interactive GDPR 2016/0679 EN

1. This Regulation applies to the processing of personal_data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

2. This Regulation applies to the processing of personal_data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a)	the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b)	the monitoring of their behaviour as far as their behaviour takes place within the Union.

3. This Regulation applies to the processing of personal_data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

Article 4

Definitions

For the purposes of this Regulation:

(1)

‘ personal_data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(2)

‘ processing’ means any operation or set of operations which is performed on personal_data or on sets of personal_data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

(3)	‘restriction of processing’ means the marking of stored personal_data with the aim of limiting their processing in the future;

(4)

‘ profiling’ means any form of automated processing of personal_data consisting of the use of personal_data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

(5)

‘ pseudonymisation’ means the processing of personal_data in such a manner that the personal_data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal_data are not attributed to an identified or identifiable natural person;

(6)	‘ filing_system’ means any structured set of personal_data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

(7)

‘ controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal_data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

(8)	‘ processor’ means a natural or legal person, public authority, agency or other body which processes personal_data on behalf of the controller;

(9)

‘ recipient’ means a natural or legal person, public authority, agency or another body, to which the personal_data are disclosed, whether a third_party or not. However, public authorities which may receive personal_data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;

(10)	‘ third_party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal_data;

(11)	‘ consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal_data relating to him or her;

(12)	‘ personal_data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal_data transmitted, stored or otherwise processed;

(13)

‘ genetic_data’ means personal_data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

(14)	‘ biometric_data’ means personal_data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;

(15)	‘ data_concerning_health’ means personal_data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

(16)

‘ main_establishment’ means:

(a)

as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal_data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main_establishment;

(b)

as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;

(17)	‘ representative’ means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;

(18)	‘ enterprise’ means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;

(19)	‘ group_of_undertakings’ means a controlling undertaking and its controlled undertakings;

(20)

‘ binding_corporate_rules’ means personal_data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal_data to a controller or processor in one or more third countries within a group_of_undertakings, or group of enterprises engaged in a joint economic activity;

(21)	‘ supervisory_authority’ means an independent public authority which is established by a Member State pursuant to Article 51;

(22)

‘ supervisory_authority concerned’ means a supervisory_authority which is concerned by the processing of personal_data because:

(a)	the controller or processor is established on the territory of the Member State of that supervisory_authority;

(b)	data subjects residing in the Member State of that supervisory_authority are substantially affected or likely to be substantially affected by the processing; or

(c)	a complaint has been lodged with that supervisory_authority;

(23)

‘cross-border processing’ means either:

(a)	processing of personal_data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or

(b)	processing of personal_data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

(24)

‘ relevant_and_reasoned_objection’ means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal_data within the Union;

(25)	‘ information_society_service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council (19);

(26)	‘ international_organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

CHAPTER II

Principles

Article 9

Processing of special categories of personal_data

1. Processing of personal_data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic_data, biometric_data for the purpose of uniquely identifying a natural person, data_concerning_health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

2. Paragraph 1 shall not apply if one of the following applies:

(a)	the data subject has given explicit consent to the processing of those personal_data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

(b)

processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

(c)	processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

(d)

processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal_data are not disclosed outside that body without the consent of the data subjects;

(e)	processing relates to personal_data which are manifestly made public by the data subject;

(f)	processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

(g)

processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

(h)

processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

(i)

processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

(j)

processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic_data, biometric_data or data_concerning_health.

Article 14

Information to be provided where personal_data have not been obtained from the data subject

1. Where personal_data have not been obtained from the data subject, the controller shall provide the data subject with the following information:

(a)	the identity and the contact details of the controller and, where applicable, of the controller's representative;

(b)	the contact details of the data protection officer, where applicable;

(c)	the purposes of the processing for which the personal_data are intended as well as the legal basis for the processing;

(d)	the categories of personal_data concerned;

(e)	the recipients or categories of recipients of the personal_data, if any;

(f)

where applicable, that the controller intends to transfer personal_data to a recipient in a third country or international_organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.

