interactive GDPR 2016/0679 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- personal data
- processing
- restriction of processing
- profiling
- pseudonymisation
- filing system
- controller
- processor
- recipient
- third party
- consent
- personal data breach
- genetic data
- biometric data
- data concerning health
- main establishment
- representative
- enterprise
- group of undertakings
- binding corporate rules
- supervisory authority
- supervisory authority concerned
- cross-border processing
- relevant and reasoned objection
- information society service
- international organisation
- personal_data 93
- means 60
- which 51
- controller 50
- article 49
- data 49
- processing 43
- processor 43
- shall 40
- natural 40
- person 37
- referred 35
- pursuant 33
- union 29
- regulation 28
- supervisory_authority 25
- such 24
- subject 22
- article 21
- public 21
- breach 21
- information 20
- protection 19
- issue 19
- more 18
- specific 17
- authorities 17
- accordance 17
- member 17
- state 16
- subjects 16
- paragraph 16
- legal 15
- member state 15
- commission 14
- including 14
- code 14
- appropriate 14
- draft 14
- whether 13
- than 13
- body 13
- the 13
- conduct 13
- establishment 13
- board 12
- supervisory 12
- third 12
- authority 12
- certification 12
Article 4
Definitions
For the purposes of this Regulation:
| (1) | ‘ personal_data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; |
| (2) | ‘ processing’ means any operation or set of operations which is performed on personal_data or on sets of personal_data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; |
| (3) | ‘restriction of processing’ means the marking of stored personal_data with the aim of limiting their processing in the future; |
| (4) | ‘ profiling’ means any form of automated processing of personal_data consisting of the use of personal_data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements; |
| (5) | ‘ pseudonymisation’ means the processing of personal_data in such a manner that the personal_data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal_data are not attributed to an identified or identifiable natural person; |
| (6) | ‘ filing_system’ means any structured set of personal_data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis; |
| (7) | ‘ controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal_data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; |
| (8) | ‘ processor’ means a natural or legal person, public authority, agency or other body which processes personal_data on behalf of the controller; |
| (9) | ‘ recipient’ means a natural or legal person, public authority, agency or another body, to which the personal_data are disclosed, whether a third_party or not. However, public authorities which may receive personal_data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing; |
| (10) | ‘ third_party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal_data; |
| (11) | ‘ consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal_data relating to him or her; |
| (12) | ‘ personal_data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal_data transmitted, stored or otherwise processed; |
| (13) | ‘ genetic_data’ means personal_data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question; |
| (14) | ‘ biometric_data’ means personal_data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data; |
| (15) | ‘ data_concerning_health’ means personal_data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status; |
| (16) | ‘ main_establishment’ means:
|
| (17) | ‘ representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation; |
| (18) | ‘ enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity; |
| (19) | ‘ group_of_undertakings’ means a controlling undertaking and its controlled undertakings; |
| (20) | ‘ binding_corporate_rules’ means personal_data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal_data to a controller or processor in one or more third countries within a group_of_undertakings, or group of enterprises engaged in a joint economic activity; |
| (21) | ‘ supervisory_authority’ means an independent public authority which is established by a Member State pursuant to Article 51; |
| (22) | ‘ supervisory_authority concerned’ means a supervisory_authority which is concerned by the processing of personal_data because:
|
| (23) | ‘cross-border processing’ means either:
|
| (24) | ‘ relevant_and_reasoned_objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal_data within the Union; |
| (25) | ‘ information_society_service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council (19); |
| (26) | ‘ international_organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries. |
CHAPTER II
Principles
Article 4
Definitions
For the purposes of this Regulation:
| (1) | ‘ personal_data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; |
| (2) | ‘ processing’ means any operation or set of operations which is performed on personal_data or on sets of personal_data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; |
| (3) | ‘restriction of processing’ means the marking of stored personal_data with the aim of limiting their processing in the future; |
| (4) | ‘ profiling’ means any form of automated processing of personal_data consisting of the use of personal_data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements; |
| (5) | ‘ pseudonymisation’ means the processing of personal_data in such a manner that the personal_data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal_data are not attributed to an identified or identifiable natural person; |
| (6) | ‘ filing_system’ means any structured set of personal_data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis; |
| (7) | ‘ controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal_data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law; |
| (8) | ‘ processor’ means a natural or legal person, public authority, agency or other body which processes personal_data on behalf of the controller; |
| (9) | ‘ recipient’ means a natural or legal person, public authority, agency or another body, to which the personal_data are disclosed, whether a third_party or not. However, public authorities which may receive personal_data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing; |
