interactive GDPR 2016/0679 EN

‘ personal_data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(2)

‘ processing’ means any operation or set of operations which is performed on personal_data or on sets of personal_data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

(3)	‘restriction of processing’ means the marking of stored personal_data with the aim of limiting their processing in the future;

(4)

‘ profiling’ means any form of automated processing of personal_data consisting of the use of personal_data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

(5)

‘ pseudonymisation’ means the processing of personal_data in such a manner that the personal_data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal_data are not attributed to an identified or identifiable natural person;

(6)	‘ filing_system’ means any structured set of personal_data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

(7)

‘ controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal_data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

(8)	‘ processor’ means a natural or legal person, public authority, agency or other body which processes personal_data on behalf of the controller;

(9)

‘ recipient’ means a natural or legal person, public authority, agency or another body, to which the personal_data are disclosed, whether a third_party or not. However, public authorities which may receive personal_data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

(10)	‘ third_party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal_data;

(11)	‘ consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal_data relating to him or her;

(12)	‘ personal_data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal_data transmitted, stored or otherwise processed;

(13)

‘ genetic_data’ means personal_data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

(14)	‘ biometric_data’ means personal_data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;

(15)	‘ data_concerning_health’ means personal_data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

(16)

‘ main_establishment’ means:

(a)

as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal_data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main_establishment;

(b)

as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;

(17)	‘ representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;

(18)	‘ enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;

(19)	‘ group_of_undertakings’ means a controlling undertaking and its controlled undertakings;

(20)

‘ binding_corporate_rules’ means personal_data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal_data to a controller or processor in one or more third countries within a group_of_undertakings, or group of enterprises engaged in a joint economic activity;

(21)	‘ supervisory_authority’ means an independent public authority which is established by a Member State pursuant to Article 51;

(22)

‘ supervisory_authority concerned’ means a supervisory_authority which is concerned by the processing of personal_data because:

(a)	the controller or processor is established on the territory of the Member State of that supervisory_authority;

(b)	data subjects residing in the Member State of that supervisory_authority are substantially affected or likely to be substantially affected by the processing; or

(c)	a complaint has been lodged with that supervisory_authority;

(23)

‘cross-border processing’ means either:

(a)	processing of personal_data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or

(b)	processing of personal_data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

(24)

‘ relevant_and_reasoned_objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal_data within the Union;

(25)	‘ information_society_service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council (19);

(26)	‘ international_organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

CHAPTER II

Principles

Article 6

Lawfulness of processing

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a)	the data subject has given consent to the processing of his or her personal_data for one or more specific purposes;

(b)	processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c)	processing is necessary for compliance with a legal obligation to which the controller is subject;

(d)	processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e)	processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f)

processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third_party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal_data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.

3. The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:

(a)	Union law; or

(b)	Member State law to which the controller is subject.

The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal_data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.

4. Where the processing for a purpose other than that for which the personal_data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal_data are initially collected, take into account, inter alia:

(a)	any link between the purposes for which the personal_data have been collected and the purposes of the intended further processing;

(b)	the context in which the personal_data have been collected, in particular regarding the relationship between data subjects and the controller;

(c)	the nature of the personal_data, in particular whether special categories of personal_data are processed, pursuant to Article 9, or whether personal_data related to criminal convictions and offences are processed, pursuant to Article 10;

(d)	the possible consequences of the intended further processing for data subjects;

(e)	the existence of appropriate safeguards, which may include encryption or pseudonymisation.

Article 8

Conditions applicable to child's consent in relation to information_society_services

1. Where point (a) of Article 6(1) applies, in relation to the offer of information_society_services directly to a child, the processing of the personal_data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.

2. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.

3. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.

Article 17

Right to erasure (‘right to be forgotten’)

1. The data subject shall have the right to obtain from the controller the erasure of personal_data concerning him or her without undue delay and the controller shall have the obligation to erase personal_data without undue delay where one of the following grounds applies:

(a)	the personal_data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b)	the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

(c)	the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

(d)	the personal_data have been unlawfully processed;

(e)	the personal_data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

(f)	the personal_data have been collected in relation to the offer of information_society_services referred to in Article 8(1).

2. Where the controller has made the personal_data public and is obliged pursuant to paragraph 1 to erase the personal_data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal_data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal_data.

3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

(a)	for exercising the right of freedom of expression and information;

(b)	for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(c)	for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);

(d)

for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

(e)	for the establishment, exercise or defence of legal claims.

