).
The Council is working on a proposal of the Commission. Strikes show removed text compared to the Commission proposal. Underlined sections were added by the Council. All changes are marked in red (weaker law), green (stronger law) and grey (neutral, only technical or unclear changes).
By clicking on the change, you can find out which country was for or against the change and thereby strengthened or weakened data protection laws in Europe. We also marked when changes are likely to be below the current 1995 Directive and linked changes to “major issues” in the current debate, to give you further background information.
CHAPTER I
ARTICLE 1
SUBJECT MATTER AND OBJECTIVES
1. This Regulation lays down rules relating to the protection of individuals with regard to the processing of personal data and rules relating to the free movement of personal data.
2. This Regulation protects the
fundamental rights and freedoms of natural persons and in particular
their right to the protection of personal data.
2a. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to the processing of personal data for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or for other specific processing situations as provided for in Article 6(1)(c) and (e) by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.
3. The free movement of personal data within the Union shall neither be restricted nor prohibited for reasons connected with the protection of individuals with regard to the processing of personal data.
ARTICLE 2
MATERIAL SCOPE
1. This Regulation applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
2. This Regulation does not apply to the processing of personal data:
(a) in the course of an activity which
falls outside the scope of Union law,
in particular concerning national security;
(b) by
the Union institutions, bodies, offices and agencies;
(c) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V the Treaty on European Union;
(d) by a natural person without
any gainful interest
in the course of its
own exclusively a
personal or household activity;
(e) by competent public authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences and, for these purposes, safeguarding of public security, or the execution of criminal penalties.
3. This
Regulation shall be without prejudice to the application of Directive
2000/31/EC, in particular of the liability rules of intermediary
service providers in Articles 12 to 15 of that Directive.
ARTICLE 3
TERRITORIAL SCOPE
1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union.
2. This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment by the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the European Union.
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where the national law of a Member State applies by virtue of public international law.
ARTICLE 4
DEFINITIONS
For the purposes of this Regulation:
(1) 'data
subject' means an identified natural person or a natural person
'personal data' means
any information relating to an identified or identifiable natural
person ('data subject'); an identifiable person is one
who can be identified, directly or indirectly by
means reasonably likely to be used by the controller or by any other
natural or legal person,
in particular by reference to an
identifier such as a name,
an identification number, location data, online identifier or to one
or more factors specific to the physical, physiological, genetic,
mental, economic, cultural or social identity of that person.
(2) 'personal
data' means any information relating to a data subject;
(3) 'processing' means any operation or
set of operations which is performed upon personal data or sets of
personal data, whether or not by automated means, such as collection,
recording, organization, structuring, storage, adaptation or
alteration, retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or
combination,
or erasure
or destruction;
(3a) 'restriction of processing' means the marking of stored personal data with the aim of limiting their processing in the future;
(3b) “Pseudonymisation” means a processing of personal data by the controller in which all attributes revealing the identity of a natural person have been replaced with another attribute by the visible use of applications or measures, in a way that, without knowledge of the attribution system which is kept separately and subject to distinct technical and organizational measures, the information can no longer be attributed to an identified or identifiable person, or can be attributed to such person only with the investment of a disproportionate amount of time, expense and manpower.
(4) 'filing system' means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;
(5) 'controller'
means the natural or legal
person, public authority, agency or any other body which alone or
jointly with others determines the purposes,
conditions
and means of the processing of personal data; where the purposes,
conditions
and means of processing are determined by Union law or Member State
law, the controller or the specific criteria for his nomination may
be designated by Union law or by Member State law;
(6) 'processor' means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;
(7) 'recipient' means a natural or legal person, public authority, agency or any other body other than the data subject, the data controller or the data processor to which the personal data are disclosed; however regulatory bodies and authorities which may receive personal data in the exercise of their official functions shall not be regarded as recipients;
(8) 'the data subject's consent' means
any freely-given, specific,
and
informed
indication of his or her wishes by which the data subject, either by
a statement or by a clear affirmative action, signifies agreement to
personal data relating to them being processed;
(9) 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
(10) 'genetic data' means all personal
data, of whatever type,
concerning the relating
to the genetic characteristics
of an individual which are
inherited or acquired during early prenatal development
that have been inherited or
acquired, resulting from an analysis of a biological sample from the
individual in question;
(11) 'biometric data' means any personal
data resulting from specific
technical processing relating
to the physical, physiological or behavioural characteristics of an
individual which allow
their allows or
confirms the
unique identification of that
individual, such as facial
images, or dactyloscopic data;
(12) 'data concerning health' means any
information which relates data related
to the physical or mental health of an individual,
or to the provision of health services to the individual which
reveal information about his or her health status;
(12a) 'profiling' means a form of automated processing of personal data intended to use a profile to evaluate personal aspects relating to a natural person, in particular to analyse and predict aspects concerning performance at work, economic situation, health, personal preferences, or interests, reliability or behaviour, location or movements;
(12b) ‘profile’ means a set of data characterising a category of individuals that is intended to be applied to a natural person;
(13) ‘main
establishment’ means as regards the controller, the place of its
establishment in the Union where the main decisions as to the
purposes, conditions and means of the processing of personal data are
taken; if no decisions as to the purposes, conditions and means of
the processing of personal data are taken in the Union, the main
establishment is the place where the main processing activities in
the context of the activities of an establishment of a controller in
the Union take place. As regards the processor, 'main establishment'
means the place of its central administration in the Union;
‘main
establishment’ means
- as
regards a controller with establishments in more than one Member
State, the place of its central administration in the Union, unless
the decisions on the purposes and means of the processing of personal
data are taken in another establishment of the controller in the
Union and the latter establishment has the power to have such
decisions implemented , in this case the establishment having taken
such decisions shall be considered as the main establishment.
