interactive GDPR 2016/0679 EN

‘ personal_data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(2)

‘ processing’ means any operation or set of operations which is performed on personal_data or on sets of personal_data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

(3)	‘restriction of processing’ means the marking of stored personal_data with the aim of limiting their processing in the future;

(4)

‘ profiling’ means any form of automated processing of personal_data consisting of the use of personal_data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

(5)

‘ pseudonymisation’ means the processing of personal_data in such a manner that the personal_data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal_data are not attributed to an identified or identifiable natural person;

(6)	‘ filing_system’ means any structured set of personal_data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

(7)

‘ controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal_data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

(8)	‘ processor’ means a natural or legal person, public authority, agency or other body which processes personal_data on behalf of the controller;

(9)

‘ recipient’ means a natural or legal person, public authority, agency or another body, to which the personal_data are disclosed, whether a third_party or not. However, public authorities which may receive personal_data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

(10)	‘ third_party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal_data;

(11)	‘ consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal_data relating to him or her;

(12)	‘ personal_data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal_data transmitted, stored or otherwise processed;

(13)

‘ genetic_data’ means personal_data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

(14)	‘ biometric_data’ means personal_data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;

(15)	‘ data_concerning_health’ means personal_data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

(16)

‘ main_establishment’ means:

(a)

as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal_data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main_establishment;

(b)

as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;

(17)	‘ representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;

(18)	‘ enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;

(19)	‘ group_of_undertakings’ means a controlling undertaking and its controlled undertakings;

(20)

‘ binding_corporate_rules’ means personal_data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal_data to a controller or processor in one or more third countries within a group_of_undertakings, or group of enterprises engaged in a joint economic activity;

(21)	‘ supervisory_authority’ means an independent public authority which is established by a Member State pursuant to Article 51;

(22)

‘ supervisory_authority concerned’ means a supervisory_authority which is concerned by the processing of personal_data because:

(a)	the controller or processor is established on the territory of the Member State of that supervisory_authority;

(b)	data subjects residing in the Member State of that supervisory_authority are substantially affected or likely to be substantially affected by the processing; or

(c)	a complaint has been lodged with that supervisory_authority;

(23)

‘cross-border processing’ means either:

(a)	processing of personal_data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or

(b)	processing of personal_data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

(24)

‘ relevant_and_reasoned_objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal_data within the Union;

(25)	‘ information_society_service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council (19);

(26)	‘ international_organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

CHAPTER II

Principles

Article 19

Notification obligation regarding rectification or erasure of personal_data or restriction of processing

The controller shall communicate any rectification or erasure of personal_data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal_data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

Article 23

Restrictions

1. Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

(a)	national security;

(b)

defence;

(c)	public security;

(d)	the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;

(e)	other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation a matters, public health and social security;

(f)	the protection of judicial independence and judicial proceedings;

(g)	the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

(h)	a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);

(i)	the protection of the data subject or the rights and freedoms of others;

(j)	the enforcement of civil law claims.

2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:

(a)	the purposes of the processing or categories of processing;

(b)	the categories of personal_data;

(c)	the scope of the restrictions introduced;

(d)	the safeguards to prevent abuse or unlawful access or transfer;

(e)	the specification of the controller or categories of controllers;

(f)	the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;

(g)	the risks to the rights and freedoms of data subjects; and

(h)	the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.

CHAPTER IV

Controller and processor

Section 1

General obligations

Article 25

Data protection by design and by default

1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal_data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal_data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal_data are not made accessible without the individual's intervention to an indefinite number of natural persons.

3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.

Article 26

Joint controllers

1. Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.

2. The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject.

3. Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.

Article 30

Records of processing activities

1. each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

(a)	the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;

(b)	the purposes of the processing;

(c)	a description of the categories of data subjects and of the categories of personal_data;

(d)	the categories of recipients to whom the personal_data have been or will be disclosed including recipients in third countries or international_organisations;

(e)

where applicable, transfers of personal_data to a third country or an international_organisation, including the identification of that third country or international_organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;

(f)	where possible, the envisaged time limits for erasure of the different categories of data;

(g)	where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

2. each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:

(a)	the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer;

(b)	the categories of processing carried out on behalf of each controller;

(c)

(d)	where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

3. The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.

4. The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory_authority on request.

5. The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal_data relating to criminal convictions and offences referred to in Article 10.

Article 33

Notification of a personal_data breach to the supervisory_authority

1. In the case of a personal_data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal_data breach to the supervisory_authority competent in accordance with Article 55, unless the personal_data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory_authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

2. The processor shall notify the controller without undue delay after becoming aware of a personal_data breach.

3. The notification referred to in paragraph 1 shall at least:

(a)	describe the nature of the personal_data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal_data records concerned;

(b)	communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

(c)	describe the likely consequences of the personal_data breach;

(d)	describe the measures taken or proposed to be taken by the controller to address the personal_data breach, including, where appropriate, measures to mitigate its possible adverse effects.

4. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

5. The controller shall document any personal_data breaches, comprising the facts relating to the personal_data breach, its effects and the remedial action taken. That documentation shall enable the supervisory_authority to verify compliance with this Article.

Article 34

Communication of a personal_data breach to the data subject

1. When the personal_data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal_data breach to the data subject without undue delay.

2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal_data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).

3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:

(a)

the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal_data affected by the personal_data breach, in particular those that render the personal_data unintelligible to any person who is not authorised to access it, such as encryption;

(b)	the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;

(c)	it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

4. If the controller has not already communicated the personal_data breach to the data subject, the supervisory_authority, having considered the likelihood of the personal_data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.

Section 3

Data protection impact assessment and prior consultation

Article 37

Designation of the data protection officer

1. The controller and the processor shall designate a data protection officer in any case where:

(a)	the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

(b)	the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

(c)	the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal_data relating to criminal convictions and offences referred to in Article 10.

2. A group_of_undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.

3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.

4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.

5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.

6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.

7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory_authority.

Article 40

Codes of conduct

1. The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.

2. Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to:

(a)	fair and transparent processing;

(b)	the legitimate interests pursued by controllers in specific contexts;

(c)	the collection of personal_data;

(d)	the pseudonymisation of personal_data;

(e)	the information provided to the public and to data subjects;

(f)	the exercise of the rights of data subjects;

(g)	the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained;

(h)	the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32;

(i)	the notification of personal_data breaches to supervisory authorities and the communication of such personal_data breaches to data subjects;

(j)	the transfer of personal_data to third countries or international_organisations; or

(k)	out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79.