| (10) | ‘ third_party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal_data; |
| (11) | ‘ consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal_data relating to him or her; |
| (12) | ‘ personal_data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal_data transmitted, stored or otherwise processed; |
| (13) | ‘ genetic_data’ means personal_data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question; |
| (14) | ‘ biometric_data’ means personal_data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data; |
| (15) | ‘ data_concerning_health’ means personal_data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status; |
| (16) | ‘ main_establishment’ means:
|
| (17) | ‘ representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation; |
| (18) | ‘ enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity; |
| (19) | ‘ group_of_undertakings’ means a controlling undertaking and its controlled undertakings; |
| (20) | ‘ binding_corporate_rules’ means personal_data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal_data to a controller or processor in one or more third countries within a group_of_undertakings, or group of enterprises engaged in a joint economic activity; |
| (21) | ‘ supervisory_authority’ means an independent public authority which is established by a Member State pursuant to Article 51; |
| (22) | ‘ supervisory_authority concerned’ means a supervisory_authority which is concerned by the processing of personal_data because:
|
| (23) | ‘cross-border processing’ means either:
|
| (24) | ‘ relevant_and_reasoned_objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal_data within the Union; |
| (25) | ‘ information_society_service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council (19); |
| (26) | ‘ international_organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries. |
CHAPTER II
Principles
Article 33
Notification of a personal_data breach to the supervisory_authority
1. In the case of a personal_data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal_data breach to the supervisory_authority competent in accordance with Article 55, unless the personal_data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory_authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
2. The processor shall notify the controller without undue delay after becoming aware of a personal_data breach.
3. The notification referred to in paragraph 1 shall at least:
| (a) | describe the nature of the personal_data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal_data records concerned; |
| (b) | communicate the name and contact details of the data protection officer or other contact point where more information can be obtained; |
| (c) | describe the likely consequences of the personal_data breach; |
| (d) | describe the measures taken or proposed to be taken by the controller to address the personal_data breach, including, where appropriate, measures to mitigate its possible adverse effects. |
4. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
5. The controller shall document any personal_data breaches, comprising the facts relating to the personal_data breach, its effects and the remedial action taken. That documentation shall enable the supervisory_authority to verify compliance with this Article.
Article 34
Communication of a personal_data breach to the data subject
1. When the personal_data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal_data breach to the data subject without undue delay.
2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal_data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).
3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:
| (a) | the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal_data affected by the personal_data breach, in particular those that render the personal_data unintelligible to any person who is not authorised to access it, such as encryption; |
| (b) | the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise; |
| (c) | it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner. |
4. If the controller has not already communicated the personal_data breach to the data subject, the supervisory_authority, having considered the likelihood of the personal_data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.
Article 40
Codes of conduct
1. The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.
2. Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to:
| (a) | fair and transparent processing; |
| (b) | the legitimate interests pursued by controllers in specific contexts; |
| (c) | the collection of personal_data; |
| (d) | the pseudonymisation of personal_data; |
| (e) | the information provided to the public and to data subjects; |
| (f) | the exercise of the rights of data subjects; |
| (g) | the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained; |
| (h) | the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32; |
| (i) | the notification of personal_data breaches to supervisory authorities and the communication of such personal_data breaches to data subjects; |
| (j) | the transfer of personal_data to third countries or international_organisations; or |
| (k) | out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79. |
3. In addition to adherence by controllers or processors subject to this Regulation, codes of conduct approved pursuant to paragraph 5 of this Article and having general validity pursuant to paragraph 9 of this Article may also be adhered to by controllers or processors that are not subject to this Regulation pursuant to Article 3 in order to provide appropriate safeguards within the framework of personal_data transfers to third countries or international_organisations under the terms referred to in point (e) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards including with regard to the rights of data subjects.
4. A code of conduct referred to in paragraph 2 of this Article shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of supervisory authorities competent pursuant to Article 55 or 56.
