interactive GDPR 2016/0679 EN

1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal_data and rules relating to the free movement of personal_data.

2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal_data.

3. The free movement of personal_data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal_data.

Article 4

Definitions

For the purposes of this Regulation:

(1)

‘ personal_data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(2)

‘ processing’ means any operation or set of operations which is performed on personal_data or on sets of personal_data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

(3)	‘restriction of processing’ means the marking of stored personal_data with the aim of limiting their processing in the future;

(4)

‘ profiling’ means any form of automated processing of personal_data consisting of the use of personal_data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

(5)

‘ pseudonymisation’ means the processing of personal_data in such a manner that the personal_data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal_data are not attributed to an identified or identifiable natural person;

(6)	‘ filing_system’ means any structured set of personal_data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

(7)

‘ controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal_data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

(8)	‘ processor’ means a natural or legal person, public authority, agency or other body which processes personal_data on behalf of the controller;

(9)

‘ recipient’ means a natural or legal person, public authority, agency or another body, to which the personal_data are disclosed, whether a third_party or not. However, public authorities which may receive personal_data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

(10)	‘ third_party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal_data;

(11)	‘ consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal_data relating to him or her;

(12)	‘ personal_data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal_data transmitted, stored or otherwise processed;

(13)

‘ genetic_data’ means personal_data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

(14)	‘ biometric_data’ means personal_data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;

(15)	‘ data_concerning_health’ means personal_data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

(16)

‘ main_establishment’ means:

(a)

as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal_data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main_establishment;

(b)

as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;

(17)	‘ representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;

(18)	‘ enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;

(19)	‘ group_of_undertakings’ means a controlling undertaking and its controlled undertakings;

(20)

‘ binding_corporate_rules’ means personal_data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal_data to a controller or processor in one or more third countries within a group_of_undertakings, or group of enterprises engaged in a joint economic activity;

(21)	‘ supervisory_authority’ means an independent public authority which is established by a Member State pursuant to Article 51;

(22)

‘ supervisory_authority concerned’ means a supervisory_authority which is concerned by the processing of personal_data because:

(a)	the controller or processor is established on the territory of the Member State of that supervisory_authority;

(b)	data subjects residing in the Member State of that supervisory_authority are substantially affected or likely to be substantially affected by the processing; or

(c)	a complaint has been lodged with that supervisory_authority;

(23)

‘cross-border processing’ means either:

(a)	processing of personal_data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or

(b)	processing of personal_data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

(24)

‘ relevant_and_reasoned_objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal_data within the Union;

(25)	‘ information_society_service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council (19);

(26)	‘ international_organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

CHAPTER II

Principles

Article 5

Principles relating to processing of personal_data

1. Personal data shall be:

(a)	processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

(b)

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

(c)	adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

(d)	accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal_data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

(e)

kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal_data are processed; personal_data may be stored for longer periods insofar as the personal_data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

(f)	processed in a manner that ensures appropriate security of the personal_data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

Article 6

Lawfulness of processing

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a)	the data subject has given consent to the processing of his or her personal_data for one or more specific purposes;

(b)	processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c)	processing is necessary for compliance with a legal obligation to which the controller is subject;

(d)	processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e)	processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f)

processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third_party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal_data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.

3. The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:

(a)	Union law; or

(b)	Member State law to which the controller is subject.

The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal_data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.

4. Where the processing for a purpose other than that for which the personal_data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal_data are initially collected, take into account, inter alia:

(a)	any link between the purposes for which the personal_data have been collected and the purposes of the intended further processing;

(b)	the context in which the personal_data have been collected, in particular regarding the relationship between data subjects and the controller;

(c)	the nature of the personal_data, in particular whether special categories of personal_data are processed, pursuant to Article 9, or whether personal_data related to criminal convictions and offences are processed, pursuant to Article 10;

(d)	the possible consequences of the intended further processing for data subjects;

(e)	the existence of appropriate safeguards, which may include encryption or pseudonymisation.

Article 9

Processing of special categories of personal_data

1. Processing of personal_data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic_data, biometric_data for the purpose of uniquely identifying a natural person, data_concerning_health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

2. Paragraph 1 shall not apply if one of the following applies:

(a)	the data subject has given explicit consent to the processing of those personal_data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

(b)

processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

(c)	processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

(d)

processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal_data are not disclosed outside that body without the consent of the data subjects;

(e)	processing relates to personal_data which are manifestly made public by the data subject;

(f)	processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

(g)

processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

(h)

processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

(i)

processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

(j)

processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic_data, biometric_data or data_concerning_health.

Article 10

Processing of personal_data relating to criminal convictions and offences

Processing of personal_data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.

Article 14

Information to be provided where personal_data have not been obtained from the data subject

1. Where personal_data have not been obtained from the data subject, the controller shall provide the data subject with the following information:

(a)	the identity and the contact details of the controller and, where applicable, of the controller's representative;

(b)	the contact details of the data protection officer, where applicable;

(c)	the purposes of the processing for which the personal_data are intended as well as the legal basis for the processing;

(d)	the categories of personal_data concerned;

(e)	the recipients or categories of recipients of the personal_data, if any;

(f)

where applicable, that the controller intends to transfer personal_data to a recipient in a third country or international_organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.

2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:

(a)	the period for which the personal_data will be stored, or if that is not possible, the criteria used to determine that period;

(b)	where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third_party;

(c)	the existence of the right to request from the controller access to and rectification or erasure of personal_data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability;

(d)	where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

(e)	the right to lodge a complaint with a supervisory_authority;

(f)	from which source the personal_data originate, and if applicable, whether it came from publicly accessible sources;

(g)	the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

3. The controller shall provide the information referred to in paragraphs 1 and 2:

(a)	within a reasonable period after obtaining the personal_data, but at the latest within one month, having regard to the specific circumstances in which the personal_data are processed;

(b)	if the personal_data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or

(c)	if a disclosure to another recipient is envisaged, at the latest when the personal_data are first disclosed.

