interactive GDPR 2016/0679 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- 1 Article 6 Lawfulness of processing
- 1 Article 17 Right to erasure (‘right to be forgotten’)
- 1 Article 22 Automated individual decision-making, including profiling
- 1 Article 23 Restrictions
- 1 Article 34 Communication of a personal data breach to the data subject
- 1 Article 47 Binding corporate rules
- 1 Article 70 Tasks of the Board
- 1 Article 83 General conditions for imposing administrative fines
- 1 Article 90 Obligations of secrecy
- personal data
- processing
- restriction of processing
- profiling
- pseudonymisation
- filing system
- controller
- processor
- recipient
- third party
- consent
- personal data breach
- genetic data
- biometric data
- data concerning health
- main establishment
- representative
- enterprise
- group of undertakings
- binding corporate rules
- supervisory authority
- supervisory authority concerned
- cross-border processing
- relevant and reasoned objection
- information society service
- international organisation
- data 70
- article 57
- shall 53
- personal_data 52
- subject 50
- processing 49
- controller 45
- referred 40
- which 34
- pursuant 34
- public 24
- paragraph 21
- protection 20
- including 19
- necessary 19
- transfer 18
- rights 18
- article 18
- measures 18
- accordance 17
- union 17
- supervisory_authority 16
- subjects 16
- authorities 16
- member 15
- binding_corporate_rules 15
- member state 14
- the 14
- interest 14
- legal 14
- processor 14
- commission 14
- purposes 13
- third 13
- supervisory 13
- such 12
- have 12
- particular 12
- issue 12
- administrative 12
- provisions 11
- categories 11
- freedoms 11
- country 11
- interests 11
- best 11
- guidelines 11
- fines 11
- practices 11
- specific 11
Article 6
Lawfulness of processing
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
| (a) | the data subject has given consent to the processing of his or her personal_data for one or more specific purposes; |
| (b) | processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; |
| (c) | processing is necessary for compliance with a legal obligation to which the controller is subject; |
| (d) | processing is necessary in order to protect the vital interests of the data subject or of another natural person; |
| (e) | processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; |
| (f) | processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third_party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal_data, in particular where the data subject is a child. |
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.
3. The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:
| (a) | Union law; or |
| (b) | Member State law to which the controller is subject. |
The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal_data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.
4. Where the processing for a purpose other than that for which the personal_data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal_data are initially collected, take into account, inter alia:
| (a) | any link between the purposes for which the personal_data have been collected and the purposes of the intended further processing; |
| (b) | the context in which the personal_data have been collected, in particular regarding the relationship between data subjects and the controller; |
| (c) | the nature of the personal_data, in particular whether special categories of personal_data are processed, pursuant to Article 9, or whether personal_data related to criminal convictions and offences are processed, pursuant to Article 10; |
| (d) | the possible consequences of the intended further processing for data subjects; |
| (e) | the existence of appropriate safeguards, which may include encryption or pseudonymisation. |
Article 17
Right to erasure (‘right to be forgotten’)
1. The data subject shall have the right to obtain from the controller the erasure of personal_data concerning him or her without undue delay and the controller shall have the obligation to erase personal_data without undue delay where one of the following grounds applies:
| (a) | the personal_data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; |
| (b) | the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing; |
| (c) | the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); |
| (d) | the personal_data have been unlawfully processed; |
| (e) | the personal_data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; |
| (f) | the personal_data have been collected in relation to the offer of information_society_services referred to in Article 8(1). |
2. Where the controller has made the personal_data public and is obliged pursuant to paragraph 1 to erase the personal_data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal_data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal_data.
3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
| (a) | for exercising the right of freedom of expression and information; |
| (b) | for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; |
| (c) | for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3); |
| (d) | for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or |
| (e) | for the establishment, exercise or defence of legal claims. |
Article 22
Automated individual decision-making, including profiling
1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
2. Paragraph 1 shall not apply if the decision:
| (a) | is necessary for entering into, or performance of, a contract between the data subject and a data controller; |
| (b) | is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or |
| (c) | is based on the data subject's explicit consent. |
3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
4. Decisions referred to in paragraph 2 shall not be based on special categories of personal_data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.
