interactive GDPR 2016/0679 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- personal data
- processing
- restriction of processing
- profiling
- pseudonymisation
- filing system
- controller
- processor
- recipient
- third party
- consent
- personal data breach
- genetic data
- biometric data
- data concerning health
- main establishment
- representative
- enterprise
- group of undertakings
- binding corporate rules
- supervisory authority
- supervisory authority concerned
- cross-border processing
- relevant and reasoned objection
- information society service
- international organisation
- pursuant 18
- article 18
- shall 16
- processor 13
- controller 13
- supervisory_authority 13
- administrative 12
- data 11
- referred 10
- fines 10
- infringement 9
- article 9
- case 7
- subject 7
- appropriate 7
- safeguards 7
- accordance 7
- effective 6
- subjects 6
- third 6
- country 5
- enforceable 5
- provisions 5
- approved 5
- authorities 5
- rights 5
- imposed 5
- adopted 5
- commission 5
- financial 4
- total 4
- personal_data 4
- articles 4
- measures 4
- fine 4
- each 4
- processing 4
- member state 4
- paragraph 4
- including 4
- the 4
- provided 4
- obligations 4
- paragraph 4
- bodies 3
- them 3
- member 3
- preceding 3
- public 3
- turnover 3
Article 46
Transfers subject to appropriate safeguards
1. In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal_data to a third country or an international_organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
2. The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory_authority, by:
| (a) | a legally binding and enforceable instrument between public authorities or bodies; |
| (b) | binding_corporate_rules in accordance with Article 47; |
| (c) | standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2); |
| (d) | standard data protection clauses adopted by a supervisory_authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2); |
| (e) | an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or |
| (f) | an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights. |
3. Subject to the authorisation from the competent supervisory_authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:
| (a) | contractual clauses between the controller or processor and the controller, processor or the recipient of the personal_data in the third country or international_organisation; or |
| (b) | provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights. |
4. The supervisory_authority shall apply the consistency mechanism referred to in Article 63 in the cases referred to in paragraph 3 of this Article.
5. Authorisations by a Member State or supervisory_authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed, if necessary, by that supervisory_authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed, if necessary, by a Commission Decision adopted in accordance with paragraph 2 of this Article.
Article 76
Confidentiality
1. The discussions of the Board shall be confidential where the Board deems it necessary, as provided for in its rules of procedure.
2. Access to documents submitted to members of the Board, experts and representatives of third parties shall be governed by Regulation (EC) No 1049/2001 of the European Parliament and of the Council (21).
CHAPTER VIII
remedies, liability and penalties
Article 83
General conditions for imposing administrative fines
1. Each supervisory_authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.
2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
| (a) | the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them; |
| (b) | the intentional or negligent character of the infringement; |
| (c) | any action taken by the controller or processor to mitigate the damage suffered by data subjects; |
| (d) | the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32; |
| (e) | any relevant previous infringements by the controller or processor; |
| (f) | the degree of cooperation with the supervisory_authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement; |
| (g) | the categories of personal_data affected by the infringement; |
| (h) | the manner in which the infringement became known to the supervisory_authority, in particular whether, and if so to what extent, the controller or processor notified the infringement; |
| (i) | where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures; |
| (j) | adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and |
| (k) | any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement. |
3. If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.
4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
| (a) | the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43; |
| (b) | the obligations of the certification body pursuant to Articles 42 and 43; |
| (c) | the obligations of the monitoring body pursuant to Article 41(4). |
5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
| (a) | the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9; |
| (b) | the data subjects' rights pursuant to Articles 12 to 22; |
| (c) | the transfers of personal_data to a recipient in a third country or an international_organisation pursuant to Articles 44 to 49; |
| (d) | any obligations pursuant to Member State law adopted under Chapter IX; |
| (e) | non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory_authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1). |
6. Non-compliance with an order by the supervisory_authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
7. Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.
8. The exercise by the supervisory_authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process.
9. Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent supervisory_authority and imposed by competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. Those Member States shall notify to the Commission the provisions of their laws which they adopt pursuant to this paragraph by 25 May 2018 and, without delay, any subsequent amendment law or amendment affecting them.
whereas
dal 2004 diritto e informatica