4. Where the controller intends to further process the personal_data for a purpose other than that for which the personal_data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.

5. Paragraphs 1 to 4 shall not apply where and insofar as:

(a)	the data subject already has the information;

(b)

the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available;

(c)	obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests; or

(d)	where the personal_data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.

Article 15

Right of access by the data subject

1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal_data concerning him or her are being processed, and, where that is the case, access to the personal_data and the following information:

(a)	the purposes of the processing;

(b)	the categories of personal_data concerned;

(c)	the recipients or categories of recipient to whom the personal_data have been or will be disclosed, in particular recipients in third countries or international_organisations;

(d)	where possible, the envisaged period for which the personal_data will be stored, or, if not possible, the criteria used to determine that period;

(e)	the existence of the right to request from the controller rectification or erasure of personal_data or restriction of processing of personal_data concerning the data subject or to object to such processing;

(f)	the right to lodge a complaint with a supervisory_authority;

(g)	where the personal_data are not collected from the data subject, any available information as to their source;

(h)	the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

2. Where personal_data are transferred to a third country or to an international_organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

3. The controller shall provide a copy of the personal_data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

Section 3

Rectification and erasure

Article 20

Right to data portability

1. The data subject shall have the right to receive the personal_data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal_data have been provided, where:

(a)	the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and

(b)	the processing is carried out by automated means.

2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal_data transmitted directly from one controller to another, where technically feasible.

3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

Section 4

Right to object and automated individual decision-making

Article 21

Right to object

1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal_data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal_data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

2. Where personal_data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal_data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

3. Where the data subject objects to processing for direct marketing purposes, the personal_data shall no longer be processed for such purposes.

4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

5. In the context of the use of information_society_services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

6. Where personal_data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal_data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Article 22

Automated individual decision-making, including profiling

1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

2. Paragraph 1 shall not apply if the decision:

(a)	is necessary for entering into, or performance of, a contract between the data subject and a data controller;

(b)	is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or

(c)	is based on the data subject's explicit consent.

3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

4. Decisions referred to in paragraph 2 shall not be based on special categories of personal_data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.

Section 5

Restrictions

Article 23

Restrictions

1. Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

(a)	national security;

(b)

defence;

(c)	public security;

(d)	the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;

(e)	other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation a matters, public health and social security;

(f)	the protection of judicial independence and judicial proceedings;

(g)	the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

(h)	a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);

(i)	the protection of the data subject or the rights and freedoms of others;

(j)	the enforcement of civil law claims.

2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:

(a)	the purposes of the processing or categories of processing;

(b)	the categories of personal_data;

(c)	the scope of the restrictions introduced;

(d)	the safeguards to prevent abuse or unlawful access or transfer;

(e)	the specification of the controller or categories of controllers;

(f)	the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;

(g)	the risks to the rights and freedoms of data subjects; and

(h)	the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.

CHAPTER IV

Controller and processor

Section 1

General obligations

Article 24

Responsibility of the controller

1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.

3. Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.

Article 25

Data protection by design and by default

1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal_data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal_data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal_data are not made accessible without the individual's intervention to an indefinite number of natural persons.

3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.

Article 27

Representatives of controllers or processors not established in the Union

1. Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.

2. The obligation laid down in paragraph 1 of this Article shall not apply to:

(a)

processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal_data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or

(b)	a public authority or body.

3. The representative shall be established in one of the Member States where the data subjects, whose personal_data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.

4. The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.

5. The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.

Article 30

Records of processing activities

1. Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

(a)	the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;

(b)	the purposes of the processing;

(c)	a description of the categories of data subjects and of the categories of personal_data;

(d)	the categories of recipients to whom the personal_data have been or will be disclosed including recipients in third countries or international_organisations;

(e)

where applicable, transfers of personal_data to a third country or an international_organisation, including the identification of that third country or international_organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;

(f)	where possible, the envisaged time limits for erasure of the different categories of data;

(g)	where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

2. Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:

(a)	the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer;

(b)	the categories of processing carried out on behalf of each controller;

(c)

(d)	where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

3. The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.

4. The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory_authority on request.

5. The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal_data relating to criminal convictions and offences referred to in Article 10.

Article 32

Security of processing

1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a)	the pseudonymisation and encryption of personal_data;

(b)	the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c)	the ability to restore the availability and access to personal_data in a timely manner in the event of a physical or technical incident;

(d)	a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal_data transmitted, stored or otherwise processed.

3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.

4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal_data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.

Article 33

Notification of a personal_data breach to the supervisory_authority

1. In the case of a personal_data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal_data breach to the supervisory_authority competent in accordance with Article 55, unless the personal_data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory_authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

2. The processor shall notify the controller without undue delay after becoming aware of a personal_data breach.

3. The notification referred to in paragraph 1 shall at least:

(a)	describe the nature of the personal_data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal_data records concerned;

(b)	communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

(c)	describe the likely consequences of the personal_data breach;

(d)	describe the measures taken or proposed to be taken by the controller to address the personal_data breach, including, where appropriate, measures to mitigate its possible adverse effects.

4. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

5. The controller shall document any personal_data breaches, comprising the facts relating to the personal_data breach, its effects and the remedial action taken. That documentation shall enable the supervisory_authority to verify compliance with this Article.

Article 34

Communication of a personal_data breach to the data subject

1. When the personal_data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal_data breach to the data subject without undue delay.

2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal_data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).

3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:

(a)

the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal_data affected by the personal_data breach, in particular those that render the personal_data unintelligible to any person who is not authorised to access it, such as encryption;

(b)	the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;

(c)	it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

4. If the controller has not already communicated the personal_data breach to the data subject, the supervisory_authority, having considered the likelihood of the personal_data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.