Article 23
Restrictions
1. Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
| (a) | national security; |
| (b) | defence; |
| (c) | public security; |
| (d) | the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; |
| (e) | other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation a matters, public health and social security; |
| (f) | the protection of judicial independence and judicial proceedings; |
| (g) | the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions; |
| (h) | a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g); |
| (i) | the protection of the data subject or the rights and freedoms of others; |
| (j) | the enforcement of civil law claims. |
2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:
| (a) | the purposes of the processing or categories of processing; |
| (b) | the categories of personal_data; |
| (c) | the scope of the restrictions introduced; |
| (d) | the safeguards to prevent abuse or unlawful access or transfer; |
| (e) | the specification of the controller or categories of controllers; |
| (f) | the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing; |
| (g) | the risks to the rights and freedoms of data subjects; and |
| (h) | the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction. |
CHAPTER IV
Controller and processor
Article 34
Communication of a personal_data breach to the data subject
1. When the personal_data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal_data breach to the data subject without undue delay.
2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal_data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).
3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:
| (a) | the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal_data affected by the personal_data breach, in particular those that render the personal_data unintelligible to any person who is not authorised to access it, such as encryption; |
| (b) | the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise; |
| (c) | it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner. |
4. If the controller has not already communicated the personal_data breach to the data subject, the supervisory_authority, having considered the likelihood of the personal_data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.
Article 47
Binding corporate rules
1. The competent supervisory_authority shall approve binding_corporate_rules in accordance with the consistency mechanism set out in Article 63, provided that they:
| (a) | are legally binding and apply to and are enforced by every member concerned of the group_of_undertakings, or group of enterprises engaged in a joint economic activity, including their employees; |
| (b) | expressly confer enforceable rights on data subjects with regard to the processing of their personal_data; and |
| (c) | fulfil the requirements laid down in paragraph 2. |
2. The binding_corporate_rules referred to in paragraph 1 shall specify at least:
| (a) | the structure and contact details of the group_of_undertakings, or group of enterprises engaged in a joint economic activity and of each of its members; |
| (b) | the data transfers or set of transfers, including the categories of personal_data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question; |
| (c) | their legally binding nature, both internally and externally; |
| (d) | the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal_data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding_corporate_rules; |
| (e) | the rights of data subjects in regard to processing and the means to exercise those rights, including the right not to be subject to decisions based solely on automated processing, including profiling in accordance with Article 22, the right to lodge a complaint with the competent supervisory_authority and before the competent courts of the Member States in accordance with Article 79, and to obtain redress and, where appropriate, compensation for a breach of the binding_corporate_rules; |
| (f) | the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding_corporate_rules by any member concerned not established in the Union; the controller or the processor shall be exempt from that liability, in whole or in part, only if it proves that that member is not responsible for the event giving rise to the damage; |
| (g) | how the information on the binding_corporate_rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in addition to Articles 13 and 14; |
| (h) | the tasks of any data protection officer designated in accordance with Article 37 or any other person or entity in charge of the monitoring compliance with the binding_corporate_rules within the group_of_undertakings, or group of enterprises engaged in a joint economic activity, as well as monitoring training and complaint-handling; |
| (i) | the complaint procedures; |
| (j) | the mechanisms within the group_of_undertakings, or group of enterprises engaged in a joint economic activity for ensuring the verification of compliance with the binding_corporate_rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. Results of such verification should be communicated to the person or entity referred to in point (h) and to the board of the controlling undertaking of a group_of_undertakings, or of the group of enterprises engaged in a joint economic activity, and should be available upon request to the competent supervisory_authority; |
| (k) | the mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory_authority; |
| (l) | the cooperation mechanism with the supervisory_authority to ensure compliance by any member of the group_of_undertakings, or group of enterprises engaged in a joint economic activity, in particular by making available to the supervisory_authority the results of verifications of the measures referred to in point (j); |
| (m) | the mechanisms for reporting to the competent supervisory_authority any legal requirements to which a member of the group_of_undertakings, or group of enterprises engaged in a joint economic activity is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding_corporate_rules; and |
| (n) | the appropriate data protection training to personnel having permanent or regular access to personal_data. |
3. The Commission may specify the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding_corporate_rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).