3. In addition to adherence by controllers or processors subject to this Regulation, codes of conduct approved pursuant to paragraph 5 of this Article and having general validity pursuant to paragraph 9 of this Article may also be adhered to by controllers or processors that are not subject to this Regulation pursuant to Article 3 in order to provide appropriate safeguards within the framework of personal_data transfers to third countries or international_organisations under the terms referred to in point (e) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards including with regard to the rights of data subjects.

4. A code of conduct referred to in paragraph 2 of this Article shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of supervisory authorities competent pursuant to Article 55 or 56.

5. Associations and other bodies referred to in paragraph 2 of this Article which intend to prepare a code of conduct or to amend or extend an existing code shall submit the draft code, amendment or extension to the supervisory_authority which is competent pursuant to Article 55. The supervisory_authority shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation and shall approve that draft code, amendment or extension if it finds that it provides sufficient appropriate safeguards.

6. Where the draft code, or amendment or extension is approved in accordance with paragraph 5, and where the code of conduct concerned does not relate to processing activities in several Member States, the supervisory_authority shall register and publish the code.

7. Where a draft code of conduct relates to processing activities in several Member States, the supervisory_authority which is competent pursuant to Article 55 shall, before approving the draft code, amendment or extension, submit it in the procedure referred to in Article 63 to the Board which shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation or, in the situation referred to in paragraph 3 of this Article, provides appropriate safeguards.

8. Where the opinion referred to in paragraph 7 confirms that the draft code, amendment or extension complies with this Regulation, or, in the situation referred to in paragraph 3, provides appropriate safeguards, the Board shall submit its opinion to the Commission.

9. The Commission may, by way of implementing acts, decide that the approved code of conduct, amendment or extension submitted to it pursuant to paragraph 8 of this Article have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).

10. The Commission shall ensure appropriate publicity for the approved codes which have been decided as having general validity in accordance with paragraph 9.

11. The Board shall collate all approved codes of conduct, amendments and extensions in a register and shall make them publicly available by way of appropriate means.

Article 47

Binding corporate rules

1. The competent supervisory_authority shall approve binding_corporate_rules in accordance with the consistency mechanism set out in Article 63, provided that they:

(a)	are legally binding and apply to and are enforced by every member concerned of the group_of_undertakings, or group of enterprises engaged in a joint economic activity, including their employees;

(b)	expressly confer enforceable rights on data subjects with regard to the processing of their personal_data; and

(c)	fulfil the requirements laid down in paragraph 2.

2. The binding_corporate_rules referred to in paragraph 1 shall specify at least:

(a)	the structure and contact details of the group_of_undertakings, or group of enterprises engaged in a joint economic activity and of each of its members;

(b)	the data transfers or set of transfers, including the categories of personal_data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;

(c)	their legally binding nature, both internally and externally;

(d)

the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal_data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding_corporate_rules;

(e)

the rights of data subjects in regard to processing and the means to exercise those rights, including the right not to be subject to decisions based solely on automated processing, including profiling in accordance with Article 22, the right to lodge a complaint with the competent supervisory_authority and before the competent courts of the Member States in accordance with Article 79, and to obtain redress and, where appropriate, compensation for a breach of the binding_corporate_rules;

(f)

the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding_corporate_rules by any member concerned not established in the Union; the controller or the processor shall be exempt from that liability, in whole or in part, only if it proves that that member is not responsible for the event giving rise to the damage;

(g)	how the information on the binding_corporate_rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in addition to Articles 13 and 14;

(h)

the tasks of any data protection officer designated in accordance with Article 37 or any other person or entity in charge of the monitoring compliance with the binding_corporate_rules within the group_of_undertakings, or group of enterprises engaged in a joint economic activity, as well as monitoring training and complaint-handling;

(i)	the complaint procedures;

(j)

the mechanisms within the group_of_undertakings, or group of enterprises engaged in a joint economic activity for ensuring the verification of compliance with the binding_corporate_rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. Results of such verification should be communicated to the person or entity referred to in point (h) and to the board of the controlling undertaking of a group_of_undertakings, or of the group of enterprises engaged in a joint economic activity, and should be available upon request to the competent supervisory_authority;

(k)	the mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory_authority;

(l)

the cooperation mechanism with the supervisory_authority to ensure compliance by any member of the group_of_undertakings, or group of enterprises engaged in a joint economic activity, in particular by making available to the supervisory_authority the results of verifications of the measures referred to in point (j);

(m)

the mechanisms for reporting to the competent supervisory_authority any legal requirements to which a member of the group_of_undertakings, or group of enterprises engaged in a joint economic activity is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding_corporate_rules; and

(n)	the appropriate data protection training to personnel having permanent or regular access to personal_data.

3. The Commission may specify the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding_corporate_rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).

Article 51

Supervisory authority

1. each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal_data within the Union (‘ supervisory_authority’).

2. each supervisory_authority shall contribute to the consistent application of this Regulation throughout the Union. For that purpose, the supervisory authorities shall cooperate with each other and the Commission in accordance with Chapter VII.

3. Where more than one supervisory_authority is established in a Member State, that Member State shall designate the supervisory_authority which is to represent those authorities in the Board and shall set out the mechanism to ensure compliance by the other authorities with the rules relating to the consistency mechanism referred to in Article 63.

4. each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to this Chapter, by 25 May 2018 and, without delay, any subsequent amendment affecting them.

Article 52

Independence

1. each supervisory_authority shall act with complete independence in performing its tasks and exercising its powers in accordance with this Regulation.

2. The member or members of each supervisory_authority shall, in the performance of their tasks and exercise of their powers in accordance with this Regulation, remain free from external influence, whether direct or indirect, and shall neither seek nor take instructions from anybody.

3. Member or members of each supervisory_authority shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation, whether gainful or not.

4. each Member State shall ensure that each supervisory_authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers, including those to be carried out in the context of mutual assistance, cooperation and participation in the Board.

5. each Member State shall ensure that each supervisory_authority chooses and has its own staff which shall be subject to the exclusive direction of the member or members of the supervisory_authority concerned.

6. each Member State shall ensure that each supervisory_authority is subject to financial control which does not affect its independence and that it has separate, public annual budgets, which may be part of the overall state or national budget.

Article 53

General conditions for the members of the supervisory_authority

1. Member States shall provide for each member of their supervisory authorities to be appointed by means of a transparent procedure by:

—	their parliament;

—	their government;

—	their head of State; or

—	an independent body entrusted with the appointment under Member State law.

2. each member shall have the qualifications, experience and skills, in particular in the area of the protection of personal_data, required to perform its duties and exercise its powers.

