interactive GDPR 2016/0679 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- personal data
- processing
- restriction of processing
- profiling
- pseudonymisation
- filing system
- controller
- processor
- recipient
- third party
- consent
- personal data breach
- genetic data
- biometric data
- data concerning health
- main establishment
- representative
- enterprise
- group of undertakings
- binding corporate rules
- supervisory authority
- supervisory authority concerned
- cross-border processing
- relevant and reasoned objection
- information society service
- international organisation
- data 38
- shall 33
- personal_data 32
- subject 29
- processing 25
- controller 24
- certification 22
- which 20
- referred 20
- article 18
- information 17
- article 17
- consent 15
- supervisory_authority 12
- provide 10
- from 9
- right 9
- competent 9
- pursuant 9
- paragraph 8
- bodies 8
- based 8
- the 8
- existence 8
- accreditation 7
- such 7
- applicable 7
- point 7
- further 7
- protection 7
- well 7
- requirements 6
- period 6
- appropriate 6
- time 6
- have 6
- criteria 6
- withdrawal 6
- whether 5
- necessary 5
- purposes 5
- including 5
- interests 5
- been 5
- purpose 5
- obtained 5
- where 5
- body 5
- regulation 5
- mechanisms 5
Article 7
Conditions for consent
1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal_data.
2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal_data that is not necessary for the performance of that contract.
Article 13
Information to be provided where personal_data are collected from the data subject
1. Where personal_data relating to a data subject are collected from the data subject, the controller shall, at the time when personal_data are obtained, provide the data subject with all of the following information:
| (a) | the identity and the contact details of the controller and, where applicable, of the controller's representative; |
| (b) | the contact details of the data protection officer, where applicable; |
| (c) | the purposes of the processing for which the personal_data are intended as well as the legal basis for the processing; |
| (d) | where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third_party; |
| (e) | the recipients or categories of recipients of the personal_data, if any; |
| (f) | where applicable, the fact that the controller intends to transfer personal_data to a third country or international_organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available. |
2. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal_data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:
| (a) | the period for which the personal_data will be stored, or if that is not possible, the criteria used to determine that period; |
| (b) | the existence of the right to request from the controller access to and rectification or erasure of personal_data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability; |
| (c) | where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal; |
| (d) | the right to lodge a complaint with a supervisory_authority; |
| (e) | whether the provision of personal_data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal_data and of the possible consequences of failure to provide such data; |
| (f) | the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. |
3. Where the controller intends to further process the personal_data for a purpose other than that for which the personal_data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.
4. Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.
Article 14
Information to be provided where personal_data have not been obtained from the data subject
1. Where personal_data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
| (a) | the identity and the contact details of the controller and, where applicable, of the controller's representative; |
| (b) | the contact details of the data protection officer, where applicable; |
| (c) | the purposes of the processing for which the personal_data are intended as well as the legal basis for the processing; |
| (d) | the categories of personal_data concerned; |
| (e) | the recipients or categories of recipients of the personal_data, if any; |
| (f) | where applicable, that the controller intends to transfer personal_data to a recipient in a third country or international_organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available. |
2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:
| (a) | the period for which the personal_data will be stored, or if that is not possible, the criteria used to determine that period; |
| (b) | where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third_party; |
| (c) | the existence of the right to request from the controller access to and rectification or erasure of personal_data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability; |
| (d) | where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal; |
| (e) | the right to lodge a complaint with a supervisory_authority; |
| (f) | from which source the personal_data originate, and if applicable, whether it came from publicly accessible sources; |
| (g) | the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. |
3. The controller shall provide the information referred to in paragraphs 1 and 2:
| (a) | within a reasonable period after obtaining the personal_data, but at the latest within one month, having regard to the specific circumstances in which the personal_data are processed; |
| (b) | if the personal_data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or |
| (c) | if a disclosure to another recipient is envisaged, at the latest when the personal_data are first disclosed. |
4. Where the controller intends to further process the personal_data for a purpose other than that for which the personal_data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.
5. Paragraphs 1 to 4 shall not apply where and insofar as:
| (a) | the data subject already has the information; |
| (b) | the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available; |
| (c) | obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests; or |
| (d) | where the personal_data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy. |
Article 43
Certification bodies
1. Without prejudice to the tasks and powers of the competent supervisory_authority under Articles 57 and 58, certification bodies which have an appropriate level of expertise in relation to data protection shall, after informing the supervisory_authority in order to allow it to exercise its powers pursuant to point (h) of Article 58(2) where necessary, issue and renew certification. Member States shall ensure that those certification bodies are accredited by one or both of the following:
| (a) | the supervisory_authority which is competent pursuant to Article 55 or 56; |
| (b) | the national accreditation body named in accordance with Regulation (EC) No 765/2008 of the European Parliament and of the Council (20) in accordance with EN-ISO/IEC 17065/2012 and with the additional requirements established by the supervisory_authority which is competent pursuant to Article 55 or 56. |
2. Certification bodies referred to in paragraph 1 shall be accredited in accordance with that paragraph only where they have:
| (a) | demonstrated their independence and expertise in relation to the subject-matter of the certification to the satisfaction of the competent supervisory_authority; |
| (b) | undertaken to respect the criteria referred to in Article 42(5) and approved by the supervisory_authority which is competent pursuant to Article 55 or 56 or by the Board pursuant to Article 63; |
| (c) | established procedures for the issuing, periodic review and withdrawal of data protection certification, seals and marks; |
| (d) | established procedures and structures to handle complaints about infringements of the certification or the manner in which the certification has been, or is being, implemented by the controller or processor, and to make those procedures and structures transparent to data subjects and the public; and |
| (e) | demonstrated, to the satisfaction of the competent supervisory_authority, that their tasks and duties do not result in a conflict of interests. |
3. The accreditation of certification bodies as referred to in paragraphs 1 and 2 of this Article shall take place on the basis of criteria approved by the supervisory_authority which is competent pursuant to Article 55 or 56 or by the Board pursuant to Article 63. In the case of accreditation pursuant to point (b) of paragraph 1 of this Article, those requirements shall complement those envisaged in Regulation (EC) No 765/2008 and the technical rules that describe the methods and procedures of the certification bodies.
4. The certification bodies referred to in paragraph 1 shall be responsible for the proper assessment leading to the certification or the withdrawal of such certification without prejudice to the responsibility of the controller or processor for compliance with this Regulation. The accreditation shall be issued for a maximum period of five years and may be renewed on the same conditions provided that the certification body meets the requirements set out in this Article.
5. The certification bodies referred to in paragraph 1 shall provide the competent supervisory authorities with the reasons for granting or withdrawing the requested certification.
6. The requirements referred to in paragraph 3 of this Article and the criteria referred to in Article 42(5) shall be made public by the supervisory_authority in an easily accessible form. The supervisory authorities shall also transmit those requirements and criteria to the Board. The Board shall collate all certification mechanisms and data protection seals in a register and shall make them publicly available by any appropriate means.
7. Without prejudice to Chapter VIII, the competent supervisory_authority or the national accreditation body shall revoke an accreditation of a certification body pursuant to paragraph 1 of this Article where the conditions for the accreditation are not, or are no longer, met or where actions taken by a certification body infringe this Regulation.
8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of specifying the requirements to be taken into account for the data protection certification mechanisms referred to in Article 42(1).
9. The Commission may adopt implementing acts laying down technical standards for certification mechanisms and data protection seals and marks, and mechanisms to promote and recognise those certification mechanisms, seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).
CHAPTER V
Transfers of personal_data to third countries or international_organisations
whereas
dal 2004 diritto e informatica