interactive GDPR 2016/0679 EN

(2) The principles of, and rules on the protection of natural persons with regard to the processing of their personal_data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal_data.

  This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons.

(4) The processing of personal_data should be designed to serve mankind.

  The right to the protection of personal_data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.

  This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal_data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.

(9) The objectives and principles of Directive 95/46/EC remain sound, but it has not prevented fragmentation in the implementation of data protection across the Union, legal uncertainty or a widespread public perception that there are significant risks to the protection of natural persons, in particular with regard to online activity.

  Differences in the level of protection of the rights and freedoms of natural persons, in particular the right to the protection of personal_data, with regard to the processing of personal_data in the Member States may prevent the free flow of personal_data throughout the Union.

  Those differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law.

  Such a difference in levels of protection is due to the existence of differences in the implementation and application of Directive 95/46/EC.

(14) The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal_data.

  This Regulation does not cover the processing of personal_data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.

(20) While this Regulation applies, inter alia, to the activities of courts and other judicial authorities, Union or Member State law could specify the processing operations and processing procedures in relation to the processing of personal_data by courts and other judicial authorities.

  The competence of the supervisory authorities should not cover the processing of personal_data when courts are acting in their judicial capacity, in order to safeguard the independence of the judiciary in the performance of its judicial tasks, including decision-making.

  It should be possible to entrust supervision of such data processing operations to specific bodies within the judicial system of the Member State, which should, in particular ensure compliance with the rules of this Regulation, enhance awareness among members of the judiciary of their obligations under this Regulation and handle complaints in relation to such data processing operations.

(21) This Regulation is without prejudice to the application of Directive 2000/31/EC of the European Parliament and of the Council (8), in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.

  That Directive seeks to contribute to the proper functioning of the internal market by ensuring the free movement of information_society_services between Member States.

(24) The processing of personal_data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union.

  In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal_data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

(30) Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.

  This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

(31) Public authorities to which personal_data are disclosed in accordance with a legal obligation for the exercise of their official mission, such as tax and customs authorities, financial investigation units, independent administrative authorities, or financial market authorities responsible for the regulation and supervision of securities markets should not be regarded as recipients if they receive personal_data which are necessary to carry out a particular inquiry in the general interest, in accordance with Union or Member State law.

  The requests for disclosure sent by the public authorities should always be in writing, reasoned and occasional and should not concern the entirety of a filing_system or lead to the interconnection of filing_systems.

  The processing of personal_data by those public authorities should comply with the applicable data-protection rules according to the purposes of the processing.

(34) Genetic data should be defined as personal_data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question, in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis, or from the analysis of another element enabling equivalent information to be obtained.

(35) Personal data_concerning_health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject.

  This includes information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council (9) to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic_data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.

(38) Children merit specific protection with regard to their personal_data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal_data.

  Such specific protection should, in particular, apply to the use of personal_data of children for the purposes of marketing or creating personality or user profiles and the collection of personal_data with regard to children when using services offered directly to a child.

  The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.

(39) Any processing of personal_data should be lawful and fair.

  It should be transparent to natural persons that personal_data concerning them are collected, used, consulted or otherwise processed and to what extent the personal_data are or will be processed.

  The principle of transparency requires that any information and communication relating to the processing of those personal_data be easily accessible and easy to understand, and that clear and plain language be used.

  That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal_data concerning them which are being processed.

  Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal_data and how to exercise their rights in relation to such processing.

  In particular, the specific purposes for which personal_data are processed should be explicit and legitimate and determined at the time of the collection of the personal_data.

  The personal_data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed.

  This requires, in particular, ensuring that the period for which the personal_data are stored is limited to a strict minimum.

  Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means.

  In order to ensure that the personal_data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.

  Every reasonable step should be taken to ensure that personal_data which are inaccurate are rectified or deleted.

  Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal_data, including for preventing unauthorised access to or use of personal_data and the equipment used for the processing.

(42) Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.

  In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given.

  In accordance with Council Directive 93/13/EEC (10) a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms.

  For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal_data are intended.

  Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

(43) In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal_data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation.

  Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal_data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

(46) The processing of personal_data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person.

  Processing of personal_data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis.

  Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.

(47) The legitimate interests of a controller, including those of a controller to which the personal_data may be disclosed, or of a third_party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller.

  Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.

  At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal_data that processing for that purpose may take place.

  The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal_data are processed in circumstances where data subjects do not reasonably expect further processing.

  Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal_data, that legal basis should not apply to the processing by public authorities in the performance of their tasks.

  The processing of personal_data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned.

  The processing of personal_data for direct marketing purposes may be regarded as carried out for a legitimate interest.

(50) The processing of personal_data for purposes other than those for which the personal_data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal_data were initially collected.

  In such a case, no legal basis separate from that which allowed the collection of the personal_data is required.

  If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union or Member State law may determine and specify the tasks and purposes for which the further processing should be regarded as compatible and lawful.

  Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered to be compatible lawful processing operations.