2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:

(a)	the period for which the personal_data will be stored, or if that is not possible, the criteria used to determine that period;

(b)	where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third_party;

(c)	the existence of the right to request from the controller access to and rectification or erasure of personal_data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability;

(d)	where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

(e)	the right to lodge a complaint with a supervisory_authority;

(f)	from which source the personal_data originate, and if applicable, whether it came from publicly accessible sources;

(g)	the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

3. The controller shall provide the information referred to in paragraphs 1 and 2:

(a)	within a reasonable period after obtaining the personal_data, but at the latest within one month, having regard to the specific circumstances in which the personal_data are processed;

(b)	if the personal_data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or

(c)	if a disclosure to another recipient is envisaged, at the latest when the personal_data are first disclosed.

4. Where the controller intends to further process the personal_data for a purpose other than that for which the personal_data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.

5. Paragraphs 1 to 4 shall not apply where and insofar as:

(a)	the data subject already has the information;

(b)

the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available;

(c)	obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests; or

(d)	where the personal_data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.

Article 23

Restrictions

1. Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

(a)	national security;

(b)

defence;

(c)	public security;

(d)	the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;

(e)	other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation a matters, public health and social security;

(f)	the protection of judicial independence and judicial proceedings;

(g)	the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

(h)	a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);

(i)	the protection of the data subject or the rights and freedoms of others;

(j)	the enforcement of civil law claims.

2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:

(a)	the purposes of the processing or categories of processing;

(b)	the categories of personal_data;

(c)	the scope of the restrictions introduced;

(d)	the safeguards to prevent abuse or unlawful access or transfer;

(e)	the specification of the controller or categories of controllers;

(f)	the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;

(g)	the risks to the rights and freedoms of data subjects; and

(h)	the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.

CHAPTER IV

Controller and processor

Section 1

General obligations

Article 26

Joint controllers

1. Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.

2. The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject.

3. Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.

Article 28

Processor

1. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

2. The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

3. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal_data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:

(a)

processes the personal_data only on documented instructions from the controller, including with regard to transfers of personal_data to a third country or an international_organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

(b)	ensures that persons authorised to process the personal_data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(c)	takes all measures required pursuant to Article 32;

(d)	respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;

(e)	taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;

(f)	assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;

(g)	at the choice of the controller, deletes or returns all the personal_data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal_data;

(h)	makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.

4. Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.

5. Adherence of a processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article.

6. Without prejudice to an individual contract between the controller and the processor, the contract or the other legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on standard contractual clauses referred to in paragraphs 7 and 8 of this Article, including when they are part of a certification granted to the controller or processor pursuant to Articles 42 and 43.

7. The Commission may lay down standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the examination procedure referred to in Article 93(2).

8. A supervisory_authority may adopt standard contractual clauses for the matters referred to in paragraph 3 and 4 of this Article and in accordance with the consistency mechanism referred to in Article 63.

9. The contract or the other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form.

10. Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.

Article 36

Prior consultation

1. The controller shall consult the supervisory_authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.

2. Where the supervisory_authority is of the opinion that the intended processing referred to in paragraph 1 would infringe this Regulation, in particular where the controller has insufficiently identified or mitigated the risk, the supervisory_authority shall, within period of up to eight weeks of receipt of the request for consultation, provide written advice to the controller and, where applicable to the processor, and may use any of its powers referred to in Article 58. That period may be extended by six weeks, taking into account the complexity of the intended processing. The supervisory_authority shall inform the controller and, where applicable, the processor, of any such extension within one month of receipt of the request for consultation together with the reasons for the delay. Those periods may be suspended until the supervisory_authority has obtained information it has requested for the purposes of the consultation.

