interactive GDPR 2016/0679 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- personal data
- processing
- restriction of processing
- profiling
- pseudonymisation
- filing system
- controller
- processor
- recipient
- third party
- consent
- personal data breach
- genetic data
- biometric data
- data concerning health
- main establishment
- representative
- enterprise
- group of undertakings
- binding corporate rules
- supervisory authority
- supervisory authority concerned
- cross-border processing
- relevant and reasoned objection
- information society service
- international organisation
- article 32
- referred 28
- controller 27
- processor 26
- data 25
- shall 22
- processing 18
- personal_data 18
- protection 17
- pursuant 14
- binding_corporate_rules 13
- accordance 13
- commission 12
- including 12
- issue 12
- guidelines 11
- practices 11
- best 11
- recommendations 10
- article 10
- paragraph 10
- regulation 10
- authorities 10
- requirements 10
- third 10
- supervisory 10
- board 9
- legal 9
- the 9
- appropriate 8
- member 8
- supervisory_authority 8
- rights 8
- country 8
- union 8
- information 7
- group_of_undertakings 7
- activity 7
- application 7
- economic 7
- engaged 7
- group 7
- enterprises 7
- contract 7
- joint 7
- such 7
- measures 7
- obligations 6
- subject 6
- regard 6
Article 28
Processor
1. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
2. The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.
3. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal_data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:
| (a) | processes the personal_data only on documented instructions from the controller, including with regard to transfers of personal_data to a third country or an international_organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest; |
| (b) | ensures that persons authorised to process the personal_data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; |
| (c) | takes all measures required pursuant to Article 32; |
| (d) | respects the conditions referred to in paragraphs 2 and 4 for engaging another processor; |
| (e) | taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III; |
| (f) | assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor; |
| (g) | at the choice of the controller, deletes or returns all the personal_data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal_data; |
| (h) | makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller. |
With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.
4. Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.
5. Adherence of a processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article.
6. Without prejudice to an individual contract between the controller and the processor, the contract or the other legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on standard contractual clauses referred to in paragraphs 7 and 8 of this Article, including when they are part of a certification granted to the controller or processor pursuant to Articles 42 and 43.
7. The Commission may lay down standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the examination procedure referred to in Article 93(2).
8. A supervisory_authority may adopt standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the consistency mechanism referred to in Article 63.
9. The contract or the other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form.
10. Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.
Article 47
Binding corporate rules
1. The competent supervisory_authority shall approve binding_corporate_rules in accordance with the consistency mechanism set out in Article 63, provided that they:
| (a) | are legally binding and apply to and are enforced by every member concerned of the group_of_undertakings, or group of enterprises engaged in a joint economic activity, including their employees; |
| (b) | expressly confer enforceable rights on data subjects with regard to the processing of their personal_data; and |
| (c) | fulfil the requirements laid down in paragraph 2. |
2. The binding_corporate_rules referred to in paragraph 1 shall specify at least:
| (a) | the structure and contact details of the group_of_undertakings, or group of enterprises engaged in a joint economic activity and of each of its members; |
| (b) | the data transfers or set of transfers, including the categories of personal_data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question; |
| (c) | their legally binding nature, both internally and externally; |
| (d) | the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal_data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding_corporate_rules; |
| (e) | the rights of data subjects in regard to processing and the means to exercise those rights, including the right not to be subject to decisions based solely on automated processing, including profiling in accordance with Article 22, the right to lodge a complaint with the competent supervisory_authority and before the competent courts of the Member States in accordance with Article 79, and to obtain redress and, where appropriate, compensation for a breach of the binding_corporate_rules; |
| (f) | the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding_corporate_rules by any member concerned not established in the Union; the controller or the processor shall be exempt from that liability, in whole or in part, only if it proves that that member is not responsible for the event giving rise to the damage; |
| (g) | how the information on the binding_corporate_rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in addition to Articles 13 and 14; |
| (h) | the tasks of any data protection officer designated in accordance with Article 37 or any other person or entity in charge of the monitoring compliance with the binding_corporate_rules within the group_of_undertakings, or group of enterprises engaged in a joint economic activity, as well as monitoring training and complaint-handling; |
| (i) | the complaint procedures; |
| (j) | the mechanisms within the group_of_undertakings, or group of enterprises engaged in a joint economic activity for ensuring the verification of compliance with the binding_corporate_rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. Results of such verification should be communicated to the person or entity referred to in point (h) and to the board of the controlling undertaking of a group_of_undertakings, or of the group of enterprises engaged in a joint economic activity, and should be available upon request to the competent supervisory_authority; |
| (k) | the mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory_authority; |
| (l) | the cooperation mechanism with the supervisory_authority to ensure compliance by any member of the group_of_undertakings, or group of enterprises engaged in a joint economic activity, in particular by making available to the supervisory_authority the results of verifications of the measures referred to in point (j); |
| (m) | the mechanisms for reporting to the competent supervisory_authority any legal requirements to which a member of the group_of_undertakings, or group of enterprises engaged in a joint economic activity is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding_corporate_rules; and |
| (n) | the appropriate data protection training to personnel having permanent or regular access to personal_data. |
3. The Commission may specify the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding_corporate_rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).