  The legal basis provided by Union or Member State law for the processing of personal_data may also provide a legal basis for further processing.

  In order to ascertain whether a purpose of further processing is compatible with the purpose for which the personal_data are initially collected, the controller, after having met all the requirements for the lawfulness of the original processing, should take into account, inter alia: any link between those purposes and the purposes of the intended further processing; the context in which the personal_data have been collected, in particular the reasonable expectations of data subjects based on their relationship with the controller as to their further use; the nature of the personal_data; the consequences of the intended further processing for data subjects; and the existence of appropriate safeguards in both the original and intended further processing operations.

(51) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms.

  Those personal_data should include personal_data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races.

  The processing of photographs should not systematically be considered to be processing of special categories of personal_data as they are covered by the definition of biometric_data only when processed through a specific technical means allowing the unique identification or authentication of a natural person.

  Such personal_data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member States law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

  In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing.

  Derogations from the general prohibition for processing such special categories of personal_data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.

(52) Derogating from the prohibition on processing special categories of personal_data should also be allowed when provided for in Union or Member State law and subject to suitable safeguards, so as to protect personal_data and other fundamental rights, where it is in the public interest to do so, in particular processing personal_data in the field of employment law, social protection law including pensions and for health security, monitoring and alert purposes, the prevention or control of communicable diseases and other serious threats to health.

  Such a derogation may be made for health purposes, including public health and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

  A derogation should also allow the processing of such personal_data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.

(53) Special categories of personal_data which merit higher protection should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social care services and systems, including processing by the management and central national health authorities of such data for the purpose of quality control, management information and the general national and local supervision of the health or social care system, and ensuring continuity of health or social care and cross-border healthcare or health security, monitoring and alert purposes, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, based on Union or Member State law which has to meet an objective of public interest, as well as for studies conducted in the public interest in the area of public health.

  Therefore, this Regulation should provide for harmonised conditions for the processing of special categories of personal_data concerning health, in respect of specific needs, in particular where the processing of such data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy.

  Union or Member State law should provide for specific and suitable measures so as to protect the fundamental rights and the personal_data of natural persons.

  Member States should be allowed to maintain or introduce further conditions, including limitations, with regard to the processing of genetic_data, biometric_data or data_concerning_health.

  However, this should not hamper the free flow of personal_data within the Union when those conditions apply to cross-border processing of such data.

(58) The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used.

  Such information could be provided in electronic form, for example, when addressed to the public, through a website.

  This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal_data relating to him or her are being collected, such as in the case of online advertising.

  Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.

(59) Modalities should be provided for facilitating the exercise of the data subject's rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal_data and the exercise of the right to object.

  The controller should also provide means for requests to be made electronically, especially where personal_data are processed by electronic means.

  The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests.

(62) However, it is not necessary to impose the obligation to provide information where the data subject already possesses the information, where the recording or disclosure of the personal_data is expressly laid down by law or where the provision of information to the data subject proves to be impossible or would involve a disproportionate effort.

  The latter could in particular be the case where processing is carried out for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

  In that regard, the number of data subjects, the age of the data and any appropriate safeguards adopted should be taken into consideration.

(63) A data subject should have the right of access to personal_data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.

  This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided.

  Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal_data are processed, where possible the period for which the personal_data are processed, the recipients of the personal_data, the logic involved in any automatic personal_data processing and, at least when based on profiling, the consequences of such processing.

  Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal_data.

  That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software.

  However, the result of those considerations should not be a refusal to provide all information to the data subject.

  Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.

(64) The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers.

  A controller should not retain personal_data for the sole purpose of being able to react to potential requests.

(65) A data subject should have the right to have personal_data concerning him or her rectified and a ‘right to be forgotten’ where the retention of such data infringes this Regulation or Union or Member State law to which the controller is subject.

  In particular, a data subject should have the right to have his or her personal_data erased and no longer processed where the personal_data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where a data subject has withdrawn his or her consent or objects to the processing of personal_data concerning him or her, or where the processing of his or her personal_data does not otherwise comply with this Regulation.

  That right is relevant in particular where the data subject has given his or her consent as a child and is not fully aware of the risks involved by the processing, and later wants to remove such personal_data, especially on the internet.

  The data subject should be able to exercise that right notwithstanding the fact that he or she is no longer a child.

  However, the further retention of the personal_data should be lawful where it is necessary, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.

(68) To further strengthen the control over his or her own data, where the processing of personal_data is carried out by automated means, the data subject should also be allowed to receive personal_data concerning him or her which he or she has provided to a controller in a structured, commonly used, machine-readable and interoperable format, and to transmit it to another controller.

  Data controllers should be encouraged to develop interoperable formats that enable data portability.

  That right should apply where the data subject provided the personal_data on the basis of his or her consent or the processing is necessary for the performance of a contract.

  It should not apply where processing is based on a legal ground other than consent or contract.

  By its very nature, that right should not be exercised against controllers processing personal_data in the exercise of their public duties.