3. When consulting the supervisory_authority pursuant to paragraph 1, the controller shall provide the supervisory_authority with:

(a)	where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group_of_undertakings;

(b)	the purposes and means of the intended processing;

(c)	the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to this Regulation;

(d)	where applicable, the contact details of the data protection officer;

(e)	the data protection impact assessment provided for in Article 35; and

(f)	any other information requested by the supervisory_authority.

4. Member States shall consult the supervisory_authority during the preparation of a proposal for a legislative measure to be adopted by a national parliament, or of a regulatory measure based on such a legislative measure, which relates to processing.

5. Notwithstanding paragraph 1, Member State law may require controllers to consult with, and obtain prior authorisation from, the supervisory_authority in relation to processing by a controller for the performance of a task carried out by the controller in the public interest, including processing in relation to social protection and public health.

Section 4

Data protection officer

Article 43

Certification bodies

1. Without prejudice to the tasks and powers of the competent supervisory_authority under Articles 57 and 58, certification bodies which have an appropriate level of expertise in relation to data protection shall, after informing the supervisory_authority in order to allow it to exercise its powers pursuant to point (h) of Article 58(2) where necessary, issue and renew certification. Member States shall ensure that those certification bodies are accredited by one or both of the following:

(a)	the supervisory_authority which is competent pursuant to Article 55 or 56;

(b)

the national accreditation body named in accordance with Regulation (EC) No 765/2008 of the European Parliament and of the Council (20) in accordance with EN-ISO/IEC 17065/2012 and with the additional requirements established by the supervisory_authority which is competent pursuant to Article 55 or 56.

2. Certification bodies referred to in paragraph 1 shall be accredited in accordance with that paragraph only where they have:

(a)	demonstrated their independence and expertise in relation to the subject-matter of the certification to the satisfaction of the competent supervisory_authority;

(b)	undertaken to respect the criteria referred to in Article 42(5) and approved by the supervisory_authority which is competent pursuant to Article 55 or 56 or by the Board pursuant to Article 63;

(c)	established procedures for the issuing, periodic review and withdrawal of data protection certification, seals and marks;

(d)

established procedures and structures to handle complaints about infringements of the certification or the manner in which the certification has been, or is being, implemented by the controller or processor, and to make those procedures and structures transparent to data subjects and the public; and

(e)	demonstrated, to the satisfaction of the competent supervisory_authority, that their tasks and duties do not result in a conflict of interests.

3. The accreditation of certification bodies as referred to in paragraphs 1 and 2 of this Article shall take place on the basis of criteria approved by the supervisory_authority which is competent pursuant to Article 55 or 56 or by the Board pursuant to Article 63. In the case of accreditation pursuant to point (b) of paragraph 1 of this Article, those requirements shall complement those envisaged in Regulation (EC) No 765/2008 and the technical rules that describe the methods and procedures of the certification bodies.

4. The certification bodies referred to in paragraph 1 shall be responsible for the proper assessment leading to the certification or the withdrawal of such certification without prejudice to the responsibility of the controller or processor for compliance with this Regulation. The accreditation shall be issued for a maximum period of five years and may be renewed on the same conditions provided that the certification body meets the requirements set out in this Article.

5. The certification bodies referred to in paragraph 1 shall provide the competent supervisory authorities with the reasons for granting or withdrawing the requested certification.

6. The requirements referred to in paragraph 3 of this Article and the criteria referred to in Article 42(5) shall be made public by the supervisory_authority in an easily accessible form. The supervisory authorities shall also transmit those requirements and criteria to the Board. The Board shall collate all certification mechanisms and data protection seals in a register and shall make them publicly available by any appropriate means.

7. Without prejudice to Chapter VIII, the competent supervisory_authority or the national accreditation body shall revoke an accreditation of a certification body pursuant to paragraph 1 of this Article where the conditions for the accreditation are not, or are no longer, met or where actions taken by a certification body infringe this Regulation.

8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of specifying the requirements to be taken into account for the data protection certification mechanisms referred to in Article 42(1).