Section 3

Data protection impact assessment and prior consultation

Article 35

Data protection impact assessment

1. Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal_data. A single assessment may address a set of similar processing operations that present similar high risks.

2. The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.

3. A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:

(a)	a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;

(b)	processing on a large scale of special categories of data referred to in Article 9(1), or of personal_data relating to criminal convictions and offences referred to in Article 10; or

(c)	a systematic monitoring of a publicly accessible area on a large scale.

4. The supervisory_authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1. The supervisory_authority shall communicate those lists to the Board referred to in Article 68.

5. The supervisory_authority may also establish and make public a list of the kind of processing operations for which no data protection impact assessment is required. The supervisory_authority shall communicate those lists to the Board.

6. Prior to the adoption of the lists referred to in paragraphs 4 and 5, the competent supervisory_authority shall apply the consistency mechanism referred to in Article 63 where such lists involve processing activities which are related to the offering of goods or services to data subjects or to the monitoring of their behaviour in several Member States, or may substantially affect the free movement of personal_data within the Union.

7. The assessment shall contain at least:

(a)	a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;

(b)	an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

(c)	an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and

(d)	the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal_data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.

8. Compliance with approved codes of conduct referred to in Article 40 by the relevant controllers or processors shall be taken into due account in assessing the impact of the processing operations performed by such controllers or processors, in particular for the purposes of a data protection impact assessment.

9. Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.

10. Where processing pursuant to point (c) or (e) of Article 6(1) has a legal basis in Union law or in the law of the Member State to which the controller is subject, that law regulates the specific processing operation or set of operations in question, and a data protection impact assessment has already been carried out as part of a general impact assessment in the context of the adoption of that legal basis, paragraphs 1 to 7 shall not apply unless Member States deem it to be necessary to carry out such an assessment prior to processing activities.

11. Where necessary, the controller shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations.

Article 36

Prior consultation

1. The controller shall consult the supervisory_authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.

2. Where the supervisory_authority is of the opinion that the intended processing referred to in paragraph 1 would infringe this Regulation, in particular where the controller has insufficiently identified or mitigated the risk, the supervisory_authority shall, within period of up to eight weeks of receipt of the request for consultation, provide written advice to the controller and, where applicable to the processor, and may use any of its powers referred to in Article 58. That period may be extended by six weeks, taking into account the complexity of the intended processing. The supervisory_authority shall inform the controller and, where applicable, the processor, of any such extension within one month of receipt of the request for consultation together with the reasons for the delay. Those periods may be suspended until the supervisory_authority has obtained information it has requested for the purposes of the consultation.

3. When consulting the supervisory_authority pursuant to paragraph 1, the controller shall provide the supervisory_authority with:

(a)	where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group_of_undertakings;

(b)	the purposes and means of the intended processing;

(c)	the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to this Regulation;

(d)	where applicable, the contact details of the data protection officer;

(e)	the data protection impact assessment provided for in Article 35; and

(f)	any other information requested by the supervisory_authority.

4. Member States shall consult the supervisory_authority during the preparation of a proposal for a legislative measure to be adopted by a national parliament, or of a regulatory measure based on such a legislative measure, which relates to processing.

5. Notwithstanding paragraph 1, Member State law may require controllers to consult with, and obtain prior authorisation from, the supervisory_authority in relation to processing by a controller for the performance of a task carried out by the controller in the public interest, including processing in relation to social protection and public health.

Section 4

Data protection officer

Article 45

Transfers on the basis of an adequacy decision

1. A transfer of personal_data to a third country or an international_organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international_organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.

2. When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:

(a)

the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal_data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal_data to another third country or international_organisation which are complied with in that country or international_organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal_data are being transferred;

(b)

the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international_organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States; and

(c)

the international commitments the third country or international_organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal_data.

3. The Commission, after assessing the adequacy of the level of protection, may decide, by means of implementing act, that a third country, a territory or one or more specified sectors within a third country, or an international_organisation ensures an adequate level of protection within the meaning of paragraph 2 of this Article. The implementing act shall provide for a mechanism for a periodic review, at least every four years, which shall take into account all relevant developments in the third country or international_organisation. The implementing act shall specify its territorial and sectoral application and, where applicable, identify the supervisory_authority or authorities referred to in point (b) of paragraph 2 of this Article. The implementing act shall be adopted in accordance with the examination procedure referred to in Article 93(2).

4. The Commission shall, on an ongoing basis, monitor developments in third countries and international_organisations that could affect the functioning of decisions adopted pursuant to paragraph 3 of this Article and decisions adopted on the basis of Article 25(6) of Directive 95/46/EC.

5. The Commission shall, where available information reveals, in particular following the review referred to in paragraph 3 of this Article, that a third country, a territory or one or more specified sectors within a third country, or an international_organisation no longer ensures an adequate level of protection within the meaning of paragraph 2 of this Article, to the extent necessary, repeal, amend or suspend the decision referred to in paragraph 3 of this Article by means of implementing acts without retro-active effect. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

On duly justified imperative grounds of urgency, the Commission shall adopt immediately applicable implementing acts in accordance with the procedure referred to in Article 93(3).

6. The Commission shall enter into consultations with the third country or international_organisation with a view to remedying the situation giving rise to the decision made pursuant to paragraph 5.

7. A decision pursuant to paragraph 5 of this Article is without prejudice to transfers of personal_data to the third country, a territory or one or more specified sectors within that third country, or the international_organisation in question pursuant to Articles 46 to 49.

8. The Commission shall publish in the Official Journal of the European Union and on its website a list of the third countries, territories and specified sectors within a third country and international_organisations for which it has decided that an adequate level of protection is or is no longer ensured.