  It should therefore not apply where the processing of the personal_data is necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller.

  The data subject's right to transmit or receive personal_data concerning him or her should not create an obligation for the controllers to adopt or maintain processing systems which are technically compatible.

  Where, in a certain set of personal_data, more than one data subject is concerned, the right to receive the personal_data should be without prejudice to the rights and freedoms of other data subjects in accordance with this Regulation.

  Furthermore, that right should not prejudice the right of the data subject to obtain the erasure of personal_data and the limitations of that right as set out in this Regulation and should, in particular, not imply the erasure of personal_data concerning the data subject which have been provided by him or her for the performance of a contract to the extent that and for as long as the personal_data are necessary for the performance of that contract.

  Where technically feasible, the data subject should have the right to have the personal_data transmitted directly from one controller to another.

(69) Where personal_data might lawfully be processed because processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or on grounds of the legitimate interests of a controller or a third_party, a data subject should, nevertheless, be entitled to object to the processing of any personal_data relating to his or her particular situation.

  It should be for the controller to demonstrate that its compelling legitimate interest overrides the interests or the fundamental rights and freedoms of the data subject.

(71) The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention.

  Such processing includes ‘ profiling’ that consists of any form of automated processing of personal_data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her.

  However, decision-making based on such processing, including profiling, should be allowed where expressly authorised by Union or Member State law to which the controller is subject, including for fraud and tax-evasion monitoring and prevention purposes conducted in accordance with the regulations, standards and recommendations of Union institutions or national oversight bodies and to ensure the security and reliability of a service provided by the controller, or necessary for the entering or performance of a contract between the data subject and a controller, or when the data subject has given his or her explicit consent.

  In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision.

  Such measure should not concern a child.

(73) Restrictions concerning specific principles and the rights of information, access to and rectification or erasure of personal_data, the right to data portability, the right to object, decisions based on profiling, as well as the communication of a personal_data breach to a data subject and certain related obligations of the controllers may be imposed by Union or Member State law, as far as necessary and proportionate in a democratic society to safeguard public security, including the protection of human life especially in response to natural or manmade disasters, the prevention, investigation and prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, or of breaches of ethics for regulated professions, other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, the keeping of public registers kept for reasons of general public interest, further processing of archived personal_data to provide specific information related to the political behaviour under former totalitarian state regimes or the protection of the data subject or the rights and freedoms of others, including social protection, public health and humanitarian purposes.

  Those restrictions should be in accordance with the requirements set out in the Charter and in the European Convention for the Protection of Human Rights and Fundamental Freedoms.

(74) The responsibility and liability of the controller for any processing of personal_data carried out by the controller or on the controller's behalf should be established.

  In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures.

  Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.

(75) The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal_data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal_data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal_data; where personal_data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic_data, data_concerning_health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal_data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal_data and affects a large number of data subjects.

(77) Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the processor, especially as regards the identification of the risk related to the processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk, could be provided in particular by means of approved codes of conduct, approved certifications, guidelines provided by the Board or indications provided by a data protection officer.

  The Board may also issue guidelines on processing operations that are considered to be unlikely to result in a high risk to the rights and freedoms of natural persons and indicate what measures may be sufficient in such cases to address such risk.

(78) The protection of the rights and freedoms of natural persons with regard to the processing of personal_data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met.

  In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.

  Such measures could consist, inter alia, of minimising the processing of personal_data, pseudonymising personal_data as soon as possible, transparency with regard to the functions and processing of personal_data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features.

  When developing, designing, selecting and using applications, services and products that are based on the processing of personal_data or process personal_data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations.

  The principles of data protection by design and by default should also be taken into consideration in the context of public tenders.

(81) To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing.

  The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller.

  The carrying-out of processing by a processor should be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal_data and categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk to the rights and freedoms of the data subject.

  The controller and processor may choose to use an individual contract or standard contractual clauses which are adopted either directly by the Commission or by a supervisory_authority in accordance with the consistency mechanism and then adopted by the Commission.

  After the completion of the processing on behalf of the controller, the processor should, at the choice of the controller, return or delete the personal_data, unless there is a requirement to store the personal_data under Union or Member State law to which the processor is subject.

(83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption.

  Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal_data to be protected.

  In assessing data security risk, consideration should be given to the risks that are presented by personal_data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal_data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.

(84) In order to enhance compliance with this Regulation where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the controller should be responsible for the carrying-out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk.

  The outcome of the assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal_data complies with this Regulation.

  Where a data-protection impact assessment indicates that processing operations involve a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation of the supervisory_authority should take place prior to the processing.

(87) It should be ascertained whether all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal_data breach has taken place and to inform promptly the supervisory_authority and the data subject.

  The fact that the notification was made without undue delay should be established taking into account in particular the nature and gravity of the personal_data breach and its consequences and adverse effects for the data subject.

  Such notification may result in an intervention of the supervisory_authority in accordance with its tasks and powers laid down in this Regulation.