-
as regards a processor with establishments in more than one Member
State, the place of its central administration in the Union and, if
the processor has no central administration in the Union, the
establishment of the processor in the Union where the main processing
activities in the context of the activities of an establishment of
the processor take place to the extent that the processor is subject
to specific obligations under this Regulation;
(14) 'representative' means any natural
or legal person established in the Union who, explicitly
designated by the controller acts
and may be addressed by any supervisory authority and other bodies in
the Union instead of in
writing pursuant to Article 25,
represents
the controller with regard to the obligations of the controller under
this Regulation;
(15) 'enterprise' means any entity
natural or legal
person
engaged in an economic
activity, irrespective of its legal form, thus
including natural or legal
persons,
partnerships or associations regularly engaged in an economic
activity;
(16) 'group of undertakings' means a controlling undertaking and its controlled undertakings;
(17) 'binding corporate rules' means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State of the Union for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings or group of enterprises engaged in a joint economic activity;
(18) 'child'
means any person below the age of 18 years;
(19) 'supervisory authority' means an
independent
public authority which is established by a Member State in
accordance with pursuant
to
Article 46;
(19a) ‘concerned supervisory authority’ means
- a supervisory authority which is concerned by the processing because:
a) the controller or processor is established on the territory of the Member State of that supervisory authority;
b) data subjects residing in this Member State are substantially/essentially affected or likely to be substantially/essentially affected by the processing; or
c) the underlying complaint has been lodged to that supervisory authority.
(19b) “transnational processing of personal data” means either:
(a) processing which takes place in the context of the activities of an establishment in more than one Member State of a controller in the Union and the controller or processor is established in more than one Member State; or
(b) processing which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.
(19c)
“relevant and reasoned objection” means: an objection as to
whether there is an infringement of this Regulation or not, or, as
the case may be, whether the envisaged action in relation to the
controller or processor is in conformity with the Regulation. The
objection shall be accompanied by an analysis of the significance of
the risks posed by the draft decision as regards the fundamental
rights and freedoms of data subjects and where applicable, the free
flow of personal data.
(20) 'Information Society service' means any service as defined by Article 1 (2) of Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on Information Society services.
(21) ‘international organisation’ means an organisation and its subordinate bodies governed by public international law or any other body which is set up by, or on the basis of, an agreement between two or more countries;
CHAPTER II
PRINCIPLES
PRINCIPLES RELATING TO PERSONAL DATA PROCESSING
Personal data must be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject;
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further processing of personal data for archiving purposes in the public interest or scientific, statistical or historical purposes shall in accordance with Article 83 not be considered incompatible with the initial purposes;
(c) adequate, relevant and limited
to the minimum necessary not
excessive
in relation to the
purposes for which they are processed; they
shall only be processed if, and as long as, the purposes could not be
fulfilled by processing information that does not involve personal
data;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
(e) kept in a form which permits
identification of data subjects for no longer than is necessary for
the purposes for which the personal data are processed; personal data
may be stored for longer periods insofar as the data will be
processed solely
for archiving purposes in the public interest or
scientific, statistical, or historical research
purposes in accordance
with
the rules and conditions of
Article 83 and
if a periodic review is carried out to assess the necessity to
continue the storage;
subject to implementation
of the appropriate technical and organisational measures required by
the Regulation in order to safeguard the rights and freedoms of data
subject;
(ee) processed in a manner that ensures appropriate security of the personal data.
(f)
processed under the responsibility and liability of the controller,
who shall ensure and demonstrate for each processing operation the
compliance with the provisions of this Regulation.
ARTICLE 6
LAWFULNESS OF PROCESSING
1. Processing of personal data shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given
consent to the processing of their personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the
purposes of the legitimate interests
pursued by a
the
controller,
or by a third party;
except where such interests are
overridden by the interests or fundamental rights and freedoms of the
data subject which require protection of personal data, in particular
where the data subject is a child. This
subparagraph
shall not
apply to processing carried out by public authorities in the
performance of their tasks.
2. Processing of personal data which is
necessary for purposes
of archiving
purposes in the public interest,
or for
historical, statistical or scientific research
purposes
shall be lawful subject also to the conditions and safeguards
referred to in Article 83.
3. The basis of
for
the processing referred to in points (c) and (e) of paragraph 1 must
be provided for in
established in accordance
with:
(a) Union law, or
(b) the
national
law of the Member State to which the controller is subject.
The
law of the Member State must meet an objective of public interest or
must be necessary to protect the rights and freedoms of others,
respect the essence of the right to the protection of personal data
and be proportionate to the legitimate aim pursued.
The purpose of the processing shall be
determined in this legal basis or as regards the processing referred
to in point (e) of paragraph 1, be necessary for the performance of a
task carried out in the public interest or in the exercise of
official authority vested in the controller. This legal basis may
contain specific provisions
to adapt the application of rules of
this Regulation, inter
alia the general conditions governing the lawfulness of data
processing by the controller, the type of data which are subject to
the processing, the data subjects concerned; the entities to, and the
purposes for which the data may be disclosed; the purpose limitation;
storage periods and processing
operations and processing procedures, including measures to ensure
lawful and fair processing, including for other specific processing
situations as provided for in Chapter IX.
3a. In
order to ascertain whether a purpose of further processing is
compatible with the one for which the data are initially collected,
the controller shall take into account, unless
the data subject has given consent, inter
alia:
(a) any link between the purposes for
which the data have been collected and the purposes of the intended
further processing;
(b) the context in which the data have
been collected;
(c) the nature of the personal data;
in particular whether
special categories of personal data, pursuant to Article 9;
(d) the possible consequences of the
intended further processing for data subjects;
(e) the existence of appropriate safeguards.
4. Only
where the purpose of further
processing is not
compatible incompatible
with the one for which the personal data have been collected, the
further
processing must have a legal basis at least in one of the grounds
referred to in points (a) to (e)
of paragraph 1. This
shall in particular apply to any change of terms and general
conditions of a contract.