9. Decisions adopted by the Commission on the basis of Article 25(6) of Directive 95/46/EC shall remain in force until amended, replaced or repealed by a Commission Decision adopted in accordance with paragraph 3 or 5 of this Article.

Article 49

Derogations for specific situations

1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding_corporate_rules, a transfer or a set of transfers of personal_data to a third country or an international_organisation shall take place only on one of the following conditions:

(a)	the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;

(b)	the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;

(c)	the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;

(d)	the transfer is necessary for important reasons of public interest;

(e)	the transfer is necessary for the establishment, exercise or defence of legal claims;

(f)	the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;

(g)

the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.

Where a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding_corporate_rules, and none of the derogations for a specific situation referred to in the first subparagraph of this paragraph is applicable, a transfer to a third country or an international_organisation may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal_data. The controller shall inform the supervisory_authority of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and on the compelling legitimate interests pursued.

2. A transfer pursuant to point (g) of the first subparagraph of paragraph 1 shall not involve the entirety of the personal_data or entire categories of the personal_data contained in the register. Where the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.

3. Points (a), (b) and (c) of the first subparagraph of paragraph 1 and the second subparagraph thereof shall not apply to activities carried out by public authorities in the exercise of their public powers.

4. The public interest referred to in point (d) of the first subparagraph of paragraph 1 shall be recognised in Union law or in the law of the Member State to which the controller is subject.

5. In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of personal_data to a third country or an international_organisation. Member States shall notify such provisions to the Commission.

6. The controller or processor shall document the assessment as well as the suitable safeguards referred to in the second subparagraph of paragraph 1 of this Article in the records referred to in Article 30.

Article 50

International cooperation for the protection of personal_data

In relation to third countries and international_organisations, the Commission and supervisory authorities shall take appropriate steps to:

(a)	develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal_data;

(b)

provide international mutual assistance in the enforcement of legislation for the protection of personal_data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal_data and other fundamental rights and freedoms;

(c)	engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal_data;

(d)	promote the exchange and documentation of personal_data protection legislation and practice, including on jurisdictional conflicts with third countries.

CHAPTER VI

Independent supervisory authorities

Section 1

Independent status

Article 51

Supervisory authority

1. Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal_data within the Union (‘ supervisory_authority’).

2. Each supervisory_authority shall contribute to the consistent application of this Regulation throughout the Union. For that purpose, the supervisory authorities shall cooperate with each other and the Commission in accordance with Chapter VII.

3. Where more than one supervisory_authority is established in a Member State, that Member State shall designate the supervisory_authority which is to represent those authorities in the Board and shall set out the mechanism to ensure compliance by the other authorities with the rules relating to the consistency mechanism referred to in Article 63.

4. Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to this Chapter, by 25 May 2018 and, without delay, any subsequent amendment affecting them.

Article 57

Tasks

1. Without prejudice to other tasks set out under this Regulation, each supervisory_authority shall on its territory:

(a)	monitor and enforce the application of this Regulation;

(b)	promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children shall receive specific attention;

(c)	advise, in accordance with Member State law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to processing;

(d)	promote the awareness of controllers and processors of their obligations under this Regulation;

(e)	upon request, provide information to any data subject concerning the exercise of their rights under this Regulation and, if appropriate, cooperate with the supervisory authorities in other Member States to that end;

(f)

handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory_authority is necessary;

(g)	cooperate with, including sharing information and provide mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of this Regulation;

(h)	conduct investigations on the application of this Regulation, including on the basis of information received from another supervisory_authority or other public authority;

(i)	monitor relevant developments, insofar as they have an impact on the protection of personal_data, in particular the development of information and communication technologies and commercial practices;

(j)	adopt standard contractual clauses referred to in Article 28(8) and in point (d) of Article 46(2);

(k)	establish and maintain a list in relation to the requirement for data protection impact assessment pursuant to Article 35(4);

(l)	give advice on the processing operations referred to in Article 36(2);

(m)	encourage the drawing up of codes of conduct pursuant to Article 40(1) and provide an opinion and approve such codes of conduct which provide sufficient safeguards, pursuant to Article 40(5);

(n)	encourage the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Article 42(1), and approve the criteria of certification pursuant to Article 42(5);

(o)	where applicable, carry out a periodic review of certifications issued in accordance with Article 42(7);

(p)	draft and publish the criteria for accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;

(q)	conduct the accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;

(r)	authorise contractual clauses and provisions referred to in Article 46(3);

(s)	approve binding_corporate_rules pursuant to Article 47;

(t)	contribute to the activities of the Board;

(u)	keep internal records of infringements of this Regulation and of measures taken in accordance with Article 58(2); and

(v)	fulfil any other tasks related to the protection of personal_data.

2. Each supervisory_authority shall facilitate the submission of complaints referred to in point (f) of paragraph 1 by measures such as a complaint submission form which can also be completed electronically, without excluding other means of communication.

3. The performance of the tasks of each supervisory_authority shall be free of charge for the data subject and, where applicable, for the data protection officer.

4. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the supervisory_authority may charge a reasonable fee based on administrative costs, or refuse to act on the request. The supervisory_authority shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

Article 66

Urgency procedure

1. In exceptional circumstances, where a supervisory_authority concerned considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, it may, by way of derogation from the consistency mechanism referred to in Articles 63, 64 and 65 or the procedure referred to in Article 60, immediately adopt provisional measures intended to produce legal effects on its own territory with a specified period of validity which shall not exceed three months. The supervisory_authority shall, without delay, communicate those measures and the reasons for adopting them to the other supervisory authorities concerned, to the Board and to the Commission.