3. The duties of a member shall end in the event of the expiry of the term of office, resignation or compulsory retirement, in accordance with the law of the Member State concerned.

4. A member shall be dismissed only in cases of serious misconduct or if the member no longer fulfils the conditions required for the performance of the duties.

Article 54

Rules on the establishment of the supervisory_authority

1. each Member State shall provide by law for all of the following:

(a)	the establishment of each supervisory_authority;

(b)	the qualifications and eligibility conditions required to be appointed as member of each supervisory_authority;

(c)	the rules and procedures for the appointment of the member or members of each supervisory_authority;

(d)

the duration of the term of the member or members of each supervisory_authority of no less than four years, except for the first appointment after 24 May 2016, part of which may take place for a shorter period where that is necessary to protect the independence of the supervisory_authority by means of a staggered appointment procedure;

(e)	whether and, if so, for how many terms the member or members of each supervisory_authority is eligible for reappointment;

(f)	the conditions governing the obligations of the member or members and staff of each supervisory_authority, prohibitions on actions, occupations and benefits incompatible therewith during and after the term of office and rules governing the cessation of employment.

2. The member or members and the staff of each supervisory_authority shall, in accordance with Union or Member State law, be subject to a duty of professional secrecy both during and after their term of office, with regard to any confidential information which has come to their knowledge in the course of the performance of their tasks or exercise of their powers. During their term of office, that duty of professional secrecy shall in particular apply to reporting by natural persons of infringements of this Regulation.

Section 2

Competence, tasks and powers

Article 55

Competence

1. each supervisory_authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State.

2. Where processing is carried out by public authorities or private bodies acting on the basis of point (c) or (e) of Article 6(1), the supervisory_authority of the Member State concerned shall be competent. In such cases Article 56 does not apply.

3. Supervisory authorities shall not be competent to supervise processing operations of courts acting in their judicial capacity.

Article 56

Competence of the lead supervisory_authority

1. Without prejudice to Article 55, the supervisory_authority of the main_establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory_authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60.

2. By derogation from paragraph 1, each supervisory_authority shall be competent to handle a complaint lodged with it or a possible infringement of this Regulation, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State.

3. In the cases referred to in paragraph 2 of this Article, the supervisory_authority shall inform the lead supervisory_authority without delay on that matter. Within a period of three weeks after being informed the lead supervisory_authority shall decide whether or not it will handle the case in accordance with the procedure provided in Article 60, taking into account whether or not there is an establishment of the controller or processor in the Member State of which the supervisory_authority informed it.

4. Where the lead supervisory_authority decides to handle the case, the procedure provided in Article 60 shall apply. The supervisory_authority which informed the lead supervisory_authority may submit to the lead supervisory_authority a draft for a decision. The lead supervisory_authority shall take utmost account of that draft when preparing the draft decision referred to in Article 60(3).

5. Where the lead supervisory_authority decides not to handle the case, the supervisory_authority which informed the lead supervisory_authority shall handle it according to Articles 61 and 62.

6. The lead supervisory_authority shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor.

Article 57

Tasks

1. Without prejudice to other tasks set out under this Regulation, each supervisory_authority shall on its territory:

(a)	monitor and enforce the application of this Regulation;

(b)	promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children shall receive specific attention;

(c)	advise, in accordance with Member State law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to processing;

(d)	promote the awareness of controllers and processors of their obligations under this Regulation;

(e)	upon request, provide information to any data subject concerning the exercise of their rights under this Regulation and, if appropriate, cooperate with the supervisory authorities in other Member States to that end;

(f)

handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory_authority is necessary;

(g)	cooperate with, including sharing information and provide mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of this Regulation;

(h)	conduct investigations on the application of this Regulation, including on the basis of information received from another supervisory_authority or other public authority;

(i)	monitor relevant developments, insofar as they have an impact on the protection of personal_data, in particular the development of information and communication technologies and commercial practices;

(j)	adopt standard contractual clauses referred to in Article 28(8) and in point (d) of Article 46(2);

(k)	establish and maintain a list in relation to the requirement for data protection impact assessment pursuant to Article 35(4);

(l)	give advice on the processing operations referred to in Article 36(2);

(m)	encourage the drawing up of codes of conduct pursuant to Article 40(1) and provide an opinion and approve such codes of conduct which provide sufficient safeguards, pursuant to Article 40(5);

(n)	encourage the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Article 42(1), and approve the criteria of certification pursuant to Article 42(5);

(o)	where applicable, carry out a periodic review of certifications issued in accordance with Article 42(7);

(p)	draft and publish the criteria for accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;

(q)	conduct the accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;

(r)	authorise contractual clauses and provisions referred to in Article 46(3);

(s)	approve binding_corporate_rules pursuant to Article 47;

(t)	contribute to the activities of the Board;

(u)	keep internal records of infringements of this Regulation and of measures taken in accordance with Article 58(2); and

(v)	fulfil any other tasks related to the protection of personal_data.

2. each supervisory_authority shall facilitate the submission of complaints referred to in point (f) of paragraph 1 by measures such as a complaint submission form which can also be completed electronically, without excluding other means of communication.

3. The performance of the tasks of each supervisory_authority shall be free of charge for the data subject and, where applicable, for the data protection officer.

4. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the supervisory_authority may charge a reasonable fee based on administrative costs, or refuse to act on the request. The supervisory_authority shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

Article 58

Powers

1. each supervisory_authority shall have all of the following investigative powers:

(a)	to order the controller and the processor, and, where applicable, the controller's or the processor's representative to provide any information it requires for the performance of its tasks;

(b)	to carry out investigations in the form of data protection audits;

(c)	to carry out a review on certifications issued pursuant to Article 42(7);

(d)	to notify the controller or the processor of an alleged infringement of this Regulation;

(e)	to obtain, from the controller and the processor, access to all personal_data and to all information necessary for the performance of its tasks;

(f)	to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law.

2. each supervisory_authority shall have all of the following corrective powers:

(a)	to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;

(b)	to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;

(c)	to order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation;

(d)	to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;

(e)	to order the controller to communicate a personal_data breach to the data subject;

(f)	to impose a temporary or definitive limitation including a ban on processing;

(g)	to order the rectification or erasure of personal_data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal_data have been disclosed pursuant to Article 17(2) and Article 19;

(h)	to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;

(i)	to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;

(j)	to order the suspension of data flows to a recipient in a third country or to an international_organisation.

