interactive GDPR 2016/0679 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- personal data
- processing
- restriction of processing
- profiling
- pseudonymisation
- filing system
- controller
- processor
- recipient
- third party
- consent
- personal data breach
- genetic data
- biometric data
- data concerning health
- main establishment
- representative
- enterprise
- group of undertakings
- binding corporate rules
- supervisory authority
- supervisory authority concerned
- cross-border processing
- relevant and reasoned objection
- information society service
- international organisation
- controller 28
- personal_data 23
- data 22
- processing 22
- shall 21
- article 19
- referred 17
- processor 16
- subject 14
- have 12
- article 11
- pursuant 11
- order 9
- categories 9
- supervisory_authority 8
- certification 8
- including 8
- applicable 8
- third 8
- regulation 7
- issue 7
- the 7
- each 7
- erasure 6
- representative 6
- accordance 6
- international_organisation 6
- right 6
- country 6
- recipients 6
- possible 5
- rectification 5
- protection 5
- information 5
- following 5
- provisions 4
- from 4
- obtain 4
- been 4
- such 4
- record 4
- each 4
- transfers 4
- safeguards 4
- appropriate 4
- case 4
- provide 4
- whom 4
- disclosed 4
- access 4
Article 15
Right of access by the data subject
1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal_data concerning him or her are being processed, and, where that is the case, access to the personal_data and the following information:
| (a) | the purposes of the processing; |
| (b) | the categories of personal_data concerned; |
| (c) | the recipients or categories of recipient to whom the personal_data have been or will be disclosed, in particular recipients in third countries or international_organisations; |
| (d) | where possible, the envisaged period for which the personal_data will be stored, or, if not possible, the criteria used to determine that period; |
| (e) | the existence of the right to request from the controller rectification or erasure of personal_data or restriction of processing of personal_data concerning the data subject or to object to such processing; |
| (f) | the right to lodge a complaint with a supervisory_authority; |
| (g) | where the personal_data are not collected from the data subject, any available information as to their source; |
| (h) | the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. |
2. Where personal_data are transferred to a third country or to an international_organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
3. The controller shall provide a copy of the personal_data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
Article 19
Notification obligation regarding rectification or erasure of personal_data or restriction of processing
The controller shall communicate any rectification or erasure of personal_data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal_data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
Article 30
Records of processing activities
1. Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
| (a) | the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer; |
| (b) | the purposes of the processing; |
| (c) | a description of the categories of data subjects and of the categories of personal_data; |
| (d) | the categories of recipients to whom the personal_data have been or will be disclosed including recipients in third countries or international_organisations; |
| (e) | where applicable, transfers of personal_data to a third country or an international_organisation, including the identification of that third country or international_organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards; |
| (f) | where possible, the envisaged time limits for erasure of the different categories of data; |
| (g) | where possible, a general description of the technical and organisational security measures referred to in Article 32(1). |
2. Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
| (a) | the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer; |
| (b) | the categories of processing carried out on behalf of each controller; |
| (c) | where applicable, transfers of personal_data to a third country or an international_organisation, including the identification of that third country or international_organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards; |
| (d) | where possible, a general description of the technical and organisational security measures referred to in Article 32(1). |
3. The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
4. The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory_authority on request.
5. The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal_data relating to criminal convictions and offences referred to in Article 10.
Article 58
Powers
1. Each supervisory_authority shall have all of the following investigative powers:
| (a) | to order the controller and the processor, and, where applicable, the controller's or the processor's representative to provide any information it requires for the performance of its tasks; |
| (b) | to carry out investigations in the form of data protection audits; |
| (c) | to carry out a review on certifications issued pursuant to Article 42(7); |
| (d) | to notify the controller or the processor of an alleged infringement of this Regulation; |
| (e) | to obtain, from the controller and the processor, access to all personal_data and to all information necessary for the performance of its tasks; |
| (f) | to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law. |
2. Each supervisory_authority shall have all of the following corrective powers:
| (a) | to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation; |
| (b) | to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation; |
| (c) | to order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation; |
| (d) | to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period; |
| (e) | to order the controller to communicate a personal_data breach to the data subject; |
| (f) | to impose a temporary or definitive limitation including a ban on processing; |
| (g) | to order the rectification or erasure of personal_data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal_data have been disclosed pursuant to Article 17(2) and Article 19; |
| (h) | to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met; |
| (i) | to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case; |
| (j) | to order the suspension of data flows to a recipient in a third country or to an international_organisation. |
3. Each supervisory_authority shall have all of the following authorisation and advisory powers:
| (a) | to advise the controller in accordance with the prior consultation procedure referred to in Article 36; |
| (b) | to issue, on its own initiative or on request, opinions to the national parliament, the Member State government or, in accordance with Member State law, to other institutions and bodies as well as to the public on any issue related to the protection of personal_data; |
| (c) | to authorise processing referred to in Article 36(5), if the law of the Member State requires such prior authorisation; |
| (d) | to issue an opinion and approve draft codes of conduct pursuant to Article 40(5); |
| (e) | to accredit certification bodies pursuant to Article 43; |
| (f) | to issue certifications and approve criteria of certification in accordance with Article 42(5); |
| (g) | to adopt standard data protection clauses referred to in Article 28(8) and in point (d) of Article 46(2); |
| (h) | to authorise contractual clauses referred to in point (a) of Article 46(3); |
| (i) | to authorise administrative arrangements referred to in point (b) of Article 46(3); |
| (j) | to approve binding_corporate_rules pursuant to Article 47. |
4. The exercise of the powers conferred on the supervisory_authority pursuant to this Article shall be subject to appropriate safeguards, including effective judicial remedy and due process, set out in Union and Member State law in accordance with the Charter.
5. Each Member State shall provide by law that its supervisory_authority shall have the power to bring infringements of this Regulation to the attention of the judicial authorities and where appropriate, to commence or engage otherwise in legal proceedings, in order to enforce the provisions of this Regulation.
6. Each Member State may provide by law that its supervisory_authority shall have additional powers to those referred to in paragraphs 1, 2 and 3. The exercise of those powers shall not impair the effective operation of Chapter VII.
whereas
dal 2004 diritto e informatica