interactive GDPR 2016/0679 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- personal data
- processing
- restriction of processing
- profiling
- pseudonymisation
- filing system
- controller
- processor
- recipient
- third party
- consent
- personal data breach
- genetic data
- biometric data
- data concerning health
- main establishment
- representative
- enterprise
- group of undertakings
- binding corporate rules
- supervisory authority
- supervisory authority concerned
- cross-border processing
- relevant and reasoned objection
- information society service
- international organisation
- european 24
- council 22
- parliament 20
- regulation 17
- processing 17
- personal_data 16
- union 12
- shall 11
- this 10
- competent 10
- code 9
- article 9
- supervisory_authority 8
- data 8
- regulation 8
- directive 7
- protection 7
- body 7
- public 7
- which 6
- such 6
- controller 6
- applies 6
- rules 6
- free 5
- //ec 5
- referred 5
- natural 5
- regard 5
- movement 5
- processor 5
- apply 4
- journal 4
- directive 4
- april 4
- repealing 4
- accreditation 4
- persons 4
- criminal 4
- established 4
- official 4
- electronic 4
- scope 4
- no / 4
- subjects 3
- bodies 3
- information 3
- prejudice 3
- application 3
- procedures 3
Article 1
Subject-matter and objectives
1. this Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal_data and rules relating to the free movement of personal_data.
2. this Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal_data.
3. The free movement of personal_data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal_data.
Article 2
Material scope
1. this Regulation applies to the processing of personal_data wholly or partly by automated means and to the processing other than by automated means of personal_data which form part of a filing_system or are intended to form part of a filing_system.
2. this Regulation does not apply to the processing of personal_data:
| (a) | in the course of an activity which falls outside the scope of Union law; |
| (b) | by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU; |
| (c) | by a natural person in the course of a purely personal or household activity; |
| (d) | by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. |
3. For the processing of personal_data by the Union institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 applies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal_data shall be adapted to the principles and rules of this Regulation in accordance with Article 98.
4. this Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.
Article 3
Territorial scope
1. this Regulation applies to the processing of personal_data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. this Regulation applies to the processing of personal_data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
| (a) | the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or |
| (b) | the monitoring of their behaviour as far as their behaviour takes place within the Union. |
3. this Regulation applies to the processing of personal_data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
Article 41
Monitoring of approved codes of conduct
1. Without prejudice to the tasks and powers of the competent supervisory_authority under Articles 57 and 58, the monitoring of compliance with a code of conduct pursuant to Article 40 may be carried out by a body which has an appropriate level of expertise in relation to the subject-matter of the code and is accredited for that purpose by the competent supervisory_authority.
2. A body as referred to in paragraph 1 may be accredited to monitor compliance with a code of conduct where that body has:
| (a) | demonstrated its independence and expertise in relation to the subject-matter of the code to the satisfaction of the competent supervisory_authority; |
| (b) | established procedures which allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation; |
| (c) | established procedures and structures to handle complaints about infringements of the code or the manner in which the code has been, or is being, implemented by a controller or processor, and to make those procedures and structures transparent to data subjects and the public; and |
| (d) | demonstrated to the satisfaction of the competent supervisory_authority that its tasks and duties do not result in a conflict of interests. |
3. The competent supervisory_authority shall submit the draft criteria for accreditation of a body as referred to in paragraph 1 of this Article to the Board pursuant to the consistency mechanism referred to in Article 63.
4. Without prejudice to the tasks and powers of the competent supervisory_authority and the provisions of Chapter VIII, a body as referred to in paragraph 1 of this Article shall, subject to appropriate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. It shall inform the competent supervisory_authority of such actions and the reasons for taking them.
5. The competent supervisory_authority shall revoke the accreditation of a body as referred to in paragraph 1 if the conditions for accreditation are not, or are no longer, met or where actions taken by the body infringe this Regulation.
6. this Article shall not apply to processing carried out by public authorities and bodies.
Article 99
Entry into force and application
1. this Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
2. It shall apply from 25 May 2018.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 27 April 2016.
For the European Parliament
The President
M. SCHULZ
For the Council
The President
J.A. HENNIS-PLASSCHAERT
(1) OJ C 229, 31.7.2012, p. 90.
(2) OJ C 391, 18.12.2012, p. 127.
(3) Position of the European Parliament of 12 March 2014 (not yet published in the Official Journal) and position of the Council at first reading of 8 April 2016 (not yet published in the Official Journal). Position of the European Parliament of 14 April 2016.
(4) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal_data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31).
(5) Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (C(2003) 1422) (OJ L 124, 20.5.2003, p. 36).
(6) Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal_data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1).
(7) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal_data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data and repealing Council Framework Decision 2008/977/JHA (see page 89 of this Official Journal).
(8) Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information_society_services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’) (OJ L 178, 17.7.2000, p. 1).
(9) Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients' rights in cross-border healthcare (OJ L 88, 4.4.2011, p. 45).
(10) Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts (OJ L 95, 21.4.1993, p. 29).
(11) Regulation (EC) No 1338/2008 of the European Parliament and of the Council of 16 December 2008 on Community statistics on public health and health and safety at work (OJ L 354, 31.12.2008, p. 70).
(12) Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission's exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).
(13) Regulation (EU) No 1215/2012 of the European Parliament and of the Council of 12 December 2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters (OJ L 351, 20.12.2012, p. 1).
(14) Directive 2003/98/EC of the European Parliament and of the Council of 17 November 2003 on the re-use of public sector information (OJ L 345, 31.12.2003, p. 90).
(15) Regulation (EU) No 536/2014 of the European Parliament and of the Council of 16 April 2014 on clinical trials on medicinal products for human use, and repealing Directive 2001/20/EC (OJ L 158, 27.5.2014, p. 1).
(16) Regulation (EC) No 223/2009 of the European Parliament and of the Council of 11 March 2009 on European statistics and repealing Regulation (EC, Euratom) No 1101/2008 of the European Parliament and of the Council on the transmission of data subject to statistical confidentiality to the Statistical Office of the European Communities, Council Regulation (EC) No 322/97 on Community Statistics, and Council Decision 89/382/EEC, Euratom establishing a Committee on the Statistical Programmes of the European Communities (OJ L 87, 31.3.2009, p. 164).
(17) OJ C 192, 30.6.2012, p. 7.
(18) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal_data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37).
(19) Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services (OJ L 241, 17.9.2015, p. 1).
(20) Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93 (OJ L 218, 13.8.2008, p. 30).
(21) Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43).
whereas
dal 2004 diritto e informatica