interactive GDPR 2016/0679 EN

whereas applies:

• whereas (17) 1
• whereas (18) 1
• whereas (20) 1
• whereas (25) 1

definitions:

• personal data
• processing
• restriction of processing
• profiling
• pseudonymisation
• filing system
• controller
• processor
• recipient
• third party
• consent
• personal data breach
• genetic data
• biometric data
• data concerning health
• main establishment
• representative
• enterprise
• group of undertakings
• binding corporate rules
• supervisory authority
• supervisory authority concerned
• cross-border processing
• relevant and reasoned objection
• information society service
• international organisation

Article 2

Material scope

1.   This Regulation applies to the processing of personal_data wholly or partly by automated means and to the processing other than by automated means of personal_data which form part of a filing_system or are intended to form part of a filing_system.

2.   This Regulation does not apply to the processing of personal_data:

(a)	in the course of an activity which falls outside the scope of Union law;

(b)	by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;

(c)	by a natural person in the course of a purely personal or household activity;

(d)	by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

3.   For the processing of personal_data by the Union institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 applies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal_data shall be adapted to the principles and rules of this Regulation in accordance with Article 98.

4.   This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.

Article 3

Territorial scope

1.   This Regulation applies to the processing of personal_data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

2.   This Regulation applies to the processing of personal_data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a)	the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b)	the monitoring of their behaviour as far as their behaviour takes place within the Union.

3.   This Regulation applies to the processing of personal_data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

Article 6

Lawfulness of processing

1.   Processing shall be lawful only if and to the extent that at least one of the following applies:

(a)	the data subject has given consent to the processing of his or her personal_data for one or more specific purposes;

(b)	processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c)	processing is necessary for compliance with a legal obligation to which the controller is subject;

(d)	processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e)	processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f)

processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third_party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal_data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

2.   Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.

3.   The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:

(a)	Union law; or

(b)	Member State law to which the controller is subject.

The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal_data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.

4.   Where the processing for a purpose other than that for which the personal_data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal_data are initially collected, take into account, inter alia:

(a)	any link between the purposes for which the personal_data have been collected and the purposes of the intended further processing;

(b)	the context in which the personal_data have been collected, in particular regarding the relationship between data subjects and the controller;

(c)	the nature of the personal_data, in particular whether special categories of personal_data are processed, pursuant to Article 9, or whether personal_data related to criminal convictions and offences are processed, pursuant to Article 10;

(d)	the possible consequences of the intended further processing for data subjects;

(e)	the existence of appropriate safeguards, which may include encryption or pseudonymisation.

Article 8

Conditions applicable to child's consent in relation to information_society_services

1.   Where point (a) of Article 6(1) applies, in relation to the offer of information_society_services directly to a child, the processing of the personal_data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.

2.   The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.

3.   Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.

Article 9

Processing of special categories of personal_data

1.   Processing of personal_data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic_data, biometric_data for the purpose of uniquely identifying a natural person, data_concerning_health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

2.   Paragraph 1 shall not apply if one of the following applies:

(a)	the data subject has given explicit consent to the processing of those personal_data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

(b)

processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

(c)	processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

(d)

processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal_data are not disclosed outside that body without the consent of the data subjects;

(e)	processing relates to personal_data which are manifestly made public by the data subject;

(f)	processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

(g)

processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

(h)

processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

(i)

processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

(j)

processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

3.   Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

4.   Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic_data, biometric_data or data_concerning_health.

Article 17

Right to erasure (‘right to be forgotten’)

1.   The data subject shall have the right to obtain from the controller the erasure of personal_data concerning him or her without undue delay and the controller shall have the obligation to erase personal_data without undue delay where one of the following grounds applies:

(a)	the personal_data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b)	the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

(c)	the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

(d)	the personal_data have been unlawfully processed;

(e)	the personal_data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

(f)	the personal_data have been collected in relation to the offer of information_society_services referred to in Article 8(1).

2.   Where the controller has made the personal_data public and is obliged pursuant to paragraph 1 to erase the personal_data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal_data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal_data.

3.   Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

(a)	for exercising the right of freedom of expression and information;

(b)	for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(c)	for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);

(d)

for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

(e)	for the establishment, exercise or defence of legal claims.

Article 18

Right to restriction of processing

1.   The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

(a)	the accuracy of the personal_data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal_data;

(b)	the processing is unlawful and the data subject opposes the erasure of the personal_data and requests the restriction of their use instead;

(c)	the controller no longer needs the personal_data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

(d)	the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

2.   Where processing has been restricted under paragraph 1, such personal_data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

3.   A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

Article 22

Automated individual decision-making, including profiling

1.   The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

2.   Paragraph 1 shall not apply if the decision:

(a)	is necessary for entering into, or performance of, a contract between the data subject and a data controller;

(b)	is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or

(c)	is based on the data subject's explicit consent.

3.   In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

4.   Decisions referred to in paragraph 2 shall not be based on special categories of personal_data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.

Section 5

Restrictions

Article 25

Data protection by design and by default

1.   Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

2.   The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal_data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal_data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal_data are not made accessible without the individual's intervention to an indefinite number of natural persons.

3.   An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.

Article 27

Representatives of controllers or processors not established in the Union

1.   Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.

2.   The obligation laid down in paragraph 1 of this Article shall not apply to:

(a)

processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal_data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or

(b)	a public authority or body.

3.   The representative shall be established in one of the Member States where the data subjects, whose personal_data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.

4.   The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.

5.   The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.