3. each supervisory_authority shall have all of the following authorisation and advisory powers:

(a)	to advise the controller in accordance with the prior consultation procedure referred to in Article 36;

(b)	to issue, on its own initiative or on request, opinions to the national parliament, the Member State government or, in accordance with Member State law, to other institutions and bodies as well as to the public on any issue related to the protection of personal_data;

(c)	to authorise processing referred to in Article 36(5), if the law of the Member State requires such prior authorisation;

(d)	to issue an opinion and approve draft codes of conduct pursuant to Article 40(5);

(e)	to accredit certification bodies pursuant to Article 43;

(f)	to issue certifications and approve criteria of certification in accordance with Article 42(5);

(g)	to adopt standard data protection clauses referred to in Article 28(8) and in point (d) of Article 46(2);

(h)	to authorise contractual clauses referred to in point (a) of Article 46(3);

(i)	to authorise administrative arrangements referred to in point (b) of Article 46(3);

(j)	to approve binding_corporate_rules pursuant to Article 47.

4. The exercise of the powers conferred on the supervisory_authority pursuant to this Article shall be subject to appropriate safeguards, including effective judicial remedy and due process, set out in Union and Member State law in accordance with the Charter.

5. each Member State shall provide by law that its supervisory_authority shall have the power to bring infringements of this Regulation to the attention of the judicial authorities and where appropriate, to commence or engage otherwise in legal proceedings, in order to enforce the provisions of this Regulation.

6. each Member State may provide by law that its supervisory_authority shall have additional powers to those referred to in paragraphs 1, 2 and 3. The exercise of those powers shall not impair the effective operation of Chapter VII.

Article 59

Activity reports

each supervisory_authority shall draw up an annual report on its activities, which may include a list of types of infringement notified and types of measures taken in accordance with Article 58(2). Those reports shall be transmitted to the national parliament, the government and other authorities as designated by Member State law. They shall be made available to the public, to the Commission and to the Board.

CHAPTER VII

Cooperation and consistency

Section 1

Cooperation

Article 60

Cooperation between the lead supervisory_authority and the other supervisory authorities concerned

1. The lead supervisory_authority shall cooperate with the other supervisory authorities concerned in accordance with this Article in an endeavour to reach consensus. The lead supervisory_authority and the supervisory authorities concerned shall exchange all relevant information with each other.

2. The lead supervisory_authority may request at any time other supervisory authorities concerned to provide mutual assistance pursuant to Article 61 and may conduct joint operations pursuant to Article 62, in particular for carrying out investigations or for monitoring the implementation of a measure concerning a controller or processor established in another Member State.

3. The lead supervisory_authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. It shall without delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views.

4. Where any of the other supervisory authorities concerned within a period of four weeks after having been consulted in accordance with paragraph 3 of this Article, expresses a relevant_and_reasoned_objection to the draft decision, the lead supervisory_authority shall, if it does not follow the relevant_and_reasoned_objection or is of the opinion that the objection is not relevant or reasoned, submit the matter to the consistency mechanism referred to in Article 63.

5. Where the lead supervisory_authority intends to follow the relevant_and_reasoned_objection made, it shall submit to the other supervisory authorities concerned a revised draft decision for their opinion. That revised draft decision shall be subject to the procedure referred to in paragraph 4 within a period of two weeks.

6. Where none of the other supervisory authorities concerned has objected to the draft decision submitted by the lead supervisory_authority within the period referred to in paragraphs 4 and 5, the lead supervisory_authority and the supervisory authorities concerned shall be deemed to be in agreement with that draft decision and shall be bound by it.

7. The lead supervisory_authority shall adopt and notify the decision to the main_establishment or single establishment of the controller or processor, as the case may be and inform the other supervisory authorities concerned and the Board of the decision in question, including a summary of the relevant facts and grounds. The supervisory_authority with which a complaint has been lodged shall inform the complainant on the decision.

8. By derogation from paragraph 7, where a complaint is dismissed or rejected, the supervisory_authority with which the complaint was lodged shall adopt the decision and notify it to the complainant and shall inform the controller thereof.

9. Where the lead supervisory_authority and the supervisory authorities concerned agree to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter. The lead supervisory_authority shall adopt the decision for the part concerning actions in relation to the controller, shall notify it to the main_establishment or single establishment of the controller or processor on the territory of its Member State and shall inform the complainant thereof, while the supervisory_authority of the complainant shall adopt the decision for the part concerning dismissal or rejection of that complaint, and shall notify it to that complainant and shall inform the controller or processor thereof.

10. After being notified of the decision of the lead supervisory_authority pursuant to paragraphs 7 and 9, the controller or processor shall take the necessary measures to ensure compliance with the decision as regards processing activities in the context of all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the lead supervisory_authority, which shall inform the other supervisory authorities concerned.

11. Where, in exceptional circumstances, a supervisory_authority concerned has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Article 66 shall apply.

12. The lead supervisory_authority and the other supervisory authorities concerned shall supply the information required under this Article to each other by electronic means, using a standardised format.

Article 61

Mutual assistance

1. Supervisory authorities shall provide each other with relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner, and shall put in place measures for effective cooperation with one another. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorisations and consultations, inspections and investigations.

2. each supervisory_authority shall take all appropriate measures required to reply to a request of another supervisory_authority without undue delay and no later than one month after receiving the request. Such measures may include, in particular, the transmission of relevant information on the conduct of an investigation.

3. Requests for assistance shall contain all the necessary information, including the purpose of and reasons for the request. Information exchanged shall be used only for the purpose for which it was requested.

4. The requested supervisory_authority shall not refuse to comply with the request unless:

(a)	it is not competent for the subject-matter of the request or for the measures it is requested to execute; or

(b)	compliance with the request would infringe this Regulation or Union or Member State law to which the supervisory_authority receiving the request is subject.

5. The requested supervisory_authority shall inform the requesting supervisory_authority of the results or, as the case may be, of the progress of the measures taken in order to respond to the request. The requested supervisory_authority shall provide reasons for any refusal to comply with a request pursuant to paragraph 4.

6. Requested supervisory authorities shall, as a rule, supply the information requested by other supervisory authorities by electronic means, using a standardised format.

7. Requested supervisory authorities shall not charge a fee for any action taken by them pursuant to a request for mutual assistance. Supervisory authorities may agree on rules to indemnify each other for specific expenditure arising from the provision of mutual assistance in exceptional circumstances.

8. Where a supervisory_authority does not provide the information referred to in paragraph 5 of this Article within one month of receiving the request of another supervisory_authority, the requesting supervisory_authority may adopt a provisional measure on the territory of its Member State in accordance with Article 55(1). In that case, the urgent need to act under Article 66(1) shall be presumed to be met and require an urgent binding decision from the Board pursuant to Article 66(2).

