interactive GDPR 2016/0679 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- personal data
- processing
- restriction of processing
- profiling
- pseudonymisation
- filing system
- controller
- processor
- recipient
- third party
- consent
- personal data breach
- genetic data
- biometric data
- data concerning health
- main establishment
- representative
- enterprise
- group of undertakings
- binding corporate rules
- supervisory authority
- supervisory authority concerned
- cross-border processing
- relevant and reasoned objection
- information society service
- international organisation
- shall 21
- data 19
- supervisory_authority 14
- board 12
- member 11
- protection 10
- binding_corporate_rules 10
- the 9
- tasks 8
- group 7
- group_of_undertakings 7
- engaged 7
- economic 7
- activity 7
- enterprises 7
- joint 7
- accordance 7
- article 6
- processing 6
- which 6
- subject 6
- each 6
- competent 5
- including 5
- european 5
- from 5
- supervisor 5
- secretariat 5
- members 5
- provided 5
- ensure 5
- personal_data 4
- reporting 4
- article 4
- regulation 4
- each 4
- referred 4
- rights 4
- particular 4
- mechanisms 4
- state 4
- staff 4
- subjects 4
- between 3
- transfers 3
- within 3
- compliance 3
- information 3
- appropriate 3
- exercise 3
Article 47
Binding corporate rules
1. The competent supervisory_authority shall approve binding_corporate_rules in accordance with the consistency mechanism set out in Article 63, provided that they:
| (a) | are legally binding and apply to and are enforced by every member concerned of the group_of_undertakings, or group of enterprises engaged in a joint economic activity, including their employees; |
| (b) | expressly confer enforceable rights on data subjects with regard to the processing of their personal_data; and |
| (c) | fulfil the requirements laid down in paragraph 2. |
2. The binding_corporate_rules referred to in paragraph 1 shall specify at least:
| (a) | the structure and contact details of the group_of_undertakings, or group of enterprises engaged in a joint economic activity and of each of its members; |
| (b) | the data transfers or set of transfers, including the categories of personal_data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question; |
| (c) | their legally binding nature, both internally and externally; |
| (d) | the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal_data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding_corporate_rules; |
| (e) | the rights of data subjects in regard to processing and the means to exercise those rights, including the right not to be subject to decisions based solely on automated processing, including profiling in accordance with Article 22, the right to lodge a complaint with the competent supervisory_authority and before the competent courts of the Member States in accordance with Article 79, and to obtain redress and, where appropriate, compensation for a breach of the binding_corporate_rules; |
| (f) | the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding_corporate_rules by any member concerned not established in the Union; the controller or the processor shall be exempt from that liability, in whole or in part, only if it proves that that member is not responsible for the event giving rise to the damage; |
| (g) | how the information on the binding_corporate_rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in addition to Articles 13 and 14; |
| (h) | the tasks of any data protection officer designated in accordance with Article 37 or any other person or entity in charge of the monitoring compliance with the binding_corporate_rules within the group_of_undertakings, or group of enterprises engaged in a joint economic activity, as well as monitoring training and complaint-handling; |
| (i) | the complaint procedures; |
| (j) | the mechanisms within the group_of_undertakings, or group of enterprises engaged in a joint economic activity for ensuring the verification of compliance with the binding_corporate_rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. Results of such verification should be communicated to the person or entity referred to in point (h) and to the board of the controlling undertaking of a group_of_undertakings, or of the group of enterprises engaged in a joint economic activity, and should be available upon request to the competent supervisory_authority; |
| (k) | the mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory_authority; |
| (l) | the cooperation mechanism with the supervisory_authority to ensure compliance by any member of the group_of_undertakings, or group of enterprises engaged in a joint economic activity, in particular by making available to the supervisory_authority the results of verifications of the measures referred to in point (j); |
| (m) | the mechanisms for reporting to the competent supervisory_authority any legal requirements to which a member of the group_of_undertakings, or group of enterprises engaged in a joint economic activity is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding_corporate_rules; and |
| (n) | the appropriate data protection training to personnel having permanent or regular access to personal_data. |
3. The Commission may specify the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding_corporate_rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).
Article 52
Independence
1. Each supervisory_authority shall act with complete independence in performing its tasks and exercising its powers in accordance with this Regulation.
2. The member or members of each supervisory_authority shall, in the performance of their tasks and exercise of their powers in accordance with this Regulation, remain free from external influence, whether direct or indirect, and shall neither seek nor take instructions from anybody.
3. Member or members of each supervisory_authority shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation, whether gainful or not.
4. Each Member State shall ensure that each supervisory_authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers, including those to be carried out in the context of mutual assistance, cooperation and participation in the Board.
5. Each Member State shall ensure that each supervisory_authority chooses and has its own staff which shall be subject to the exclusive direction of the member or members of the supervisory_authority concerned.
6. Each Member State shall ensure that each supervisory_authority is subject to financial control which does not affect its independence and that it has separate, public annual budgets, which may be part of the overall state or national budget.
Article 75
Secretariat
1. The Board shall have a secretariat, which shall be provided by the European Data Protection Supervisor.
2. The secretariat shall perform its tasks exclusively under the instructions of the Chair of the Board.
3. The staff of the European Data Protection Supervisor involved in carrying out the tasks conferred on the Board by this Regulation shall be subject to separate reporting lines from the staff involved in carrying out tasks conferred on the European Data Protection Supervisor.
4. Where appropriate, the Board and the European Data Protection Supervisor shall establish and publish a Memorandum of Understanding implementing this Article, determining the terms of their cooperation, and applicable to the staff of the European Data Protection Supervisor involved in carrying out the tasks conferred on the Board by this Regulation.
5. The secretariat shall provide analytical, administrative and logistical support to the Board.
6. The secretariat shall be responsible in particular for:
| (a) | the day-to-day business of the Board; |
| (b) | communication between the members of the Board, its Chair and the Commission; |
| (c) | communication with other institutions and the public; |
| (d) | the use of electronic means for the internal and external communication; |
| (e) | the translation of relevant information; |
| (f) | the preparation and follow-up of the meetings of the Board; |
| (g) | the preparation, drafting and publication of opinions, decisions on the settlement of disputes between supervisory authorities and other texts adopted by the Board. |
whereas
dal 2004 diritto e informatica