Further processing for incompatible purposes on grounds of
legitimate interests of the controller or a third party shall be
lawful if these interests override the interests of the data
subject.
5. The
Commission shall be empowered to adopt delegated acts in accordance
with Article 86 for the purpose of further specifying the conditions
referred to in point (f) of paragraph 1 for various sectors and data
processing situations, including as regards the processing of
personal data related to a child.
ARTICLE 7
CONDITIONS FOR CONSENT
1. The
controller shall bear the burden of proof for the data subject's
consent to the processing of their personal data for specified
purposes. Where
Article 6(1)(a) applies the
controller shall
be able to demonstrate that unambiguous
consent was given by the data
subject.
1a. Where Article 9(2)(a) applies, the controller shall be able to demonstrate that explicit consent was given by the data subject.
2. If the data subject's consent is to be
given in the context of a written declaration which also concerns
another
matters,
the requirement to give
request for
consent must be presented in a
manner which is clearly
distinguishable in its
appearance
from this the
other matters, in an intelligible and easily
accessible form, using clear and plain language.
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof.
4. Consent
shall not provide a legal basis for the processing, where there is a
significant imbalance between the position of the data subject and
the controller.
ARTICLE 8
PROCESSING OF PERSONAL DATA
OF A CHILD CONDITIONS
APPLICABLE TO CHILD'S CONSENT IN RELATION TO INFORMATION SOCIETY
SERVICES
1. For
the purposes of this Regulation Where
Article 6 (1)(a) applies,
in relation to the offering of information society services directly
to a child, the processing of personal data of a child below the age
of 13 14
years
shall only be lawful if and
to the extent that such
consent is given or authorised by the child's
parent or custodian guardian.
holder of parental responsibility over the child.
The controller shall make reasonable efforts to obtain
verifiable verify in
such cases that
consent is given or
authorised by
the holder of parental
responsibility over the child
the child's parent
or guardian
taking into consideration available technology.
2. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.
3. The Commission shall be
empowered to adopt delegated acts in accordance with Article 86 for
the purpose of further specifying the criteria and requirements for
the methods to obtain verifiable consent referred to in paragraph 1.
In doing so, the Commission shall consider specific measures for
micro, small and medium-sized enterprises.
4. The Commission may lay down standard forms for specific methods to obtain verifiable consent referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
ARTICLE 9
PROCESSING OF SPECIAL CATEGORIES OF PERSONAL DATA
1. The processing of personal data,
revealing race
racial
or ethnic origin, political opinions, religious
or philosophical
beliefs, trade-union membership, and the processing of genetic data
or data concerning health or sex life or
criminal convictions or related security measures
shall be prohibited.
2. Paragraph 1 shall not apply if one of the following applies and Article 6 is complied with:
(a) the
data subject has given explicit
consent to the processing of those personal data, subject
to the conditions laid down in Articles 7 and 8,
except where Union law or Member State law provide that the
prohibition referred to in paragraph 1 may not be lifted by the data
subject; or
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and protection law in so far as it is authorised by Union law or Member State law or a collective agreement pursuant to Member State law providing for adequate safeguards; or
(c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent; or
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed outside that body without the consent of the data subjects; or
(e) the processing relates to personal data which are manifestly made public by the data subject; or
(f) processing is necessary for the establishment, exercise or defence of legal claims; or
(g) processing is necessary for
the performance of a task carried out in for
reasons of
public interest, on the basis of Union law or Member State law which
shall provide for suitable and
specific
measures to safeguard the data subject's legitimate interests; or
(h) processing of
data concerning health
is necessary for health
purposes the purposes
of preventive or occupational medicine, for
the assessment of the working capacity of the employee,
medical diagnosis,
the provision of care or treatment or the management of health-care
systems services on
the basis of Union law or Member State law or pursuant to contract to
which the data subject is party
and
subject to the conditions and safeguards referred to in Article
81 paragraph
4
(ha) processing of genetic data is necessary for purposes specified in points c), f), g), h) and hb) of this paragraph on the basis of Union or Member State law and subject to the conditions and safeguards referred to in paragraph 4;
(hb) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union law or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject data;
(i) processing is necessary for
archiving purposes
in the public interest
or
historical, statistical or scientific research
purposes and
subject to the conditions and safeguards referred to in Article 83
(j) processing
of data relating to criminal convictions or related security measures
is carried out either under the control of official authority or when
the processing is necessary for compliance with a legal or regulatory
obligation to which a controller is subject, or for the performance
of a task carried out for important public interest reasons, and in
so far as authorised by Union law or Member State law providing for
adequate safeguards. A complete register of criminal convictions
shall be kept only under the control of official authority.
3. The
Commission shall be empowered to adopt delegated acts in accordance
with Article 86 for the purpose of further specifying the criteria,
conditions and appropriate safeguards for the processing of the
special categories of personal data referred to in paragraph 1 and
the exemptions laid down in paragraph 2.
4. Personal data referred to in paragraph 1 may on the basis of Union or Member State law be processed for the purposes referred to in points (h) and (ha) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies; by another person also subject to an obligation of secrecy under Member State law or rules established by national competent bodies.
4a. In case a transfer of personal data referred to Article 44(1)(f) involves personal data concerning health such transfer can take place only subject to the condition that those data will be processed by a health professional subject to the obligation of professional secrecy under the law of the third State concerned or rules established by national competent bodies to the obligation of professional secrecy, or by another person also subject to an obligation of secrecy under the law of the third State concerned or rules established by national competent bodies.
ARTICLE 9A
PROCESSING OF DATA RELATING TO CRIMINAL CONVICTIONS AND OFFENCES
Processing of data relating to criminal
convictions and offences or related security measures based on
Article 6(1) may only be carried out either under the control of
official authority or
when the processing is authorised by Union
law or Member State law
providing for adequate safeguards for the rights and freedoms of data
subjects. A complete register of criminal convictions may be kept
only under the control of official authority.