2. Where a supervisory_authority has taken a measure pursuant to paragraph 1 and considers that final measures need urgently be adopted, it may request an urgent opinion or an urgent binding decision from the Board, giving reasons for requesting such opinion or decision.

3. Any supervisory_authority may request an urgent opinion or an urgent binding decision, as the case may be, from the Board where a competent supervisory_authority has not taken an appropriate measure in a situation where there is an urgent need to act, in order to protect the rights and freedoms of data subjects, giving reasons for requesting such opinion or decision, including for the urgent need to act.

4. By derogation from Article 64(3) and Article 65(2), an urgent opinion or an urgent binding decision referred to in paragraphs 2 and 3 of this Article shall be adopted within two weeks by simple majority of the members of the Board.

Article 70

Tasks of the Board

1. The Board shall ensure the consistent application of this Regulation. To that end, the Board shall, on its own initiative or, where relevant, at the request of the Commission, in particular:

(a)	monitor and ensure the correct application of this Regulation in the cases provided for in Articles 64 and 65 without prejudice to the tasks of national supervisory authorities;

(b)	advise the Commission on any issue related to the protection of personal_data in the Union, including on any proposed amendment of this Regulation;

(c)	advise the Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding_corporate_rules;

(d)	issue guidelines, recommendations, and best practices on procedures for erasing links, copies or replications of personal_data from publicly available communication services as referred to in Article 17(2);

(e)	examine, on its own initiative, on request of one of its members or on request of the Commission, any question covering the application of this Regulation and issue guidelines, recommendations and best practices in order to encourage consistent application of this Regulation;

(f)	issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for further specifying the criteria and conditions for decisions based on profiling pursuant to Article 22(2);

(g)

issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing the personal_data breaches and determining the undue delay referred to in Article 33(1) and (2) and for the particular circumstances in which a controller or a processor is required to notify the personal_data breach;

(h)	issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph as to the circumstances in which a personal_data breach is likely to result in a high risk to the rights and freedoms of the natural persons referred to in Article 34(1).

(i)

issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for personal_data transfers based on binding_corporate_rules adhered to by controllers and binding_corporate_rules adhered to by processors and on further necessary requirements to ensure the protection of personal_data of the data subjects concerned referred to in Article 47;

(j)	issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for the personal_data transfers on the basis of Article 49(1);

(k)	draw up guidelines for supervisory authorities concerning the application of measures referred to in Article 58(1), (2) and (3) and the setting of administrative fines pursuant to Article 83;

(l)	review the practical application of the guidelines, recommendations and best practices referred to in points (e) and (f);

(m)	issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing common procedures for reporting by natural persons of infringements of this Regulation pursuant to Article 54(2);

(n)	encourage the drawing-up of codes of conduct and the establishment of data protection certification mechanisms and data protection seals and marks pursuant to Articles 40 and 42;

(o)	carry out the accreditation of certification bodies and its periodic review pursuant to Article 43 and maintain a public register of accredited bodies pursuant to Article 43(6) and of the accredited controllers or processors established in third countries pursuant to Article 42(7);

(p)	specify the requirements referred to in Article 43(3) with a view to the accreditation of certification bodies under Article 42;

(q)	provide the Commission with an opinion on the certification requirements referred to in Article 43(8);

(r)	provide the Commission with an opinion on the icons referred to in Article 12(7);

(s)

provide the Commission with an opinion for the assessment of the adequacy of the level of protection in a third country or international_organisation, including for the assessment whether a third country, a territory or one or more specified sectors within that third country, or an international_organisation no longer ensures an adequate level of protection. To that end, the Commission shall provide the Board with all necessary documentation, including correspondence with the government of the third country, with regard to that third country, territory or specified sector, or with the international_organisation.

(t)	issue opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism referred to in Article 64(1), on matters submitted pursuant to Article 64(2) and to issue binding decisions pursuant to Article 65, including in cases referred to in Article 66;

(u)	promote the cooperation and the effective bilateral and multilateral exchange of information and best practices between the supervisory authorities;

(v)	promote common training programmes and facilitate personnel exchanges between the supervisory authorities and, where appropriate, with the supervisory authorities of third countries or with international_organisations;

(w)	promote the exchange of knowledge and documentation on data protection legislation and practice with data protection supervisory authorities worldwide.

(x)	issue opinions on codes of conduct drawn up at Union level pursuant to Article 40(9); and

(y)	maintain a publicly accessible electronic register of decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.

2. Where the Commission requests advice from the Board, it may indicate a time limit, taking into account the urgency of the matter.

3. The Board shall forward its opinions, guidelines, recommendations, and best practices to the Commission and to the committee referred to in Article 93 and make them public.

4. The Board shall, where appropriate, consult interested parties and give them the opportunity to comment within a reasonable period. The Board shall, without prejudice to Article 76, make the results of the consultation procedure publicly available.

Article 80

Representation of data subjects

1. The data subject shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects' rights and freedoms with regard to the protection of their personal_data to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf where provided for by Member State law.

2. Member States may provide that any body, organisation or association referred to in paragraph 1 of this Article, independently of a data subject's mandate, has the right to lodge, in that Member State, a complaint with the supervisory_authority which is competent pursuant to Article 77 and to exercise the rights referred to in Articles 78 and 79 if it considers that the rights of a data subject under this Regulation have been infringed as a result of the processing.

Article 87

Processing of the national identification number

Member States may further determine the specific conditions for the processing of a national identification number or any other identifier of general application. In that case the national identification number or any other identifier of general application shall be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation.

Article 88

Processing in the context of employment

1. Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees' personal_data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of employer's or customer's property and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.

2. Those rules shall include suitable and specific measures to safeguard the data subject's human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal_data within a group_of_undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the work place.

3. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.

Article 89

Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

1. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.