(89) Directive 95/46/EC provided for a general obligation to notify the processing of personal_data to the supervisory authorities.

  While that obligation produces administrative and financial burdens, it did not in all cases contribute to improving the protection of personal_data.

  Such indiscriminate general notification obligations should therefore be abolished, and replaced by effective procedures and mechanisms which focus instead on those types of processing operations which are likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purposes.

  Such types of processing operations may be those which in, particular, involve using new technologies, or are of a new kind and where no data protection impact assessment has been carried out before by the controller, or where they become necessary in the light of the time that has elapsed since the initial processing.

(90) In such cases, a data protection impact assessment should be carried out by the controller prior to the processing in order to assess the particular likelihood and severity of the high risk, taking into account the nature, scope, context and purposes of the processing and the sources of the risk.

  That impact assessment should include, in particular, the measures, safeguards and mechanisms envisaged for mitigating that risk, ensuring the protection of personal_data and demonstrating compliance with this Regulation.

(91) This should in particular apply to large-scale processing operations which aim to process a considerable amount of personal_data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk, for example, on account of their sensitivity, where in accordance with the achieved state of technological knowledge a new technology is used on a large scale as well as to other processing operations which result in a high risk to the rights and freedoms of data subjects, in particular where those operations render it more difficult for data subjects to exercise their rights.

  A data protection impact assessment should also be made where personal_data are processed for taking decisions regarding specific natural persons following any systematic and extensive evaluation of personal aspects relating to natural persons based on profiling those data or following the processing of special categories of personal_data, biometric_data, or data on criminal convictions and offences or related security measures.

  A data protection impact assessment is equally required for monitoring publicly accessible areas on a large scale, especially when using optic-electronic devices or for any other operations where the competent supervisory_authority considers that the processing is likely to result in a high risk to the rights and freedoms of data subjects, in particular because they prevent data subjects from exercising a right or using a service or a contract, or because they are carried out systematically on a large scale.

  The processing of personal_data should not be considered to be on a large scale if the processing concerns personal_data from patients or clients by an individual physician, other health care professional or lawyer.

  In such cases, a data protection impact assessment should not be mandatory.

(94) Where a data protection impact assessment indicates that the processing would, in the absence of safeguards, security measures and mechanisms to mitigate the risk, result in a high risk to the rights and freedoms of natural persons and the controller is of the opinion that the risk cannot be mitigated by reasonable means in terms of available technologies and costs of implementation, the supervisory_authority should be consulted prior to the start of processing activities.

  Such high risk is likely to result from certain types of processing and the extent and frequency of processing, which may result also in a realisation of damage or interference with the rights and freedoms of the natural person.

  The supervisory_authority should respond to the request for consultation within a specified period.

  However, the absence of a reaction of the supervisory_authority within that period should be without prejudice to any intervention of the supervisory_authority in accordance with its tasks and powers laid down in this Regulation, including the power to prohibit processing operations.

  As part of that consultation process, the outcome of a data protection impact assessment carried out with regard to the processing at issue may be submitted to the supervisory_authority, in particular the measures envisaged to mitigate the risk to the rights and freedoms of natural persons.

(96) A consultation of the supervisory_authority should also take place in the course of the preparation of a legislative or regulatory measure which provides for the processing of personal_data, in order to ensure compliance of the intended processing with this Regulation and in particular to mitigate the risk involved for the data subject.

(97) Where the processing is carried out by a public authority, except for courts or independent judicial authorities when acting in their judicial capacity, where, in the private sector, processing is carried out by a controller whose core activities consist of processing operations that require regular and systematic monitoring of the data subjects on a large scale, or where the core activities of the controller or the processor consist of processing on a large scale of special categories of personal_data and data relating to criminal convictions and offences, a person with expert knowledge of data protection law and practices should assist the controller or processor to monitor internal compliance with this Regulation.

  In the private sector, the core activities of a controller relate to its primary activities and do not relate to the processing of personal_data as ancillary activities.

  The necessary level of expert knowledge should be determined in particular according to the data processing operations carried out and the protection required for the personal_data processed by the controller or the processor.

  Such data protection officers, whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner.

(98) Associations or other bodies representing categories of controllers or processors should be encouraged to draw up codes of conduct, within the limits of this Regulation, so as to facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors and the specific needs of micro, small and medium enterprises.

  In particular, such codes of conduct could calibrate the obligations of controllers and processors, taking into account the risk likely to result from the processing for the rights and freedoms of natural persons.

(104) In line with the fundamental values on which the Union is founded, in particular the protection of human rights, the Commission should, in its assessment of the third country, or of a territory or specified sector within a third country, take into account how a particular third country respects the rule of law, access to justice as well as international human rights norms and standards and its general and sectoral law, including legislation concerning public security, defence and national security as well as public order and criminal law.

  The adoption of an adequacy decision with regard to a territory or a specified sector in a third country should take into account clear and objective criteria, such as specific processing activities and the scope of applicable legal standards and legislation in force in the third country.

