interactive GDPR 2016/0679 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- personal data
- processing
- restriction of processing
- profiling
- pseudonymisation
- filing system
- controller
- processor
- recipient
- third party
- consent
- personal data breach
- genetic data
- biometric data
- data concerning health
- main establishment
- representative
- enterprise
- group of undertakings
- binding corporate rules
- supervisory authority
- supervisory authority concerned
- cross-border processing
- relevant and reasoned objection
- information society service
- international organisation
- data 29
- shall 27
- article 25
- subject 21
- certification 19
- pursuant 18
- information 17
- controller 15
- request 14
- protection 12
- supervisory_authority 12
- under 11
- referred 11
- regulation 11
- the 10
- provided 10
- article 9
- processing 8
- appropriate 7
- conduct 7
- rights 7
- means 7
- provide 7
- body 6
- communication 6
- particular 6
- articles 6
- within 5
- accordance 5
- board 5
- controllers 5
- processors 5
- tasks 5
- which 5
- competent 5
- taking 4
- such 4
- supervisory 4
- criteria 4
- necessary 4
- measures 4
- without 4
- seals 4
- mechanisms 4
- personal_data 4
- codes 4
- reasonable 4
- demonstrating 4
- icons 4
- character 4
Article 12
Transparent information, communication and modalities for the exercise of the rights of the data subject
1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.
2. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.
3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory_authority and seeking a judicial remedy.
5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
| (a) | charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or |
| (b) | refuse to act on the request. |
The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
6. Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.
7. The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.
8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons.
Article 42
Certification
1. The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.
2. In addition to adherence by controllers or processors subject to this Regulation, data protection certification mechanisms, seals or marks approved pursuant to paragraph 5 of this Article may be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to this Regulation pursuant to Article 3 within the framework of personal_data transfers to third countries or international_organisations under the terms referred to in point (f) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards, including with regard to the rights of data subjects.
3. The certification shall be voluntary and available via a process that is transparent.
4. A certification pursuant to this Article does not reduce the responsibility of the controller or the processor for compliance with this Regulation and is without prejudice to the tasks and powers of the supervisory authorities which are competent pursuant to Article 55 or 56.
5. A certification pursuant to this Article shall be issued by the certification bodies referred to in Article 43 or by the competent supervisory_authority, on the basis of criteria approved by that competent supervisory_authority pursuant to Article 58(3) or by the Board pursuant to Article 63. Where the criteria are approved by the Board, this may result in a common certification, the European Data Protection Seal.
6. The controller or processor which submits its processing to the certification mechanism shall provide the certification body referred to in Article 43, or where applicable, the competent supervisory_authority, with all information and access to its processing activities which are necessary to conduct the certification procedure.
7. Certification shall be issued to a controller or processor for a maximum period of three years and may be renewed, under the same conditions, provided that the relevant requirements continue to be met. Certification shall be withdrawn, as applicable, by the certification bodies referred to in Article 43 or by the competent supervisory_authority where the requirements for the certification are not or are no longer met.
8. The Board shall collate all certification mechanisms and data protection seals and marks in a register and shall make them publicly available by any appropriate means.
Article 57
Tasks
1. Without prejudice to other tasks set out under this Regulation, each supervisory_authority shall on its territory:
| (a) | monitor and enforce the application of this Regulation; |
| (b) | promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children shall receive specific attention; |
| (c) | advise, in accordance with Member State law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to processing; |
| (d) | promote the awareness of controllers and processors of their obligations under this Regulation; |
| (e) | upon request, provide information to any data subject concerning the exercise of their rights under this Regulation and, if appropriate, cooperate with the supervisory authorities in other Member States to that end; |
| (f) | handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory_authority is necessary; |
| (g) | cooperate with, including sharing information and provide mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of this Regulation; |
| (h) | conduct investigations on the application of this Regulation, including on the basis of information received from another supervisory_authority or other public authority; |
| (i) | monitor relevant developments, insofar as they have an impact on the protection of personal_data, in particular the development of information and communication technologies and commercial practices; |
| (j) | adopt standard contractual clauses referred to in Article 28(8) and in point (d) of Article 46(2); |
| (k) | establish and maintain a list in relation to the requirement for data protection impact assessment pursuant to Article 35(4); |
| (l) | give advice on the processing operations referred to in Article 36(2); |
| (m) | encourage the drawing up of codes of conduct pursuant to Article 40(1) and provide an opinion and approve such codes of conduct which provide sufficient safeguards, pursuant to Article 40(5); |
| (n) | encourage the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Article 42(1), and approve the criteria of certification pursuant to Article 42(5); |
| (o) | where applicable, carry out a periodic review of certifications issued in accordance with Article 42(7); |
| (p) | draft and publish the criteria for accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43; |
| (q) | conduct the accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43; |
| (r) | authorise contractual clauses and provisions referred to in Article 46(3); |
| (s) | approve binding_corporate_rules pursuant to Article 47; |
| (t) | contribute to the activities of the Board; |
| (u) | keep internal records of infringements of this Regulation and of measures taken in accordance with Article 58(2); and |
| (v) | fulfil any other tasks related to the protection of personal_data. |
2. Each supervisory_authority shall facilitate the submission of complaints referred to in point (f) of paragraph 1 by measures such as a complaint submission form which can also be completed electronically, without excluding other means of communication.
3. The performance of the tasks of each supervisory_authority shall be free of charge for the data subject and, where applicable, for the data protection officer.
4. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the supervisory_authority may charge a reasonable fee based on administrative costs, or refuse to act on the request. The supervisory_authority shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
whereas
dal 2004 diritto e informatica