2. Where personal_data are processed for scientific or historical research purposes or statistical purposes, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18 and 21 subject to the conditions and safeguards referred to in paragraph 1 of this Article in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.

3. Where personal_data are processed for archiving purposes in the public interest, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18, 19, 20 and 21 subject to the conditions and safeguards referred to in paragraph 1 of this Article in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.

4. Where processing referred to in paragraphs 2 and 3 serves at the same time another purpose, the derogations shall apply only to processing for the purposes referred to in those paragraphs.

whereas

(2) The principles of, and rules on the protection of natural persons with regard to the processing of their personal_data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal_data.
This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons.

- = -

(3) Directive 95/46/EC of the European Parliament and of the Council (4) seeks to harmonise the protection of fundamental rights and freedoms of natural persons in respect of processing activities and to ensure the free flow of personal_data between Member States.

- = -

(4) The processing of personal_data should be designed to serve mankind.
The right to the protection of personal_data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.
This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal_data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.

- = -

(9) The objectives and principles of Directive 95/46/EC remain sound, but it has not prevented fragmentation in the implementation of data protection across the Union, legal uncertainty or a widespread public perception that there are significant risks to the protection of natural persons, in particular with regard to online activity.
Differences in the level of protection of the rights and freedoms of natural persons, in particular the right to the protection of personal_data, with regard to the processing of personal_data in the Member States may prevent the free flow of personal_data throughout the Union.
Those differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law.
Such a difference in levels of protection is due to the existence of differences in the implementation and application of Directive 95/46/EC.

- = -

(10) In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal_data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States.
Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal_data should be ensured throughout the Union.
Regarding the processing of personal_data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation.
In conjunction with the general and horizontal law on data protection implementing Directive 95/46/EC, Member States have several sector-specific laws in areas that need more specific provisions.
This Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal_data (‘sensitive data’).
To that extent, this Regulation does not exclude Member State law that sets out the circumstances for specific processing situations, including determining more precisely the conditions under which the processing of personal_data is lawful.

- = -

(16) This Regulation does not apply to issues of protection of fundamental rights and freedoms or the free flow of personal_data related to activities which fall outside the scope of Union law, such as activities concerning national security.
This Regulation does not apply to the processing of personal_data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union.

- = -

(47) The legitimate interests of a controller, including those of a controller to which the personal_data may be disclosed, or of a third_party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.
Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.
At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal_data that processing for that purpose may take place.
The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal_data are processed in circumstances where data subjects do not reasonably expect further processing.
Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal_data, that legal basis should not apply to the processing by public authorities in the performance of their tasks.
The processing of personal_data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned.
The processing of personal_data for direct marketing purposes may be regarded as carried out for a legitimate interest.

- = -

(51) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms.
Those personal_data should include personal_data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races.
The processing of photographs should not systematically be considered to be processing of special categories of personal_data as they are covered by the definition of biometric_data only when processed through a specific technical means allowing the unique identification or authentication of a natural person.
Such personal_data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member States law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing.
Derogations from the general prohibition for processing such special categories of personal_data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.

- = -

(54) The processing of special categories of personal_data may be necessary for reasons of public interest in the areas of public health without consent of the data subject.
Such processing should be subject to suitable and specific measures so as to protect the rights and freedoms of natural persons.
In that context, ‘public health’ should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council (11), namely all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality.
Such processing of data_concerning_health for reasons of public interest should not result in personal_data being processed for other purposes by third parties such as employers or insurance and banking companies.

- = -

(63) A data subject should have the right of access to personal_data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.
This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided.
Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal_data are processed, where possible the period for which the personal_data are processed, the recipients of the personal_data, the logic involved in any automatic personal_data processing and, at least when based on profiling, the consequences of such processing.
Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal_data.
That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software.
However, the result of those considerations should not be a refusal to provide all information to the data subject.
Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.

- = -

(68) To further strengthen the control over his or her own data, where the processing of personal_data is carried out by automated means, the data subject should also be allowed to receive personal_data concerning him or her which he or she has provided to a controller in a structured, commonly used, machine-readable and interoperable format, and to transmit it to another controller.
Data controllers should be encouraged to develop interoperable formats that enable data portability.
That right should apply where the data subject provided the personal_data on the basis of his or her consent or the processing is necessary for the performance of a contract.
It should not apply where processing is based on a legal ground other than consent or contract.
By its very nature, that right should not be exercised against controllers processing personal_data in the exercise of their public duties.
It should therefore not apply where the processing of the personal_data is necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller.
The data subject's right to transmit or receive personal_data concerning him or her should not create an obligation for the controllers to adopt or maintain processing systems which are technically compatible.
Where, in a certain set of personal_data, more than one data subject is concerned, the right to receive the personal_data should be without prejudice to the rights and freedoms of other data subjects in accordance with this Regulation.
Furthermore, that right should not prejudice the right of the data subject to obtain the erasure of personal_data and the limitations of that right as set out in this Regulation and should, in particular, not imply the erasure of personal_data concerning the data subject which have been provided by him or her for the performance of a contract to the extent that and for as long as the personal_data are necessary for the performance of that contract.
Where technically feasible, the data subject should have the right to have the personal_data transmitted directly from one controller to another.

- = -

(69) Where personal_data might lawfully be processed because processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or on grounds of the legitimate interests of a controller or a third_party, a data subject should, nevertheless, be entitled to object to the processing of any personal_data relating to his or her particular situation.
It should be for the controller to demonstrate that its compelling legitimate interest overrides the interests or the fundamental rights and freedoms of the data subject.