9. The Commission may adopt implementing acts laying down technical standards for certification mechanisms and data protection seals and marks, and mechanisms to promote and recognise those certification mechanisms, seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

CHAPTER V

Transfers of personal_data to third countries or international_organisations

Article 45

Transfers on the basis of an adequacy decision

1. A transfer of personal_data to a third country or an international_organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international_organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.

2. When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:

(a)

the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal_data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal_data to another third country or international_organisation which are complied with in that country or international_organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal_data are being transferred;

(b)

the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international_organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States; and

(c)

the international commitments the third country or international_organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal_data.

3. The Commission, after assessing the adequacy of the level of protection, may decide, by means of implementing act, that a third country, a territory or one or more specified sectors within a third country, or an international_organisation ensures an adequate level of protection within the meaning of paragraph 2 of this Article. The implementing act shall provide for a mechanism for a periodic review, at least every four years, which shall take into account all relevant developments in the third country or international_organisation. The implementing act shall specify its territorial and sectoral application and, where applicable, identify the supervisory_authority or authorities referred to in point (b) of paragraph 2 of this Article. The implementing act shall be adopted in accordance with the examination procedure referred to in Article 93(2).

4. The Commission shall, on an ongoing basis, monitor developments in third countries and international_organisations that could affect the functioning of decisions adopted pursuant to paragraph 3 of this Article and decisions adopted on the basis of Article 25(6) of Directive 95/46/EC.

5. The Commission shall, where available information reveals, in particular following the review referred to in paragraph 3 of this Article, that a third country, a territory or one or more specified sectors within a third country, or an international_organisation no longer ensures an adequate level of protection within the meaning of paragraph 2 of this Article, to the extent necessary, repeal, amend or suspend the decision referred to in paragraph 3 of this Article by means of implementing acts without retro-active effect. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

On duly justified imperative grounds of urgency, the Commission shall adopt immediately applicable implementing acts in accordance with the procedure referred to in Article 93(3).

6. The Commission shall enter into consultations with the third country or international_organisation with a view to remedying the situation giving rise to the decision made pursuant to paragraph 5.

7. A decision pursuant to paragraph 5 of this Article is without prejudice to transfers of personal_data to the third country, a territory or one or more specified sectors within that third country, or the international_organisation in question pursuant to Articles 46 to 49.

8. The Commission shall publish in the Official Journal of the European Union and on its website a list of the third countries, territories and specified sectors within a third country and international_organisations for which it has decided that an adequate level of protection is or is no longer ensured.

9. Decisions adopted by the Commission on the basis of Article 25(6) of Directive 95/46/EC shall remain in force until amended, replaced or repealed by a Commission Decision adopted in accordance with paragraph 3 or 5 of this Article.

Article 47

Binding corporate rules

1. The competent supervisory_authority shall approve binding_corporate_rules in accordance with the consistency mechanism set out in Article 63, provided that they:

(a)	are legally binding and apply to and are enforced by every member concerned of the group_of_undertakings, or group of enterprises engaged in a joint economic activity, including their employees;

(b)	expressly confer enforceable rights on data subjects with regard to the processing of their personal_data; and

(c)	fulfil the requirements laid down in paragraph 2.

2. The binding_corporate_rules referred to in paragraph 1 shall specify at least:

(a)	the structure and contact details of the group_of_undertakings, or group of enterprises engaged in a joint economic activity and of each of its members;

(b)	the data transfers or set of transfers, including the categories of personal_data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;

(c)	their legally binding nature, both internally and externally;

(d)

the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal_data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding_corporate_rules;

(e)

the rights of data subjects in regard to processing and the means to exercise those rights, including the right not to be subject to decisions based solely on automated processing, including profiling in accordance with Article 22, the right to lodge a complaint with the competent supervisory_authority and before the competent courts of the Member States in accordance with Article 79, and to obtain redress and, where appropriate, compensation for a breach of the binding_corporate_rules;

(f)

the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding_corporate_rules by any member concerned not established in the Union; the controller or the processor shall be exempt from that liability, in whole or in part, only if it proves that that member is not responsible for the event giving rise to the damage;