  The third country should offer guarantees ensuring an adequate level of protection essentially equivalent to that ensured within the Union, in particular where personal_data are processed in one or several specific sectors.

  In particular, the third country should ensure effective independent data protection supervision and should provide for cooperation mechanisms with the Member States' data protection authorities, and the data subjects should be provided with effective and enforceable rights and effective administrative and judicial redress.

(105) Apart from the international commitments the third country or international_organisation has entered into, the Commission should take account of obligations arising from the third country's or international_organisation's participation in multilateral or regional systems in particular in relation to the protection of personal_data, as well as the implementation of such obligations.

  In particular, the third country's accession to the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to the Automatic Processing of Personal Data and its Additional Protocol should be taken into account.

  The Commission should consult the Board when assessing the level of protection in third countries or international_organisations.

(108) In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject.

  Such appropriate safeguards may consist of making use of binding_corporate_rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory_authority or contractual clauses authorised by a supervisory_authority.

  Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country.

  They should relate in particular to compliance with the general principles relating to personal_data processing, the principles of data protection by design and by default.

  Transfers may also be carried out by public authorities or bodies with public authorities or bodies in third countries or with international_organisations with corresponding duties or functions, including on the basis of provisions to be inserted into administrative arrangements, such as a memorandum of understanding, providing for enforceable and effective rights for data subjects.

  Authorisation by the competent supervisory_authority should be obtained when the safeguards are provided for in administrative arrangements that are not legally binding.

(112) Those derogations should in particular apply to data transfers required and necessary for important reasons of public interest, for example in cases of international data exchange between competition authorities, tax or customs administrations, between financial supervisory authorities, between services competent for social security matters, or for public health, for example in the case of contact tracing for contagious diseases or in order to reduce and/or eliminate doping in sport.

  A transfer of personal_data should also be regarded as lawful where it is necessary to protect an interest which is essential for the data subject's or another person's vital interests, including physical integrity or life, if the data subject is incapable of giving consent.

  In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of data to a third country or an international_organisation.

  Member States should notify such provisions to the Commission.

  Any transfer to an international humanitarian organisation of personal_data of a data subject who is physically or legally incapable of giving consent, with a view to accomplishing a task incumbent under the Geneva Conventions or to complying with international humanitarian law applicable in armed conflicts, could be considered to be necessary for an important reason of public interest or because it is in the vital interest of the data subject.

(113) Transfers which can be qualified as not repetitive and that only concern a limited number of data subjects, could also be possible for the purposes of the compelling legitimate interests pursued by the controller, when those interests are not overridden by the interests or rights and freedoms of the data subject and when the controller has assessed all the circumstances surrounding the data transfer.

  The controller should give particular consideration to the nature of the personal_data, the purpose and duration of the proposed processing operation or operations, as well as the situation in the country of origin, the third country and the country of final destination, and should provide suitable safeguards to protect fundamental rights and freedoms of natural persons with regard to the processing of their personal_data.

  Such transfers should be possible only in residual cases where none of the other grounds for transfer are applicable.

  For scientific or historical research purposes or statistical purposes, the legitimate expectations of society for an increase of knowledge should be taken into consideration.

  The controller should inform the supervisory_authority and the data subject about the transfer.

(116) When personal_data moves across borders outside the Union it may put at increased risk the ability of natural persons to exercise data protection rights in particular to protect themselves from the unlawful use or disclosure of that information.

  At the same time, supervisory authorities may find that they are unable to pursue complaints or conduct investigations relating to the activities outside their borders.

  Their efforts to work together in the cross-border context may also be hampered by insufficient preventative or remedial powers, inconsistent legal regimes, and practical obstacles like resource constraints.

  Therefore, there is a need to promote closer cooperation among data protection supervisory authorities to help them exchange information and carry out investigations with their international counterparts.

  For the purposes of developing international cooperation mechanisms to facilitate and provide international mutual assistance for the enforcement of legislation for the protection of personal_data, the Commission and the supervisory authorities should exchange information and cooperate in activities related to the exercise of their powers with competent authorities in third countries, based on reciprocity and in accordance with this Regulation.

(119) Where a Member State establishes several supervisory authorities, it should establish by law mechanisms for ensuring the effective participation of those supervisory authorities in the consistency mechanism.

  That Member State should in particular designate the supervisory_authority which functions as a single contact point for the effective participation of those authorities in the mechanism, to ensure swift and smooth cooperation with other supervisory authorities, the Board and the Commission.

(121) The general conditions for the member or members of the supervisory_authority should be laid down by law in each Member State and should in particular provide that those members are to be appointed, by means of a transparent procedure, either by the parliament, government or the head of State of the Member State on the basis of a proposal from the government, a member of the government, the parliament or a chamber of the parliament, or by an independent body entrusted under Member State law.

  In order to ensure the independence of the supervisory_authority, the member or members should act with integrity, refrain from any action that is incompatible with their duties and should not, during their term of office, engage in any incompatible occupation, whether gainful or not.