- = -

(73) Restrictions concerning specific principles and the rights of information, access to and rectification or erasure of personal_data, the right to data portability, the right to object, decisions based on profiling, as well as the communication of a personal_data breach to a data subject and certain related obligations of the controllers may be imposed by Union or Member State law, as far as necessary and proportionate in a democratic society to safeguard public security, including the protection of human life especially in response to natural or manmade disasters, the prevention, investigation and prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, or of breaches of ethics for regulated professions, other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, the keeping of public registers kept for reasons of general public interest, further processing of archived personal_data to provide specific information related to the political behaviour under former totalitarian state regimes or the protection of the data subject or the rights and freedoms of others, including social protection, public health and humanitarian purposes.
Those restrictions should be in accordance with the requirements set out in the Charter and in the European Convention for the Protection of Human Rights and Fundamental freedoms.

- = -

(74) The responsibility and liability of the controller for any processing of personal_data carried out by the controller or on the controller's behalf should be established.
In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures.
Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.

- = -

(75) The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal_data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal_data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal_data; where personal_data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic_data, data_concerning_health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal_data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal_data and affects a large number of data subjects.

- = -

(76) The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing.
Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.

- = -

(77) Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the processor, especially as regards the identification of the risk related to the processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk, could be provided in particular by means of approved codes of conduct, approved certifications, guidelines provided by the Board or indications provided by a data protection officer.
The Board may also issue guidelines on processing operations that are considered to be unlikely to result in a high risk to the rights and freedoms of natural persons and indicate what measures may be sufficient in such cases to address such risk.

- = -

(78) The protection of the rights and freedoms of natural persons with regard to the processing of personal_data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met.
In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.
Such measures could consist, inter alia, of minimising the processing of personal_data, pseudonymising personal_data as soon as possible, transparency with regard to the functions and processing of personal_data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features.
When developing, designing, selecting and using applications, services and products that are based on the processing of personal_data or process personal_data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations.
The principles of data protection by design and by default should also be taken into consideration in the context of public tenders.

- = -

(79) The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processors, also in relation to the monitoring by and measures of supervisory authorities, requires a clear allocation of the responsibilities under this Regulation, including where a controller determines the purposes and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller.

- = -

(80) Where a controller or a processor not established in the Union is processing personal_data of data subjects who are in the Union whose processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union, or to the monitoring of their behaviour as far as their behaviour takes place within the Union, the controller or the processor should designate a representative, unless the processing is occasional, does not include processing, on a large scale, of special categories of personal_data or the processing of personal_data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing or if the controller is a public authority or body.
The representative should act on behalf of the controller or the processor and may be addressed by any supervisory_authority.
The representative should be explicitly designated by a written mandate of the controller or of the processor to act on its behalf with regard to its obligations under this Regulation.
The designation of such a representative does not affect the responsibility or liability of the controller or of the processor under this Regulation.
Such a representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation.
The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.

- = -

(81) To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing.
The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller.
The carrying-out of processing by a processor should be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal_data and categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk to the rights and freedoms of the data subject.
The controller and processor may choose to use an individual contract or standard contractual clauses which are adopted either directly by the Commission or by a supervisory_authority in accordance with the consistency mechanism and then adopted by the Commission.
After the completion of the processing on behalf of the controller, the processor should, at the choice of the controller, return or delete the personal_data, unless there is a requirement to store the personal_data under Union or Member State law to which the processor is subject.

- = -

(84) In order to enhance compliance with this Regulation where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the controller should be responsible for the carrying-out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk.
The outcome of the assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal_data complies with this Regulation.
Where a data-protection impact assessment indicates that processing operations involve a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation of the supervisory_authority should take place prior to the processing.

- = -

(85) A personal_data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal_data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal_data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.
Therefore, as soon as the controller becomes aware that a personal_data breach has occurred, the controller should notify the personal_data breach to the supervisory_authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal_data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Where such notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification and information may be provided in phases without undue further delay.

- = -

(86) The controller should communicate to the data subject a personal_data breach, without undue delay, where that personal_data breach is likely to result in a high risk to the rights and freedoms of the natural person in order to allow him or her to take the necessary precautions.
The communication should describe the nature of the personal_data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects.
Such communications to data subjects should be made as soon as reasonably feasible and in close cooperation with the supervisory_authority, respecting guidance provided by it or by other relevant authorities such as law-enforcement authorities.
For example, the need to mitigate an immediate risk of damage would call for prompt communication with data subjects whereas the need to implement appropriate measures against continuing or similar personal_data breaches may justify more time for communication.

- = -

(89) Directive 95/46/EC provided for a general obligation to notify the processing of personal_data to the supervisory authorities.
While that obligation produces administrative and financial burdens, it did not in all cases contribute to improving the protection of personal_data.
Such indiscriminate general notification obligations should therefore be abolished, and replaced by effective procedures and mechanisms which focus instead on those types of processing operations which are likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purposes.
Such types of processing operations may be those which in, particular, involve using new technologies, or are of a new kind and where no data protection impact assessment has been carried out before by the controller, or where they become necessary in the light of the time that has elapsed since the initial processing.

- = -

(91) This should in particular apply to large-scale processing operations which aim to process a considerable amount of personal_data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk, for example, on account of their sensitivity, where in accordance with the achieved state of technological knowledge a new technology is used on a large scale as well as to other processing operations which result in a high risk to the rights and freedoms of data subjects, in particular where those operations render it more difficult for data subjects to exercise their rights.
A data protection impact assessment should also be made where personal_data are processed for taking decisions regarding specific natural persons following any systematic and extensive evaluation of personal aspects relating to natural persons based on profiling those data or following the processing of special categories of personal_data, biometric_data, or data on criminal convictions and offences or related security measures.
A data protection impact assessment is equally required for monitoring publicly accessible areas on a large scale, especially when using optic-electronic devices or for any other operations where the competent supervisory_authority considers that the processing is likely to result in a high risk to the rights and freedoms of data subjects, in particular because they prevent data subjects from exercising a right or using a service or a contract, or because they are carried out systematically on a large scale.
The processing of personal_data should not be considered to be on a large scale if the processing concerns personal_data from patients or clients by an individual physician, other health care professional or lawyer.
In such cases, a data protection impact assessment should not be mandatory.