ARTICLE 10
PROCESSING NOT REQUIRING IDENTIFICATION
1. If the data
processed by purposes
for which
a controller do not
permit the controller to identify a natural person processes
personal data do not require the identification of a data subject by
the controller,
the controller shall not be obliged to acquire additional information
nor to engage in additional
processing
in order to identify the data
subject for the sole purpose of complying with any
provision of
this Regulation.
2. Where, in such cases the controller is not in a position to identify the data subject, articles 15, 16, 17, 17a, 17b and 18 do not apply except where the data subject, for the purpose of exercising his or her rights under these articles, provides additional information enabling his or her identification.
CHAPTER III
SECTION 1
TRANSPARENCY AND MODALITIES
ARTICLE 11
TRANSPARENT INFORMATION AND COMMUNICATION
1. The
controller shall have transparent and easily accessible policies with
regard to the processing of personal data and for the exercise of
data subjects' rights.
2. The
controller shall provide any information and any communication
relating to the processing of personal data to the data subject in an
intelligible form, using clear and plain language, adapted to the
data subject, in particular for any information addressed
specifically to a child.
ARTICLE 12
PROCEDURES
AND MECHANISMS TRANSPARENT
INFORMATION, COMMUNICATION AND MODALITIES
FOR
EXERCISING THE RIGHTS OF THE DATA SUBJECT
1. The controller
shall establish
procedures for providing the
take
appropriate measures to provide any
information referred to in Articles 14 and for
the exercise of the rights of data subjects referred to in Article 13
and Articles 15 to 19. 14a
and any communication under Articles 15 to 19
and 32
relating to the processing of personal data to the data
subject
in an intelligible and easily accessible form, using clear and plain
language.
The
controller shall provide in particular mechanisms for facilitating
the request for the actions referred to in Article 13 and Articles 15
to 19.
Where personal data are processed by automated means, the controller
shall also provide means for requests to be made electronically.
The
information shall be provided in writing, or where appropriate,
electronically or by other means.
1a. The controller shall facilitate the exercise of data subject rights under Articles 15 to 19.
2. The controller
shall inform
provide
the information referred to in Articles 14a and 15 and information on
action taken on a request under Articles 16 to 19 to
the
data subject without
undue
delay
and
at
the latest within
one month of receipt of the request, whether
or not any action has been taken pursuant to Article 13 and Articles
15 to 19 and shall provide the requested information.
This period may be prolonged
extended
for a further two
months,
if several data subjects exercise their rights and their cooperation
is necessary to a reasonable extent to prevent an unnecessary and
disproportionate effort on the part of the controller. The
information shall be given in writing. Where
the data subject makes the request in electronic form, the
information shall be provided in electronic form, unless otherwise
requested by the data subject.
when necessary,
taking into account the complexity of the request and the number of
requests.
Where
the extended period applies, the data subject shall be informed
within one month of receipt of the request of the reasons for the
delay.
3. If the controller
refuses
does
not
take
action on the request of the data subject, the controller shall
inform the data subject without
delay and at
the latest within
one month of receipt of the request
of
the reasons for refusal
not
taking action
and on the possibilitiesy
of
lodging a complaint to the
a
supervisory authority and
seeking a judicial remedy.
4. The
Information
and
the actions taken on requests referred to in paragraph 1 shall be
free of charge
provided
under Articles 14 and 14a and any communication under Articles 16 to
19 and 32 shall be provided free of charge.
Where requests from
a data subject
are manifestly unfounded
or
excessive, in particular because of their repetitive character, the
controller may charge
a fee for providing the information or taking the action requested,
or the controller may not take the action requested refuse
to act on the request.
In that case, the controller shall bear the burden of proving
demonstrating
the
manifestly
unfounded or
excessive character of the request.
4a. Without prejudice to Article 10, where the controller has reasonable doubts concerning the identity of the individual making the request referred to in Articles 15 to 19, the controller may request the provision of additional information necessary to confirm the identity of the data subject.
5. The
Commission shall be empowered to adopt delegated acts in accordance
with Article 86 for the purpose of further specifying the criteria
and conditions for the manifestly excessive requests and the fees
referred to in paragraph 4.
6. The
Commission may lay down standard forms and specifying standard
procedures for the communication referred to in paragraph 2,
including the electronic format. In doing so, the Commission shall
take the appropriate measures for micro, small and medium-sized
enterprises. Those implementing acts shall be adopted in accordance
with the examination procedure referred to in Article 87(2).
ARTICLE 13
RIGHTS IN RELATION TO RECIPIENTS
The
controller shall communicate any rectification or erasure carried out
in accordance with Articles 16 and 17 to each recipient to whom the
data have been disclosed, unless this proves impossible or involves a
disproportionate effort.
SECTION 2
INFORMATION AND ACCESS TO DATA
ARTICLE 14
INFORMATION TO
BE
PROVIDED WHERE THE DATA ARE COLLECTED FROM
THE DATA SUBJECT
1. Where personal data
relating to a data subject are collected
from the data subject,
the controller shall, at
the time when personal data are obtained,
provide the data subject with at
least
the following information:
(a) the identity and
the contact details of the controller and, if any, of the
controller's representative and
;
the controller may also include the contact details
of the data protection officer,
if any;
(b) the purposes of
the processing for which the personal data are intended; including
the contract terms and general conditions where the processing is
based on point (b) of Article 6(1) and the legitimate interests
pursued by the controller where the processing is based on point (f)
of Article 6(1);
(c) the
period for which the personal data will be stored;
(d) the
existence of the right to request from the controller access to and
rectification or erasure of the personal data concerning the data
subject or to object to the processing of such personal data;
(e) the
right to lodge a complaint to the supervisory authority and the
contact details of the supervisory authority;
(f) the
recipients or categories of recipients of the personal data;
(g) where
applicable, that the controller intends to transfer to a third
country or international organisation and on the level of protection
afforded by that third country or international organisation by
reference to an adequacy decision by the Commission;
(h) any
further information necessary to guarantee fair processing in respect
of the data subject, having regard to the specific circumstances in
which the personal data are collected.