Article 49
Derogations for specific situations
1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding_corporate_rules, a transfer or a set of transfers of personal_data to a third country or an international_organisation shall take place only on one of the following conditions:
| (a) | the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards; |
| (b) | the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request; |
| (c) | the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person; |
| (d) | the transfer is necessary for important reasons of public interest; |
| (e) | the transfer is necessary for the establishment, exercise or defence of legal claims; |
| (f) | the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; |
| (g) | the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case. |
Where a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding_corporate_rules, and none of the derogations for a specific situation referred to in the first subparagraph of this paragraph is applicable, a transfer to a third country or an international_organisation may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal_data. The controller shall inform the supervisory_authority of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and on the compelling legitimate interests pursued.
2. A transfer pursuant to point (g) of the first subparagraph of paragraph 1 shall not involve the entirety of the personal_data or entire categories of the personal_data contained in the register. Where the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.
3. points (a), (b) and (c) of the first subparagraph of paragraph 1 and the second subparagraph thereof shall not apply to activities carried out by public authorities in the exercise of their public powers.
4. The public interest referred to in point (d) of the first subparagraph of paragraph 1 shall be recognised in Union law or in the law of the Member State to which the controller is subject.
5. In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of personal_data to a third country or an international_organisation. Member States shall notify such provisions to the Commission.
6. The controller or processor shall document the assessment as well as the suitable safeguards referred to in the second subparagraph of paragraph 1 of this Article in the records referred to in Article 30.
Article 70
Tasks of the Board
1. The Board shall ensure the consistent application of this Regulation. To that end, the Board shall, on its own initiative or, where relevant, at the request of the Commission, in particular:
| (a) | monitor and ensure the correct application of this Regulation in the cases provided for in Articles 64 and 65 without prejudice to the tasks of national supervisory authorities; |
| (b) | advise the Commission on any issue related to the protection of personal_data in the Union, including on any proposed amendment of this Regulation; |
| (c) | advise the Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding_corporate_rules; |
| (d) | issue guidelines, recommendations, and best practices on procedures for erasing links, copies or replications of personal_data from publicly available communication services as referred to in Article 17(2); |
| (e) | examine, on its own initiative, on request of one of its members or on request of the Commission, any question covering the application of this Regulation and issue guidelines, recommendations and best practices in order to encourage consistent application of this Regulation; |
| (f) | issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for further specifying the criteria and conditions for decisions based on profiling pursuant to Article 22(2); |
| (g) | issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing the personal_data breaches and determining the undue delay referred to in Article 33(1) and (2) and for the particular circumstances in which a controller or a processor is required to notify the personal_data breach; |
| (h) | issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph as to the circumstances in which a personal_data breach is likely to result in a high risk to the rights and freedoms of the natural persons referred to in Article 34(1). |
| (i) | issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for personal_data transfers based on binding_corporate_rules adhered to by controllers and binding_corporate_rules adhered to by processors and on further necessary requirements to ensure the protection of personal_data of the data subjects concerned referred to in Article 47; |
| (j) | issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for the personal_data transfers on the basis of Article 49(1); |
| (k) | draw up guidelines for supervisory authorities concerning the application of measures referred to in Article 58(1), (2) and (3) and the setting of administrative fines pursuant to Article 83; |
| (l) | review the practical application of the guidelines, recommendations and best practices referred to in points (e) and (f); |
| (m) | issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing common procedures for reporting by natural persons of infringements of this Regulation pursuant to Article 54(2); |
| (n) | encourage the drawing-up of codes of conduct and the establishment of data protection certification mechanisms and data protection seals and marks pursuant to Articles 40 and 42; |
| (o) | carry out the accreditation of certification bodies and its periodic review pursuant to Article 43 and maintain a public register of accredited bodies pursuant to Article 43(6) and of the accredited controllers or processors established in third countries pursuant to Article 42(7); |
| (p) | specify the requirements referred to in Article 43(3) with a view to the accreditation of certification bodies under Article 42; |
| (q) | provide the Commission with an opinion on the certification requirements referred to in Article 43(8); |
