interactive GDPR 2016/0679 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- personal data
- processing
- restriction of processing
- profiling
- pseudonymisation
- filing system
- controller
- processor
- recipient
- third party
- consent
- personal data breach
- genetic data
- biometric data
- data concerning health
- main establishment
- representative
- enterprise
- group of undertakings
- binding corporate rules
- supervisory authority
- supervisory authority concerned
- cross-border processing
- relevant and reasoned objection
- information society service
- international organisation
- article 38
- pursuant 31
- shall 26
- article 23
- referred 23
- regulation 20
- issue 19
- protection 19
- data 18
- accordance 17
- personal_data 16
- certification 16
- supervisory_authority 15
- authorities 14
- member 12
- provide 12
- practices 12
- controller 12
- supervisory 12
- commission 11
- best 11
- guidelines 11
- board 10
- order 10
- processing 10
- recommendations 10
- processor 10
- application 9
- conduct 9
- including 9
- have 9
- information 8
- paragraph 8
- tasks 8
- third 8
- body 8
- state 7
- request 7
- appropriate 7
- each 7
- subject 7
- codes 7
- measures 6
- public 6
- bodies 6
- criteria 6
- approve 6
- the 6
- requirements 6
- country 6
Article 53
General conditions for the members of the supervisory_authority
1. Member States shall provide for each member of their supervisory authorities to be appointed by means of a transparent procedure by:
| — | their parliament; |
| — | their government; |
| — | their head of State; or |
| — | an independent body entrusted with the appointment under Member State law. |
2. Each member shall have the qualifications, experience and skills, in particular in the area of the protection of personal_data, required to perform its duties and exercise its powers.
3. The duties of a member shall end in the event of the expiry of the term of office, resignation or compulsory retirement, in accordance with the law of the Member State concerned.
4. A member shall be dismissed only in cases of serious misconduct or if the member no longer fulfils the conditions required for the performance of the duties.
Article 57
Tasks
1. Without prejudice to other tasks set out under this Regulation, each supervisory_authority shall on its territory:
| (a) | monitor and enforce the application of this Regulation; |
| (b) | promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children shall receive specific attention; |
| (c) | advise, in accordance with Member State law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to processing; |
| (d) | promote the awareness of controllers and processors of their obligations under this Regulation; |
| (e) | upon request, provide information to any data subject concerning the exercise of their rights under this Regulation and, if appropriate, cooperate with the supervisory authorities in other Member States to that end; |
| (f) | handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory_authority is necessary; |
| (g) | cooperate with, including sharing information and provide mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of this Regulation; |
| (h) | conduct investigations on the application of this Regulation, including on the basis of information received from another supervisory_authority or other public authority; |
| (i) | monitor relevant developments, insofar as they have an impact on the protection of personal_data, in particular the development of information and communication technologies and commercial practices; |
| (j) | adopt standard contractual clauses referred to in Article 28(8) and in point (d) of Article 46(2); |
| (k) | establish and maintain a list in relation to the requirement for data protection impact assessment pursuant to Article 35(4); |
| (l) | give advice on the processing operations referred to in Article 36(2); |
| (m) | encourage the drawing up of codes of conduct pursuant to Article 40(1) and provide an opinion and approve such codes of conduct which provide sufficient safeguards, pursuant to Article 40(5); |
| (n) | encourage the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Article 42(1), and approve the criteria of certification pursuant to Article 42(5); |
| (o) | where applicable, carry out a periodic review of certifications issued in accordance with Article 42(7); |
| (p) | draft and publish the criteria for accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43; |
| (q) | conduct the accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43; |
| (r) | authorise contractual clauses and provisions referred to in Article 46(3); |
| (s) | approve binding_corporate_rules pursuant to Article 47; |
| (t) | contribute to the activities of the Board; |
| (u) | keep internal records of infringements of this Regulation and of measures taken in accordance with Article 58(2); and |
| (v) | fulfil any other tasks related to the protection of personal_data. |
2. Each supervisory_authority shall facilitate the submission of complaints referred to in point (f) of paragraph 1 by measures such as a complaint submission form which can also be completed electronically, without excluding other means of communication.