9. The Commission may, by means of implementing acts, specify the format and procedures for mutual assistance referred to in this Article and the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the Board, in particular the standardised format referred to in paragraph 6 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

Article 62

Joint operations of supervisory authorities

1. The supervisory authorities shall, where appropriate, conduct joint operations including joint investigations and joint enforcement measures in which members or staff of the supervisory authorities of other Member States are involved.

2. Where the controller or processor has establishments in several Member States or where a significant number of data subjects in more than one Member State are likely to be substantially affected by processing operations, a supervisory_authority of each of those Member States shall have the right to participate in joint operations. The supervisory_authority which is competent pursuant to Article 56(1) or (4) shall invite the supervisory_authority of each of those Member States to take part in the joint operations and shall respond without delay to the request of a supervisory_authority to participate.

3. A supervisory_authority may, in accordance with Member State law, and with the seconding supervisory_authority's authorisation, confer powers, including investigative powers on the seconding supervisory_authority's members or staff involved in joint operations or, in so far as the law of the Member State of the host supervisory_authority permits, allow the seconding supervisory_authority's members or staff to exercise their investigative powers in accordance with the law of the Member State of the seconding supervisory_authority. Such investigative powers may be exercised only under the guidance and in the presence of members or staff of the host supervisory_authority. The seconding supervisory_authority's members or staff shall be subject to the Member State law of the host supervisory_authority.

4. Where, in accordance with paragraph 1, staff of a seconding supervisory_authority operate in another Member State, the Member State of the host supervisory_authority shall assume responsibility for their actions, including liability, for any damage caused by them during their operations, in accordance with the law of the Member State in whose territory they are operating.

5. The Member State in whose territory the damage was caused shall make good such damage under the conditions applicable to damage caused by its own staff. The Member State of the seconding supervisory_authority whose staff has caused damage to any person in the territory of another Member State shall reimburse that other Member State in full any sums it has paid to the persons entitled on their behalf.

6. Without prejudice to the exercise of its rights vis-à-vis third parties and with the exception of paragraph 5, each Member State shall refrain, in the case provided for in paragraph 1, from requesting reimbursement from another Member State in relation to damage referred to in paragraph 4.

7. Where a joint operation is intended and a supervisory_authority does not, within one month, comply with the obligation laid down in the second sentence of paragraph 2 of this Article, the other supervisory authorities may adopt a provisional measure on the territory of its Member State in accordance with Article 55. In that case, the urgent need to act under Article 66(1) shall be presumed to be met and require an opinion or an urgent binding decision from the Board pursuant to Article 66(2).

Section 2

Consistency

Article 63

Consistency mechanism

In order to contribute to the consistent application of this Regulation throughout the Union, the supervisory authorities shall cooperate with each other and, where relevant, with the Commission, through the consistency mechanism as set out in this Section.

Article 68

European Data Protection Board

1. The European Data Protection Board (the ‘Board’) is hereby established as a body of the Union and shall have legal personality.

2. The Board shall be represented by its Chair.

3. The Board shall be composed of the head of one supervisory_authority of each Member State and of the European Data Protection Supervisor, or their respective representatives.

4. Where in a Member State more than one supervisory_authority is responsible for monitoring the application of the provisions pursuant to this Regulation, a joint representative shall be appointed in accordance with that Member State's law.

5. The Commission shall have the right to participate in the activities and meetings of the Board without voting right. The Commission shall designate a representative. The Chair of the Board shall communicate to the Commission the activities of the Board.

6. In the cases referred to in Article 65, the European Data Protection Supervisor shall have voting rights only on decisions which concern principles and rules applicable to the Union institutions, bodies, offices and agencies which correspond in substance to those of this Regulation.

Article 70

Tasks of the Board

1. The Board shall ensure the consistent application of this Regulation. To that end, the Board shall, on its own initiative or, where relevant, at the request of the Commission, in particular:

(a)	monitor and ensure the correct application of this Regulation in the cases provided for in Articles 64 and 65 without prejudice to the tasks of national supervisory authorities;

(b)	advise the Commission on any issue related to the protection of personal_data in the Union, including on any proposed amendment of this Regulation;

(c)	advise the Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding_corporate_rules;

(d)	issue guidelines, recommendations, and best practices on procedures for erasing links, copies or replications of personal_data from publicly available communication services as referred to in Article 17(2);

(e)	examine, on its own initiative, on request of one of its members or on request of the Commission, any question covering the application of this Regulation and issue guidelines, recommendations and best practices in order to encourage consistent application of this Regulation;

(f)	issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for further specifying the criteria and conditions for decisions based on profiling pursuant to Article 22(2);

(g)

issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing the personal_data breaches and determining the undue delay referred to in Article 33(1) and (2) and for the particular circumstances in which a controller or a processor is required to notify the personal_data breach;

(h)	issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph as to the circumstances in which a personal_data breach is likely to result in a high risk to the rights and freedoms of the natural persons referred to in Article 34(1).

(i)

issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for personal_data transfers based on binding_corporate_rules adhered to by controllers and binding_corporate_rules adhered to by processors and on further necessary requirements to ensure the protection of personal_data of the data subjects concerned referred to in Article 47;

(j)	issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for the personal_data transfers on the basis of Article 49(1);

(k)	draw up guidelines for supervisory authorities concerning the application of measures referred to in Article 58(1), (2) and (3) and the setting of administrative fines pursuant to Article 83;

(l)	review the practical application of the guidelines, recommendations and best practices referred to in points (e) and (f);

(m)	issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing common procedures for reporting by natural persons of infringements of this Regulation pursuant to Article 54(2);

(n)	encourage the drawing-up of codes of conduct and the establishment of data protection certification mechanisms and data protection seals and marks pursuant to Articles 40 and 42;

(o)	carry out the accreditation of certification bodies and its periodic review pursuant to Article 43 and maintain a public register of accredited bodies pursuant to Article 43(6) and of the accredited controllers or processors established in third countries pursuant to Article 42(7);

(p)	specify the requirements referred to in Article 43(3) with a view to the accreditation of certification bodies under Article 42;

(q)	provide the Commission with an opinion on the certification requirements referred to in Article 43(8);

(r)	provide the Commission with an opinion on the icons referred to in Article 12(7);

(s)

provide the Commission with an opinion for the assessment of the adequacy of the level of protection in a third country or international_organisation, including for the assessment whether a third country, a territory or one or more specified sectors within that third country, or an international_organisation no longer ensures an adequate level of protection. To that end, the Commission shall provide the Board with all necessary documentation, including correspondence with the government of the third country, with regard to that third country, territory or specified sector, or with the international_organisation.

