interactive GDPR 2016/0679 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- personal data
- processing
- restriction of processing
- profiling
- pseudonymisation
- filing system
- controller
- processor
- recipient
- third party
- consent
- personal data breach
- genetic data
- biometric data
- data concerning health
- main establishment
- representative
- enterprise
- group of undertakings
- binding corporate rules
- supervisory authority
- supervisory authority concerned
- cross-border processing
- relevant and reasoned objection
- information society service
- international organisation
- processing 48
- data 39
- shall 37
- supervisory_authority 26
- referred 24
- which 24
- controller 24
- purposes 22
- decision 22
- subject 21
- personal_data 21
- article 18
- board 16
- protection 14
- rights 12
- public 12
- article 12
- paragraph 12
- subjects 11
- particular 11
- necessary 11
- paragraph 11
- including 10
- concerned 10
- the 10
- binding_corporate_rules 10
- processed 9
- provided 9
- within 9
- joint 8
- measures 8
- accordance 8
- interest 8
- such 8
- group_of_undertakings 8
- economic 8
- member state 7
- processor 7
- measure 7
- periods 7
- competent 7
- member 7
- purpose 7
- specific 7
- authorities 7
- regulation 7
- engaged 7
- enterprises 7
- activity 7
- group 7
Article 5
Principles relating to processing of personal_data
1. Personal data shall be:
| (a) | processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’); |
| (b) | collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’); |
| (c) | adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’); |
| (d) | accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal_data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’); |
| (e) | kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal_data are processed; personal_data may be stored for longer periods insofar as the personal_data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’); |
| (f) | processed in a manner that ensures appropriate security of the personal_data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’). |
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
Article 6
Lawfulness of processing
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
| (a) | the data subject has given consent to the processing of his or her personal_data for one or more specific purposes; |
| (b) | processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; |
| (c) | processing is necessary for compliance with a legal obligation to which the controller is subject; |
| (d) | processing is necessary in order to protect the vital interests of the data subject or of another natural person; |
| (e) | processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; |
| (f) | processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third_party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal_data, in particular where the data subject is a child. |
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.
3. The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:
| (a) | Union law; or |
| (b) | Member State law to which the controller is subject. |
The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal_data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.
4. Where the processing for a purpose other than that for which the personal_data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal_data are initially collected, take into account, inter alia:
| (a) | any link between the purposes for which the personal_data have been collected and the purposes of the intended further processing; |
| (b) | the context in which the personal_data have been collected, in particular regarding the relationship between data subjects and the controller; |
| (c) | the nature of the personal_data, in particular whether special categories of personal_data are processed, pursuant to Article 9, or whether personal_data related to criminal convictions and offences are processed, pursuant to Article 10; |
| (d) | the possible consequences of the intended further processing for data subjects; |
| (e) | the existence of appropriate safeguards, which may include encryption or pseudonymisation. |
Article 23
Restrictions
1. Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
| (a) | national security; |
| (b) | defence; |
| (c) | public security; |
| (d) | the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; |
| (e) | other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation a matters, public health and social security; |
| (f) | the protection of judicial independence and judicial proceedings; |
| (g) | the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions; |
| (h) | a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g); |
| (i) | the protection of the data subject or the rights and freedoms of others; |
| (j) | the enforcement of civil law claims. |
2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:
| (a) | the purposes of the processing or categories of processing; |
| (b) | the categories of personal_data; |
| (c) | the scope of the restrictions introduced; |
| (d) | the safeguards to prevent abuse or unlawful access or transfer; |
| (e) | the specification of the controller or categories of controllers; |
| (f) | the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing; |
| (g) | the risks to the rights and freedoms of data subjects; and |
| (h) | the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction. |
CHAPTER IV
Controller and processor
Article 36
Prior consultation
1. The controller shall consult the supervisory_authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.
2. Where the supervisory_authority is of the opinion that the intended processing referred to in paragraph 1 would infringe this Regulation, in particular where the controller has insufficiently identified or mitigated the risk, the supervisory_authority shall, within period of up to eight weeks of receipt of the request for consultation, provide written advice to the controller and, where applicable to the processor, and may use any of its powers referred to in Article 58. That period may be extended by six weeks, taking into account the complexity of the intended processing. The supervisory_authority shall inform the controller and, where applicable, the processor, of any such extension within one month of receipt of the request for consultation together with the reasons for the delay. Those periods may be suspended until the supervisory_authority has obtained information it has requested for the purposes of the consultation.
3. When consulting the supervisory_authority pursuant to paragraph 1, the controller shall provide the supervisory_authority with:
| (a) | where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group_of_undertakings; |
| (b) | the purposes and means of the intended processing; |
| (c) | the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to this Regulation; |
| (d) | where applicable, the contact details of the data protection officer; |
| (e) | the data protection impact assessment provided for in Article 35; and |
| (f) | any other information requested by the supervisory_authority. |
4. Member States shall consult the supervisory_authority during the preparation of a proposal for a legislative measure to be adopted by a national parliament, or of a regulatory measure based on such a legislative measure, which relates to processing.
5. Notwithstanding paragraph 1, Member State law may require controllers to consult with, and obtain prior authorisation from, the supervisory_authority in relation to processing by a controller for the performance of a task carried out by the controller in the public interest, including processing in relation to social protection and public health.