Article 21

Right to object

1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal_data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal_data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

2. Where personal_data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal_data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

3. Where the data subject objects to processing for direct marketing purposes, the personal_data shall no longer be processed for such purposes.

4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

5. In the context of the use of information_society_services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

6. Where personal_data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal_data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Article 25

Data protection by design and by default

1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal_data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal_data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal_data are not made accessible without the individual's intervention to an indefinite number of natural persons.

3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.

Article 45

Transfers on the basis of an adequacy decision

1. A transfer of personal_data to a third country or an international_organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international_organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.

2. When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:

(a)

the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal_data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal_data to another third country or international_organisation which are complied with in that country or international_organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal_data are being transferred;

(b)

the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international_organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States; and

(c)

the international commitments the third country or international_organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal_data.

3. The Commission, after assessing the adequacy of the level of protection, may decide, by means of implementing act, that a third country, a territory or one or more specified sectors within a third country, or an international_organisation ensures an adequate level of protection within the meaning of paragraph 2 of this Article. The implementing act shall provide for a mechanism for a periodic review, at least every four years, which shall take into account all relevant developments in the third country or international_organisation. The implementing act shall specify its territorial and sectoral application and, where applicable, identify the supervisory_authority or authorities referred to in point (b) of paragraph 2 of this Article. The implementing act shall be adopted in accordance with the examination procedure referred to in Article 93(2).

4. The Commission shall, on an ongoing basis, monitor developments in third countries and international_organisations that could affect the functioning of decisions adopted pursuant to paragraph 3 of this Article and decisions adopted on the basis of Article 25(6) of Directive 95/46/EC.

5. The Commission shall, where available information reveals, in particular following the review referred to in paragraph 3 of this Article, that a third country, a territory or one or more specified sectors within a third country, or an international_organisation no longer ensures an adequate level of protection within the meaning of paragraph 2 of this Article, to the extent necessary, repeal, amend or suspend the decision referred to in paragraph 3 of this Article by means of implementing acts without retro-active effect. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

On duly justified imperative grounds of urgency, the Commission shall adopt immediately applicable implementing acts in accordance with the procedure referred to in Article 93(3).

6. The Commission shall enter into consultations with the third country or international_organisation with a view to remedying the situation giving rise to the decision made pursuant to paragraph 5.

7. A decision pursuant to paragraph 5 of this Article is without prejudice to transfers of personal_data to the third country, a territory or one or more specified sectors within that third country, or the international_organisation in question pursuant to Articles 46 to 49.

8. The Commission shall publish in the Official Journal of the European Union and on its website a list of the third countries, territories and specified sectors within a third country and international_organisations for which it has decided that an adequate level of protection is or is no longer ensured.

9. Decisions adopted by the Commission on the basis of Article 25(6) of Directive 95/46/EC shall remain in force until amended, replaced or repealed by a Commission Decision adopted in accordance with paragraph 3 or 5 of this Article.

Article 49

Derogations for specific situations

1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding_corporate_rules, a transfer or a set of transfers of personal_data to a third country or an international_organisation shall take place only on one of the following conditions:

(a)	the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;

(b)	the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;

(c)	the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;

(d)	the transfer is necessary for important reasons of public interest;

(e)	the transfer is necessary for the establishment, exercise or defence of legal claims;

(f)	the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;

(g)

the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.

Where a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding_corporate_rules, and none of the derogations for a specific situation referred to in the first subparagraph of this paragraph is applicable, a transfer to a third country or an international_organisation may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal_data. The controller shall inform the supervisory_authority of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and on the compelling legitimate interests pursued.

2. A transfer pursuant to point (g) of the first subparagraph of paragraph 1 shall not involve the entirety of the personal_data or entire categories of the personal_data contained in the register. Where the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.

3. Points (a), (b) and (c) of the first subparagraph of paragraph 1 and the second subparagraph thereof shall not apply to activities carried out by public authorities in the exercise of their public powers.

4. The public interest referred to in point (d) of the first subparagraph of paragraph 1 shall be recognised in Union law or in the law of the Member State to which the controller is subject.

5. In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of personal_data to a third country or an international_organisation. Member States shall notify such provisions to the Commission.

6. The controller or processor shall document the assessment as well as the suitable safeguards referred to in the second subparagraph of paragraph 1 of this Article in the records referred to in Article 30.