(t)	issue opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism referred to in Article 64(1), on matters submitted pursuant to Article 64(2) and to issue binding decisions pursuant to Article 65, including in cases referred to in Article 66;

(u)	promote the cooperation and the effective bilateral and multilateral exchange of information and best practices between the supervisory authorities;

(v)	promote common training programmes and facilitate personnel exchanges between the supervisory authorities and, where appropriate, with the supervisory authorities of third countries or with international_organisations;

(w)	promote the exchange of knowledge and documentation on data protection legislation and practice with data protection supervisory authorities worldwide.

(x)	issue opinions on codes of conduct drawn up at Union level pursuant to Article 40(9); and

(y)	maintain a publicly accessible electronic register of decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.

2. Where the Commission requests advice from the Board, it may indicate a time limit, taking into account the urgency of the matter.

3. The Board shall forward its opinions, guidelines, recommendations, and best practices to the Commission and to the committee referred to in Article 93 and make them public.

4. The Board shall, where appropriate, consult interested parties and give them the opportunity to comment within a reasonable period. The Board shall, without prejudice to Article 76, make the results of the consultation procedure publicly available.

Article 78

Right to an effective judicial remedy against a supervisory_authority

1. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory_authority concerning them.

2. Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to a an effective judicial remedy where the supervisory_authority which is competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged pursuant to Article 77.

3. Proceedings against a supervisory_authority shall be brought before the courts of the Member State where the supervisory_authority is established.

4. Where proceedings are brought against a decision of a supervisory_authority which was preceded by an opinion or a decision of the Board in the consistency mechanism, the supervisory_authority shall forward that opinion or decision to the court.

Article 79

Right to an effective judicial remedy against a controller or processor

1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory_authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal_data in non-compliance with this Regulation.

2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.

Article 82

Right to compensation and liability

1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.

3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.

4. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.

5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.

6. Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2).

Article 83

General conditions for imposing administrative fines

1. each supervisory_authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.

2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:

(a)	the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

(b)	the intentional or negligent character of the infringement;

(c)	any action taken by the controller or processor to mitigate the damage suffered by data subjects;

(d)	the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;

(e)	any relevant previous infringements by the controller or processor;

(f)	the degree of cooperation with the supervisory_authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

(g)	the categories of personal_data affected by the infringement;

(h)	the manner in which the infringement became known to the supervisory_authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

(i)	where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;

(j)	adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

(k)	any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

3. If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.

4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

(a)	the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;

(b)	the obligations of the certification body pursuant to Articles 42 and 43;

(c)	the obligations of the monitoring body pursuant to Article 41(4).

5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

(a)	the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;

(b)	the data subjects' rights pursuant to Articles 12 to 22;

(c)	the transfers of personal_data to a recipient in a third country or an international_organisation pursuant to Articles 44 to 49;

(d)	any obligations pursuant to Member State law adopted under Chapter IX;

(e)	non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory_authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).

6. Non-compliance with an order by the supervisory_authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

7. Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.

8. The exercise by the supervisory_authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process.

9. Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent supervisory_authority and imposed by competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. Those Member States shall notify to the Commission the provisions of their laws which they adopt pursuant to this paragraph by 25 May 2018 and, without delay, any subsequent amendment law or amendment affecting them.

Article 84

Penalties

1. Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.

2. each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.

CHAPTER IX

Provisions relating to specific processing situations

Article 85

Processing and freedom of expression and information

1. Member States shall by law reconcile the right to the protection of personal_data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.

2. For processing carried out for journalistic purposes or the purpose of academic artistic or literary expression, Member States shall provide for exemptions or derogations from Chapter II (principles), Chapter III (rights of the data subject), Chapter IV ( controller and processor), Chapter V (transfer of personal_data to third countries or international_organisations), Chapter VI (independent supervisory authorities), Chapter VII (cooperation and consistency) and Chapter IX (specific data processing situations) if they are necessary to reconcile the right to the protection of personal_data with the freedom of expression and information.

3. each Member State shall notify to the Commission the provisions of its law which it has adopted pursuant to paragraph 2 and, without delay, any subsequent amendment law or amendment affecting them.

Article 88

Processing in the context of employment

1. Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees' personal_data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of employer's or customer's property and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.

2. Those rules shall include suitable and specific measures to safeguard the data subject's human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal_data within a group_of_undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the work place.

3. each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.

Article 90

Obligations of secrecy

1. Member States may adopt specific rules to set out the powers of the supervisory authorities laid down in points (e) and (f) of Article 58(1) in relation to controllers or processors that are subject, under Union or Member State law or rules established by national competent bodies, to an obligation of professional secrecy or other equivalent obligations of secrecy where this is necessary and proportionate to reconcile the right of the protection of personal_data with the obligation of secrecy. Those rules shall apply only with regard to personal_data which the controller or processor has received as a result of or has obtained in an activity covered by that obligation of secrecy.

2. each Member State shall notify to the Commission the rules adopted pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.

whereas

(45) Where processing is carried out in accordance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law.
This Regulation does not require a specific law for each individual processing.
A law as a basis for several processing operations based on a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority may be sufficient.
It should also be for Union or Member State law to determine the purpose of processing.
Furthermore, that law could specify the general conditions of this Regulation governing the lawfulness of personal_data processing, establish specifications for determining the controller, the type of personal_data which are subject to the processing, the data subjects concerned, the entities to which the personal_data may be disclosed, the purpose limitations, the storage period and other measures to ensure lawful and fair processing.
It should also be for Union or Member State law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public authority or another natural or legal person governed by public law, or, where it is in the public interest to do so, including for health purposes such as public health and social protection and the management of health care services, by private law, such as a professional association.

- = -

(71) The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention.
Such processing includes ‘ profiling’ that consists of any form of automated processing of personal_data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her.
However, decision-making based on such processing, including profiling, should be allowed where expressly authorised by Union or Member State law to which the controller is subject, including for fraud and tax-evasion monitoring and prevention purposes conducted in accordance with the regulations, standards and recommendations of Union institutions or national oversight bodies and to ensure the security and reliability of a service provided by the controller, or necessary for the entering or performance of a contract between the data subject and a controller, or when the data subject has given his or her explicit consent.
In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision.
Such measure should not concern a child.