1a. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with such further information necessary to ensure fair and transparent processing in respect of the data subject, having regard to the specific circumstances and context in which the personal data are processed:
(b) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller;
(c) the recipients or categories of recipients of the personal data;
(d) where
applicable, that the controller intends to transfer personal data to
a recipient in a
third
country or international organisation; and
on the level of protection afforded by that third country or
international organisation by reference to an adequacy decision by
the Commission;
(e) the existence of the right to request from the controller access to and rectification or erasure of the personal data or restriction of processing of personal data concerning the data subject and to object to the processing of such personal data;
(f) the right to
lodge a complaint to the
a
supervisory authority [and
the contact details of the supervisory authority];
(g) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as the possible consequences of failure to provide such data; and
(h) the existence of automated decision making including profiling referred to in Article 20(1) and (3) and information concerning the processing, as well as the significance and the envisaged consequences of such processing for the data subject.
2. Where
the personal data are collected from the data subject, the controller
shall inform the data subject, in addition to the information
referred to in paragraph 1, whether the provision of personal data is
obligatory or voluntary, as well as the possible consequences of
failure to provide such data.
3. Where the personal data are not collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, from which source the personal data originate.
4. The controller shall provide the information referred to in paragraphs 1, 2 and 3:
(a) at
the time when the personal data are obtained from the data subject;
or
(b) where
the personal data are not collected from the data subject, at the
time of the recording or within a reasonable period after the
collection, having regard to the specific circumstances in which the
data are collected or otherwise processed, or, if a disclosure to
another recipient is envisaged, and at the latest when the data are
first disclosed.
5. Paragraphs
1 to 4 shall not apply, where:
(a) the data subject has already the information referred to in paragraphs 1, 2 and 3; or
(b) the data are not collected from the data subject and the provision of such information proves impossible or would involve a disproportionate effort; or
(c) the data are not collected from the data subject and recording or disclosure is expressly laid down by law; or
(d) the
data are not collected from the data subject and the provision of
such information will impair the rights and freedoms of others, as
defined in Union law or Member State law in accordance with Article
21.
Paragraphs 1 and 1a shall not apply where and insofar as the data subject already has the information.
6. In the case referred to in point (b) of paragraph 5, the controller shall provide appropriate measures to protect the data subject's legitimate interests.
7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria for categories of recipients referred to in point (f) of paragraph 1, the requirements for the notice of potential access referred to in point (g) of paragraph 1, the criteria for the further information necessary referred to in point (h) of paragraph 1 for specific sectors and situations, and the conditions and appropriate safeguards for the exceptions laid down in point (b) of paragraph 5. In doing so, the Commission shall take the appropriate measures for micro, small and medium-sized enterprises.
8. The Commission may lay down standard forms for providing the information referred to in paragraphs 1 to 3, taking into account the specific characteristics and needs of various sectors and data processing situations where necessary. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
ARTICLE 14 A
INFORMATION TO BE PROVIDED WHERE THE DATA HAVE NOT BEEN OBTAINED FROM THE DATA SUBJECT
1. Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
(a) the identity and the contact details of the controller and, if any, of the controller's representative; the controller may also include the contact details of the data protection officer, if any;
(b) the purposes of the processing for which the personal data are intended.
2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with such further information necessary to ensure fair and transparent processing in respect of the data subject, having regard to the specific circumstances and context in which the personal data are processed:
(a) the categories of personal data concerned;
(c) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller;
(d) the recipients or categories of recipients of the personal data;
(e) the existence of the right to request from the controller access to and rectification or erasure of the personal data concerning the data subject and to object to the processing of such personal data;
(f) the right to lodge a complaint to a supervisory authority;
(g) the origin of the personal data, unless the data originate from publicly accessible sources;
(h) the existence of automated decision making including profiling referred to in Article 20(1) and (3) and information concerning the processing, as well as the significance and the envisaged consequences of such processing for the data subject.
3. The controller shall provide the information referred to in paragraphs 1 and 2:
(a) within a reasonable period after obtaining the data, having regard to the specific circumstances in which the data are processed, or
(b) if a disclosure to another recipient is envisaged, at the latest when the data are first disclosed.
4. Paragraphs 1 to 3 shall not apply where and insofar as:
(a) the data subject already has the information; or
(b) the provision of such information proves impossible or would involve a disproportionate effort or is likely to render impossible or to seriously impair the achievement of the purposes of the processing; in such cases the controller shall take appropriate measures to protect the data subject's legitimate interests; or
(c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject, which provides appropriate measures to protect the data subject's legitimate interests; or
(d) where the data originate from publicly available sources; or
(e) where the data must remain confidential in accordance with a legal provision in Union or Member State law or because of the overriding legitimate interests of another person.
ARTICLE 15
RIGHT OF ACCESS FOR THE DATA SUBJECT
1. The data subject
shall have the right to obtain from the controller at any
time, on request,
reasonable
intervals
and free of charge
confirmation as to whether or not personal data subject
concerning
him or her
are being processed.
and
where
such personal data are being processed the
controller shall provide
access
to the data
and the
following information:
(a) the purposes of the processing;
(b) the
categories of personal data concerned;
(c) the recipients or
categories of recipients to whom the personal data are
to be or
have been or
will
be disclosed, in particular to recipients in third countries;
(d) where possible, the envisaged period for which the personal data will be stored;
(e) the existence of the right to request from the controller rectification or erasure of personal data concerning the data subject or to object to the processing of such personal data;
(f) the right to lodge
a complaint to the
a
supervisory authority and
the contact details of the supervisory authority;
(g) communication
of the personal data undergoing processing and of
where
the personal data are not collected from the data subject,
any available information as to their source;
(h) in
the case of automated
decision making including profiling
referred to in Article 20(1) and (3),
knowledge of the logic involved in any automated data processing as
well as
the significance and envisaged consequences of such processing,
at least in the case of measures referred to in Article 20.