3. The performance of the tasks of each supervisory_authority shall be free of charge for the data subject and, where applicable, for the data protection officer.
4. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the supervisory_authority may charge a reasonable fee based on administrative costs, or refuse to act on the request. The supervisory_authority shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
Article 58
Powers
1. Each supervisory_authority shall have all of the following investigative powers:
| (a) | to order the controller and the processor, and, where applicable, the controller's or the processor's representative to provide any information it requires for the performance of its tasks; |
| (b) | to carry out investigations in the form of data protection audits; |
| (c) | to carry out a review on certifications issued pursuant to Article 42(7); |
| (d) | to notify the controller or the processor of an alleged infringement of this Regulation; |
| (e) | to obtain, from the controller and the processor, access to all personal_data and to all information necessary for the performance of its tasks; |
| (f) | to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law. |
2. Each supervisory_authority shall have all of the following corrective powers:
| (a) | to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation; |
| (b) | to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation; |
| (c) | to order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation; |
| (d) | to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period; |
| (e) | to order the controller to communicate a personal_data breach to the data subject; |
| (f) | to impose a temporary or definitive limitation including a ban on processing; |
| (g) | to order the rectification or erasure of personal_data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal_data have been disclosed pursuant to Article 17(2) and Article 19; |
| (h) | to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met; |
| (i) | to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case; |
| (j) | to order the suspension of data flows to a recipient in a third country or to an international_organisation. |
3. Each supervisory_authority shall have all of the following authorisation and advisory powers:
| (a) | to advise the controller in accordance with the prior consultation procedure referred to in Article 36; |
| (b) | to issue, on its own initiative or on request, opinions to the national parliament, the Member State government or, in accordance with Member State law, to other institutions and bodies as well as to the public on any issue related to the protection of personal_data; |
| (c) | to authorise processing referred to in Article 36(5), if the law of the Member State requires such prior authorisation; |
| (d) | to issue an opinion and approve draft codes of conduct pursuant to Article 40(5); |
| (e) | to accredit certification bodies pursuant to Article 43; |
| (f) | to issue certifications and approve criteria of certification in accordance with Article 42(5); |
| (g) | to adopt standard data protection clauses referred to in Article 28(8) and in point (d) of Article 46(2); |
| (h) | to authorise contractual clauses referred to in point (a) of Article 46(3); |
| (i) | to authorise administrative arrangements referred to in point (b) of Article 46(3); |
| (j) | to approve binding_corporate_rules pursuant to Article 47. |
4. The exercise of the powers conferred on the supervisory_authority pursuant to this Article shall be subject to appropriate safeguards, including effective judicial remedy and due process, set out in Union and Member State law in accordance with the Charter.
5. Each Member State shall provide by law that its supervisory_authority shall have the power to bring infringements of this Regulation to the attention of the judicial authorities and where appropriate, to commence or engage otherwise in legal proceedings, in order to enforce the provisions of this Regulation.
6. Each Member State may provide by law that its supervisory_authority shall have additional powers to those referred to in paragraphs 1, 2 and 3. The exercise of those powers shall not impair the effective operation of Chapter VII.
Article 59
Activity reports
Each supervisory_authority shall draw up an annual report on its activities, which may include a list of types of infringement notified and types of measures taken in accordance with Article 58(2). Those reports shall be transmitted to the national parliament, the government and other authorities as designated by Member State law. They shall be made available to the public, to the Commission and to the Board.
