interactive GDPR 2016/0679 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- personal data
- processing
- restriction of processing
- profiling
- pseudonymisation
- filing system
- controller
- processor
- recipient
- third party
- consent
- personal data breach
- genetic data
- biometric data
- data concerning health
- main establishment
- representative
- enterprise
- group of undertakings
- binding corporate rules
- supervisory authority
- supervisory authority concerned
- cross-border processing
- relevant and reasoned objection
- information society service
- international organisation
- personal_data 30
- article 25
- referred 21
- shall 19
- protection 17
- controller 16
- third 14
- data 12
- including 12
- issue 12
- guidelines 11
- best 11
- authorities 11
- practices 11
- pursuant 11
- commission 11
- supervisory 11
- breach 11
- recommendations 10
- article 10
- the 9
- processor 9
- country 9
- categories 9
- processing 8
- board 8
- paragraph 7
- accordance 7
- international_organisation 7
- applicable 7
- transfers 6
- possible 6
- information 6
- provide 6
- documentation 6
- regulation 6
- application 6
- point e 6
- representative 5
- exchange 5
- legislation 5
- requirements 5
- further 5
- countries 5
- appropriate 5
- measures 5
- delay 5
- supervisory_authority 5
- without 5
- freedoms 4
Article 30
Records of processing activities
1. Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
| (a) | the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer; |
| (b) | the purposes of the processing; |
| (c) | a description of the categories of data subjects and of the categories of personal_data; |
| (d) | the categories of recipients to whom the personal_data have been or will be disclosed including recipients in third countries or international_organisations; |
| (e) | where applicable, transfers of personal_data to a third country or an international_organisation, including the identification of that third country or international_organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards; |
| (f) | where possible, the envisaged time limits for erasure of the different categories of data; |
| (g) | where possible, a general description of the technical and organisational security measures referred to in Article 32(1). |
2. Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
| (a) | the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer; |
| (b) | the categories of processing carried out on behalf of each controller; |
| (c) | where applicable, transfers of personal_data to a third country or an international_organisation, including the identification of that third country or international_organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards; |
| (d) | where possible, a general description of the technical and organisational security measures referred to in Article 32(1). |
3. The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
4. The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory_authority on request.
5. The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal_data relating to criminal convictions and offences referred to in Article 10.
Article 33
Notification of a personal_data breach to the supervisory_authority
1. In the case of a personal_data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal_data breach to the supervisory_authority competent in accordance with Article 55, unless the personal_data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory_authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
2. The processor shall notify the controller without undue delay after becoming aware of a personal_data breach.
3. The notification referred to in paragraph 1 shall at least:
| (a) | describe the nature of the personal_data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal_data records concerned; |
| (b) | communicate the name and contact details of the data protection officer or other contact point where more information can be obtained; |
| (c) | describe the likely consequences of the personal_data breach; |
| (d) | describe the measures taken or proposed to be taken by the controller to address the personal_data breach, including, where appropriate, measures to mitigate its possible adverse effects. |
4. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
5. The controller shall document any personal_data breaches, comprising the facts relating to the personal_data breach, its effects and the remedial action taken. That documentation shall enable the supervisory_authority to verify compliance with this Article.