1a. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 42 relating to the transfer.
1b. On request and without an excessive charge, the controller shall provide a copy of the personal data undergoing processing to the data subject.
2. The
data subject shall have the right to obtain from the controller
communication of the personal data undergoing processing. Where the
data subject makes the request in electronic form, the information
shall be provided in electronic form, unless otherwise requested by
the data subject.
Where personal data
supplied by the data subject are processed by automated means and in
a structured and commonly used format, the controller shall, on
request and without an excessive charge, provide a copy of the data
concerning the data subject in that format to the data
subject.
2a. The right to obtain a copy referred to in paragraphs 1b and 2 shall not apply where such copy cannot be provided without disclosing personal data of other data subjects.
3. The
Commission shall be empowered to adopt delegated acts in accordance
with Article 86 for the purpose of further specifying the criteria
and requirements for the communication to the data subject of the
content of the personal data referred to in point (g) of paragraph 1.
4. The
Commission may specify standard forms and procedures for requesting
and granting access to the information referred to in paragraph 1,
including for verification of the identity of the data subject and
communicating the personal data to the data subject, taking into
account the specific features and necessities of various sectors and
data processing situations. Those implementing acts shall be adopted
in accordance with the examination procedure referred to in Article
87(2).
RECTIFICATION AND ERASURE
ARTICLE 16
RIGHT TO RECTIFICATION
The data subject shall
have the right to obtain from the controller the rectification of
personal data relating
to them
concerning
him or her
which are inaccurate. Having
regard to the purposes for which data were processed,
the data subject shall have the right to obtain completion of
incomplete personal data, including by way
of means
of providing a
supplementing
supplementary
a
statement.
ARTICLE 17
RIGHT TO BE FORGOTTEN AND TO ERASURE
The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which are made available by the data subject while he or she was a child, The controller shall have the obligation to erase personal data without undue delay and the data subject shall have the right to obtain the erasure of personal data without undue delay where one of the following grounds applies:
(a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject
withdraws consent on which the processing is based according to point
(a) of Article 6(1) or
point (a) of Article 9(2)
or
when the storage period consented to has expired,
and
where
there is no other legal ground for the processing of the data;
(c) the data subject objects to the processing of personal data pursuant to Article 19(1) and there are no overriding legitimate grounds for the processing or the data subject objects to the processing of personal data pursuant to Article 19(2);
(d) the
processing of the data does not comply with this Regulation for other
reasons. the
data have been unlawfully processed;
(e) the data have to be erased for compliance with a legal obligation to which the controller is subject.
2. Where
the controller referred to in paragraph 1 has made the personal data
public, it shall take all reasonable steps, including technical
measures, in relation to data for the publication of which the
controller is responsible, to inform third parties which are
processing such data, that a data subject requests them to erase any
links to, or copy or replication of that personal data. Where the
controller has authorised a third party publication of personal data,
the controller shall be considered responsible for that
publication.
2a. Where
the controller referred
to paragraph 1
has
made the personal data public and
is obliged pursuant to paragraph 1 to erase the data,
the
controller, taking account of available technology and the cost of
implementation, it
shall
take all
reasonable steps, including technical measures, in
relation to data for the publication of which the controller is
responsible,
to
inform third
parties controllers
which are processing such
the
data, that a data subject requests them
to
erase any links to, or copy or replication of that personal data.
Where
the controller has authorised a third party publication of personal
data, the controller shall be considered responsible for that
publication.
3. The
controller shall carry out the erasure without delay, except
Paragraphs
1 and 2a shall not apply
to the extent that the
retention
processing
of the personal data is necessary:
(a) for exercising the right of freedom of expression in accordance with Article 80;
(b)
for compliance with a legal obligation to retain
process
the personal data by Union or Member State law to which the
controller is subject or
for the performance of a task carried out in the public interest or
in the exercise of official authority vested in the controller;
Member
State laws shall meet an objective of public interest, respect the
essence of the right to the protection of personal data and be
proportionate to the legitimate aim pursued;
(c) for reasons of public interest in the area of public health in accordance with Article 81;
(d) for
archiving
purposes in the public interest or for
historical, statistical and research
scientific purposes in accordance with Article
[83];
(e) in
the cases referred to in paragraph 4
(g) for the establishment, exercise or defence of legal claims.
4. Instead
of erasure, the controller shall restrict processing of personal data
where:
(a) their
accuracy is contested by the data subject, for a period enabling the
controller to verify the accuracy of the data;
(b) the
controller no longer needs the personal data for the accomplishment
of its task but they have to be maintained for purposes of
proof;
(c) the
processing is unlawful and the data subject opposes their erasure and
requests the restriction of their use instead;
(d) the
data subject requests to transmit the personal data into another
automated processing system in accordance with Article 18(2).
5. Personal
data referred to in paragraph 4 may, with the exception of storage,
only be processed for purposes of proof, or with the data subject's
consent, or for the protection of the rights of another natural or
legal person or for an objective of public interest.
6. Where processing of personal data is restricted pursuant to paragraph 4, the controller shall inform the data subject before lifting the restriction on processing.
7. The
controller shall implement mechanisms to ensure that the time limits
established for the erasure of personal data and/or for a periodic
review of the need for the storage of the data are observed.
8. Where
the erasure is carried out, the controller shall not otherwise
process such personal data.
9. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying:
(a) the criteria and requirements for the application of paragraph 1 for specific sectors and in specific data processing situations;
(b) the conditions for deleting links, copies or replications of personal data from publicly available communication services as referred to in paragraph 2;
(c) the criteria and conditions for restricting the processing of personal data referred to in paragraph 4.
ARTICLE 17A
RIGHT TO RESTRICTION OF PROCESSING
1. The data subject shall have the right to obtain from the controller the restriction of the processing of personal data where:
(a) the accuracy of the data is contested by the data subject, for a period enabling the controller to verify the accuracy of the data;
(b) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
(c) he or she has objected to processing pursuant to Article 19(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
3. Where processing of personal data has been restricted under paragraph 1, such data may, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.
4. A data subject who obtained the restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.
ARTICLE 17B
NOTIFICATION OBLIGATION REGARDING RECTIFICATION, ERASURE OR RESTRICTION
The controller
shall communicate any rectification, erasure or restriction of
processing carried out in accordance with Articles 16, 17(1) and 17a
to each recipient to whom the data have been disclosed, unless this
proves impossible or involves a disproportionate effort.
ARTICLE 18
RIGHT TO DATA PORTABILITY
1. The data
subject shall have the right, where personal data are processed by
electronic means and in a structured and commonly used format, to
obtain from the controller a copy of data undergoing processing in an
electronic and structured format which is commonly used and allows
for further use by the data subject.
2. Where
tThe
data subject has
provided the personal data and the processing is based on consent or
on a contract, the data
shall have the right to transmit those
the
personal
data and
any other information provided by the data subject and retained by an
automated processing system, into another one, in an electronic
format which is
concerning
him or her which he or
she has provided to a controller to another controller
in a commonly used and
machine-readable format
without hindrance from the controller from
whom the personal data are withdrawn.
to
which the data have been provided to, where
(a) the processing is based on consent or on a contract pursuant to points (a) and (b) of Article 6 (2) or point (a) of Article 9 (2); and
(b) the processing is carried out by automated means.
2a. The exercise of this right shall be without prejudice to Article 17.
2aa. The right referred to in paragraph 2 shall be without prejudice to intellectual property rights in relation to the processing of the those personal data.
3. The Commission may
specify the electronic
format referred to in paragraph 1 and technical
standards, modalities and procedures for the transmission of personal
data pursuant to paragraph 2. Those implementing acts shall be
adopted in accordance with the examination procedure referred to in
Article 87(2).
SECTION 4
1. The data subject
shall have the right to object, on reasoned
grounds relating to their
his
or her
particular situation, at any time to the processing of personal data
concerning
him or her
which is based on point (d),
(e) and (f)
of Article 6(1);
the
personal
data shall no longer be processed
unless the controller demonstrates compelling
legitimate grounds for the processing which override the interests
or fundamental
rights and freedoms of the data subject.
1a. Where an objection is upheld pursuant to paragraph 1, the controller shall no longer process the personal data concerned except for the establishment, exercise or defence of legal claims.
2. Where personal data
are processed for direct marketing purposes, the data subject shall
have the right to object free
of charge at
any time
to the processing of personal data concerning
him or her
for such marketing. This right shall be explicitly offered
brought
to the attention of
the data subject in
an intelligible manner
and shall be presented
clearly
distinguishable
and
separately from
any
other information.
2a. Where the data subject objects to the processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
3. Where an objection is upheld pursuant to paragraphs 1 and 2, the controller shall no longer use or otherwise process the personal data concerned.
ARTICLE 20
MEASURES BASED ON PROFILING
1. Every
natural person
The
data
subject
shall have the right not to be subject to a measure
which decision
evaluating personal aspects relating to him or her, which is based
solely on automated
processing, including profiling,
and
produces
legal effects concerning this
natural person or significantly affects this natural person, and
which is based solely on automated processing intended to evaluate
certain personal aspects relating to this natural person or to
analyse or predict in particular the natural person's performance at
work, economic situation, location, health, personal preferences,
reliability or behaviour him
or her or significantly affects
him or her.
1a.
Subject
to the other provisions of this Regulation, a person may be subjected
to a measure of the kind A
data subject may be subject to a decision
referred to in paragraph 1 only if the
processing
it
(a) is carried
out in the course of the necessary
for
entering
into, or performance of, a contract where
the request for the entering into or the performance of the contract,
lodged by the data subject, has been satisfied or where suitable
measures to safeguard the data subject's legitimate interests have
been adduced, such as the right to obtain human intervention
between
the data subject and a data controller
or
(b) is
expressly
authorized by Union or Member State law to
which the controller is subject and
which also lays down suitable measures to safeguard the data
subject's legitimate interests; or
(c) is based on the
data subject's explicit
consent, subject
to the conditions laid down in Article 7 and to suitable
safeguards.
1b. In cases referred to in paragraph 1a) the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, such as the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision:
2. Subject
to the other provisions of this Regulation, a person may be subjected
to a measure of the kind referred to in paragraph 1 only if the
processing:
(a) is carried
out in the course of the entering into, or performance of, a
contract, where the request for the entering into or the performance
of the contract, lodged by the data subject, has been satisfied or
where suitable measures to safeguard the data subject's legitimate
interests have been adduced, such as the right to obtain human
intervention; or
(b) is
expressly authorized by a Union or Member State law which also lays
down suitable measures to safeguard the data subject's legitimate
interests; or
(c) is based
on the data subject's consent, subject to the conditions laid down in
Article 7 and to suitable safeguards.
3. Automated
processing of personal data intended to evaluate certain personal
aspects relating to a natural person shall not be based solely on the
special categories of personal data referred to in Article 9.
Decisions referred
to in paragraph 1a shall not be based on special categories of
personal data referred to in Article 9(1), unless points (a) or (g)
of
Article
9(2) apply and suitable measures to safeguard the data subject's
legitimate interests are in place.
