(9) The objectives and principles of Directive 95/46/EC remain sound, but it has not prevented fragmentation in the implementation of data protection across the Union, legal uncertainty or a widespread public perception that there are significant risks to the protection of natural persons, in particular with regard to online activity.
Differences in the level of protection of the rights and freedoms of natural persons, in particular the right to the protection of personal data, with regard to the processing of personal data in the Member States may prevent the free flow of personal data throughout the Union.
Those differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law.
Such a difference in levels of protection is due to the existence of differences in the implementation and application of Directive 95/46/EC.
- = -
(10) In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States.
Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union.
Regarding the processing of personal data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation.
In conjunction with the general and horizontal law on data protection implementing Directive 95/46/EC, Member States have several sector-specific laws in areas that need more specific provisions.
This Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data (‘sensitive data’).
To that extent, this Regulation does not exclude Member State law that sets out the circumstances for specific processing situations, including determining more precisely the conditions under which the processing of personal data is lawful.
- = -
(11) Effective protection of personal data throughout the Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for infringements in the Member States.
- = -
(13) In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States.
The proper functioning of the internal market requires that the free movement of personal data within the Union is not restricted or prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping.
In addition, the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation.
The notion of micro, small and medium-sized enterprises should draw from Article 2 of the Annex to Commission Recommendation 2003/361/EC (5).
- = -
(22) Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union.
Establishment implies the effective and real exercise of activity through stable arrangements.
The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.
- = -
(36) The main establishment of a controller in the Union should be the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union, in which case that other establishment should be considered to be the main establishment.
The main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes and means of processing through stable arrangements.
That criterion should not depend on whether the processing of personal data is carried out at that location.
The presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute a main establishment and are therefore not determining criteria for a main establishment.
The main establishment of the processor should be the place of its central administration in the Union or, if it has no central administration in the Union, the place where the main processing activities take place in the Union.
In cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment, but the supervisory authority of the processor should be considered to be a supervisory authority concerned and that supervisory authority should participate in the cooperation procedure provided for by this Regulation.
In any case, the supervisory authorities of the Member State or Member States where the processor has one or more establishments should not be considered to be supervisory authorities concerned where the draft decision concerns only the controller.
Where the processing is carried out by a group of undertakings, the main establishment of the controlling undertaking should be considered to be the main establishment of the group of undertakings, except where the purposes and means of processing are determined by another undertaking.
- = -
(51) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms.
Those personal data should include personal data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races.
The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person.
Such personal data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member States law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing.
Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.
- = -
(57) If the personal data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation.
However, the controller should not refuse to take additional information provided by the data subject in order to support the exercise of his or her rights.
Identification should include the digital identification of a data subject, for example through authentication mechanism such as the same credentials, used by the data subject to log-in to the on-line service offered by the data controller.
- = -
(58) The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used.
Such information could be provided in electronic form, for example, when addressed to the public, through a website.
This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising.
Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.
- = -
(103) The Commission may decide with effect for the entire Union that a third country, a territory or specified sector within a third country, or an international organisation, offers an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third country or international organisation which is considered to provide such level of protection.
In such cases, transfers of personal data to that third country or international organisation may take place without the need to obtain any further authorisation.
The Commission may also decide, having given notice and a full statement setting out the reasons to the third country or international organisation, to revoke such a decision.
- = -
(120) Each supervisory authority should be provided with the financial and human resources, premises and infrastructure necessary for the effective performance of their tasks, including those related to mutual assistance and cooperation with other supervisory authorities throughout the Union.
Each supervisory authority should have a separate, public annual budget, which may be part of the overall state or national budget.
- = -
(123) The supervisory authorities should monitor the application of the provisions pursuant to this Regulation and contribute to its consistent application throughout the Union, in order to protect natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the internal market.
For that purpose, the supervisory authorities should cooperate with each other and with the Commission, without the need for any agreement between Member States on the provision of mutual assistance or on such cooperation.