Article 70
Tasks of the Board
1. The Board shall ensure the consistent application of this Regulation. To that end, the Board shall, on its own initiative or, where relevant, at the request of the Commission, in particular:
| (a) | monitor and ensure the correct application of this Regulation in the cases provided for in Articles 64 and 65 without prejudice to the tasks of national supervisory authorities; |
| (b) | advise the Commission on any issue related to the protection of personal_data in the Union, including on any proposed amendment of this Regulation; |
| (c) | advise the Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding_corporate_rules; |
| (d) | issue guidelines, recommendations, and best practices on procedures for erasing links, copies or replications of personal_data from publicly available communication services as referred to in Article 17(2); |
| (e) | examine, on its own initiative, on request of one of its members or on request of the Commission, any question covering the application of this Regulation and issue guidelines, recommendations and best practices in order to encourage consistent application of this Regulation; |
| (f) | issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for further specifying the criteria and conditions for decisions based on profiling pursuant to Article 22(2); |
| (g) | issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing the personal_data breaches and determining the undue delay referred to in Article 33(1) and (2) and for the particular circumstances in which a controller or a processor is required to notify the personal_data breach; |
| (h) | issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph as to the circumstances in which a personal_data breach is likely to result in a high risk to the rights and freedoms of the natural persons referred to in Article 34(1). |
| (i) | issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for personal_data transfers based on binding_corporate_rules adhered to by controllers and binding_corporate_rules adhered to by processors and on further necessary requirements to ensure the protection of personal_data of the data subjects concerned referred to in Article 47; |
| (j) | issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for the personal_data transfers on the basis of Article 49(1); |
| (k) | draw up guidelines for supervisory authorities concerning the application of measures referred to in Article 58(1), (2) and (3) and the setting of administrative fines pursuant to Article 83; |
| (l) | review the practical application of the guidelines, recommendations and best practices referred to in points (e) and (f); |
| (m) | issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing common procedures for reporting by natural persons of infringements of this Regulation pursuant to Article 54(2); |
| (n) | encourage the drawing-up of codes of conduct and the establishment of data protection certification mechanisms and data protection seals and marks pursuant to Articles 40 and 42; |
| (o) | carry out the accreditation of certification bodies and its periodic review pursuant to Article 43 and maintain a public register of accredited bodies pursuant to Article 43(6) and of the accredited controllers or processors established in third countries pursuant to Article 42(7); |
| (p) | specify the requirements referred to in Article 43(3) with a view to the accreditation of certification bodies under Article 42; |
| (q) | provide the Commission with an opinion on the certification requirements referred to in Article 43(8); |
| (r) | provide the Commission with an opinion on the icons referred to in Article 12(7); |
| (s) | provide the Commission with an opinion for the assessment of the adequacy of the level of protection in a third country or international_organisation, including for the assessment whether a third country, a territory or one or more specified sectors within that third country, or an international_organisation no longer ensures an adequate level of protection. To that end, the Commission shall provide the Board with all necessary documentation, including correspondence with the government of the third country, with regard to that third country, territory or specified sector, or with the international_organisation. |
| (t) | issue opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism referred to in Article 64(1), on matters submitted pursuant to Article 64(2) and to issue binding decisions pursuant to Article 65, including in cases referred to in Article 66; |
| (u) | promote the cooperation and the effective bilateral and multilateral exchange of information and best practices between the supervisory authorities; |
| (v) | promote common training programmes and facilitate personnel exchanges between the supervisory authorities and, where appropriate, with the supervisory authorities of third countries or with international_organisations; |
| (w) | promote the exchange of knowledge and documentation on data protection legislation and practice with data protection supervisory authorities worldwide. |
| (x) | issue opinions on codes of conduct drawn up at Union level pursuant to Article 40(9); and |
| (y) | maintain a publicly accessible electronic register of decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism. |
2. Where the Commission requests advice from the Board, it may indicate a time limit, taking into account the urgency of the matter.
3. The Board shall forward its opinions, guidelines, recommendations, and best practices to the Commission and to the committee referred to in Article 93 and make them public.
4. The Board shall, where appropriate, consult interested parties and give them the opportunity to comment within a reasonable period. The Board shall, without prejudice to Article 76, make the results of the consultation procedure publicly available.
whereas
dal 2004 diritto e informatica