5. Associations and other bodies referred to in paragraph 2 of this Article which intend to prepare a code of conduct or to amend or extend an existing code shall submit the draft code, amendment or extension to the supervisory_authority which is competent pursuant to Article 55. The supervisory_authority shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation and shall approve that draft code, amendment or extension if it finds that it provides sufficient appropriate safeguards.
6. Where the draft code, or amendment or extension is approved in accordance with paragraph 5, and where the code of conduct concerned does not relate to processing activities in several Member States, the supervisory_authority shall register and publish the code.
7. Where a draft code of conduct relates to processing activities in several Member States, the supervisory_authority which is competent pursuant to Article 55 shall, before approving the draft code, amendment or extension, submit it in the procedure referred to in Article 63 to the Board which shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation or, in the situation referred to in paragraph 3 of this Article, provides appropriate safeguards.
8. Where the opinion referred to in paragraph 7 confirms that the draft code, amendment or extension complies with this Regulation, or, in the situation referred to in paragraph 3, provides appropriate safeguards, the Board shall submit its opinion to the Commission.
9. The Commission may, by way of implementing acts, decide that the approved code of conduct, amendment or extension submitted to it pursuant to paragraph 8 of this Article have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).
10. The Commission shall ensure appropriate publicity for the approved codes which have been decided as having general validity in accordance with paragraph 9.
11. The Board shall collate all approved codes of conduct, amendments and extensions in a register and shall make them publicly available by way of appropriate means.
Article 58
Powers
1. Each supervisory_authority shall have all of the following investigative powers:
| (a) | to order the controller and the processor, and, where applicable, the controller's or the processor's representative to provide any information it requires for the performance of its tasks; |
| (b) | to carry out investigations in the form of data protection audits; |
| (c) | to carry out a review on certifications issued pursuant to Article 42(7); |
| (d) | to notify the controller or the processor of an alleged infringement of this Regulation; |
| (e) | to obtain, from the controller and the processor, access to all personal_data and to all information necessary for the performance of its tasks; |
| (f) | to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law. |
2. Each supervisory_authority shall have all of the following corrective powers:
| (a) | to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation; |
| (b) | to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation; |
| (c) | to order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation; |
| (d) | to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period; |
| (e) | to order the controller to communicate a personal_data breach to the data subject; |
| (f) | to impose a temporary or definitive limitation including a ban on processing; |
| (g) | to order the rectification or erasure of personal_data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal_data have been disclosed pursuant to Article 17(2) and Article 19; |
| (h) | to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met; |
| (i) | to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case; |
| (j) | to order the suspension of data flows to a recipient in a third country or to an international_organisation. |
3. Each supervisory_authority shall have all of the following authorisation and advisory powers:
| (a) | to advise the controller in accordance with the prior consultation procedure referred to in Article 36; |
| (b) | to issue, on its own initiative or on request, opinions to the national parliament, the Member State government or, in accordance with Member State law, to other institutions and bodies as well as to the public on any issue related to the protection of personal_data; |
| (c) | to authorise processing referred to in Article 36(5), if the law of the Member State requires such prior authorisation; |
| (d) | to issue an opinion and approve draft codes of conduct pursuant to Article 40(5); |
| (e) | to accredit certification bodies pursuant to Article 43; |
| (f) | to issue certifications and approve criteria of certification in accordance with Article 42(5); |
| (g) | to adopt standard data protection clauses referred to in Article 28(8) and in point (d) of Article 46(2); |
| (h) | to authorise contractual clauses referred to in point (a) of Article 46(3); |
| (i) | to authorise administrative arrangements referred to in point (b) of Article 46(3); |
| (j) | to approve binding_corporate_rules pursuant to Article 47. |
4. The exercise of the powers conferred on the supervisory_authority pursuant to this Article shall be subject to appropriate safeguards, including effective judicial remedy and due process, set out in Union and Member State law in accordance with the Charter.
5. Each Member State shall provide by law that its supervisory_authority shall have the power to bring infringements of this Regulation to the attention of the judicial authorities and where appropriate, to commence or engage otherwise in legal proceedings, in order to enforce the provisions of this Regulation.
6. Each Member State may provide by law that its supervisory_authority shall have additional powers to those referred to in paragraphs 1, 2 and 3. The exercise of those powers shall not impair the effective operation of Chapter VII.