- = -
(129) In order to ensure consistent monitoring and enforcement of this Regulation throughout the Union, the supervisory authorities should have in each Member State the same tasks and effective powers, including powers of investigation, corrective powers and sanctions, and authorisation and advisory powers, in particular in cases of complaints from natural persons, and without prejudice to the powers of prosecutorial authorities under Member State law, to bring infringements of this Regulation to the attention of the judicial authorities and engage in legal proceedings.
Such powers should also include the power to impose a temporary or definitive limitation, including a ban, on processing.
Member States may specify other tasks related to the protection of personal data under this Regulation.
The powers of supervisory authorities should be exercised in accordance with appropriate procedural safeguards set out in Union and Member State law, impartially, fairly and within a reasonable time.
In particular each measure should be appropriate, necessary and proportionate in view of ensuring compliance with this Regulation, taking into account the circumstances of each individual case, respect the right of every person to be heard before any individual measure which would affect him or her adversely is taken and avoid superfluous costs and excessive inconveniences for the persons concerned.
Investigatory powers as regards access to premises should be exercised in accordance with specific requirements in Member State procedural law, such as the requirement to obtain a prior judicial authorisation.
Each legally binding measure of the supervisory authority should be in writing, be clear and unambiguous, indicate the supervisory authority which has issued the measure, the date of issue of the measure, bear the signature of the head, or a member of the supervisory authority authorised by him or her, give the reasons for the measure, and refer to the right of an effective remedy.
This should not preclude additional requirements pursuant to Member State procedural law.
The adoption of a legally binding decision implies that it may give rise to judicial review in the Member State of the supervisory authority that adopted the decision.
- = -
(135) In order to ensure the consistent application of this Regulation throughout the Union, a consistency mechanism for cooperation between the supervisory authorities should be established.
That mechanism should in particular apply where a supervisory authority intends to adopt a measure intended to produce legal effects as regards processing operations which substantially affect a significant number of data subjects in several Member States.
It should also apply where any supervisory authority concerned or the Commission requests that such matter should be handled in the consistency mechanism.
That mechanism should be without prejudice to any measures that the Commission may take in the exercise of its powers under the Treaties.
- = -
(139) In order to promote the consistent application of this Regulation, the Board should be set up as an independent body of the Union.
To fulfil its objectives, the Board should have legal personality.
The Board should be represented by its Chair.
It should replace the Working Party on the Protection of Individuals with Regard to the Processing of Personal Data established by Directive 95/46/EC.
It should consist of the head of a supervisory authority of each Member State and the European Data Protection Supervisor or their respective representatives.
The Commission should participate in the Board's activities without voting rights and the European Data Protection Supervisor should have specific voting rights.
The Board should contribute to the consistent application of this Regulation throughout the Union, including by advising the Commission, in particular on the level of protection in third countries or international organisations, and promoting cooperation of the supervisory authorities throughout the Union.
The Board should act independently when performing its tasks.
- = -
(149) Member States should be able to lay down the rules on criminal penalties for infringements of this Regulation, including for infringements of national rules adopted pursuant to and within the limits of this Regulation.
Those criminal penalties may also allow for the deprivation of the profits obtained through infringements of this Regulation.
However, the imposition of criminal penalties for infringements of such national rules and of administrative penalties should not lead to a breach of the principle of ne bis in idem, as interpreted by the Court of Justice.
- = -
(157) By coupling information from registries, researchers can obtain new knowledge of great value with regard to widespread medical conditions such as cardiovascular disease, cancer and depression.
On the basis of registries, research results can be enhanced, as they draw on a larger population.
Within social science, research on the basis of registries enables researchers to obtain essential knowledge about the long-term correlation of a number of social conditions such as unemployment and education with other life conditions.
Research results obtained through registries provide solid, high-quality knowledge which can provide the basis for the formulation and implementation of knowledge-based policy, improve the quality of life for a number of people and improve the efficiency of social services.
In order to facilitate scientific research, personal data can be processed for scientific research purposes, subject to appropriate conditions and safeguards set out in Union or Member State law.
- = -
(170) Since the objective of this Regulation, namely to ensure an equivalent level of protection of natural persons and the free flow of personal data throughout the Union, cannot be sufficiently achieved by the Member States and can rather, by reason of the scale or effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union (TEU).
In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.
- = -