(g)	how the information on the binding_corporate_rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph is provided to the data subjects in addition to Articles 13 and 14;

(h)

the tasks of any data protection officer designated in accordance with Article 37 or any other person or entity in charge of the monitoring compliance with the binding_corporate_rules within the group_of_undertakings, or group of enterprises engaged in a joint economic activity, as well as monitoring training and complaint-handling;

(i)	the complaint procedures;

(j)

the mechanisms within the group_of_undertakings, or group of enterprises engaged in a joint economic activity for ensuring the verification of compliance with the binding_corporate_rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. Results of such verification should be communicated to the person or entity referred to in point (h) and to the board of the controlling undertaking of a group_of_undertakings, or of the group of enterprises engaged in a joint economic activity, and should be available upon request to the competent supervisory_authority;

(k)	the mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory_authority;

(l)

the cooperation mechanism with the supervisory_authority to ensure compliance by any member of the group_of_undertakings, or group of enterprises engaged in a joint economic activity, in particular by making available to the supervisory_authority the results of verifications of the measures referred to in point (j);

(m)

the mechanisms for reporting to the competent supervisory_authority any legal requirements to which a member of the group_of_undertakings, or group of enterprises engaged in a joint economic activity is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding_corporate_rules; and

(n)	the appropriate data protection training to personnel having permanent or regular access to personal_data.

3. The Commission may specify the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding_corporate_rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).

Article 65

Dispute resolution by the Board

1. In order to ensure the correct and consistent application of this Regulation in individual cases, the Board shall adopt a binding decision in the following cases:

(a)

where, in a case referred to in Article 60(4), a supervisory_authority concerned has raised a relevant_and_reasoned_objection to a draft decision of the lead authority or the lead authority has rejected such an objection as being not relevant or reasoned. The binding decision shall concern all the matters which are the subject of the relevant_and_reasoned_objection, in particular whether there is an infringement of this Regulation;

(b)	where there are conflicting views on which of the supervisory authorities concerned is competent for the main_establishment;

(c)

where a competent supervisory_authority does not request the opinion of the Board in the cases referred to in Article 64(1), or does not follow the opinion of the Board issued under Article 64. In that case, any supervisory_authority concerned or the Commission may communicate the matter to the Board.

2. The decision referred to in paragraph 1 shall be adopted within one month from the referral of the subject-matter by a two-thirds majority of the members of the Board. That period may be extended by a further month on account of the complexity of the subject-matter. The decision referred to in paragraph 1 shall be reasoned and addressed to the lead supervisory_authority and all the supervisory authorities concerned and binding on them.

3. Where the Board has been unable to adopt a decision within the periods referred to in paragraph 2, it shall adopt its decision within two weeks following the expiration of the second month referred to in paragraph 2 by a simple majority of the members of the Board. Where the members of the Board are split, the decision shall by adopted by the vote of its Chair.

4. The supervisory authorities concerned shall not adopt a decision on the subject matter submitted to the Board under paragraph 1 during the periods referred to in paragraphs 2 and 3.

5. The Chair of the Board shall notify, without undue delay, the decision referred to in paragraph 1 to the supervisory authorities concerned. It shall inform the Commission thereof. The decision shall be published on the website of the Board without delay after the supervisory_authority has notified the final decision referred to in paragraph 6.

6. The lead supervisory_authority or, as the case may be, the supervisory_authority with which the complaint has been lodged shall adopt its final decision on the basis of the decision referred to in paragraph 1 of this Article, without undue delay and at the latest by one month after the Board has notified its decision. The lead supervisory_authority or, as the case may be, the supervisory_authority with which the complaint has been lodged, shall inform the Board of the date when its final decision is notified respectively to the controller or the processor and to the data subject. The final decision of the supervisory authorities concerned shall be adopted under the terms of Article 60(7), (8) and (9). The final decision shall refer to the decision referred to in paragraph 1 of this Article and shall specify that the decision referred to in that paragraph will be published on the website of the Board in accordance with paragraph 5 of this Article. The final decision shall attach the decision referred to in paragraph 1 of this Article.