- = -

(73) Restrictions concerning specific principles and the rights of information, access to and rectification or erasure of personal_data, the right to data portability, the right to object, decisions based on profiling, as well as the communication of a personal_data breach to a data subject and certain related obligations of the controllers may be imposed by Union or Member State law, as far as necessary and proportionate in a democratic society to safeguard public security, including the protection of human life especially in response to natural or manmade disasters, the prevention, investigation and prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, or of breaches of ethics for regulated professions, other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, the keeping of public registers kept for reasons of general public interest, further processing of archived personal_data to provide specific information related to the political behaviour under former totalitarian state regimes or the protection of the data subject or the rights and freedoms of others, including social protection, public health and humanitarian purposes.
Those restrictions should be in accordance with the requirements set out in the Charter and in the European Convention for the Protection of Human Rights and Fundamental Freedoms.

- = -

(82) In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility.
each controller and processor should be obliged to cooperate with the supervisory_authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.

- = -

(85) A personal_data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal_data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal_data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.
Therefore, as soon as the controller becomes aware that a personal_data breach has occurred, the controller should notify the personal_data breach to the supervisory_authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal_data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Where such notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification and information may be provided in phases without undue further delay.

- = -

(86) The controller should communicate to the data subject a personal_data breach, without undue delay, where that personal_data breach is likely to result in a high risk to the rights and freedoms of the natural person in order to allow him or her to take the necessary precautions.
The communication should describe the nature of the personal_data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects.
Such communications to data subjects should be made as soon as reasonably feasible and in close cooperation with the supervisory_authority, respecting guidance provided by it or by other relevant authorities such as law-enforcement authorities.
For example, the need to mitigate an immediate risk of damage would call for prompt communication with data subjects whereas the need to implement appropriate measures against continuing or similar personal_data breaches may justify more time for communication.

- = -

(87) It should be ascertained whether all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal_data breach has taken place and to inform promptly the supervisory_authority and the data subject.
The fact that the notification was made without undue delay should be established taking into account in particular the nature and gravity of the personal_data breach and its consequences and adverse effects for the data subject.
Such notification may result in an intervention of the supervisory_authority in accordance with its tasks and powers laid down in this Regulation.

- = -

(88) In setting detailed rules concerning the format and procedures applicable to the notification of personal_data breaches, due consideration should be given to the circumstances of that breach, including whether or not personal_data had been protected by appropriate technical protection measures, effectively limiting the likelihood of identity fraud or other forms of misuse.
Moreover, such rules and procedures should take into account the legitimate interests of law-enforcement authorities where early disclosure could unnecessarily hamper the investigation of the circumstances of a personal_data breach.

- = -

(115) Some third countries adopt laws, regulations and other legal acts which purport to directly regulate the processing activities of natural and legal persons under the jurisdiction of the Member States.
This may include judgments of courts or tribunals or decisions of administrative authorities in third countries requiring a controller or processor to transfer or disclose personal_data, and which are not based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State.
The extraterritorial application of those laws, regulations and other legal acts may be in breach of international law and may impede the attainment of the protection of natural persons ensured in the Union by this Regulation.
Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met.
This may be the case, inter alia, where disclosure is necessary for an important ground of public interest recognised in Union or Member State law to which the controller is subject.

- = -

(120) each supervisory_authority should be provided with the financial and human resources, premises and infrastructure necessary for the effective performance of their tasks, including those related to mutual assistance and cooperation with other supervisory authorities throughout the Union.
each supervisory_authority should have a separate, public annual budget, which may be part of the overall state or national budget.

- = -

(121) The general conditions for the member or members of the supervisory_authority should be laid down by law in each Member State and should in particular provide that those members are to be appointed, by means of a transparent procedure, either by the parliament, government or the head of State of the Member State on the basis of a proposal from the government, a member of the government, the parliament or a chamber of the parliament, or by an independent body entrusted under Member State law.
In order to ensure the independence of the supervisory_authority, the member or members should act with integrity, refrain from any action that is incompatible with their duties and should not, during their term of office, engage in any incompatible occupation, whether gainful or not.
The supervisory_authority should have its own staff, chosen by the supervisory_authority or an independent body established by Member State law, which should be subject to the exclusive direction of the member or members of the supervisory_authority.

- = -

(122) each supervisory_authority should be competent on the territory of its own Member State to exercise the powers and to perform the tasks conferred on it in accordance with this Regulation.
This should cover in particular the processing in the context of the activities of an establishment of the controller or processor on the territory of its own Member State, the processing of personal_data carried out by public authorities or private bodies acting in the public interest, processing affecting data subjects on its territory or processing carried out by a controller or processor not established in the Union when targeting data subjects residing on its territory.
This should include handling complaints lodged by a data subject, conducting investigations on the application of this Regulation and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal_data.

- = -

(123) The supervisory authorities should monitor the application of the provisions pursuant to this Regulation and contribute to its consistent application throughout the Union, in order to protect natural persons in relation to the processing of their personal_data and to facilitate the free flow of personal_data within the internal market.
For that purpose, the supervisory authorities should cooperate with each other and with the Commission, without the need for any agreement between Member States on the provision of mutual assistance or on such cooperation.

- = -

(127) each supervisory_authority not acting as the lead supervisory_authority should be competent to handle local cases where the controller or processor is established in more than one Member State, but the subject matter of the specific processing concerns only processing carried out in a single Member State and involves only data subjects in that single Member State, for example, where the subject matter concerns the processing of employees' personal_data in the specific employment context of a Member State.
In such cases, the supervisory_authority should inform the lead supervisory_authority without delay about the matter.
After being informed, the lead supervisory_authority should decide, whether it will handle the case pursuant to the provision on cooperation between the lead supervisory_authority and other supervisory authorities concerned (‘one-stop-shop mechanism’), or whether the supervisory_authority which informed it should handle the case at local level.
When deciding whether it will handle the case, the lead supervisory_authority should take into account whether there is an establishment of the controller or processor in the Member State of the supervisory_authority which informed it in order to ensure effective enforcement of a decision vis-à-vis the controller or processor.
Where the lead supervisory_authority decides to handle the case, the supervisory_authority which informed it should have the possibility to submit a draft for a decision, of which the lead supervisory_authority should take utmost account when preparing its draft decision in that one-stop-shop mechanism.