CHAPTER VII
Cooperation and consistency
Article 70
Tasks of the Board
1. The Board shall ensure the consistent application of this Regulation. To that end, the Board shall, on its own initiative or, where relevant, at the request of the Commission, in particular:
| (a) | monitor and ensure the correct application of this Regulation in the cases provided for in Articles 64 and 65 without prejudice to the tasks of national supervisory authorities; |
| (b) | advise the Commission on any issue related to the protection of personal_data in the Union, including on any proposed amendment of this Regulation; |
| (c) | advise the Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding_corporate_rules; |
| (d) | issue guidelines, recommendations, and best practices on procedures for erasing links, copies or replications of personal_data from publicly available communication services as referred to in Article 17(2); |
| (e) | examine, on its own initiative, on request of one of its members or on request of the Commission, any question covering the application of this Regulation and issue guidelines, recommendations and best practices in order to encourage consistent application of this Regulation; |
| (f) | issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for further specifying the criteria and conditions for decisions based on profiling pursuant to Article 22(2); |
| (g) | issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing the personal_data breaches and determining the undue delay referred to in Article 33(1) and (2) and for the particular circumstances in which a controller or a processor is required to notify the personal_data breach; |
| (h) | issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph as to the circumstances in which a personal_data breach is likely to result in a high risk to the rights and freedoms of the natural persons referred to in Article 34(1). |
| (i) | issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for personal_data transfers based on binding_corporate_rules adhered to by controllers and binding_corporate_rules adhered to by processors and on further necessary requirements to ensure the protection of personal_data of the data subjects concerned referred to in Article 47; |
| (j) | issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for the personal_data transfers on the basis of Article 49(1); |
| (k) | draw up guidelines for supervisory authorities concerning the application of measures referred to in Article 58(1), (2) and (3) and the setting of administrative fines pursuant to Article 83; |
| (l) | review the practical application of the guidelines, recommendations and best practices referred to in points (e) and (f); |
| (m) | issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing common procedures for reporting by natural persons of infringements of this Regulation pursuant to Article 54(2); |
| (n) | encourage the drawing-up of codes of conduct and the establishment of data protection certification mechanisms and data protection seals and marks pursuant to Articles 40 and 42; |
| (o) | carry out the accreditation of certification bodies and its periodic review pursuant to Article 43 and maintain a public register of accredited bodies pursuant to Article 43(6) and of the accredited controllers or processors established in third countries pursuant to Article 42(7); |
| (p) | specify the requirements referred to in Article 43(3) with a view to the accreditation of certification bodies under Article 42; |
| (q) | provide the Commission with an opinion on the certification requirements referred to in Article 43(8); |
| (r) | provide the Commission with an opinion on the icons referred to in Article 12(7); |
| (s) | provide the Commission with an opinion for the assessment of the adequacy of the level of protection in a third country or international_organisation, including for the assessment whether a third country, a territory or one or more specified sectors within that third country, or an international_organisation no longer ensures an adequate level of protection. To that end, the Commission shall provide the Board with all necessary documentation, including correspondence with the government of the third country, with regard to that third country, territory or specified sector, or with the international_organisation. |
| (t) | issue opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism referred to in Article 64(1), on matters submitted pursuant to Article 64(2) and to issue binding decisions pursuant to Article 65, including in cases referred to in Article 66; |
| (u) | promote the cooperation and the effective bilateral and multilateral exchange of information and best practices between the supervisory authorities; |
| (v) | promote common training programmes and facilitate personnel exchanges between the supervisory authorities and, where appropriate, with the supervisory authorities of third countries or with international_organisations; |
| (w) | promote the exchange of knowledge and documentation on data protection legislation and practice with data protection supervisory authorities worldwide. |
| (x) | issue opinions on codes of conduct drawn up at Union level pursuant to Article 40(9); and |
| (y) | maintain a publicly accessible electronic register of decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism. |
2. Where the Commission requests advice from the Board, it may indicate a time limit, taking into account the urgency of the matter.
3. The Board shall forward its opinions, guidelines, recommendations, and best practices to the Commission and to the committee referred to in Article 93 and make them public.
4. The Board shall, where appropriate, consult interested parties and give them the opportunity to comment within a reasonable period. The Board shall, without prejudice to Article 76, make the results of the consultation procedure publicly available.
whereas
dal 2004 diritto e informatica