Article 47
Binding corporate rules
1. The competent supervisory_authority shall approve binding_corporate_rules in accordance with the consistency mechanism set out in Article 63, provided that they:
| (a) | are legally binding and apply to and are enforced by every member concerned of the group_of_undertakings, or group of enterprises engaged in a joint economic activity, including their employees; |
| (b) | expressly confer enforceable rights on data subjects with regard to the processing of their personal_data; and |
| (c) | fulfil the requirements laid down in paragraph 2. |
2. The binding_corporate_rules referred to in paragraph 1 shall specify at least:
| (a) | the structure and contact details of the group_of_undertakings, or group of enterprises engaged in a joint economic activity and of each of its members; |
| (b) | the data transfers or set of transfers, including the categories of personal_data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question; |
| (c) | their legally binding nature, both internally and externally; |
| (d) | the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal_data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding_corporate_rules; |
| (e) | the rights of data subjects in regard to processing and the means to exercise those rights, including the right not to be subject to decisions based solely on automated processing, including profiling in accordance with Article 22, the right to lodge a complaint with the competent supervisory_authority and before the competent courts of the Member States in accordance with Article 79, and to obtain redress and, where appropriate, compensation for a breach of the binding_corporate_rules; |
| (f) | the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding_corporate_rules by any member concerned not established in the Union; the controller or the processor shall be exempt from that liability, in whole or in part, only if it proves that that member is not responsible for the event giving rise to the damage; |
| (g) | how the information on the binding_corporate_rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in addition to Articles 13 and 14; |
| (h) | the tasks of any data protection officer designated in accordance with Article 37 or any other person or entity in charge of the monitoring compliance with the binding_corporate_rules within the group_of_undertakings, or group of enterprises engaged in a joint economic activity, as well as monitoring training and complaint-handling; |
| (i) | the complaint procedures; |
| (j) | the mechanisms within the group_of_undertakings, or group of enterprises engaged in a joint economic activity for ensuring the verification of compliance with the binding_corporate_rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. Results of such verification should be communicated to the person or entity referred to in point (h) and to the board of the controlling undertaking of a group_of_undertakings, or of the group of enterprises engaged in a joint economic activity, and should be available upon request to the competent supervisory_authority; |
| (k) | the mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory_authority; |
| (l) | the cooperation mechanism with the supervisory_authority to ensure compliance by any member of the group_of_undertakings, or group of enterprises engaged in a joint economic activity, in particular by making available to the supervisory_authority the results of verifications of the measures referred to in point (j); |
| (m) | the mechanisms for reporting to the competent supervisory_authority any legal requirements to which a member of the group_of_undertakings, or group of enterprises engaged in a joint economic activity is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding_corporate_rules; and |
| (n) | the appropriate data protection training to personnel having permanent or regular access to personal_data. |
3. The Commission may specify the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding_corporate_rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).
Article 65
Dispute resolution by the Board
1. In order to ensure the correct and consistent application of this Regulation in individual cases, the Board shall adopt a binding decision in the following cases:
| (a) | where, in a case referred to in Article 60(4), a supervisory_authority concerned has raised a relevant_and_reasoned_objection to a draft decision of the lead authority or the lead authority has rejected such an objection as being not relevant or reasoned. The binding decision shall concern all the matters which are the subject of the relevant_and_reasoned_objection, in particular whether there is an infringement of this Regulation; |
| (b) | where there are conflicting views on which of the supervisory authorities concerned is competent for the main_establishment; |
| (c) | where a competent supervisory_authority does not request the opinion of the Board in the cases referred to in Article 64(1), or does not follow the opinion of the Board issued under Article 64. In that case, any supervisory_authority concerned or the Commission may communicate the matter to the Board. |
2. The decision referred to in paragraph 1 shall be adopted within one month from the referral of the subject-matter by a two-thirds majority of the members of the Board. That period may be extended by a further month on account of the complexity of the subject-matter. The decision referred to in paragraph 1 shall be reasoned and addressed to the lead supervisory_authority and all the supervisory authorities concerned and binding on them.
3. Where the Board has been unable to adopt a decision within the periods referred to in paragraph 2, it shall adopt its decision within two weeks following the expiration of the second month referred to in paragraph 2 by a simple majority of the members of the Board. Where the members of the Board are split, the decision shall by adopted by the vote of its Chair.
4. The supervisory authorities concerned shall not adopt a decision on the subject matter submitted to the Board under paragraph 1 during the periods referred to in paragraphs 2 and 3.
5. The Chair of the Board shall notify, without undue delay, the decision referred to in paragraph 1 to the supervisory authorities concerned. It shall inform the Commission thereof. The decision shall be published on the website of the Board without delay after the supervisory_authority has notified the final decision referred to in paragraph 6.
6. The lead supervisory_authority or, as the case may be, the supervisory_authority with which the complaint has been lodged shall adopt its final decision on the basis of the decision referred to in paragraph 1 of this Article, without undue delay and at the latest by one month after the Board has notified its decision. The lead supervisory_authority or, as the case may be, the supervisory_authority with which the complaint has been lodged, shall inform the Board of the date when its final decision is notified respectively to the controller or the processor and to the data subject. The final decision of the supervisory authorities concerned shall be adopted under the terms of Article 60(7), (8) and (9). The final decision shall refer to the decision referred to in paragraph 1 of this Article and shall specify that the decision referred to in that paragraph will be published on the website of the Board in accordance with paragraph 5 of this Article. The final decision shall attach the decision referred to in paragraph 1 of this Article.
whereas
dal 2004 diritto e informatica