4. In
the cases referred to in paragraph 2, the information to be provided
by the controller under Article 14 shall include information as to
the existence of processing for a measure of the kind referred to in
paragraph 1 and the envisaged effects of such processing on the data
subject.
5. The
Commission shall be empowered to adopt delegated acts in accordance
with Article 86 for the purpose of further specifying the criteria
and conditions for suitable measures to safeguard the data subject's
legitimate interests referred to in paragraph 2.
SECTION 5
Restrictions
ARTICLE 21
RESTRICTIONS
1. Union or Member
State law to
which the data controller or processor is subject
may restrict by way of a legislative measure the scope of the
obligations and rights provided for in points
(a) to (e) of Article 5 and
Articles 1112
to 20 and Article 32, as
well as Article 5 in so far as its provisions correspond to the
rights and obligations provided for in Articles 12 to 20,
when such a restriction constitutes a necessary and proportionate
measure in a democratic society to safeguard:
(aa) national security;
(ab) defence;
(a) public security;
(b) the prevention, investigation, detection and prosecution of criminal offences and, for these purposes, safeguarding of public security, or the execution of criminal penalties;
(c) other
important
objectives of general
public interests of the Union or of a Member State, in particular an
important economic or financial interest of the Union or of a Member
State, including,
monetary, budgetary and taxation matters,
public
health and social security,
and
the protection of market stability and integrity;
(ca) the protection of judicial independence and judicial proceedings;
(d) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
(e) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (a), (b), (c) and (d);
(f) the protection of the data subject or the rights and freedoms of others.
(g) the enforcement of civil law claims.
2. In
particular aAny
legislative measure referred to in paragraph 1 shall contain specific
provisions at least,
where relevant as
to the
objectives to be pursued by the processing and the determination of
the controller the
purposes of the processing or categories of processing, the
categories of personal data, the scope of the restrictions
introduced, the specification
of the controller or
categories of controllers,
the
storage period
and the applicable safeguards taking into account of the nature,
scope and purposes of the processing and the risks for the rights and
freedoms of data subjects.
SECTION 5
CODES OF CONDUCT AND CERTIFICATION
ARTICLE 38
CODES OF CONDUCT
1. The Member States, the supervisory authorities, the European Data Protection Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various data processing sectors in particular in relation to: and the specific needs of micro, small and medium-sized enterprises.
1a. Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of provisions of this Regulation, such as:
(a) fair and transparent data processing;
(aa) the legitimate interests pursued by controllers in specific contexts;
(b) the collection of data;
(bb) the pseudonymisation of personal data;
(c) the information of the public and of data subjects;
(d) requests of data subjects in exercise of their rights; the exercise of the rights of data subjects;
(e) information and protection of children and the way to collect the parent’s and guardian’s consent;
(ee) measures and procedures referred to in Articles 22 and 23 and measures to ensure security of processing referred to in Article 30;
(ef) notification of personal data breaches to supervisory authorities and communication of such breaches to data subjects;
(f) transfers of data to third countries or international organisations.
(g) mechanisms for monitoring and ensuring compliance with the code by the controllers adherent to it;
(h) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with respect to the processing of personal data, without prejudice to the rights of the data subjects pursuant to Articles 73 and 75.
1ab. In addition to adherence by controller or processor subject to the regulation, codes of conduct approved pursuant to paragraph 2 may also be adhered to by controllers or processors that are not subject to this Regulation according to Article 3 in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organisations under the terms referred to in Article 42(2)(d). Such controllers or processors shall make binding and enforceable commitments, via contractual instruments or otherwise, to apply those appropriate safeguards including as regards data subjects’ rights.
1b. Such a code of conduct shall contain mechanisms which enable the body referred to in paragraph 1 of article 38a to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of the supervisory authority which is competent pursuant to Article 51 or 51a.
2. Associations and other bodies representing categories of controllers or processors in one Member State referred to in paragraph 1a which intend to draw up prepare a codes of conduct, or to amend or extend an existing code, shall submit them the draft code to an opinion of the supervisory authority in that Member State. The supervisory authority may give an opinion whether the draft code of conduct or the amendment is in compliance with this Regulation. The supervisory authority shall seek the views of data subjects or their representatives on these drafts the supervisory authority which is competent pursuant to Article 51. The supervisory authority shall give an opinion on whether the draft code, or amended or extended code, is in compliance with this Regulation and shall approve such draft, amended or extended code if it finds that it provides sufficient appropriate safeguards.
2a. Where the opinion referred to in paragraph 2 confirms that the code of conduct, or amended or extended code, is in compliance with this Regulation and the code is approved, and if the code of conduct does not relate to processing activities in several Member States, the supervisory authority shall register the code and publish the details thereof.
2b. Where the draft code of conduct relates to processing activities in several Member States, the supervisory authority competent pursuant to Article 51 shall, before approval, submit it in the procedure referred to in Article 57 to the European Data Protection Board which shall give an opinion on whether the draft code, or amended or extended code, is in compliance with this Regulation or, in the situation referred to in paragraph 1ab, provides appropriate safeguards.
3. Associations and other bodies representing categories of controllers in several Member States may submit draft codes of conduct and amendments or extensions to existing codes of conduct to the Commission. Where the opinion referred to in paragraph 2b confirms that the code of conduct, or amended or extended code, is in compliance with this Regulation, or, in the situation referred to in paragraph 1ab, provides appropriate safeguards, the European Data Protection Board shall submit its opinion to the Commission.
4. The Commission may adopt implementing acts for deciding that the codes of conduct and amendments or extensions to existing approved codes of conduct submitted to it pursuant to paragraph 3 have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).
5. The Commission shall ensure appropriate publicity for the approved codes which have been decided as having general validity in accordance with paragraph 4.
5a. The European Data Protection Board shall collect all approved codes of conduct and amendments thereto in a register and shall make them publicly available through any appropriate means, such as through the European E-Justice Portal.