Article 50
International cooperation for the protection of personal_data
In relation to third countries and international_organisations, the Commission and supervisory authorities shall take appropriate steps to:
| (a) | develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal_data; |
| (b) | provide international mutual assistance in the enforcement of legislation for the protection of personal_data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal_data and other fundamental rights and freedoms; |
| (c) | engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal_data; |
| (d) | promote the exchange and documentation of personal_data protection legislation and practice, including on jurisdictional conflicts with third countries. |
CHAPTER VI
Independent supervisory authorities
Article 70
Tasks of the Board
1. The Board shall ensure the consistent application of this Regulation. To that end, the Board shall, on its own initiative or, where relevant, at the request of the Commission, in particular:
| (a) | monitor and ensure the correct application of this Regulation in the cases provided for in Articles 64 and 65 without prejudice to the tasks of national supervisory authorities; |
| (b) | advise the Commission on any issue related to the protection of personal_data in the Union, including on any proposed amendment of this Regulation; |
| (c) | advise the Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding_corporate_rules; |
| (d) | issue guidelines, recommendations, and best practices on procedures for erasing links, copies or replications of personal_data from publicly available communication services as referred to in Article 17(2); |
| (e) | examine, on its own initiative, on request of one of its members or on request of the Commission, any question covering the application of this Regulation and issue guidelines, recommendations and best practices in order to encourage consistent application of this Regulation; |
| (f) | issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for further specifying the criteria and conditions for decisions based on profiling pursuant to Article 22(2); |
| (g) | issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing the personal_data breaches and determining the undue delay referred to in Article 33(1) and (2) and for the particular circumstances in which a controller or a processor is required to notify the personal_data breach; |
| (h) | issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph as to the circumstances in which a personal_data breach is likely to result in a high risk to the rights and freedoms of the natural persons referred to in Article 34(1). |
| (i) | issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for personal_data transfers based on binding_corporate_rules adhered to by controllers and binding_corporate_rules adhered to by processors and on further necessary requirements to ensure the protection of personal_data of the data subjects concerned referred to in Article 47; |
| (j) | issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for the personal_data transfers on the basis of Article 49(1); |
| (k) | draw up guidelines for supervisory authorities concerning the application of measures referred to in Article 58(1), (2) and (3) and the setting of administrative fines pursuant to Article 83; |
| (l) | review the practical application of the guidelines, recommendations and best practices referred to in points (e) and (f); |
| (m) | issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing common procedures for reporting by natural persons of infringements of this Regulation pursuant to Article 54(2); |
| (n) | encourage the drawing-up of codes of conduct and the establishment of data protection certification mechanisms and data protection seals and marks pursuant to Articles 40 and 42; |
| (o) | carry out the accreditation of certification bodies and its periodic review pursuant to Article 43 and maintain a public register of accredited bodies pursuant to Article 43(6) and of the accredited controllers or processors established in third countries pursuant to Article 42(7); |
| (p) | specify the requirements referred to in Article 43(3) with a view to the accreditation of certification bodies under Article 42; |
| (q) | provide the Commission with an opinion on the certification requirements referred to in Article 43(8); |
| (r) | provide the Commission with an opinion on the icons referred to in Article 12(7); |
| (s) | provide the Commission with an opinion for the assessment of the adequacy of the level of protection in a third country or international_organisation, including for the assessment whether a third country, a territory or one or more specified sectors within that third country, or an international_organisation no longer ensures an adequate level of protection. To that end, the Commission shall provide the Board with all necessary documentation, including correspondence with the government of the third country, with regard to that third country, territory or specified sector, or with the international_organisation. |
| (t) | issue opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism referred to in Article 64(1), on matters submitted pursuant to Article 64(2) and to issue binding decisions pursuant to Article 65, including in cases referred to in Article 66; |
| (u) | promote the cooperation and the effective bilateral and multilateral exchange of information and best practices between the supervisory authorities; |
| (v) | promote common training programmes and facilitate personnel exchanges between the supervisory authorities and, where appropriate, with the supervisory authorities of third countries or with international_organisations; |
| (w) | promote the exchange of knowledge and documentation on data protection legislation and practice with data protection supervisory authorities worldwide. |
| (x) | issue opinions on codes of conduct drawn up at Union level pursuant to Article 40(9); and |
| (y) | maintain a publicly accessible electronic register of decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism. |
2. Where the Commission requests advice from the Board, it may indicate a time limit, taking into account the urgency of the matter.
3. The Board shall forward its opinions, guidelines, recommendations, and best practices to the Commission and to the committee referred to in Article 93 and make them public.
4. The Board shall, where appropriate, consult interested parties and give them the opportunity to comment within a reasonable period. The Board shall, without prejudice to Article 76, make the results of the consultation procedure publicly available.
whereas
dal 2004 diritto e informatica