Article 57

Tasks

1. Without prejudice to other tasks set out under this Regulation, each supervisory_authority shall on its territory:

(a)	monitor and enforce the application of this Regulation;

(b)	promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children shall receive specific attention;

(c)	advise, in accordance with Member State law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to processing;

(d)	promote the awareness of controllers and processors of their obligations under this Regulation;

(e)	upon request, provide information to any data subject concerning the exercise of their rights under this Regulation and, if appropriate, cooperate with the supervisory authorities in other Member States to that end;

(f)

handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory_authority is necessary;

(g)	cooperate with, including sharing information and provide mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of this Regulation;

(h)	conduct investigations on the application of this Regulation, including on the basis of information received from another supervisory_authority or other public authority;

(i)	monitor relevant developments, insofar as they have an impact on the protection of personal_data, in particular the development of information and communication technologies and commercial practices;

(j)	adopt standard contractual clauses referred to in Article 28(8) and in point (d) of Article 46(2);

(k)	establish and maintain a list in relation to the requirement for data protection impact assessment pursuant to Article 35(4);

(l)	give advice on the processing operations referred to in Article 36(2);

(m)	encourage the drawing up of codes of conduct pursuant to Article 40(1) and provide an opinion and approve such codes of conduct which provide sufficient safeguards, pursuant to Article 40(5);

(n)	encourage the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Article 42(1), and approve the criteria of certification pursuant to Article 42(5);

(o)	where applicable, carry out a periodic review of certifications issued in accordance with Article 42(7);

(p)	draft and publish the criteria for accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;

(q)	conduct the accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;

(r)	authorise contractual clauses and provisions referred to in Article 46(3);

(s)	approve binding_corporate_rules pursuant to Article 47;

(t)	contribute to the activities of the Board;

(u)	keep internal records of infringements of this Regulation and of measures taken in accordance with Article 58(2); and

(v)	fulfil any other tasks related to the protection of personal_data.

2. Each supervisory_authority shall facilitate the submission of complaints referred to in point (f) of paragraph 1 by measures such as a complaint submission form which can also be completed electronically, without excluding other means of communication.

3. The performance of the tasks of each supervisory_authority shall be free of charge for the data subject and, where applicable, for the data protection officer.

4. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the supervisory_authority may charge a reasonable fee based on administrative costs, or refuse to act on the request. The supervisory_authority shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

Article 83

General conditions for imposing administrative fines

1. Each supervisory_authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.

2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:

(a)	the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

(b)	the intentional or negligent character of the infringement;

(c)	any action taken by the controller or processor to mitigate the damage suffered by data subjects;

(d)	the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;

(e)	any relevant previous infringements by the controller or processor;

(f)	the degree of cooperation with the supervisory_authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

(g)	the categories of personal_data affected by the infringement;

(h)	the manner in which the infringement became known to the supervisory_authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

(i)	where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;

(j)	adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

(k)	any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

3. If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.

4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

(a)	the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;

(b)	the obligations of the certification body pursuant to Articles 42 and 43;

(c)	the obligations of the monitoring body pursuant to Article 41(4).

5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

(a)	the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;

(b)	the data subjects' rights pursuant to Articles 12 to 22;

(c)	the transfers of personal_data to a recipient in a third country or an international_organisation pursuant to Articles 44 to 49;

(d)	any obligations pursuant to Member State law adopted under Chapter IX;

(e)	non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory_authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).

6. Non-compliance with an order by the supervisory_authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

7. Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.

8. The exercise by the supervisory_authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process.

9. Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent supervisory_authority and imposed by competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. Those Member States shall notify to the Commission the provisions of their laws which they adopt pursuant to this paragraph by 25 May 2018 and, without delay, any subsequent amendment law or amendment affecting them.

whereas

(10) In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal_data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States.
Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal_data should be ensured throughout the Union.
Regarding the processing of personal_data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation.
In conjunction with the general and horizontal law on data protection implementing Directive 95/46/EC, Member States have several sector-specific laws in areas that need more specific provisions.
This Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal_data (‘sensitive data’).
To that extent, this Regulation does not exclude Member State law that sets out the circumstances for specific processing situations, including determining more precisely the conditions under which the processing of personal_data is lawful.

- = -

(33) It is often not possible to fully identify the purpose of personal_data processing for scientific research purposes at the time of data collection.
Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research.
Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.

