interactive GDPR 2016/0679 EN

BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf

2016/0679 EN jump to: cercato: 'systematic' . Output generated live by software developed by IusOnDemand srl

index systematic:

3 Article 35 Data protection impact assessment

1 Article 37 Designation of the data protection officer

whereas systematic:

whereas (51) 1

whereas (91) 2

whereas (97) 1

definitions:

cloud tag:

and the number of total unique words without stopwords is: 229

Article 35

Data protection impact assessment

1. Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal_data. A single assessment may address a set of similar processing operations that present similar high risks.

2. The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.

3. A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:

(a)	a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;

(b)	processing on a large scale of special categories of data referred to in Article 9(1), or of personal_data relating to criminal convictions and offences referred to in Article 10; or

(c)	a systematic monitoring of a publicly accessible area on a large scale.

4. The supervisory_authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1. The supervisory_authority shall communicate those lists to the Board referred to in Article 68.

5. The supervisory_authority may also establish and make public a list of the kind of processing operations for which no data protection impact assessment is required. The supervisory_authority shall communicate those lists to the Board.

6. Prior to the adoption of the lists referred to in paragraphs 4 and 5, the competent supervisory_authority shall apply the consistency mechanism referred to in Article 63 where such lists involve processing activities which are related to the offering of goods or services to data subjects or to the monitoring of their behaviour in several Member States, or may substantially affect the free movement of personal_data within the Union.

7. The assessment shall contain at least:

(a)	a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;

(b)	an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

(c)	an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and

(d)	the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal_data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.

8. Compliance with approved codes of conduct referred to in Article 40 by the relevant controllers or processors shall be taken into due account in assessing the impact of the processing operations performed by such controllers or processors, in particular for the purposes of a data protection impact assessment.

9. Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.

10. Where processing pursuant to point (c) or (e) of Article 6(1) has a legal basis in Union law or in the law of the Member State to which the controller is subject, that law regulates the specific processing operation or set of operations in question, and a data protection impact assessment has already been carried out as part of a general impact assessment in the context of the adoption of that legal basis, paragraphs 1 to 7 shall not apply unless Member States deem it to be necessary to carry out such an assessment prior to processing activities.

11. Where necessary, the controller shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations.

Article 37

Designation of the data protection officer

1. The controller and the processor shall designate a data protection officer in any case where:

(a)	the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

(b)	the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

(c)	the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal_data relating to criminal convictions and offences referred to in Article 10.

2. A group_of_undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.

3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.

4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may or, where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.

5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.

6. The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.

7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory_authority.

whereas

(51) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms.
Those personal_data should include personal_data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races.
The processing of photographs should not systematically be considered to be processing of special categories of personal_data as they are covered by the definition of biometric_data only when processed through a specific technical means allowing the unique identification or authentication of a natural person.
Such personal_data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member States law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing.
Derogations from the general prohibition for processing such special categories of personal_data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.

- = -

(91) This should in particular apply to large-scale processing operations which aim to process a considerable amount of personal_data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk, for example, on account of their sensitivity, where in accordance with the achieved state of technological knowledge a new technology is used on a large scale as well as to other processing operations which result in a high risk to the rights and freedoms of data subjects, in particular where those operations render it more difficult for data subjects to exercise their rights.
A data protection impact assessment should also be made where personal_data are processed for taking decisions regarding specific natural persons following any systematic and extensive evaluation of personal aspects relating to natural persons based on profiling those data or following the processing of special categories of personal_data, biometric_data, or data on criminal convictions and offences or related security measures.
A data protection impact assessment is equally required for monitoring publicly accessible areas on a large scale, especially when using optic-electronic devices or for any other operations where the competent supervisory_authority considers that the processing is likely to result in a high risk to the rights and freedoms of data subjects, in particular because they prevent data subjects from exercising a right or using a service or a contract, or because they are carried out systematically on a large scale.
The processing of personal_data should not be considered to be on a large scale if the processing concerns personal_data from patients or clients by an individual physician, other health care professional or lawyer.
In such cases, a data protection impact assessment should not be mandatory.

- = -

(97) Where the processing is carried out by a public authority, except for courts or independent judicial authorities when acting in their judicial capacity, where, in the private sector, processing is carried out by a controller whose core activities consist of processing operations that require regular and systematic monitoring of the data subjects on a large scale, or where the core activities of the controller or the processor consist of processing on a large scale of special categories of personal_data and data relating to criminal convictions and offences, a person with expert knowledge of data protection law and practices should assist the controller or processor to monitor internal compliance with this Regulation.
In the private sector, the core activities of a controller relate to its primary activities and do not relate to the processing of personal_data as ancillary activities.
The necessary level of expert knowledge should be determined in particular according to the data processing operations carried out and the protection required for the personal_data processed by the controller or the processor.
Such data protection officers, whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner.

- = -

dal 2004 diritto e informatica