

interactive GDPR 2016/0679 EN


2016/0679 EN, searched: 'high'. Output generated live by software developed by IusOnDemand srl





 

Article 9

Processing of special categories of personal data

1.   Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

2.   Paragraph 1 shall not apply if one of the following applies:

(a)

the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

(b)

processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

(c)

processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

(d)

processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

(e)

processing relates to personal data which are manifestly made public by the data subject;

(f)

processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

(g)

processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

(h)

processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

(i)

processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

(j)

processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

3.   Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

4.   Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.

Article 34

Communication of a personal data breach to the data subject

1.   When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

2.   The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).

3.   The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:

(a)

the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;

(b)

the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;

(c)

it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

4.   If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.

Section 3

Data protection impact assessment and prior consultation

Article 35

Data protection impact assessment

1.   Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

2.   The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.

3.   A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:

(a)

a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;

(b)

processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or

(c)

a systematic monitoring of a publicly accessible area on a large scale.

4.   The supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1. The supervisory authority shall communicate those lists to the Board referred to in Article 68.

5.   The supervisory authority may also establish and make public a list of the kind of processing operations for which no data protection impact assessment is required. The supervisory authority shall communicate those lists to the Board.

6.   Prior to the adoption of the lists referred to in paragraphs 4 and 5, the competent supervisory authority shall apply the consistency mechanism referred to in Article 63 where such lists involve processing activities which are related to the offering of goods or services to data subjects or to the monitoring of their behaviour in several Member States, or may substantially affect the free movement of personal data within the Union.

7.   The assessment shall contain at least:

(a)

a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;

(b)

an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

(c)

an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and

(d)

the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.

8.   Compliance with approved codes of conduct referred to in Article 40 by the relevant controllers or processors shall be taken into due account in assessing the impact of the processing operations performed by such controllers or processors, in particular for the purposes of a data protection impact assessment.

9.   Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.

10.   Where processing pursuant to point (c) or (e) of Article 6(1) has a legal basis in Union law or in the law of the Member State to which the controller is subject, that law regulates the specific processing operation or set of operations in question, and a data protection impact assessment has already been carried out as part of a general impact assessment in the context of the adoption of that legal basis, paragraphs 1 to 7 shall not apply unless Member States deem it to be necessary to carry out such an assessment prior to processing activities.

11.   Where necessary, the controller shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations.

Article 36

Prior consultation

1.   The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.

2.   Where the supervisory authority is of the opinion that the intended processing referred to in paragraph 1 would infringe this Regulation, in particular where the controller has insufficiently identified or mitigated the risk, the supervisory authority shall, within period of up to eight weeks of receipt of the request for consultation, provide written advice to the controller and, where applicable to the processor, and may use any of its powers referred to in Article 58. That period may be extended by six weeks, taking into account the complexity of the intended processing. The supervisory authority shall inform the controller and, where applicable, the processor, of any such extension within one month of receipt of the request for consultation together with the reasons for the delay. Those periods may be suspended until the supervisory authority has obtained information it has requested for the purposes of the consultation.

3.   When consulting the supervisory authority pursuant to paragraph 1, the controller shall provide the supervisory authority with:

(a)

where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;

(b)

the purposes and means of the intended processing;

(c)

the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to this Regulation;

(d)

where applicable, the contact details of the data protection officer;

(e)

the data protection impact assessment provided for in Article 35; and

(f)

any other information requested by the supervisory authority.

4.   Member States shall consult the supervisory authority during the preparation of a proposal for a legislative measure to be adopted by a national parliament, or of a regulatory measure based on such a legislative measure, which relates to processing.

5.   Notwithstanding paragraph 1, Member State law may require controllers to consult with, and obtain prior authorisation from, the supervisory authority in relation to processing by a controller for the performance of a task carried out by the controller in the public interest, including processing in relation to social protection and public health.

Section 4

Data protection officer

Article 38

Position of the data protection officer

1.   The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.

2.   The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.

3.   The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.

4.   Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.