- = -

(39) Any processing of personal_data should be lawful and fair.
It should be transparent to natural persons that personal_data concerning them are collected, used, consulted or otherwise processed and to what extent the personal_data are or will be processed.
The principle of transparency requires that any information and communication relating to the processing of those personal_data be easily accessible and easy to understand, and that clear and plain language be used.
That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal_data concerning them which are being processed.
Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal_data and how to exercise their rights in relation to such processing.
In particular, the specific purposes for which personal_data are processed should be explicit and legitimate and determined at the time of the collection of the personal_data.
The personal_data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed.
This requires, in particular, ensuring that the period for which the personal_data are stored is limited to a strict minimum.
Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means.
In order to ensure that the personal_data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.
Every reasonable step should be taken to ensure that personal_data which are inaccurate are rectified or deleted.
Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal_data, including for preventing unauthorised access to or use of personal_data and the equipment used for the processing.

- = -

(42) Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.
In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given.
In accordance with Council Directive 93/13/EEC (10) a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms.
For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal_data are intended.
Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

- = -

(49) The processing of personal_data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e.
the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal_data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned.
This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.

- = -

(68) To further strengthen the control over his or her own data, where the processing of personal_data is carried out by automated means, the data subject should also be allowed to receive personal_data concerning him or her which he or she has provided to a controller in a structured, commonly used, machine-readable and interoperable format, and to transmit it to another controller.
Data controllers should be encouraged to develop interoperable formats that enable data portability.
That right should apply where the data subject provided the personal_data on the basis of his or her consent or the processing is necessary for the performance of a contract.
It should not apply where processing is based on a legal ground other than consent or contract.
By its very nature, that right should not be exercised against controllers processing personal_data in the exercise of their public duties.
It should therefore not apply where the processing of the personal_data is necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller.
The data subject's right to transmit or receive personal_data concerning him or her should not create an obligation for the controllers to adopt or maintain processing systems which are technically compatible.
Where, in a certain set of personal_data, more than one data subject is concerned, the right to receive the personal_data should be without prejudice to the rights and freedoms of other data subjects in accordance with this Regulation.
Furthermore, that right should not prejudice the right of the data subject to obtain the erasure of personal_data and the limitations of that right as set out in this Regulation and should, in particular, not imply the erasure of personal_data concerning the data subject which have been provided by him or her for the performance of a contract to the extent that and for as long as the personal_data are necessary for the performance of that contract.
Where technically feasible, the data subject should have the right to have the personal_data transmitted directly from one controller to another.

- = -

(70) Where personal_data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge.
That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.

- = -

(94) Where a data protection impact assessment indicates that the processing would, in the absence of safeguards, security measures and mechanisms to mitigate the risk, result in a high risk to the rights and freedoms of natural persons and the controller is of the opinion that the risk cannot be mitigated by reasonable means in terms of available technologies and costs of implementation, the supervisory_authority should be consulted prior to the start of processing activities.
Such high risk is likely to result from certain types of processing and the extent and frequency of processing, which may result also in a realisation of damage or interference with the rights and freedoms of the natural person.
The supervisory_authority should respond to the request for consultation within a specified period.
However, the absence of a reaction of the supervisory_authority within that period should be without prejudice to any intervention of the supervisory_authority in accordance with its tasks and powers laid down in this Regulation, including the power to prohibit processing operations.
As part of that consultation process, the outcome of a data protection impact assessment carried out with regard to the processing at issue may be submitted to the supervisory_authority, in particular the measures envisaged to mitigate the risk to the rights and freedoms of natural persons.

- = -

(141) Every data subject should have the right to lodge a complaint with a single supervisory_authority, in particular in the Member State of his or her habitual residence, and the right to an effective judicial remedy in accordance with Article 47 of the Charter if the data subject considers that his or her rights under this Regulation are infringed or where the supervisory_authority does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject.
The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case.
The supervisory_authority should inform the data subject of the progress and the outcome of the complaint within a reasonable period.
If the case requires further investigation or coordination with another supervisory_authority, intermediate information should be given to the data subject.
In order to facilitate the submission of complaints, each supervisory_authority should take measures such as providing a complaint submission form which can also be completed electronically, without excluding other means of communication.

- = -

(150) In order to strengthen and harmonise administrative penalties for infringements of this Regulation, each supervisory_authority should have the power to impose administrative fines.
This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent supervisory_authority in each individual case, taking into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement.
Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes.
Where administrative fines are imposed on persons that are not an undertaking, the supervisory_authority should take account of the general level of income in the Member State as well as the economic situation of the person in considering the appropriate amount of the fine.
The consistency mechanism may also be used to promote a consistent application of administrative fines.
It should be for the Member States to determine whether and to which extent public authorities should be subject to administrative fines.
Imposing an administrative fine or giving a warning does not affect the application of other powers of the supervisory authorities or of other penalties under this Regulation.

- = -

dal 2004 diritto e informatica