Article 68

European Data Protection Board

1. The European Data Protection Board (the ‘Board’) is hereby established as a body of the Union and shall have legal personality.

2. The Board shall be represented by its Chair.

3. The Board shall be composed of the head of one supervisory_authority of each Member State and of the European Data Protection Supervisor, or their respective representatives.

4. Where in a Member State more than one supervisory_authority is responsible for monitoring the application of the provisions pursuant to this Regulation, a joint representative shall be appointed in accordance with that Member State's law.

5. The Commission shall have the right to participate in the activities and meetings of the Board without voting right. The Commission shall designate a representative. The Chair of the Board shall communicate to the Commission the activities of the Board.

6. In the cases referred to in Article 65, the European Data Protection Supervisor shall have voting rights only on decisions which concern principles and rules applicable to the Union institutions, bodies, offices and agencies which correspond in substance to those of this Regulation.

Article 83

General conditions for imposing administrative fines

1. Each supervisory_authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.

2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:

(a)	the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

(b)	the intentional or negligent character of the infringement;

(c)	any action taken by the controller or processor to mitigate the damage suffered by data subjects;

(d)	the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;

(e)	any relevant previous infringements by the controller or processor;

(f)	the degree of cooperation with the supervisory_authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

(g)	the categories of personal_data affected by the infringement;

(h)	the manner in which the infringement became known to the supervisory_authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

(i)	where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;

(j)	adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

(k)	any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

3. If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.

4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

(a)	the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;

(b)	the obligations of the certification body pursuant to Articles 42 and 43;

(c)	the obligations of the monitoring body pursuant to Article 41(4).

5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

(a)	the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;

(b)	the data subjects' rights pursuant to Articles 12 to 22;

(c)	the transfers of personal_data to a recipient in a third country or an international_organisation pursuant to Articles 44 to 49;

(d)	any obligations pursuant to Member State law adopted under Chapter IX;

(e)	non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory_authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).

6. Non-compliance with an order by the supervisory_authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

7. Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.

8. The exercise by the supervisory_authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process.

9. Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent supervisory_authority and imposed by competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. Those Member States shall notify to the Commission the provisions of their laws which they adopt pursuant to this paragraph by 25 May 2018 and, without delay, any subsequent amendment law or amendment affecting them.

Article 88

Processing in the context of employment

1. Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees' personal_data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of employer's or customer's property and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.

2. Those rules shall include suitable and specific measures to safeguard the data subject's human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal_data within a group_of_undertakings, or a group of enterprises engaged in a joint economic activity and monitoring systems at the work place.

3. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.

Article 89

Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

1. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.

2. Where personal_data are processed for scientific or historical research purposes or statistical purposes, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18 and 21 subject to the conditions and safeguards referred to in paragraph 1 of this Article in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.

3. Where personal_data are processed for archiving purposes in the public interest, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18, 19, 20 and 21 subject to the conditions and safeguards referred to in paragraph 1 of this Article in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.

4. Where processing referred to in paragraphs 2 and 3 serves at the same time another purpose, the derogations shall apply only to processing for the purposes referred to in those paragraphs.

whereas

(2) The principles of, and rules on the protection of natural persons with regard to the processing of their personal_data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal_data.
This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons.

- = -

(3) Directive 95/46/EC of the European Parliament and of the Council (4) seeks to harmonise the protection of fundamental rights and freedoms of natural persons in respect of processing activities and to ensure the free flow of personal_data between Member States.

- = -

(4) The processing of personal_data should be designed to serve mankind.
The right to the protection of personal_data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.
This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal_data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.

- = -

(22) Any processing of personal_data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union.
Establishment implies the effective and real exercise of activity through stable arrangements.
The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.