  The supervisory_authority should have its own staff, chosen by the supervisory_authority or an independent body established by Member State law, which should be subject to the exclusive direction of the member or members of the supervisory_authority.

(122) Each supervisory_authority should be competent on the territory of its own Member State to exercise the powers and to perform the tasks conferred on it in accordance with this Regulation.

  This should cover in particular the processing in the context of the activities of an establishment of the controller or processor on the territory of its own Member State, the processing of personal_data carried out by public authorities or private bodies acting in the public interest, processing affecting data subjects on its territory or processing carried out by a controller or processor not established in the Union when targeting data subjects residing on its territory.

  This should include handling complaints lodged by a data subject, conducting investigations on the application of this Regulation and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal_data.

(124) Where the processing of personal_data takes place in the context of the activities of an establishment of a controller or a processor in the Union and the controller or processor is established in more than one Member State, or where processing taking place in the context of the activities of a single establishment of a controller or processor in the Union substantially affects or is likely to substantially affect data subjects in more than one Member State, the supervisory_authority for the main_establishment of the controller or processor or for the single establishment of the controller or processor should act as lead authority.

  It should cooperate with the other authorities concerned, because the controller or processor has an establishment on the territory of their Member State, because data subjects residing on their territory are substantially affected, or because a complaint has been lodged with them.

  Also where a data subject not residing in that Member State has lodged a complaint, the supervisory_authority with which such complaint has been lodged should also be a supervisory_authority concerned.

  Within its tasks to issue guidelines on any question covering the application of this Regulation, the Board should be able to issue guidelines in particular on the criteria to be taken into account in order to ascertain whether the processing in question substantially affects data subjects in more than one Member State and on what constitutes a relevant_and_reasoned_objection.

(129) In order to ensure consistent monitoring and enforcement of this Regulation throughout the Union, the supervisory authorities should have in each Member State the same tasks and effective powers, including powers of investigation, corrective powers and sanctions, and authorisation and advisory powers, in particular in cases of complaints from natural persons, and without prejudice to the powers of prosecutorial authorities under Member State law, to bring infringements of this Regulation to the attention of the judicial authorities and engage in legal proceedings.

  Such powers should also include the power to impose a temporary or definitive limitation, including a ban, on processing.

  Member States may specify other tasks related to the protection of personal_data under this Regulation.

  The powers of supervisory authorities should be exercised in accordance with appropriate procedural safeguards set out in Union and Member State law, impartially, fairly and within a reasonable time.

  In particular each measure should be appropriate, necessary and proportionate in view of ensuring compliance with this Regulation, taking into account the circumstances of each individual case, respect the right of every person to be heard before any individual measure which would affect him or her adversely is taken and avoid superfluous costs and excessive inconveniences for the persons concerned.

  Investigatory powers as regards access to premises should be exercised in accordance with specific requirements in Member State procedural law, such as the requirement to obtain a prior judicial authorisation.

  Each legally binding measure of the supervisory_authority should be in writing, be clear and unambiguous, indicate the supervisory_authority which has issued the measure, the date of issue of the measure, bear the signature of the head, or a member of the supervisory_authority authorised by him or her, give the reasons for the measure, and refer to the right of an effective remedy.

  This should not preclude additional requirements pursuant to Member State procedural law.

  The adoption of a legally binding decision implies that it may give rise to judicial review in the Member State of the supervisory_authority that adopted the decision.

(132) Awareness-raising activities by supervisory authorities addressed to the public should include specific measures directed at controllers and processors, including micro, small and medium-sized enterprises, as well as natural persons in particular in the educational context.

(135) In order to ensure the consistent application of this Regulation throughout the Union, a consistency mechanism for cooperation between the supervisory authorities should be established.

  That mechanism should in particular apply where a supervisory_authority intends to adopt a measure intended to produce legal effects as regards processing operations which substantially affect a significant number of data subjects in several Member States.

  It should also apply where any supervisory_authority concerned or the Commission requests that such matter should be handled in the consistency mechanism.

  That mechanism should be without prejudice to any measures that the Commission may take in the exercise of its powers under the Treaties.

(136) In applying the consistency mechanism, the Board should, within a determined period of time, issue an opinion, if a majority of its members so decides or if so requested by any supervisory_authority concerned or the Commission.

  The Board should also be empowered to adopt legally binding decisions where there are disputes between supervisory authorities.

  For that purpose, it should issue, in principle by a two-thirds majority of its members, legally binding decisions in clearly specified cases where there are conflicting views among supervisory authorities, in particular in the cooperation mechanism between the lead supervisory_authority and supervisory authorities concerned on the merits of the case, in particular whether there is an infringement of this Regulation.

(137) There may be an urgent need to act in order to protect the rights and freedoms of data subjects, in particular when the danger exists that the enforcement of a right of a data subject could be considerably impeded.

  A supervisory_authority should therefore be able to adopt duly justified provisional measures on its territory with a specified period of validity which should not exceed three months.

