interactive GDPR 2016/0679 EN

BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf

2016/0679 EN jump to: cercato: 'requires' . Output generated live by software developed by IusOnDemand srl

index requires:

1 Article 17 Right to erasure (‘right to be forgotten’)

1 Article 28 Processor

whereas requires:

definitions:

cloud tag:

and the number of total unique words without stopwords is: 381

Article 17

Right to erasure (‘right to be forgotten’)

1. The data subject shall have the right to obtain from the controller the erasure of personal_data concerning him or her without undue delay and the controller shall have the obligation to erase personal_data without undue delay where one of the following grounds applies:

(a)	the personal_data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b)	the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

(c)	the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

(d)	the personal_data have been unlawfully processed;

(e)	the personal_data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

(f)	the personal_data have been collected in relation to the offer of information_society_services referred to in Article 8(1).

2. Where the controller has made the personal_data public and is obliged pursuant to paragraph 1 to erase the personal_data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal_data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal_data.

3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

(a)	for exercising the right of freedom of expression and information;

(b)	for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(c)	for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);

(d)

for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

(e)	for the establishment, exercise or defence of legal claims.

Article 28

Processor

1. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

2. The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

3. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal_data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:

(a)

processes the personal_data only on documented instructions from the controller, including with regard to transfers of personal_data to a third country or an international_organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

(b)	ensures that persons authorised to process the personal_data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(c)	takes all measures required pursuant to Article 32;

(d)	respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;

(e)	taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;

(f)	assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;

(g)	at the choice of the controller, deletes or returns all the personal_data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal_data;

(h)	makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.

4. Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.

5. Adherence of a processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article.

6. Without prejudice to an individual contract between the controller and the processor, the contract or the other legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on standard contractual clauses referred to in paragraphs 7 and 8 of this Article, including when they are part of a certification granted to the controller or processor pursuant to Articles 42 and 43.

7. The Commission may lay down standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the examination procedure referred to in Article 93(2).

8. A supervisory_authority may adopt standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the consistency mechanism referred to in Article 63.

9. The contract or the other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form.

10. Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.

Article 58

Powers

1. Each supervisory_authority shall have all of the following investigative powers:

(a)	to order the controller and the processor, and, where applicable, the controller's or the processor's representative to provide any information it requires for the performance of its tasks;

(b)	to carry out investigations in the form of data protection audits;

(c)	to carry out a review on certifications issued pursuant to Article 42(7);

(d)	to notify the controller or the processor of an alleged infringement of this Regulation;

(e)	to obtain, from the controller and the processor, access to all personal_data and to all information necessary for the performance of its tasks;

(f)	to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law.

2. Each supervisory_authority shall have all of the following corrective powers:

(a)	to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;

(b)	to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;

(c)	to order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation;

(d)	to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;

(e)	to order the controller to communicate a personal_data breach to the data subject;

(f)	to impose a temporary or definitive limitation including a ban on processing;

(g)	to order the rectification or erasure of personal_data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal_data have been disclosed pursuant to Article 17(2) and Article 19;

(h)	to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;

(i)	to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;

(j)	to order the suspension of data flows to a recipient in a third country or to an international_organisation.

3. Each supervisory_authority shall have all of the following authorisation and advisory powers:

(a)	to advise the controller in accordance with the prior consultation procedure referred to in Article 36;

(b)	to issue, on its own initiative or on request, opinions to the national parliament, the Member State government or, in accordance with Member State law, to other institutions and bodies as well as to the public on any issue related to the protection of personal_data;

(c)	to authorise processing referred to in Article 36(5), if the law of the Member State requires such prior authorisation;

(d)	to issue an opinion and approve draft codes of conduct pursuant to Article 40(5);

(e)	to accredit certification bodies pursuant to Article 43;

(f)	to issue certifications and approve criteria of certification in accordance with Article 42(5);

(g)	to adopt standard data protection clauses referred to in Article 28(8) and in point (d) of Article 46(2);

(h)	to authorise contractual clauses referred to in point (a) of Article 46(3);

(i)	to authorise administrative arrangements referred to in point (b) of Article 46(3);

(j)	to approve binding_corporate_rules pursuant to Article 47.

4. The exercise of the powers conferred on the supervisory_authority pursuant to this Article shall be subject to appropriate safeguards, including effective judicial remedy and due process, set out in Union and Member State law in accordance with the Charter.

5. Each Member State shall provide by law that its supervisory_authority shall have the power to bring infringements of this Regulation to the attention of the judicial authorities and where appropriate, to commence or engage otherwise in legal proceedings, in order to enforce the provisions of this Regulation.

6. Each Member State may provide by law that its supervisory_authority shall have additional powers to those referred to in paragraphs 1, 2 and 3. The exercise of those powers shall not impair the effective operation of Chapter VII.

whereas

(11) Effective protection of personal_data throughout the Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal_data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal_data and equivalent sanctions for infringements in the Member States.

- = -

(13) In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal_data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal_data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States.
The proper functioning of the internal market requires that the free movement of personal_data within the Union is not restricted or prohibited for reasons connected with the protection of natural persons with regard to the processing of personal_data.
To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping.
In addition, the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation.
The notion of micro, small and medium-sized enterprises should draw from Article 2 of the Annex to Commission Recommendation 2003/361/EC (5).

- = -

(39) Any processing of personal_data should be lawful and fair.
It should be transparent to natural persons that personal_data concerning them are collected, used, consulted or otherwise processed and to what extent the personal_data are or will be processed.
The principle of transparency requires that any information and communication relating to the processing of those personal_data be easily accessible and easy to understand, and that clear and plain language be used.
That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal_data concerning them which are being processed.
Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal_data and how to exercise their rights in relation to such processing.
In particular, the specific purposes for which personal_data are processed should be explicit and legitimate and determined at the time of the collection of the personal_data.
The personal_data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed.
This requires, in particular, ensuring that the period for which the personal_data are stored is limited to a strict minimum.
Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means.
In order to ensure that the personal_data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.
Every reasonable step should be taken to ensure that personal_data which are inaccurate are rectified or deleted.
Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal_data, including for preventing unauthorised access to or use of personal_data and the equipment used for the processing.

- = -

(56) Where in the course of electoral activities, the operation of the democratic system in a Member State requires that political parties compile personal_data on people's political opinions, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are established.

- = -

(58) The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used.
Such information could be provided in electronic form, for example, when addressed to the public, through a website.
This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal_data relating to him or her are being collected, such as in the case of online advertising.
Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.

- = -

(79) The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processors, also in relation to the monitoring by and measures of supervisory authorities, requires a clear allocation of the responsibilities under this Regulation, including where a controller determines the purposes and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller.

- = -

(141) Every data subject should have the right to lodge a complaint with a single supervisory_authority, in particular in the Member State of his or her habitual residence, and the right to an effective judicial remedy in accordance with Article 47 of the Charter if the data subject considers that his or her rights under this Regulation are infringed or where the supervisory_authority does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject.
The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case.
The supervisory_authority should inform the data subject of the progress and the outcome of the complaint within a reasonable period.
If the case requires further investigation or coordination with another supervisory_authority, intermediate information should be given to the data subject.
In order to facilitate the submission of complaints, each supervisory_authority should take measures such as providing a complaint submission form which can also be completed electronically, without excluding other means of communication.

- = -

dal 2004 diritto e informatica