- = -

(129) In order to ensure consistent monitoring and enforcement of this Regulation throughout the Union, the supervisory authorities should have in each Member State the same tasks and effective powers, including powers of investigation, corrective powers and sanctions, and authorisation and advisory powers, in particular in cases of complaints from natural persons, and without prejudice to the powers of prosecutorial authorities under Member State law, to bring infringements of this Regulation to the attention of the judicial authorities and engage in legal proceedings.
Such powers should also include the power to impose a temporary or definitive limitation, including a ban, on processing.
Member States may specify other tasks related to the protection of personal_data under this Regulation.
The powers of supervisory authorities should be exercised in accordance with appropriate procedural safeguards set out in Union and Member State law, impartially, fairly and within a reasonable time.
In particular each measure should be appropriate, necessary and proportionate in view of ensuring compliance with this Regulation, taking into account the circumstances of each individual case, respect the right of every person to be heard before any individual measure which would affect him or her adversely is taken and avoid superfluous costs and excessive inconveniences for the persons concerned.
Investigatory powers as regards access to premises should be exercised in accordance with specific requirements in Member State procedural law, such as the requirement to obtain a prior judicial authorisation.
each legally binding measure of the supervisory_authority should be in writing, be clear and unambiguous, indicate the supervisory_authority which has issued the measure, the date of issue of the measure, bear the signature of the head, or a member of the supervisory_authority authorised by him or her, give the reasons for the measure, and refer to the right of an effective remedy.
This should not preclude additional requirements pursuant to Member State procedural law.
The adoption of a legally binding decision implies that it may give rise to judicial review in the Member State of the supervisory_authority that adopted the decision.

- = -

(133) The supervisory authorities should assist each other in performing their tasks and provide mutual assistance, so as to ensure the consistent application and enforcement of this Regulation in the internal market.
A supervisory_authority requesting mutual assistance may adopt a provisional measure if it receives no response to a request for mutual assistance within one month of the receipt of that request by the other supervisory_authority.

- = -

(134) each supervisory_authority should, where appropriate, participate in joint operations with other supervisory authorities.
The requested supervisory_authority should be obliged to respond to the request within a specified time period.

- = -

(139) In order to promote the consistent application of this Regulation, the Board should be set up as an independent body of the Union.
To fulfil its objectives, the Board should have legal personality.
The Board should be represented by its Chair.
It should replace the Working Party on the Protection of Individuals with Regard to the Processing of Personal Data established by Directive 95/46/EC.
It should consist of the head of a supervisory_authority of each Member State and the European Data Protection Supervisor or their respective representatives.
The Commission should participate in the Board's activities without voting rights and the European Data Protection Supervisor should have specific voting rights.
The Board should contribute to the consistent application of this Regulation throughout the Union, including by advising the Commission, in particular on the level of protection in third countries or international_organisations, and promoting cooperation of the supervisory authorities throughout the Union.
The Board should act independently when performing its tasks.

- = -

(141) Every data subject should have the right to lodge a complaint with a single supervisory_authority, in particular in the Member State of his or her habitual residence, and the right to an effective judicial remedy in accordance with Article 47 of the Charter if the data subject considers that his or her rights under this Regulation are infringed or where the supervisory_authority does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject.
The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case.
The supervisory_authority should inform the data subject of the progress and the outcome of the complaint within a reasonable period.
If the case requires further investigation or coordination with another supervisory_authority, intermediate information should be given to the data subject.
In order to facilitate the submission of complaints, each supervisory_authority should take measures such as providing a complaint submission form which can also be completed electronically, without excluding other means of communication.

- = -

(143) Any natural or legal person has the right to bring an action for annulment of decisions of the Board before the Court of Justice under the conditions provided for in Article 263 TFEU.
As addressees of such decisions, the supervisory authorities concerned which wish to challenge them have to bring action within two months of being notified of them, in accordance with Article 263 TFEU.
Where decisions of the Board are of direct and individual concern to a controller, processor or complainant, the latter may bring an action for annulment against those decisions within two months of their publication on the website of the Board, in accordance with Article 263 TFEU.
Without prejudice to this right under Article 263 TFEU, each natural or legal person should have an effective judicial remedy before the competent national court against a decision of a supervisory_authority which produces legal effects concerning that person.
Such a decision concerns in particular the exercise of investigative, corrective and authorisation powers by the supervisory_authority or the dismissal or rejection of complaints.
However, the right to an effective judicial remedy does not encompass measures taken by supervisory authorities which are not legally binding, such as opinions issued by or advice provided by the supervisory_authority.
Proceedings against a supervisory_authority should be brought before the courts of the Member State where the supervisory_authority is established and should be conducted in accordance with that Member State's procedural law.
Those courts should exercise full jurisdiction, which should include jurisdiction to examine all questions of fact and law relevant to the dispute before them.

- = -

(146) The controller or processor should compensate any damage which a person may suffer as a result of processing that infringes this Regulation.
The controller or processor should be exempt from liability if it proves that it is not in any way responsible for the damage.
The concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation.
This is without prejudice to any claims for damage deriving from the violation of other rules in Union or Member State law.
Processing that infringes this Regulation also includes processing that infringes delegated and implementing acts adopted in accordance with this Regulation and Member State law specifying rules of this Regulation.
Data subjects should receive full and effective compensation for the damage they have suffered.
Where controllers or processors are involved in the same processing, each controller or processor should be held liable for the entire damage.
However, where they are joined to the same judicial proceedings, in accordance with Member State law, compensation may be apportioned according to the responsibility of each controller or processor for the damage caused by the processing, provided that full and effective compensation of the data subject who suffered the damage is ensured.
Any controller or processor which has paid full compensation may subsequently institute recourse proceedings against other controllers or processors involved in the same processing.

- = -

(149) Member States should be able to lay down the rules on criminal penalties for infringements of this Regulation, including for infringements of national rules adopted pursuant to and within the limits of this Regulation.
Those criminal penalties may also allow for the deprivation of the profits obtained through infringements of this Regulation.
However, the imposition of criminal penalties for infringements of such national rules and of administrative penalties should not lead to a breach of the principle of ne bis in idem, as interpreted by the Court of Justice.

- = -

(150) In order to strengthen and harmonise administrative penalties for infringements of this Regulation, each supervisory_authority should have the power to impose administrative fines.
This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent supervisory_authority in each individual case, taking into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement.
Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes.
Where administrative fines are imposed on persons that are not an undertaking, the supervisory_authority should take account of the general level of income in the Member State as well as the economic situation of the person in considering the appropriate amount of the fine.
The consistency mechanism may also be used to promote a consistent application of administrative fines.
It should be for the Member States to determine whether and to which extent public authorities should be subject to administrative fines.
Imposing an administrative fine or giving a warning does not affect the application of other powers of the supervisory authorities or of other penalties under this Regulation.

- = -

dal 2004 diritto e informatica