(139) In order to promote the consistent application of this Regulation, the Board should be set up as an independent body of the Union.

  To fulfil its objectives, the Board should have legal personality.

  The Board should be represented by its Chair.

  It should replace the Working Party on the Protection of Individuals with Regard to the Processing of Personal Data established by Directive 95/46/EC.

  It should consist of the head of a supervisory_authority of each Member State and the European Data Protection Supervisor or their respective representatives.

  The Commission should participate in the Board's activities without voting rights and the European Data Protection Supervisor should have specific voting rights.

  The Board should contribute to the consistent application of this Regulation throughout the Union, including by advising the Commission, in particular on the level of protection in third countries or international_organisations, and promoting cooperation of the supervisory authorities throughout the Union.

  The Board should act independently when performing its tasks.

(141) Every data subject should have the right to lodge a complaint with a single supervisory_authority, in particular in the Member State of his or her habitual residence, and the right to an effective judicial remedy in accordance with Article 47 of the Charter if the data subject considers that his or her rights under this Regulation are infringed or where the supervisory_authority does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject.

  The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case.

  The supervisory_authority should inform the data subject of the progress and the outcome of the complaint within a reasonable period.

  If the case requires further investigation or coordination with another supervisory_authority, intermediate information should be given to the data subject.

  In order to facilitate the submission of complaints, each supervisory_authority should take measures such as providing a complaint submission form which can also be completed electronically, without excluding other means of communication.

(143) Any natural or legal person has the right to bring an action for annulment of decisions of the Board before the Court of Justice under the conditions provided for in Article 263 TFEU.

  As addressees of such decisions, the supervisory authorities concerned which wish to challenge them have to bring action within two months of being notified of them, in accordance with Article 263 TFEU.

  Where decisions of the Board are of direct and individual concern to a controller, processor or complainant, the latter may bring an action for annulment against those decisions within two months of their publication on the website of the Board, in accordance with Article 263 TFEU.

  Without prejudice to this right under Article 263 TFEU, each natural or legal person should have an effective judicial remedy before the competent national court against a decision of a supervisory_authority which produces legal effects concerning that person.

  Such a decision concerns in particular the exercise of investigative, corrective and authorisation powers by the supervisory_authority or the dismissal or rejection of complaints.

  However, the right to an effective judicial remedy does not encompass measures taken by supervisory authorities which are not legally binding, such as opinions issued by or advice provided by the supervisory_authority.

  Proceedings against a supervisory_authority should be brought before the courts of the Member State where the supervisory_authority is established and should be conducted in accordance with that Member State's procedural law.

  Those courts should exercise full jurisdiction, which should include jurisdiction to examine all questions of fact and law relevant to the dispute before them.

(147) Where specific rules on jurisdiction are contained in this Regulation, in particular as regards proceedings seeking a judicial remedy including compensation, against a controller or processor, general jurisdiction rules such as those of Regulation (EU) No 1215/2012 of the European Parliament and of the Council (13) should not prejudice the application of such specific rules.

(150) In order to strengthen and harmonise administrative penalties for infringements of this Regulation, each supervisory_authority should have the power to impose administrative fines.

  This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent supervisory_authority in each individual case, taking into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement.

  Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes.

  Where administrative fines are imposed on persons that are not an undertaking, the supervisory_authority should take account of the general level of income in the Member State as well as the economic situation of the person in considering the appropriate amount of the fine.

  The consistency mechanism may also be used to promote a consistent application of administrative fines.

  It should be for the Member States to determine whether and to which extent public authorities should be subject to administrative fines.

  Imposing an administrative fine or giving a warning does not affect the application of other powers of the supervisory authorities or of other penalties under this Regulation.

(153) Member States law should reconcile the rules governing freedom of expression and information, including journalistic, academic, artistic and or literary expression with the right to the protection of personal_data pursuant to this Regulation.

  The processing of personal_data solely for journalistic purposes, or for the purposes of academic, artistic or literary expression should be subject to derogations or exemptions from certain provisions of this Regulation if necessary to reconcile the right to the protection of personal_data with the right to freedom of expression and information, as enshrined in Article 11 of the Charter.

  This should apply in particular to the processing of personal_data in the audiovisual field and in news archives and press libraries.

  Therefore, Member States should adopt legislative measures which lay down the exemptions and derogations necessary for the purpose of balancing those fundamental rights.

  Member States should adopt such exemptions and derogations on general principles, the rights of the data subject, the controller and the processor, the transfer of personal_data to third countries or international_organisations, the independent supervisory authorities, cooperation and consistency, and specific data- processing situations.

  Where such exemptions or derogations differ from one Member State to another, the law of the Member State to which the controller is subject should apply.

  In order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary to interpret notions relating to that freedom, such as journalism, broadly.

(154) This Regulation allows the principle of public access to official documents to be taken into account when applying this Regulation.

  Public access to official documents may be considered to be in the public interest.

  Personal data in documents held by a public authority or a public body should be able to be publicly disclosed by that authority or body if the disclosure is provided for by Union or Member State law to which the public authority or public body is subject.