- = -

(23) In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal_data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment.
In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.
Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.

- = -

(39) Any processing of personal_data should be lawful and fair.
It should be transparent to natural persons that personal_data concerning them are collected, used, consulted or otherwise processed and to what extent the personal_data are or will be processed.
The principle of transparency requires that any information and communication relating to the processing of those personal_data be easily accessible and easy to understand, and that clear and plain language be used.
That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal_data concerning them which are being processed.
Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal_data and how to exercise their rights in relation to such processing.
In particular, the specific purposes for which personal_data are processed should be explicit and legitimate and determined at the time of the collection of the personal_data.
The personal_data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed.
This requires, in particular, ensuring that the period for which the personal_data are stored is limited to a strict minimum.
Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means.
In order to ensure that the personal_data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.
Every reasonable step should be taken to ensure that personal_data which are inaccurate are rectified or deleted.
Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal_data, including for preventing unauthorised access to or use of personal_data and the equipment used for the processing.

- = -

(51) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms.
Those personal_data should include personal_data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races.
The processing of photographs should not systematically be considered to be processing of special categories of personal_data as they are covered by the definition of biometric_data only when processed through a specific technical means allowing the unique identification or authentication of a natural person.
Such personal_data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member States law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing.
Derogations from the general prohibition for processing such special categories of personal_data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.

- = -

(53) Special categories of personal_data which merit higher protection should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social care services and systems, including processing by the management and central national health authorities of such data for the purpose of quality control, management information and the general national and local supervision of the health or social care system, and ensuring continuity of health or social care and cross-border healthcare or health security, monitoring and alert purposes, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, based on Union or Member State law which has to meet an objective of public interest, as well as for studies conducted in the public interest in the area of public health.
Therefore, this Regulation should provide for harmonised conditions for the processing of special categories of personal_data concerning health, in respect of specific needs, in particular where the processing of such data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy.
Union or Member State law should provide for specific and suitable measures so as to protect the fundamental rights and the personal_data of natural persons.
Member States should be allowed to maintain or introduce further conditions, including limitations, with regard to the processing of genetic_data, biometric_data or data_concerning_health.
However, this should not hamper the free flow of personal_data within the Union when those conditions apply to cross-border processing of such data.

- = -

(80) Where a controller or a processor not established in the Union is processing personal_data of data subjects who are in the Union whose processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union, or to the monitoring of their behaviour as far as their behaviour takes place within the Union, the controller or the processor should designate a representative, unless the processing is occasional, does not include processing, on a large scale, of special categories of personal_data or the processing of personal_data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing or if the controller is a public authority or body.
The representative should act on behalf of the controller or the processor and may be addressed by any supervisory_authority.
The representative should be explicitly designated by a written mandate of the controller or of the processor to act on its behalf with regard to its obligations under this Regulation.
The designation of such a representative does not affect the responsibility or liability of the controller or of the processor under this Regulation.
Such a representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation.
The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.

- = -

(81) To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing.
The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller.
The carrying-out of processing by a processor should be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal_data and categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk to the rights and freedoms of the data subject.
The controller and processor may choose to use an individual contract or standard contractual clauses which are adopted either directly by the Commission or by a supervisory_authority in accordance with the consistency mechanism and then adopted by the Commission.
After the completion of the processing on behalf of the controller, the processor should, at the choice of the controller, return or delete the personal_data, unless there is a requirement to store the personal_data under Union or Member State law to which the processor is subject.

- = -

(86) The controller should communicate to the data subject a personal_data breach, without undue delay, where that personal_data breach is likely to result in a high risk to the rights and freedoms of the natural person in order to allow him or her to take the necessary precautions.
The communication should describe the nature of the personal_data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects.
Such communications to data subjects should be made as soon as reasonably feasible and in close cooperation with the supervisory_authority, respecting guidance provided by it or by other relevant authorities such as law-enforcement authorities.
For example, the need to mitigate an immediate risk of damage would call for prompt communication with data subjects whereas the need to implement appropriate measures against continuing or similar personal_data breaches may justify more time for communication.