Article 70
Tasks of the Board
1. The Board shall ensure the consistent application of this Regulation. To that end, the Board shall, on its own initiative or, where relevant, at the request of the Commission, in particular:
| (a) | monitor and ensure the correct application of this Regulation in the cases provided for in Articles 64 and 65 without prejudice to the tasks of national supervisory authorities; |
| (b) | advise the Commission on any issue related to the protection of personal_data in the Union, including on any proposed amendment of this Regulation; |
| (c) | advise the Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding_corporate_rules; |
| (d) | issue guidelines, recommendations, and best practices on procedures for erasing links, copies or replications of personal_data from publicly available communication services as referred to in Article 17(2); |
| (e) | examine, on its own initiative, on request of one of its members or on request of the Commission, any question covering the application of this Regulation and issue guidelines, recommendations and best practices in order to encourage consistent application of this Regulation; |
| (f) | issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for further specifying the criteria and conditions for decisions based on profiling pursuant to Article 22(2); |
| (g) | issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing the personal_data breaches and determining the undue delay referred to in Article 33(1) and (2) and for the particular circumstances in which a controller or a processor is required to notify the personal_data breach; |
| (h) | issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph as to the circumstances in which a personal_data breach is likely to result in a high risk to the rights and freedoms of the natural persons referred to in Article 34(1). |
| (i) | issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for personal_data transfers based on binding_corporate_rules adhered to by controllers and binding_corporate_rules adhered to by processors and on further necessary requirements to ensure the protection of personal_data of the data subjects concerned referred to in Article 47; |
| (j) | issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for the personal_data transfers on the basis of Article 49(1); |
| (k) | draw up guidelines for supervisory authorities concerning the application of measures referred to in Article 58(1), (2) and (3) and the setting of administrative fines pursuant to Article 83; |
| (l) | review the practical application of the guidelines, recommendations and best practices referred to in points (e) and (f); |
| (m) | issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing common procedures for reporting by natural persons of infringements of this Regulation pursuant to Article 54(2); |
| (n) | encourage the drawing-up of codes of conduct and the establishment of data protection certification mechanisms and data protection seals and marks pursuant to Articles 40 and 42; |
| (o) | carry out the accreditation of certification bodies and its periodic review pursuant to Article 43 and maintain a public register of accredited bodies pursuant to Article 43(6) and of the accredited controllers or processors established in third countries pursuant to Article 42(7); |
| (p) | specify the requirements referred to in Article 43(3) with a view to the accreditation of certification bodies under Article 42; |
| (q) | provide the Commission with an opinion on the certification requirements referred to in Article 43(8); |
| (r) | provide the Commission with an opinion on the icons referred to in Article 12(7); |
| (s) | provide the Commission with an opinion for the assessment of the adequacy of the level of protection in a third country or international_organisation, including for the assessment whether a third country, a territory or one or more specified sectors within that third country, or an international_organisation no longer ensures an adequate level of protection. To that end, the Commission shall provide the Board with all necessary documentation, including correspondence with the government of the third country, with regard to that third country, territory or specified sector, or with the international_organisation. |
| (t) | issue opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism referred to in Article 64(1), on matters submitted pursuant to Article 64(2) and to issue binding decisions pursuant to Article 65, including in cases referred to in Article 66; |
| (u) | promote the cooperation and the effective bilateral and multilateral exchange of information and best practices between the supervisory authorities; |
| (v) | promote common training programmes and facilitate personnel exchanges between the supervisory authorities and, where appropriate, with the supervisory authorities of third countries or with international_organisations; |
| (w) | promote the exchange of knowledge and documentation on data protection legislation and practice with data protection supervisory authorities worldwide. |
| (x) | issue opinions on codes of conduct drawn up at Union level pursuant to Article 40(9); and |
| (y) | maintain a publicly accessible electronic register of decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism. |
2. Where the Commission requests advice from the Board, it may indicate a time limit, taking into account the urgency of the matter.
3. The Board shall forward its opinions, guidelines, recommendations, and best practices to the Commission and to the committee referred to in Article 93 and make them public.
4. The Board shall, where appropriate, consult interested parties and give them the opportunity to comment within a reasonable period. The Board shall, without prejudice to Article 76, make the results of the consultation procedure publicly available.
whereas
dal 2004 diritto e informatica