5.   The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.

6.   The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.

Article 70

Tasks of the Board

1.   The Board shall ensure the consistent application of this Regulation. To that end, the Board shall, on its own initiative or, where relevant, at the request of the Commission, in particular:

(a)

monitor and ensure the correct application of this Regulation in the cases provided for in Articles 64 and 65 without prejudice to the tasks of national supervisory authorities;

(b)

advise the Commission on any issue related to the protection of personal data in the Union, including on any proposed amendment of this Regulation;

(c)

advise the Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules;

(d)

issue guidelines, recommendations, and best practices on procedures for erasing links, copies or replications of personal data from publicly available communication services as referred to in Article 17(2);

(e)

examine, on its own initiative, on request of one of its members or on request of the Commission, any question covering the application of this Regulation and issue guidelines, recommendations and best practices in order to encourage consistent application of this Regulation;

(f)

issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for further specifying the criteria and conditions for decisions based on profiling pursuant to Article 22(2);

(g)

issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing the personal data breaches and determining the undue delay referred to in Article 33(1) and (2) and for the particular circumstances in which a controller or a processor is required to notify the personal data breach;

(h)

issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph as to the circumstances in which a personal data breach is likely to result in a high risk to the rights and freedoms of the natural persons referred to in Article 34(1).

(i)

issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for personal data transfers based on binding corporate rules adhered to by controllers and binding corporate rules adhered to by processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned referred to in Article 47;

(j)

issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for the personal data transfers on the basis of Article 49(1);

(k)

draw up guidelines for supervisory authorities concerning the application of measures referred to in Article 58(1), (2) and (3) and the setting of administrative fines pursuant to Article 83;

(l)

review the practical application of the guidelines, recommendations and best practices referred to in points (e) and (f);

(m)

issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing common procedures for reporting by natural persons of infringements of this Regulation pursuant to Article 54(2);

(n)

encourage the drawing-up of codes of conduct and the establishment of data protection certification mechanisms and data protection seals and marks pursuant to Articles 40 and 42;

(o)

carry out the accreditation of certification bodies and its periodic review pursuant to Article 43 and maintain a public register of accredited bodies pursuant to Article 43(6) and of the accredited controllers or processors established in third countries pursuant to Article 42(7);

(p)

specify the requirements referred to in Article 43(3) with a view to the accreditation of certification bodies under Article 42;

(q)

provide the Commission with an opinion on the certification requirements referred to in Article 43(8);

(r)

provide the Commission with an opinion on the icons referred to in Article 12(7);

(s)

provide the Commission with an opinion for the assessment of the adequacy of the level of protection in a third country or international organisation, including for the assessment whether a third country, a territory or one or more specified sectors within that third country, or an international organisation no longer ensures an adequate level of protection. To that end, the Commission shall provide the Board with all necessary documentation, including correspondence with the government of the third country, with regard to that third country, territory or specified sector, or with the international organisation.

(t)

issue opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism referred to in Article 64(1), on matters submitted pursuant to Article 64(2) and to issue binding decisions pursuant to Article 65, including in cases referred to in Article 66;

(u)

promote the cooperation and the effective bilateral and multilateral exchange of information and best practices between the supervisory authorities;

(v)

promote common training programmes and facilitate personnel exchanges between the supervisory authorities and, where appropriate, with the supervisory authorities of third countries or with international organisations;

(w)

promote the exchange of knowledge and documentation on data protection legislation and practice with data protection supervisory authorities worldwide.

(x)

issue opinions on codes of conduct drawn up at Union level pursuant to Article 40(9); and

(y)

maintain a publicly accessible electronic register of decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.

2.   Where the Commission requests advice from the Board, it may indicate a time limit, taking into account the urgency of the matter.

3.   The Board shall forward its opinions, guidelines, recommendations, and best practices to the Commission and to the committee referred to in Article 93 and make them public.

4.   The Board shall, where appropriate, consult interested parties and give them the opportunity to comment within a reasonable period. The Board shall, without prejudice to Article 76, make the results of the consultation procedure publicly available.

Article 83

General conditions for imposing administrative fines

1.   Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.

2.   Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:

(a)

the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

(b)

the intentional or negligent character of the infringement;

(c)

any action taken by the controller or processor to mitigate the damage suffered by data subjects;

(d)

the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;

(e)

any relevant previous infringements by the controller or processor;

(f)

the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

(g)

the categories of personal data affected by the infringement;

(h)

the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

(i)

where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;

(j)

adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

(k)

any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

3.   If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.

4.   Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

(a)

the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;

(b)

the obligations of the certification body pursuant to Articles 42 and 43;

(c)

the obligations of the monitoring body pursuant to Article 41(4).

5.   Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

(a)

the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;

(b)

the data subjects' rights pursuant to Articles 12 to 22;

(c)

the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;

(d)

any obligations pursuant to Member State law adopted under Chapter IX;

(e)

non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).

6.   Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

7.   Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.

8.   The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process.

9.   Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent supervisory authority and imposed by competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. Those Member States shall notify to the Commission the provisions of their laws which they adopt pursuant to this paragraph by 25 May 2018 and, without delay, any subsequent amendment law or amendment affecting them.

