interactive GDPR 2016/0679 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- personal data
- processing
- restriction of processing
- profiling
- pseudonymisation
- filing system
- controller
- processor
- recipient
- third party
- consent
- personal data breach
- genetic data
- biometric data
- data concerning health
- main establishment
- representative
- enterprise
- group of undertakings
- binding corporate rules
- supervisory authority
- supervisory authority concerned
- cross-border processing
- relevant and reasoned objection
- information society service
- international organisation
- processing 39
- personal_data 30
- which 19
- controller 19
- subject 18
- article 17
- data 16
- shall 15
- purposes 10
- public 9
- necessary 8
- have 8
- legal 7
- protection 7
- referred 7
- union 6
- appropriate 6
- collected 6
- specific 6
- including 6
- interest 6
- compliance 5
- ensure 5
- take 5
- performance 5
- pursuant 5
- been 5
- measures 5
- particular 5
- purpose 5
- processed 5
- account 4
- security 4
- exercise 4
- authority 4
- carried 4
- international 4
- steps 4
- right 4
- legislation 4
- member state 4
- interests 4
- technical 4
- obligation 4
- freedoms 3
- processor 3
- chapter 3
- rights 3
- authorities 3
- access 3
Article 6
Lawfulness of processing
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
| (a) | the data subject has given consent to the processing of his or her personal_data for one or more specific purposes; |
| (b) | processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; |
| (c) | processing is necessary for compliance with a legal obligation to which the controller is subject; |
| (d) | processing is necessary in order to protect the vital interests of the data subject or of another natural person; |
| (e) | processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; |
| (f) | processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third_party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal_data, in particular where the data subject is a child. |
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX.
3. The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid down by:
| (a) | Union law; or |
| (b) | Member State law to which the controller is subject. |
The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to, and the purposes for which, the personal_data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. The Union or the Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.
4. Where the processing for a purpose other than that for which the personal_data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal_data are initially collected, take into account, inter alia:
| (a) | any link between the purposes for which the personal_data have been collected and the purposes of the intended further processing; |
| (b) | the context in which the personal_data have been collected, in particular regarding the relationship between data subjects and the controller; |
| (c) | the nature of the personal_data, in particular whether special categories of personal_data are processed, pursuant to Article 9, or whether personal_data related to criminal convictions and offences are processed, pursuant to Article 10; |
| (d) | the possible consequences of the intended further processing for data subjects; |
| (e) | the existence of appropriate safeguards, which may include encryption or pseudonymisation. |
Article 17
Right to erasure (‘right to be forgotten’)
1. The data subject shall have the right to obtain from the controller the erasure of personal_data concerning him or her without undue delay and the controller shall have the obligation to erase personal_data without undue delay where one of the following grounds applies:
| (a) | the personal_data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; |
| (b) | the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing; |
| (c) | the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); |
| (d) | the personal_data have been unlawfully processed; |
| (e) | the personal_data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; |
| (f) | the personal_data have been collected in relation to the offer of information_society_services referred to in Article 8(1). |
2. Where the controller has made the personal_data public and is obliged pursuant to paragraph 1 to erase the personal_data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal_data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal_data.
3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
| (a) | for exercising the right of freedom of expression and information; |
| (b) | for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; |
| (c) | for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3); |
| (d) | for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or |
| (e) | for the establishment, exercise or defence of legal claims. |
Article 32
Security of processing
1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
| (a) | the pseudonymisation and encryption of personal_data; |
| (b) | the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; |
| (c) | the ability to restore the availability and access to personal_data in a timely manner in the event of a physical or technical incident; |
| (d) | a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. |
2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal_data transmitted, stored or otherwise processed.
3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.
4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal_data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.
Article 50
International cooperation for the protection of personal_data
In relation to third countries and international_organisations, the Commission and supervisory authorities shall take appropriate steps to:
| (a) | develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal_data; |
| (b) | provide international mutual assistance in the enforcement of legislation for the protection of personal_data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal_data and other fundamental rights and freedoms; |
| (c) | engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal_data; |
| (d) | promote the exchange and documentation of personal_data protection legislation and practice, including on jurisdictional conflicts with third countries. |
CHAPTER VI
Independent supervisory authorities
whereas
dal 2004 diritto e informatica