  Such laws should reconcile public access to official documents and the reuse of public sector information with the right to the protection of personal_data and may therefore provide for the necessary reconciliation with the right to the protection of personal_data pursuant to this Regulation.

  The reference to public authorities and bodies should in that context include all authorities or other bodies covered by Member State law on public access to documents.

  Directive 2003/98/EC of the European Parliament and of the Council (14) leaves intact and in no way affects the level of protection of natural persons with regard to the processing of personal_data under the provisions of Union and Member State law, and in particular does not alter the obligations and rights set out in this Regulation.

  In particular, that Directive should not apply to documents to which access is excluded or restricted by virtue of the access regimes on the grounds of protection of personal_data, and parts of documents accessible by virtue of those regimes which contain personal_data the re-use of which has been provided for by law as being incompatible with the law concerning the protection of natural persons with regard to the processing of personal_data.

(155) Member State law or collective agreements, including ‘works agreements’, may provide for specific rules on the processing of employees' personal_data in the employment context, in particular for the conditions under which personal_data in the employment context may be processed on the basis of the consent of the employee, the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.

(156) The processing of personal_data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be subject to appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation.

  Those safeguards should ensure that technical and organisational measures are in place in order to ensure, in particular, the principle of data minimisation.

  The further processing of personal_data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is to be carried out when the controller has assessed the feasibility to fulfil those purposes by processing data which do not permit or no longer permit the identification of data subjects, provided that appropriate safeguards exist (such as, for instance, pseudonymisation of the data).

  Member States should provide for appropriate safeguards for the processing of personal_data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

  Member States should be authorised to provide, under specific conditions and subject to appropriate safeguards for data subjects, specifications and derogations with regard to the information requirements and rights to rectification, to erasure, to be forgotten, to restriction of processing, to data portability, and to object when processing personal_data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

  The conditions and safeguards in question may entail specific procedures for data subjects to exercise those rights if this is appropriate in the light of the purposes sought by the specific processing along with technical and organisational measures aimed at minimising the processing of personal_data in pursuance of the proportionality and necessity principles.

  The processing of personal_data for scientific purposes should also comply with other relevant legislation such as on clinical trials.

(158) Where personal_data are processed for archiving purposes, this Regulation should also apply to that processing, bearing in mind that this Regulation should not apply to deceased persons.

  Public authorities or public or private bodies that hold records of public interest should be services which, pursuant to Union or Member State law, have a legal obligation to acquire, preserve, appraise, arrange, describe, communicate, promote, disseminate and provide access to records of enduring value for general public interest.

  Member States should also be authorised to provide for the further processing of personal_data for archiving purposes, for example with a view to providing specific information related to the political behaviour under former totalitarian state regimes, genocide, crimes against humanity, in particular the Holocaust, or war crimes.

(159) Where personal_data are processed for scientific research purposes, this Regulation should also apply to that processing.

  For the purposes of this Regulation, the processing of personal_data for scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research.

  In addition, it should take into account the Union's objective under Article 179(1) TFEU of achieving a European Research Area.

  Scientific research purposes should also include studies conducted in the public interest in the area of public health.

  To meet the specificities of processing personal_data for scientific research purposes, specific conditions should apply in particular as regards the publication or otherwise disclosure of personal_data in the context of scientific research purposes.

  If the result of scientific research in particular in the health context gives reason for further measures in the interest of the data subject, the general rules of this Regulation should apply in view of those measures.

(162) Where personal_data are processed for statistical purposes, this Regulation should apply to that processing.

  Union or Member State law should, within the limits of this Regulation, determine statistical content, control of access, specifications for the processing of personal_data for statistical purposes and appropriate measures to safeguard the rights and freedoms of the data subject and for ensuring statistical confidentiality.

  Statistical purposes mean any operation of collection and the processing of personal_data necessary for statistical surveys or for the production of statistical results.

  Those statistical results may further be used for different purposes, including a scientific research purpose.

  The statistical purpose implies that the result of processing for statistical purposes is not personal_data, but aggregate data, and that this result or the personal_data are not used in support of measures or decisions regarding any particular natural person.

(166) In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal_data and to ensure the free movement of personal_data within the Union, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission.

  In particular, delegated acts should be adopted in respect of criteria and requirements for certification mechanisms, information to be presented by standardised icons and procedures for providing such icons.

  It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level.

  The Commission, when preparing and drawing-up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and to the Council.

(173) This Regulation should apply to all matters concerning the protection of fundamental rights and freedoms vis-à-vis the processing of personal_data which are not subject to specific obligations with the same objective set out in Directive 2002/58/EC of the European Parliament and of the Council (18), including the obligations on the controller and the rights of natural persons.

  In order to clarify the relationship between this Regulation and Directive 2002/58/EC, that Directive should be amended accordingly.

  Once this Regulation is adopted, Directive 2002/58/EC should be reviewed in particular in order to ensure consistency with this Regulation,