| (r) | provide the Commission with an opinion on the icons referred to in Article 12(7); |
| (s) | provide the Commission with an opinion for the assessment of the adequacy of the level of protection in a third country or international_organisation, including for the assessment whether a third country, a territory or one or more specified sectors within that third country, or an international_organisation no longer ensures an adequate level of protection. To that end, the Commission shall provide the Board with all necessary documentation, including correspondence with the government of the third country, with regard to that third country, territory or specified sector, or with the international_organisation. |
| (t) | issue opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism referred to in Article 64(1), on matters submitted pursuant to Article 64(2) and to issue binding decisions pursuant to Article 65, including in cases referred to in Article 66; |
| (u) | promote the cooperation and the effective bilateral and multilateral exchange of information and best practices between the supervisory authorities; |
| (v) | promote common training programmes and facilitate personnel exchanges between the supervisory authorities and, where appropriate, with the supervisory authorities of third countries or with international_organisations; |
| (w) | promote the exchange of knowledge and documentation on data protection legislation and practice with data protection supervisory authorities worldwide. |
| (x) | issue opinions on codes of conduct drawn up at Union level pursuant to Article 40(9); and |
| (y) | maintain a publicly accessible electronic register of decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism. |
2. Where the Commission requests advice from the Board, it may indicate a time limit, taking into account the urgency of the matter.
3. The Board shall forward its opinions, guidelines, recommendations, and best practices to the Commission and to the committee referred to in Article 93 and make them public.
4. The Board shall, where appropriate, consult interested parties and give them the opportunity to comment within a reasonable period. The Board shall, without prejudice to Article 76, make the results of the consultation procedure publicly available.
Article 83
General conditions for imposing administrative fines
1. Each supervisory_authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.
2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
| (a) | the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them; |
| (b) | the intentional or negligent character of the infringement; |
| (c) | any action taken by the controller or processor to mitigate the damage suffered by data subjects; |
| (d) | the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32; |
| (e) | any relevant previous infringements by the controller or processor; |
| (f) | the degree of cooperation with the supervisory_authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement; |
| (g) | the categories of personal_data affected by the infringement; |
| (h) | the manner in which the infringement became known to the supervisory_authority, in particular whether, and if so to what extent, the controller or processor notified the infringement; |
| (i) | where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures; |
| (j) | adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and |
| (k) | any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement. |
3. If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.
4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
| (a) | the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43; |
| (b) | the obligations of the certification body pursuant to Articles 42 and 43; |
| (c) | the obligations of the monitoring body pursuant to Article 41(4). |
5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
| (a) | the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9; |
| (b) | the data subjects' rights pursuant to Articles 12 to 22; |
| (c) | the transfers of personal_data to a recipient in a third country or an international_organisation pursuant to Articles 44 to 49; |
| (d) | any obligations pursuant to Member State law adopted under Chapter IX; |
| (e) | non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory_authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1). |
6. Non-compliance with an order by the supervisory_authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
7. Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.
8. The exercise by the supervisory_authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process.
9. Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent supervisory_authority and imposed by competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. Those Member States shall notify to the Commission the provisions of their laws which they adopt pursuant to this paragraph by 25 May 2018 and, without delay, any subsequent amendment law or amendment affecting them.
Article 90
Obligations of secrecy
1. Member States may adopt specific rules to set out the powers of the supervisory authorities laid down in points (e) and (f) of Article 58(1) in relation to controllers or processors that are subject, under Union or Member State law or rules established by national competent bodies, to an obligation of professional secrecy or other equivalent obligations of secrecy where this is necessary and proportionate to reconcile the right of the protection of personal_data with the obligation of secrecy. Those rules shall apply only with regard to personal_data which the controller or processor has received as a result of or has obtained in an activity covered by that obligation of secrecy.
2. Each Member State shall notify to the Commission the rules adopted pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.
whereas
dal 2004 diritto e informatica