- = -

(104) In line with the fundamental values on which the Union is founded, in particular the protection of human rights, the Commission should, in its assessment of the third country, or of a territory or specified sector within a third country, take into account how a particular third country respects the rule of law, access to justice as well as international human rights norms and standards and its general and sectoral law, including legislation concerning public security, defence and national security as well as public order and criminal law.
The adoption of an adequacy decision with regard to a territory or a specified sector in a third country should take into account clear and objective criteria, such as specific processing activities and the scope of applicable legal standards and legislation in force in the third country.
The third country should offer guarantees ensuring an adequate level of protection essentially equivalent to that ensured within the Union, in particular where personal_data are processed in one or several specific sectors.
In particular, the third country should ensure effective independent data protection supervision and should provide for cooperation mechanisms with the Member States' data protection authorities, and the data subjects should be provided with effective and enforceable rights and effective administrative and judicial redress.

- = -

(129) In order to ensure consistent monitoring and enforcement of this Regulation throughout the Union, the supervisory authorities should have in each Member State the same tasks and effective powers, including powers of investigation, corrective powers and sanctions, and authorisation and advisory powers, in particular in cases of complaints from natural persons, and without prejudice to the powers of prosecutorial authorities under Member State law, to bring infringements of this Regulation to the attention of the judicial authorities and engage in legal proceedings.
Such powers should also include the power to impose a temporary or definitive limitation, including a ban, on processing.
Member States may specify other tasks related to the protection of personal_data under this Regulation.
The powers of supervisory authorities should be exercised in accordance with appropriate procedural safeguards set out in Union and Member State law, impartially, fairly and within a reasonable time.
In particular each measure should be appropriate, necessary and proportionate in view of ensuring compliance with this Regulation, taking into account the circumstances of each individual case, respect the right of every person to be heard before any individual measure which would affect him or her adversely is taken and avoid superfluous costs and excessive inconveniences for the persons concerned.
Investigatory powers as regards access to premises should be exercised in accordance with specific requirements in Member State procedural law, such as the requirement to obtain a prior judicial authorisation.
Each legally binding measure of the supervisory_authority should be in writing, be clear and unambiguous, indicate the supervisory_authority which has issued the measure, the date of issue of the measure, bear the signature of the head, or a member of the supervisory_authority authorised by him or her, give the reasons for the measure, and refer to the right of an effective remedy.
This should not preclude additional requirements pursuant to Member State procedural law.
The adoption of a legally binding decision implies that it may give rise to judicial review in the Member State of the supervisory_authority that adopted the decision.

- = -

(139) In order to promote the consistent application of this Regulation, the Board should be set up as an independent body of the Union.
To fulfil its objectives, the Board should have legal personality.
The Board should be represented by its Chair.
It should replace the Working Party on the Protection of Individuals with Regard to the Processing of Personal Data established by Directive 95/46/EC.
It should consist of the head of a supervisory_authority of each Member State and the European Data Protection Supervisor or their respective representatives.
The Commission should participate in the Board's activities without voting rights and the European Data Protection Supervisor should have specific voting rights.
The Board should contribute to the consistent application of this Regulation throughout the Union, including by advising the Commission, in particular on the level of protection in third countries or international_organisations, and promoting cooperation of the supervisory authorities throughout the Union.
The Board should act independently when performing its tasks.

- = -

(165) This Regulation respects and does not prejudice the status under existing constitutional law of churches and religious associations or communities in the Member States, as recognised in Article 17 TFEU.

- = -

(166) In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal_data and to ensure the free movement of personal_data within the Union, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission.
In particular, delegated acts should be adopted in respect of criteria and requirements for certification mechanisms, information to be presented by standardised icons and procedures for providing such icons.
It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level.
The Commission, when preparing and drawing-up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and to the Council.

- = -

dal 2004 diritto e informatica