- = -

(94) Where a data protection impact assessment indicates that the processing would, in the absence of safeguards, security measures and mechanisms to mitigate the risk, result in a high risk to the rights and freedoms of natural persons and the controller is of the opinion that the risk cannot be mitigated by reasonable means in terms of available technologies and costs of implementation, the supervisory_authority should be consulted prior to the start of processing activities.
Such high risk is likely to result from certain types of processing and the extent and frequency of processing, which may result also in a realisation of damage or interference with the rights and freedoms of the natural person.
The supervisory_authority should respond to the request for consultation within a specified period.
However, the absence of a reaction of the supervisory_authority within that period should be without prejudice to any intervention of the supervisory_authority in accordance with its tasks and powers laid down in this Regulation, including the power to prohibit processing operations.
As part of that consultation process, the outcome of a data protection impact assessment carried out with regard to the processing at issue may be submitted to the supervisory_authority, in particular the measures envisaged to mitigate the risk to the rights and freedoms of natural persons.

- = -

(98) Associations or other bodies representing categories of controllers or processors should be encouraged to draw up codes of conduct, within the limits of this Regulation, so as to facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors and the specific needs of micro, small and medium enterprises.
In particular, such codes of conduct could calibrate the obligations of controllers and processors, taking into account the risk likely to result from the processing for the rights and freedoms of natural persons.

- = -

(109) The possibility for the controller or processor to use standard data-protection clauses adopted by the Commission or by a supervisory_authority should prevent controllers or processors neither from including the standard data-protection clauses in a wider contract, such as a contract between the processor and another processor, nor from adding other clauses or additional safeguards provided that they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory_authority or prejudice the fundamental rights or freedoms of the data subjects.
Controllers and processors should be encouraged to provide additional safeguards via contractual commitments that supplement standard protection clauses.

- = -

(113) Transfers which can be qualified as not repetitive and that only concern a limited number of data subjects, could also be possible for the purposes of the compelling legitimate interests pursued by the controller, when those interests are not overridden by the interests or rights and freedoms of the data subject and when the controller has assessed all the circumstances surrounding the data transfer.
The controller should give particular consideration to the nature of the personal_data, the purpose and duration of the proposed processing operation or operations, as well as the situation in the country of origin, the third country and the country of final destination, and should provide suitable safeguards to protect fundamental rights and freedoms of natural persons with regard to the processing of their personal_data.
Such transfers should be possible only in residual cases where none of the other grounds for transfer are applicable.
For scientific or historical research purposes or statistical purposes, the legitimate expectations of society for an increase of knowledge should be taken into consideration.
The controller should inform the supervisory_authority and the data subject about the transfer.

- = -

(137) There may be an urgent need to act in order to protect the rights and freedoms of data subjects, in particular when the danger exists that the enforcement of a right of a data subject could be considerably impeded.
A supervisory_authority should therefore be able to adopt duly justified provisional measures on its territory with a specified period of validity which should not exceed three months.

- = -

(156) The processing of personal_data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be subject to appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation.
Those safeguards should ensure that technical and organisational measures are in place in order to ensure, in particular, the principle of data minimisation.
The further processing of personal_data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is to be carried out when the controller has assessed the feasibility to fulfil those purposes by processing data which do not permit or no longer permit the identification of data subjects, provided that appropriate safeguards exist (such as, for instance, pseudonymisation of the data).
Member States should provide for appropriate safeguards for the processing of personal_data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
Member States should be authorised to provide, under specific conditions and subject to appropriate safeguards for data subjects, specifications and derogations with regard to the information requirements and rights to rectification, to erasure, to be forgotten, to restriction of processing, to data portability, and to object when processing personal_data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
The conditions and safeguards in question may entail specific procedures for data subjects to exercise those rights if this is appropriate in the light of the purposes sought by the specific processing along with technical and organisational measures aimed at minimising the processing of personal_data in pursuance of the proportionality and necessity principles.
The processing of personal_data for scientific purposes should also comply with other relevant legislation such as on clinical trials.

- = -

(162) Where personal_data are processed for statistical purposes, this Regulation should apply to that processing.
Union or Member State law should, within the limits of this Regulation, determine statistical content, control of access, specifications for the processing of personal_data for statistical purposes and appropriate measures to safeguard the rights and freedoms of the data subject and for ensuring statistical confidentiality.
Statistical purposes mean any operation of collection and the processing of personal_data necessary for statistical surveys or for the production of statistical results.
Those statistical results may further be used for different purposes, including a scientific research purpose.
The statistical purpose implies that the result of processing for statistical purposes is not personal_data, but aggregate data, and that this result or the personal_data are not used in support of measures or decisions regarding any particular natural person.

- = -

(166) In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal_data and to ensure the free movement of personal_data within the Union, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission.
In particular, delegated acts should be adopted in respect of criteria and requirements for certification mechanisms, information to be presented by standardised icons and procedures for providing such icons.
It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level.
The Commission, when preparing and drawing-up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and to the Council.

- = -

(173) This Regulation should apply to all matters concerning the protection of fundamental rights and freedoms vis-à-vis the processing of personal_data which are not subject to specific obligations with the same objective set out in Directive 2002/58/EC of the European Parliament and of the Council (18), including the obligations on the controller and the rights of natural persons.
In order to clarify the relationship between this Regulation and Directive 2002/58/EC, that Directive should be amended accordingly.
Once this Regulation is adopted, Directive 2002/58/EC should be reviewed in particular in order to ensure consistency with this Regulation,

- = -

dal 2004 diritto e informatica