GDPR – Privacy

 

REGULATIONS

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

of 27 April 2016

on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

(Text with EEA relevance)

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof,
Having regard to the proposal from the European Commission,
After transmission of the draft legislative act to the national parliaments,
Having regard to the opinion of the European Economic and Social Committee (1),
Having regard to the opinion of the Committee of the Regions (2),
Acting in accordance with the ordinary legislative procedure (3),
Whereas:

(1) The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the "Charter") and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her.

(2) The principles of, and rules on, the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data. This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and convergence of the economies within the internal market, and to the well-being of natural persons.

(3) Directive 95/46/EC of the European Parliament and of the Council (4) seeks to harmonise the protection of fundamental rights and freedoms of natural persons in respect of processing activities and to ensure the free flow of personal data between Member States.

(1) OJ C 229, 31.7.2012, p. 90.
(2) OJ C 391, 18.12.2012, p. 127.
(3) Position of the European Parliament of 12 March 2014 (not yet published in the Official Journal) and position of the Council at first reading of 8 April 2016 (not yet published in the Official Journal). Position of the European Parliament of 14 April 2016.
(4) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31).

Official Journal of the European Union 4.5.2016

(4) The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.

(5) The economic and social integration resulting from the functioning of the internal market has led to a substantial increase in cross-border flows of personal data. The exchange of personal data between public and private actors, including natural persons, associations and undertakings across the Union, has increased. National authorities in the Member States are being called upon by Union law to cooperate and exchange personal data so as to be able to perform their duties or carry out tasks on behalf of an authority in another Member State.

(6) Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of protection of personal data.

(7) Those developments require a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal market. Natural persons should have control of their own personal data. Legal and practical certainty for natural persons, economic operators and public authorities should be enhanced.

(8) Where this Regulation provides for specifications or restrictions of its rules by Member State law, Member States may, as far as necessary for coherence and for making the national provisions comprehensible to the persons to whom they apply, incorporate elements of this Regulation into their national law.

(9) The objectives and principles of Directive 95/46/EC remain sound, but it has not prevented fragmentation in the implementation of data protection across the Union, legal uncertainty or a widespread public perception that there are significant risks to the protection of natural persons, in particular with regard to online activity. Differences in the level of protection of the rights and freedoms of natural persons, in particular the right to the protection of personal data, with regard to the processing of personal data in the Member States may prevent the free flow of personal data throughout the Union. Those differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law. Such a difference in levels of protection is due to the existence of differences in the implementation and application of Directive 95/46/EC.

(10) In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. Regarding the processing of personal data for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation. In conjunction with the general and horizontal law on data protection implementing Directive 95/46/EC, Member States have several sector-specific laws in areas that need more specific provisions. This Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data ("sensitive data"). To that extent, this Regulation does not exclude Member State law that sets out the circumstances for specific processing situations, including determining more precisely the conditions under which the processing of personal data is lawful.


(11) Effective protection of personal data throughout the Union requires the strengthening and setting out in detail of the rights of data subjects and the obligations of those who process and determine the processing of personal data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for infringements in the Member States.

(12) Article 16(2) TFEU mandates the European Parliament and the Council to lay down the rules relating to the protection of natural persons with regard to the processing of personal data and the rules relating to the free movement of personal data.

(13) In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences hampering the free movement of personal data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide natural persons in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective cooperation between the supervisory authorities of different Member States. The proper functioning of the internal market requires that the free movement of personal data within the Union is not restricted or prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data. To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping. In addition, the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. The notion of micro, small and medium-sized enterprises should draw from Article 2 of the Annex to Commission Recommendation 2003/361/EC (1).

(14) The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.

(15) In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system. Files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation.

(16) This Regulation does not apply to issues of protection of fundamental rights and freedoms or the free flow of personal data related to activities which fall outside the scope of Union law, such as activities concerning national security. This Regulation does not apply to the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union.

(17) Regulation (EC) No 45/2001 of the European Parliament and of the Council (2) applies to the processing of personal data by the Union institutions, bodies, offices and agencies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data should be adapted to the principles and rules established in this Regulation and applied in the light of this Regulation. In order to provide a strong and coherent data protection framework in the Union, the necessary adaptations of Regulation (EC) No 45/2001 should follow after the adoption of this Regulation, in order to allow application at the same time as this Regulation.
(18) This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.

(1) Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (C(2003) 1422) (OJ L 124, 20.5.2003, p. 36).
(2) Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1).

(19) The protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, and the free movement of such data, is the subject of a specific Union legal act. This Regulation should therefore not apply to processing activities for those purposes. However, personal data processed by public authorities under this Regulation should, when used for those purposes, be governed by a more specific Union legal act, namely Directive (EU) 2016/680 of the European Parliament and of the Council (1). Member States may entrust competent authorities within the meaning of Directive (EU) 2016/680 with tasks which are not necessarily carried out for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and prevention of threats to public security, so that the processing of personal data for those other purposes, in so far as it is within the scope of Union law, falls within the scope of this Regulation.

With regard to the processing of personal data by those competent authorities for purposes falling within the scope of this Regulation, Member States should be able to maintain or introduce more specific provisions to adapt the application of the rules of this Regulation. Such provisions may determine more precisely specific requirements for the processing of personal data by those competent authorities for those other purposes, taking into account the constitutional, organisational and administrative structure of the respective Member State. When the processing of personal data by private bodies falls within the scope of this Regulation, this Regulation should provide for the possibility for Member States under specific conditions to restrict by law certain obligations and rights when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard specific important interests including public security and the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. This is relevant, for instance, in the framework of anti-money laundering or the activities of forensic laboratories.

(20) While this Regulation applies, inter alia, to the activities of courts and other judicial authorities, Union or Member State law could specify the processing operations and processing procedures in relation to the processing of personal data by courts and other judicial authorities. The competence of the supervisory authorities should not cover the processing of personal data when courts are acting in their judicial capacity, in order to safeguard the independence of the judiciary in the performance of its judicial tasks, including decision-making. It should be possible to entrust supervision of such data processing operations to specific bodies within the judicial system of the Member State, which should, in particular, ensure compliance with the rules of this Regulation, enhance awareness among members of the judiciary of their obligations under this Regulation and handle complaints in relation to such data processing operations.

(21) This Regulation is without prejudice to the application of Directive 2000/31/EC of the European Parliament and of the Council (2), in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive. That Directive seeks to contribute to the proper functioning of the internal market by ensuring the free movement of information society services between Member States.

(22) Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.

(1) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (see page 89 of this Official Journal).
(2) Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market ("Directive on electronic commerce") (OJ L 178, 17.7.2000, p. 1).

(23) In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects, irrespective of whether a payment is involved. In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.

(24) The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects, in so far as their behaviour takes place within the Union. In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet, including the potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning him or her or for analysing or predicting his or her personal preferences, behaviours and attitudes.

(25) Where Member State law applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State's diplomatic mission or consular post.

(26) The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, and which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person, to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person, or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

(27) This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.

(28) The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations. The explicit introduction of "pseudonymisation" in this Regulation is not intended to preclude any other measures of data protection.

(29) In order to create incentives to apply pseudonymisation when processing personal data, measures of pseudonymisation should, whilst allowing general analysis, be possible within the same controller when that controller has taken the technical and organisational measures necessary to ensure, for the processing concerned, that this Regulation is implemented and that the additional information for attributing the personal data to a specific data subject is kept separately. The controller processing the personal data should indicate the authorised persons within the same controller.
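Recitals 26, 28 and 29 describe pseudonymisation as replacing direct identifiers while keeping the "additional information" needed for attribution separately, so that general analysis remains possible without it. The Python example below is added here to illustrate that separation; it is not part of the Regulation or of any official guidance, and the record layout, the HMAC-based pseudonym and the `AttributionStore` class are constructed illustrations.

```python
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Dict, Optional

# Constructed sample dataset (illustrative only): a direct identifier plus
# the attributes an analyst actually needs.
RAW_RECORDS = [
    {"email": "alice@example.org", "city": "Athens", "diagnosis_code": "J45"},
    {"email": "bob@example.org", "city": "Lyon", "diagnosis_code": "J45"},
    {"email": "alice@example.org", "city": "Athens", "diagnosis_code": "I10"},
    {"email": "carol@example.org", "city": "Lyon", "diagnosis_code": "E11"},
]
DIRECT_IDENTIFIER_FIELDS = ("email",)


def make_pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256, truncated to 16 hex characters).

    The same identifier always yields the same pseudonym, so the records of
    one data subject can still be linked for general analysis (recital 29);
    without the key the pseudonym can be neither reversed nor recomputed from
    a guessed identifier, which a plain unkeyed hash would allow.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


class AttributionStore:
    """The 'additional information' of recitals 26 and 29: the key and the
    pseudonym-to-identifier table. It is held by the authorised persons only
    and is never shipped together with the pseudonymised dataset."""

    def __init__(self, key: Optional[bytes] = None):
        self._key = key if key is not None else secrets.token_bytes(32)
        self._table: Dict[str, str] = {}

    def pseudonymise(self, records, identifier_fields=DIRECT_IDENTIFIER_FIELDS):
        """Strip the direct identifiers, replace them with a pseudonym and
        record the mapping here, not in the returned dataset."""
        out = []
        for rec in records:
            ident = "|".join(str(rec[f]) for f in identifier_fields)
            pid = make_pseudonym(ident, self._key)
            self._table[pid] = ident
            out.append({"pseudonym": pid,
                        **{k: v for k, v in rec.items() if k not in identifier_fields}})
        return out

    def reidentify(self, pseudonym: str) -> Optional[str]:
        """Attribution needs access to this separate store; that is why the
        pseudonymised dataset remains personal data (recital 26)."""
        return self._table.get(pseudonym)


def records_per_subject(pseudo_records) -> Counter:
    """General analysis that works on the pseudonymised dataset alone."""
    return Counter(r["pseudonym"] for r in pseudo_records)


def aggregate_counts(pseudo_records, field: str, min_cell: int = 2) -> dict:
    """Aggregate one field and suppress small cells. Aggregates that no
    longer relate to any individual are the kind of output recital 26 calls
    anonymous information; whether a given aggregate really is anonymous
    depends on the objective factors the recital lists, which this helper
    does not judge."""
    counts = Counter(r[field] for r in pseudo_records)
    return {value: n for value, n in counts.items() if n >= min_cell}


if __name__ == "__main__":
    store = AttributionStore()
    dataset = store.pseudonymise(RAW_RECORDS)
    print(dataset)                                    # no email column left
    print(records_per_subject(dataset))               # linkable without the key
    print(aggregate_counts(dataset, "city"))          # {'Athens': 2, 'Lyon': 2}
    print(store.reidentify(dataset[0]["pseudonym"]))  # alice@example.org, via the store only
```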


(30) Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. These may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

(31) Public authorities to which personal data are disclosed in accordance with a legal obligation for the exercise of their official mission, such as tax and customs authorities, financial investigation units, independent administrative authorities, or financial market authorities responsible for the regulation and supervision of securities markets, should not be regarded as recipients if they receive personal data which are necessary to carry out a particular inquiry in the general interest, in accordance with Union or Member State law. The requests for disclosure sent by public authorities should always be in writing, reasoned and occasional, and should not concern the entirety of a filing system or lead to the interconnection of filing systems. The processing of personal data by those public authorities should comply with the applicable data-protection rules according to the purposes of the processing.

(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services, or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

(33) It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when this is in keeping with recognised ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects, to the extent allowed by the intended purpose.

(34) Genetic data should be defined as personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question, in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis, or from the analysis of another element enabling equivalent information to be obtained.

(35) Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council (1) to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject, independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.

(36) The main establishment of a controller in the Union should be the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union, in which case that other establishment should be considered to be the main establishment. The main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes and means of processing through stable arrangements. That criterion should not depend on whether the processing of personal data is carried out at that location. The presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute a main establishment and are therefore not determining criteria for a main establishment. The main establishment of the processor should be the place of its central administration in the Union or, if it has no central administration in the Union, the place where the main processing activities take place in the Union. In cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment, but the supervisory authority of the processor should be considered to be a supervisory authority concerned and that supervisory authority should participate in the cooperation procedure provided for by this Regulation. In any case, the supervisory authorities of the Member State or Member States where the processor has one or more establishments should not be considered to be supervisory authorities concerned where the draft decision concerns only the controller. Where the processing is carried out by a group of undertakings, the main establishment of the controlling undertaking should be considered to be the main establishment of the group of undertakings, except where the purposes and means of processing are determined by another undertaking.

(1) Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients' rights in cross-border healthcare (OJ L 88, 4.4.2011, p. 45).

(37) A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exert a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it, or the power to have personal data protection rules implemented. An undertaking which controls the processing of personal data in undertakings affiliated to it should be regarded, together with those undertakings, as a group of undertakings.

(38) Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and of their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or of creating personality or user profiles, and to the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.

(39) Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed, and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing, and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of the personal data concerning them which are being processed. Natural persons should be made aware of the risks, rules, safeguards and rights in relation to the processing of personal data and of how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not be achieved by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and of the equipment used for the processing.
Official Journal of the European Union 4.5.2016

  4. (40) In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with a legal obligation to which the controller is subject, or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

(41) Where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned. However, such a legal basis or legislative measure should be clear and precise, and its application should be foreseeable to the persons subject to it, in accordance with the case-law of the Court of Justice of the European Union (the 'Court of Justice') and of the European Court of Human Rights.

(42) Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular, in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that, and the extent to which, consent is given. In accordance with Council Directive 93/13/EEC (1), a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language, and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and of the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

(43) In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is made dependent on the consent despite such consent not being necessary for such performance.

(44) Processing should be lawful where it is necessary in the context of a contract or of the intention to enter into a contract.

(45) Where processing is carried out in accordance with a legal obligation to which the controller is subject, or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law. This Regulation does not require a specific law for each individual processing operation. A single law may suffice as a basis for several processing operations based on a legal obligation to which the controller is subject, or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. It should also be for Union or Member State law to determine the purpose of the processing. Furthermore, that law could specify the general conditions of this Regulation governing the lawfulness of personal data processing and establish specifications for determining the controller, the type of personal data which are subject to the processing, the data subjects concerned, the entities to which the personal data may be disclosed, the purpose limitations, the storage period and other measures to ensure lawful and fair processing. It should also be for Union or Member State law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public authority or another natural or legal person governed by public law or, where it is in the public interest to do so, including for health purposes such as public health and social protection and the management of health care services, by private law, such as a professional association.

(46) The processing of personal data should also be regarded as lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot manifestly be based on another legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject, for instance where processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread, or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.

(1) Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts (OJ L 95, 21.4.1993, p. 29).

  1. (47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such a legitimate interest could exist, for example, where there is a relevant and appropriate relationship between the data subject and the controller, such as where the data subject is a client of, or in the service of, the controller. At any rate, the existence of a legitimate interest would need careful assessment, including whether a data subject can reasonably expect, at the time and in the context of the collection of the personal data, that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
  2. (48) Controllers that are part of a group of undertakings or of institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients' or employees' personal data. The general principles for the transfer of personal data, within a group of undertakings, to an undertaking located in a third country remain unaffected.
  3. (49) The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), by computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and the distribution of malicious code, and stopping 'denial of service' attacks and damage to computer and electronic communication systems.
  4. (50) The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required. If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union or Member State law may determine and specify the tasks and purposes for which further processing should be regarded as compatible and lawful. Further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes should be considered to be a compatible and lawful processing operation. The legal basis provided by Union or Member State law for the processing of personal data may also provide a legal basis for further processing. In order to ascertain whether a purpose of further processing is compatible with the purpose for which the personal data were initially collected, the controller, after having met all the requirements for the lawfulness of the original processing, should take into account, inter alia: any link between those purposes and the purposes of the intended further processing; the context in which the personal data have been collected, in particular the reasonable expectations of data subjects based on their relationship with the controller as to their further use; the nature of the personal data; the consequences of the intended further processing for data subjects; and the existence of appropriate safeguards in both the original and the intended further processing operations.

Where the data subject has given consent, or the processing is based on Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard, in particular, important objectives of general public interest, the controller should be allowed to further process the personal data irrespective of the compatibility of the purposes. In any case, the application of the principles set out in this Regulation should be ensured and, in particular, the data subject should be informed of those other purposes and of his or her rights, including the right to object. Indicating possible criminal acts or threats to public security by the controller, and transmitting the relevant personal data to a competent authority in individual cases or in several cases relating to the same criminal act or threats to public security, should be regarded as being in the legitimate interest pursued by the controller. However, such transmission in the legitimate interest of the controller, or further processing of personal data, should be prohibited if the processing is not compatible with a legal, professional or other binding obligation of secrecy.

(51) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection, as the context of their processing could create significant risks to those fundamental rights and freedoms. Those personal data should include personal data revealing racial or ethnic origin, whereby the use of the term 'racial origin' in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races. The processing of photographs should not systematically be considered to be processing of special categories of personal data, as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person. Such personal data should not be processed unless processing is allowed in the specific cases set out in this Regulation, taking into account that Member State law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition on processing such special categories of personal data should be explicitly provided for, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs, in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.

(52) Derogating from the prohibition on processing special categories of personal data should also be allowed when provided for in Union or Member State law and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where it is in the public interest to do so, in particular for the processing of personal data in the field of employment law and social protection law, including pensions, and for health security, monitoring and alert purposes, and the prevention or control of communicable diseases and other serious threats to health. Such a derogation may be made for health purposes, including public health and the management of health care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. A derogation should also allow the processing of such personal data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.

(53) Special categories of personal data which merit higher protection should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social care services and systems, including processing by the management and central national health authorities of such data for the purpose of quality control, management information and the general national and local supervision of the health or social care system, and for ensuring continuity of health or social care and cross-border health care, or for health security, monitoring and alert purposes, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, based on Union or Member State law which has to meet an objective of public interest, as well as for studies conducted in the public interest in the area of public health. Therefore, this Regulation should provide for harmonised conditions for the processing of special categories of personal data concerning health, in respect of specific needs, in particular where the processing of such data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy. Union or Member State law should provide for specific and suitable measures so as to protect the fundamental rights and the personal data of natural persons. Member States should be allowed to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. However, this should not hamper the free flow of personal data within the Union when those conditions apply to cross-border processing of such data.

  1. (54) The processing of special categories of personal data may be necessary for reasons of public interest in the area of public health without the consent of the data subject. Such processing should be subject to suitable and specific measures so as to protect the rights and freedoms of natural persons. In that context, 'public health' should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council (1), namely all elements related to health: health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, the resources allocated to health care, the provision of, and universal access to, health care, as well as health care expenditure and financing, and the causes of mortality. Such processing of data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties such as employers or insurance and banking companies.
  2. (55) Moreover, the processing of personal data by official authorities for the purpose of achieving the aims, laid down by constitutional law or by international public law, of officially recognised religious associations is carried out on grounds of public interest.
  3. (56) Where, in the course of electoral activities, the operation of the democratic system in a Member State requires that political parties compile personal data on people's political opinions, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are established.
  4. (57) If the personal data processed by a controller do not permit the controller to identify a natural person, the controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. However, the controller should not refuse to take additional information provided by the data subject in order to support the exercise of his or her rights. Identification should include the digital identification of a data subject, for example through an authentication mechanism such as the same credentials used by the data subject to log in to the online service offered by the controller.
  5. (58) The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Such information could be provided in electronic form, for example, when addressed to the public, through a website. This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising. Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such clear and plain language that the child can easily understand it.
  6. (59) Modalities should be provided for facilitating the exercise of the data subject's rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month, and to give reasons where the controller does not intend to comply with any such request.

(1) Regulation (EC) No 1338/2008 of the European Parliament and of the Council of 16 December 2008 on Community statistics on public health and health and safety at work (OJ L 354, 31.12.2008, p. 70).

(60) The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and of the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences where he or she does not provide such data. That information may be provided in combination with standardised icons in order to give, in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.

(61) The information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case. Where personal data can be legitimately disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to the recipient. Where the controller intends to process the personal data for a purpose other than that for which they were collected, the controller should provide the data subject, prior to that further processing, with information on that other purpose and other necessary information. Where the origin of the personal data cannot be provided to the data subject because various sources have been used, general information should be provided.

(62) However, it is not necessary to impose the obligation to provide information where the data subject already possesses the information, where the recording or disclosure of the personal data is expressly laid down by law, or where the provision of information to the data subject proves to be impossible or would involve a disproportionate effort. The latter could in particular be the case where processing is carried out for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. In that regard, the number of data subjects, the age of the data and any appropriate safeguards adopted should be taken into consideration.

(63) A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided. Every data subject should therefore have the right to know, and to obtain communication of, in particular the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic processing of personal data and, at least when based on profiling, the consequences of such processing. The controller should be able to provide remote access to a secure system which would give the data subject direct access to his or her personal data. That right should not adversely affect the rights or freedoms of others, including professional secrecy or intellectual property and, in particular, the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject. Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.

(64) The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.

(65) A data subject should have the right to have personal data concerning him or her rectified and a 'right to be forgotten' where the retention of such data infringes this Regulation or Union or Member State law to which the controller is subject. In particular, a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, where the data subject has withdrawn his or her consent to the processing or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation. That right is relevant in particular where the data subject gave his or her consent as a child, when not fully aware of the risks involved in the processing, and later wants to remove such personal data, especially from the internet. The data subject should be able to exercise that right notwithstanding the fact that he or she is no longer a child. However, the further retention of the personal data should be lawful where it is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.

  1. (66) To strengthen the right to be forgotten in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform the controllers which are processing such personal data to erase any links to, or copies or replications of, those personal data. In doing so, that controller should take reasonable steps, taking into account the available technology and the means available to the controller, including technical measures, to inform the controllers which are processing the personal data of the data subject's request.
  2. (67) Methods by which to restrict the processing of personal data could include, inter alia, temporarily moving the selected data to another processing system, making the selected personal data unavailable to users, or temporarily removing published data from a website. In automated filing systems, the restriction of processing should in principle be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed. The fact that the processing of personal data is restricted should be clearly indicated in the system.
  3. (68) To further strengthen the control over his or her own data, where the processing of personal data is carried out by automated means, the data subject should also be allowed to receive the personal data concerning him or her which he or she has provided to a controller in a structured, commonly used, machine-readable and interoperable format, and to transmit them to another controller. Controllers should be encouraged to develop interoperable formats that enable data portability. That right should apply where the data subject provided the personal data on the basis of his or her consent or where the processing is necessary for the performance of a contract. It should not apply where processing is based on a legal ground other than consent or contract. By its very nature, that right should not be exercised against controllers processing personal data in the exercise of their public duties. It should therefore not apply where the processing of the personal data is necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The data subject's right to transmit or receive personal data concerning him or her should not create an obligation for controllers to adopt or maintain processing systems which are technically compatible. Where, in a certain set of personal data, more than one data subject is concerned, the right to receive the personal data should be without prejudice to the rights and freedoms of other data subjects in accordance with this Regulation. Furthermore, that right should not prejudice the right of the data subject to obtain the erasure of personal data, or the limitations of that right as set out in this Regulation, and should in particular not imply the erasure of personal data concerning the data subject which have been provided by him or her for the performance of a contract, to the extent that and for as long as the personal data are necessary for the performance of that contract. Where technically feasible, the data subject should have the right to have the personal data transmitted directly from one controller to another.
  4. (69) Where personal data might lawfully be processed because processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or on grounds of the legitimate interests of a controller or a third party, a data subject should nevertheless be entitled to object to the processing of any personal data relating to his or her particular situation. It should be for the controller to demonstrate that its compelling legitimate interest overrides the interests or the fundamental rights and freedoms of the data subject.
  5. (70) Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.


The data subject should have the right not to be subject to a decision, which may include some measure, which evaluate personal aspects relating to him, obtained solely on automated processing and which produces legal effects for that person or significantly affects accordingly, like automatic refusal online credit application or electronic hiring practices without human intervention. This treatment involves "profiling" which consists of any form of automated processing of personal data to evaluate personal aspects relating to a natural person, especially analyzing or predicting aspects of performance at work, the economic situation, health, personal preferences or interests, reliability or behavior, the position or movement of the data subject, insofar as legally effective against such person or significantly affects analogously. However, a decision based on this treatment, including training profile, It should be allowed when expressly provided by the law of the Union or a Member State, in which the controller is subject, including for purposes of monitoring and prevention of fraud and tax evasion in accordance with Regulations, the standards and recommendations of the institutions of the Union and national supervisory bodies and to ensure the safety and reliability of the service provided by the controller, or when it is necessary for the conclusion or performance of a contract between the data subject and the controller or when the data subject has provided their explicit consent. In each case, such processing should be subject to appropriate safeguards, which should include specific information of the data subject and the right securing human intervention, the right of expression of opinion of, the right to receive reasons for the decision taken in the context of this assessment and the right to challenge the decision. This measure should not concern a child.

In order to ensure fair and transparent processing in respect of the data subject, taking into account the specific circumstances and context in which the personal data are processed, the controller should use appropriate mathematical or statistical procedures for the profiling, implement technical and organizational measures appropriate to ensure, in particular, that factors which result in inaccuracies in personal data are corrected and the risk of errors is minimized, and secure personal data in a manner that takes account of the potential risks involved for the interests and rights of the data subject and that prevents, inter alia, discriminatory effects on natural persons on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status or sexual orientation, or processing that results in measures having such an effect. Automated decision-making and profiling based on special categories of personal data should be allowed only under specific conditions.

(72) Profiling is subject to the rules of this Regulation governing the processing of personal data, such as the legal grounds for processing or the data protection principles. The European Data Protection Board established by this Regulation (the "Data Protection Board") should be able to issue guidance in that context.

(73) Restrictions concerning specific principles and the rights of information, access to and rectification or erasure of personal data, the right to data portability, the right to object, decisions based on profiling, as well as the communication of a personal data breach to a data subject and certain related obligations of the controllers may be imposed by Union or Member State law, as far as necessary and proportionate in a democratic society to safeguard public security, including the protection of human life especially in response to natural or man-made disasters, the prevention, investigation and prosecution of criminal offenses or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, or of breaches of ethics for regulated professions, other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, the keeping of public registers kept for reasons of general public interest, further processing of archived personal data to provide specific information related to the political behavior under former authoritarian regimes, or the protection of the data subject or the rights and freedoms of others, including social protection, public health and humanitarian purposes. Those restrictions should be in accordance with the requirements set out in the Charter and in the European Convention for the Protection of Human Rights and Fundamental Freedoms.

(74) The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller's behalf should be established. In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.


  1. (75) The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorized reversal of pseudonymization, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs or trade union membership, and where genetic data, data concerning health or data concerning sex life or criminal convictions and offenses or related security measures are processed; where personal aspects are evaluated, in particular analyzing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behavior, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.
  2. (76) The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.
  3. (77) Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the processor, especially as regards the identification of the risk related to the processing, its assessment in terms of origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk, could be provided in particular by means of approved codes of conduct, approved certifications, guidelines provided by the Data Protection Board or indications provided by a data protection officer. The Data Protection Board may also issue guidelines on processing operations that are considered to be unlikely to result in a high risk to the rights and freedoms of natural persons and indicate what measures may be sufficient in such cases to address such risk.
  4. (78) The protection of the rights and freedoms of natural persons with regard to the processing of personal data requires that appropriate technical and organizational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimizing the processing of personal data, pseudonymizing personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, and enabling the controller to create and improve security features. When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or that process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into consideration in the context of public procurement.
  5. (79) The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processors, also in relation to the monitoring by and measures of supervisory authorities, requires a clear allocation of the responsibilities under this Regulation, including where a controller determines the purposes and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller.
  6. (80) Where a controller or a processor not established in the Union is processing personal data of data subjects who are in the Union and its processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union, or to the monitoring of their behavior as far as their behavior takes place within the Union, the controller or the processor should designate a representative, unless the processing is occasional, does not include processing, on a large scale, of special categories of personal data or the processing of personal data relating to criminal convictions and offenses, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing, or if the controller is a public authority or body. The representative should act on behalf of the controller or the processor and may be addressed by any supervisory authority. The representative should be explicitly designated by a written mandate of the controller or of the processor to act on its behalf with regard to its obligations under this Regulation. The designation of such a representative does not affect the responsibility or liability of the controller or of the processor under this Regulation. Such a representative should perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation. The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.

(81) To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organizational measures which will meet the requirements of this Regulation, including for the security of processing. The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller. The carrying-out of processing by a processor should be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal data and categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk to the rights and freedoms of the data subject. The controller and processor may choose to use an individual contract or standard contractual clauses which are adopted either directly by the Commission or by a supervisory authority in accordance with the consistency mechanism and then adopted by the Commission. After the completion of the processing on behalf of the controller, the processor should, at the choice of the controller, return or delete the personal data, unless there is a requirement to store the personal data under Union or Member State law to which the processor is subject.

(82) In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that they may serve for monitoring those processing operations.

(83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed, which may in particular lead to physical, material or non-material damage.

(84) In order to enhance compliance with this Regulation where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the controller should be responsible for carrying out a data protection impact assessment to evaluate, in particular, the origin, nature, likelihood and severity of that risk. The outcome of the assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data complies with this Regulation. Where a data protection impact assessment indicates that processing operations involve a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation of the supervisory authority should take place prior to the processing.

(85) A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons, such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorized reversal of pseudonymization, damage to reputation, loss of confidentiality of personal data protected by professional secrecy, or any other significant economic or social disadvantage to the natural person concerned. Therefore, as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where such notification cannot be achieved within 72 hours, the reasons for the delay should accompany the notification, and information may be provided in phases without undue further delay.

  1. (86) The controller should communicate a personal data breach to the data subject without undue delay where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person, in order to allow him or her to take the necessary precautions. The communication should describe the nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects. Such communications to data subjects should be made as soon as reasonably feasible and in close cooperation with the supervisory authority, respecting guidance provided by it or by other relevant authorities such as law-enforcement authorities. For example, the need to mitigate an immediate risk of damage would call for prompt communication with data subjects, whereas the need to implement appropriate measures against continuing or similar personal data breaches may justify more time for communication.
  2. (87) It should be ascertained whether all appropriate technological protection and organizational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject. The fact that the notification was made without undue delay should be established taking into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects for the data subject. Such notification may result in an intervention of the supervisory authority in accordance with its tasks and powers laid down in this Regulation.
  3. (88) In setting detailed rules concerning the format and procedures applicable to the notification of personal data breaches, due consideration should be given to the circumstances of that breach, including whether or not personal data had been protected by appropriate technical protection measures, effectively limiting the likelihood of identity fraud or other forms of misuse. Moreover, such rules and procedures should take into account the legitimate interests of law-enforcement authorities where early disclosure could unnecessarily hamper the investigation of the circumstances of a personal data breach.
  4. (89) Directive 95/46/EC provided for a general obligation to notify the processing of personal data to the supervisory authorities. While that obligation involves administrative and financial burdens, it did not in all cases contribute to improving the protection of personal data. Such indiscriminate general notification obligations should therefore be abolished and replaced by effective procedures and mechanisms which focus instead on those types of processing operations which are likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purposes. Such types of processing operations may be those which in particular involve using new technologies, or are of a new kind and for which no data protection impact assessment has previously been carried out by the controller, or where such an assessment becomes necessary in the light of the time that has elapsed since the initial processing.
  5. (90) In such cases, a data protection impact assessment should be carried out by the controller prior to the processing in order to assess the particular likelihood and severity of the high risk, taking into account the nature, scope, context and purposes of the processing and the sources of the risk. That impact assessment should include, in particular, the measures, safeguards and mechanisms envisaged for mitigating that risk, ensuring the protection of personal data and demonstrating compliance with this Regulation.
  6. (91) This should in particular apply to large-scale processing operations which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk, for example, on account of their sensitivity, where in accordance with the achieved state of technological knowledge a new technology is used on a large scale, as well as to other processing operations which result in a high risk to the rights and freedoms of data subjects, in particular where those operations render it more difficult for data subjects to exercise their rights. A data protection impact assessment should also be made where personal data are processed for taking decisions regarding specific natural persons following any systematic and extensive evaluation of personal aspects relating to natural persons based on profiling those data, or following the processing of special categories of personal data, biometric data, or data on criminal convictions and offenses or related security measures. A data protection impact assessment is equally required for monitoring publicly accessible areas on a large scale, especially when using optic-electronic devices, or for any other operations where the competent supervisory authority considers that the processing is likely to result in a high risk to the rights and freedoms of data subjects, in particular because they prevent data subjects from exercising a right or using a service or a contract, or because they are carried out systematically on a large scale. The processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer. In such cases, a data protection impact assessment should not be mandatory.

(92) There are circumstances under which it may be reasonable and economical for the subject of a data protection impact assessment to be broader than a single project, for example where public authorities or bodies intend to establish a common application or processing platform, or where several controllers plan to introduce a common application or processing environment across an industry sector or segment or for a widely used horizontal activity.

(93) In the context of the adoption of the Member State law on which the performance of the tasks of the public authority or public body is based and which regulates the specific processing operation or set of operations in question, Member States may deem it necessary to carry out such an assessment prior to the processing activities.

(94) Where a data protection impact assessment indicates that the processing would, in the absence of safeguards, security measures and mechanisms to mitigate the risk, result in a high risk to the rights and freedoms of natural persons, and the controller is of the opinion that the risk cannot be mitigated by reasonable means in terms of available technologies and costs of implementation, the supervisory authority should be consulted prior to the start of processing activities. Such high risk is likely to result from certain types of processing and from the extent and frequency of processing, which may also result in damage to or interference with the rights and freedoms of the natural person. The supervisory authority should respond to the request for consultation within a specified period. However, the absence of a reaction from the supervisory authority within that period should be without prejudice to any intervention of the supervisory authority in accordance with its tasks and powers laid down in this Regulation, including the power to prohibit processing operations. As part of that consultation process, the outcome of a data protection impact assessment carried out with regard to the processing at issue may be submitted to the supervisory authority, in particular the measures envisaged to mitigate the risk to the rights and freedoms of natural persons.

(95) The processor should assist the controller, where necessary and upon request, in ensuring compliance with the obligations deriving from the carrying out of data protection impact assessments and from prior consultation of the supervisory authority.

(96) A consultation of the supervisory authority should also take place in the course of the preparation of a legislative or regulatory measure which provides for the processing of personal data, in order to ensure compliance of the intended processing with this Regulation and, in particular, to mitigate the risk involved for the data subject.

(97) Where the processing is carried out by a public authority, except for courts or independent judicial authorities when acting in their judicial capacity, where, in the private sector, processing is carried out by a controller whose core activities consist of processing operations that require regular and systematic monitoring of the data subjects on a large scale, or where the core activities of the controller or the processor consist of processing on a large scale of special categories of personal data and data relating to criminal convictions and offenses, a person with expert knowledge of data protection law and practices should assist the controller or processor in monitoring internal compliance with this Regulation. In the private sector, the core activities of a controller relate to its primary activities and not to the processing of personal data as an ancillary activity. The necessary level of expert knowledge should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor. Such data protection officers, whether or not they are employees of the controller, should be in a position to perform their duties and tasks in an independent manner.

  1. (98) Associations or other bodies representing categories of controllers or processors should be encouraged to draw up codes of conduct, within the limits of this Regulation, so as to facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors and the specific needs of micro, small and medium enterprises. In particular, such codes of conduct could calibrate the obligations of controllers and processors, taking into account the risk likely to result from the processing for the rights and freedoms of natural persons.
  2. (99) When drawing up a code of conduct, or when amending or extending such a code, associations and other bodies representing categories of controllers or processors should consult relevant stakeholders, including data subjects where feasible, and have regard to submissions received and views expressed in response to such consultations.
  3. (100) In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms and data protection seals and marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services.
  4. (101) Flows of personal data to and from countries outside the Union and international organizations are necessary for the expansion of international trade and international cooperation. The increase in such flows has raised new challenges and concerns with regard to the protection of personal data. However, when personal data are transferred from the Union to controllers, processors or other recipients in third countries or to international organizations, the level of protection of natural persons ensured in the Union by this Regulation should not be undermined, including in cases of onward transfers of personal data from the third country or international organization to controllers or processors in the same or another third country or international organization. In any event, transfers to third countries and international organizations may only be carried out in full compliance with this Regulation. A transfer could take place only if, subject to the other provisions of this Regulation, the conditions laid down in the provisions of this Regulation relating to the transfer of personal data to third countries or international organizations are complied with by the controller or processor.
  5. (102) This Regulation is without prejudice to international agreements concluded between the Union and third countries regulating the transfer of personal data and including appropriate safeguards for the data subjects. Member States may conclude international agreements which involve the transfer of personal data to third countries or international organizations, as far as such agreements do not affect this Regulation or any other provisions of Union law and include an appropriate level of protection for the fundamental rights of the data subjects.
  6. (103) The Commission may decide, with effect for the entire Union, that a third country, a territory or specified sector within a third country, or an international organization offers an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third country or international organization which is considered to provide such level of protection. In such cases, transfers of personal data to that third country or international organization may take place without the need to obtain any further authorization. The Commission may also decide, having given notice and a full statement setting out the reasons to the third country or international organization, to revoke such a decision.
  7. (104) In line with the fundamental values on which the Union is founded, in particular the protection of human rights, the Commission should, in its assessment of the third country, or of a territory or specified sector within a third country, take into account how a particular third country respects the rule of law, access to justice as well as international human rights norms and standards and its general and sectoral law, including legislation concerning public security, defense and national security as well as public order and criminal law. The adoption of an adequacy decision with regard to a territory or a specified sector in a third country should take into account clear and objective criteria, such as specific processing activities and the scope of applicable legal standards and legislation in force in the third country. The third country should offer guarantees ensuring an adequate level of protection essentially equivalent to that ensured within the Union, in particular where personal data are processed in one or several specific sectors. In particular, the third country should ensure effective independent data protection supervision and should provide for cooperation mechanisms with the Member States' data protection authorities, and the data subjects should be provided with effective and enforceable rights and with effective administrative and judicial redress.

(105) Apart from the international commitments the third country or international organization has entered into, the Commission should take account of obligations arising from the third country's or international organization's participation in multilateral or regional systems, in particular in relation to the protection of personal data, as well as the implementation of such obligations. In particular, the third country's accession to the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to the Automatic Processing of Personal Data and its Additional Protocol should be taken into account. The Commission should consult the Data Protection Board when assessing the level of protection in third countries or international organizations.

(106) The Commission should monitor the functioning of decisions on the level of protection in a third country, a territory or specified sector within a third country, or an international organization, and monitor the functioning of decisions adopted on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC. In its adequacy decisions, the Commission should provide for a periodic review mechanism of their functioning. That periodic review should be conducted in consultation with the third country or international organization in question and take into account all relevant developments in the third country or international organization. For the purposes of monitoring and of carrying out the periodic reviews, the Commission should take into consideration the views and findings of the European Parliament and of the Council as well as of other relevant bodies and sources. The Commission should evaluate, within a reasonable time, the functioning of the latter decisions and report any relevant findings to the Committee within the meaning of Regulation (EU) No 182/2011 of the European Parliament and of the Council (1) as established under this Regulation, to the European Parliament and to the Council.

(107) The Commission may find that a third country, a territory or a specified sector within a third country, or an international organization does not ensure an adequate level of data protection. Consequently, the transfer of personal data to that third country or international organization should be prohibited, unless the requirements in this Regulation relating to transfers subject to appropriate safeguards, including binding corporate rules, and to derogations for specific situations are fulfilled. In that case, provision should be made for consultations between the Commission and such third countries or international organizations. The Commission should, in a timely manner, inform the third country or international organization of the reasons and enter into consultations with it in order to remedy the situation.

(108) In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority, or contractual clauses authorized by a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including the right to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country. They should relate in particular to compliance with the general principles relating to personal data processing and the principles of data protection by design and by default. Transfers may also be carried out by public authorities or bodies with public authorities or bodies in third countries or with international organizations with corresponding duties or functions, including on the basis of provisions to be inserted into administrative arrangements, such as a memorandum of understanding, providing for enforceable and effective rights for data subjects. Authorization by the competent supervisory authority should be obtained when the safeguards are provided for in administrative arrangements that are not legally binding.

Official Journal of the European Union

(109) The possibility for the controller or processor to use standard data protection clauses adopted by the Commission or by a supervisory authority should prevent controllers or processors neither from including the standard data protection clauses in a wider contract, such as a contract between the processor and another processor, nor from adding other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects. Controllers and processors should be encouraged to provide additional safeguards via contractual commitments that supplement the standard protection clauses.

(110) A group of undertakings, or a group of enterprises engaged in a joint economic activity, should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same group of undertakings or group of enterprises engaged in a joint economic activity, provided that such corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.

(111) Provision should be made for the possibility of transfers in certain circumstances where the data subject has given his or her explicit consent, where the transfer is occasional and necessary in relation to a contract or a legal claim, regardless of whether in a judicial procedure or in an administrative or any out-of-court procedure, including procedures before regulatory bodies. Provision should also be made for the possibility of transfers where important grounds of public interest laid down by Union or Member State law so require or where the transfer is made from a register established by law and intended for consultation by the public or by persons having a legitimate interest. In the latter case, such a transfer should not involve the entirety of the personal data or entire categories of the data contained in the register and, where the register is intended for consultation by persons having a legitimate interest, the transfer should be made only at the request of those persons or, if they are to be the recipients, taking into full account the interests and fundamental rights of the data subject.

(112) Those derogations should in particular apply to data transfers required and necessary for important reasons of public interest, for example in cases of international data exchange between competition authorities, tax or customs administrations, between financial supervisory authorities, between services competent for social security matters or for public health, for example in the case of contact tracing for contagious diseases or in order to reduce and/or eliminate doping in sport. A transfer of personal data should also be regarded as lawful where it is necessary to protect an interest which is essential for the vital interests of the data subject or of another person, including physical integrity or life, if the data subject is incapable of giving consent. In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of data to a third country or an international organisation. Member States should notify such provisions to the Commission. Any transfer to an international humanitarian organisation of personal data of a data subject who is physically or legally incapable of giving consent, with a view to accomplishing a task incumbent under the Geneva Conventions or to complying with international humanitarian law applicable in armed conflicts, could be considered to be necessary for an important reason of public interest or because it is in the vital interest of the data subject.

(113) Transfers which can be qualified as not repetitive and which concern only a limited number of data subjects could also be possible for the purposes of the compelling legitimate interests pursued by the controller, where those interests are not overridden by the interests or rights and freedoms of the data subject and where the controller has assessed all the circumstances surrounding the data transfer. The controller should give particular consideration to the nature of the personal data, the purpose and duration of the proposed processing operation or operations, as well as the situation in the country of origin, the third country and the country of final destination, and should provide suitable safeguards to protect the fundamental rights and freedoms of natural persons with regard to the processing of their personal data. Such transfers should be possible only in residual cases where none of the other grounds for transfer are applicable. For scientific or historical research purposes or statistical purposes, the legitimate expectations of society for an increase of knowledge should be taken into consideration. The controller should inform the supervisory authority and the data subject about the transfer.

(114) In any case, where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with enforceable and effective rights as regards the processing of their data in the Union once those data have been transferred, so that they will continue to benefit from fundamental rights and safeguards.

Official Journal of the European Union 4.5.2016

(115) Some third countries adopt laws, regulations and other legal acts which purport to directly regulate the processing activities of natural and legal persons under the jurisdiction of the Member States. This may include judgments of courts or decisions of administrative authorities in third countries requiring a controller or processor to transfer or disclose personal data, and which are not based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State. The extraterritorial application of those laws, regulations and other legal acts may be in breach of international law and may impede the attainment of the protection of natural persons ensured in the Union by this Regulation. Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may be the case, inter alia, where disclosure is necessary for an important ground of public interest recognised in Union or Member State law to which the controller is subject.

(116) When personal data moves across borders outside the EU, it may put at increased risk the ability of natural persons to exercise data protection rights, in particular to protect themselves from the unlawful use or disclosure of that information. At the same time, supervisory authorities may find that they are unable to pursue complaints or conduct investigations relating to activities outside their borders. Their efforts to work together in the cross-border context may also be hampered by insufficient preventative or remedial powers, inconsistent legal regimes and practical obstacles such as resource constraints. Therefore, there is a need to promote closer cooperation among data protection supervisory authorities to help them exchange information and carry out investigations with their international counterparts. For the purposes of developing international cooperation mechanisms to facilitate and provide international mutual assistance for the enforcement of legislation for the protection of personal data, the Commission and the supervisory authorities should exchange information and cooperate in activities related to the exercise of their powers with competent authorities in third countries, on the basis of reciprocity and in accordance with this Regulation.

(117) The establishment of supervisory authorities in Member States, empowered to perform their tasks and exercise their powers with complete independence, is an essential component of the protection of natural persons with regard to the processing of their personal data. Member States should be able to establish more than one supervisory authority, to reflect their constitutional, organisational and administrative structure.

(118) The independence of supervisory authorities should not mean that the supervisory authorities cannot be subject to control or monitoring mechanisms regarding their financial expenditure, or to judicial review.

(119) Where a Member State establishes several supervisory authorities, it should establish by law mechanisms for ensuring the effective participation of those supervisory authorities in the consistency mechanism. That Member State should in particular designate the supervisory authority which functions as a single contact point for the effective participation of those authorities in the mechanism, to ensure swift and smooth cooperation with other supervisory authorities, the Data Protection Board and the Commission.

(120) Each supervisory authority should be provided with the financial and human resources, premises and infrastructure necessary for the effective performance of its tasks, including those related to mutual assistance and cooperation with other supervisory authorities throughout the Union. Each supervisory authority should have a separate, public annual budget, which may be part of the overall state or national budget.

(121) The general conditions for the member or members of the supervisory authority should be laid down by law in each Member State and should in particular provide that those members are to be appointed, by means of a transparent procedure, either by the parliament, the government or the head of State of the Member State on the basis of a proposal from the government, a member of the government, the parliament or a chamber of the parliament, or by an independent body entrusted with that task under Member State law. In order to ensure the independence of the supervisory authority, the member or members should act with integrity, refrain from any action that is incompatible with their duties and should not, during their term of office, engage in any incompatible occupation, whether gainful or not. The supervisory authority should have its own staff, chosen by the supervisory authority or by an independent body established by Member State law, which should be subject to the exclusive direction of the member or members of the supervisory authority.

(122) Each supervisory authority should be competent on the territory of its own Member State to exercise the powers and to perform the tasks conferred on it in accordance with this Regulation. This should cover in particular processing in the context of the activities of an establishment of the controller or processor on the territory of its own Member State, the processing of personal data carried out by public authorities or private bodies acting in the public interest, processing affecting data subjects on its territory, or processing carried out by a controller or processor not established in the Union when targeting data subjects residing on its territory. This should include handling complaints lodged by a data subject, conducting investigations on the application of this Regulation and promoting public awareness of the risks, rules, safeguards and rights in relation to the processing of personal data.

(123) The supervisory authorities should monitor the application of the provisions of this Regulation and contribute to its consistent application throughout the Union, in order to protect natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the internal market. For that purpose, the supervisory authorities should cooperate with each other and with the Commission, without the need for any agreement between Member States on the provision of mutual assistance or on such cooperation.

(124) Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union and the controller or processor is established in more than one Member State, or where processing taking place in the context of the activities of a single establishment of a controller or processor in the Union substantially affects or is likely to substantially affect data subjects in more than one Member State, the supervisory authority for the main establishment of the controller or processor, or for the single establishment of the controller or processor, should act as lead authority. It should cooperate with the other authorities concerned, because the controller or processor has an establishment on the territory of their Member State, because data subjects residing on their territory are substantially affected, or because a complaint has been lodged with them. Also, where a data subject not residing in that Member State has lodged a complaint, the supervisory authority with which such complaint has been lodged should also be a supervisory authority concerned. Within its task of issuing guidelines on any question covering the application of this Regulation, the Data Protection Board should be able to issue guidelines in particular on the criteria to be taken into account in order to ascertain whether the processing in question substantially affects data subjects in more than one Member State, and on what constitutes a relevant and reasoned objection.

(125) The lead authority should be competent to adopt binding decisions regarding measures applying the powers conferred on it in accordance with this Regulation. In its capacity as lead authority, the supervisory authority should closely involve and coordinate the supervisory authorities concerned in the decision-making process. Where the decision is to reject the complaint of the data subject in whole or in part, that decision should be adopted by the supervisory authority with which the complaint has been lodged.

(126) The decision should be agreed jointly by the lead supervisory authority and the supervisory authorities concerned and should be addressed to the main or single establishment of the controller or processor and be binding on the controller and processor. The controller or processor should take the necessary measures to ensure compliance with this Regulation and the implementation of the decision notified by the lead supervisory authority to the main establishment of the controller or processor as regards the processing activities in the Union.

(127) Each supervisory authority not acting as the lead supervisory authority should be competent to handle local cases where the controller or processor is established in more than one Member State, but the subject matter of the specific processing concerns only processing carried out in a single Member State and involves only data subjects in that Member State, for example where the subject matter concerns the processing of employees' personal data in the specific employment context of a Member State. In such cases, the supervisory authority should inform the lead supervisory authority of the matter without delay. After being informed, the lead supervisory authority should decide whether it will handle the case pursuant to the provision on cooperation between the lead supervisory authority and the other supervisory authorities concerned ('one-stop mechanism'), or whether the supervisory authority which informed it should handle the case at local level. When deciding whether it will handle the case, the lead supervisory authority should take into account whether there is an establishment of the controller or processor in the Member State of the supervisory authority which informed it, in order to ensure effective enforcement of a decision against the controller or processor. Where the lead supervisory authority decides to handle the case, the supervisory authority which informed it should be able to submit a draft decision, of which the lead supervisory authority should take utmost account when preparing its draft decision in the one-stop mechanism.

(128) The rules on the lead supervisory authority and the one-stop mechanism should not apply where the processing is carried out by public authorities or private bodies in the public interest. In such cases, the only supervisory authority competent to exercise the powers conferred on it in accordance with this Regulation should be the supervisory authority of the Member State where the public authority or private body is established.

(129) In order to ensure consistent monitoring and enforcement of this Regulation throughout the Union, the supervisory authorities should have in each Member State the same tasks and effective powers, including powers of investigation, corrective powers and sanctions, and authorisation and advisory powers, in particular in cases of complaints from natural persons, and, without prejudice to the powers of prosecutorial authorities under Member State law, the power to bring infringements of this Regulation to the attention of the judicial authorities and to engage in legal proceedings. Such powers should also include the power to impose a temporary or definitive limitation on processing, including a ban. Member States may specify other tasks related to the protection of personal data under this Regulation. The powers of supervisory authorities should be exercised in accordance with appropriate procedural safeguards set out in Union and Member State law, impartially, fairly and within a reasonable time. In particular, each measure should be appropriate, necessary and proportionate in view of ensuring compliance with this Regulation, taking into account the circumstances of each individual case, respect the right of every person to be heard before any individual measure which would affect him or her adversely is taken, and avoid superfluous costs and excessive inconvenience for the persons concerned. Investigatory powers as regards access to premises should be exercised in accordance with specific requirements in Member State procedural law, such as the requirement to obtain prior judicial authorisation. Each legally binding measure of the supervisory authority should be in writing, be clear and unambiguous, indicate the supervisory authority which has issued the measure and the date of issue, bear the signature of the head or of a member of the supervisory authority authorised by him or her, give the reasons for the measure, and refer to the right to an effective remedy. This should not preclude additional requirements pursuant to Member State procedural law. The adoption of a legally binding decision implies that it may give rise to judicial review in the Member State of the supervisory authority that adopted the decision.

(130) Where the supervisory authority with which the complaint has been lodged is not the lead supervisory authority, the lead supervisory authority should cooperate closely with the supervisory authority with which the complaint has been lodged, in accordance with the provisions on cooperation and consistency laid down in this Regulation. In such cases, the lead supervisory authority should, when taking measures intended to produce legal effects, such as the imposition of administrative fines, take utmost account of the view of the supervisory authority with which the complaint has been lodged, which should remain competent to carry out any investigation on the territory of its own Member State in liaison with the competent supervisory authority.

(131) Where another supervisory authority should act as lead supervisory authority for the processing activities of the controller or processor, but the concrete subject matter of a complaint or the possible infringement concerns only processing activities of the controller or processor in the Member State where the complaint has been lodged or the possible infringement detected, and the matter does not substantially affect or is not likely to substantially affect data subjects in other Member States, the supervisory authority receiving a complaint, or detecting or being otherwise informed of situations that entail possible infringements of this Regulation, should seek an amicable settlement with the controller and, if this proves unsuccessful, exercise its full range of powers. This should include: specific processing carried out on the territory of the Member State of the supervisory authority or with regard to data subjects on the territory of that Member State; processing carried out in the context of an offer of goods or services specifically aimed at data subjects on the territory of the Member State of the supervisory authority; or processing that has to be assessed taking into account relevant legal obligations under Member State law.

(132) Awareness-raising activities by supervisory authorities addressed to the public should include specific measures directed at controllers and processors, including micro, small and medium-sized enterprises, as well as at natural persons, in particular in the educational context.

(133) The supervisory authorities should assist each other in performing their tasks and provide mutual assistance, so as to ensure the consistent application and enforcement of this Regulation in the internal market. A supervisory authority requesting mutual assistance may adopt a provisional measure if it receives no response to a request for assistance within one month of the receipt of that request by the other supervisory authority.

(134) Each supervisory authority should, where appropriate, participate in joint operations with other supervisory authorities. The requested supervisory authority should be obliged to respond to the request within a specified period.

(135) In order to ensure the consistent application of this Regulation throughout the Union, a consistency mechanism for cooperation between the supervisory authorities should be established. That mechanism should in particular apply where a supervisory authority intends to adopt a measure intended to produce legal effects as regards processing operations which substantially affect a significant number of data subjects in several Member States. It should also apply where any supervisory authority concerned or the Commission requests that the matter be handled under the consistency mechanism. That mechanism should be without prejudice to any measures that the Commission may take in the exercise of its powers under the Treaties.

(136) In applying the consistency mechanism, the Data Protection Board should, within a specified period, issue an opinion if a majority of its members so decides or if so requested by any supervisory authority concerned or by the Commission. The Data Protection Board should also be empowered to adopt legally binding decisions where there are disputes between supervisory authorities. For that purpose, it should issue, in principle by a two-thirds majority of its members, legally binding decisions in clearly specified cases where there are conflicting views among supervisory authorities, in particular in the cooperation mechanism between the lead supervisory authority and the supervisory authorities concerned on the merits of the case, and in particular on whether there is an infringement of this Regulation.

(137) There may be an urgent need to act in order to protect the rights and freedoms of data subjects, in particular where there is a risk that the exercise of a right of a data subject could be considerably impeded. A supervisory authority should therefore be able to adopt duly justified provisional measures on its territory with a specified period of validity, which should not exceed three months.

(138) The application of that mechanism should be a condition for the lawfulness of a measure intended to produce legal effects by a supervisory authority in those cases where its application is mandatory. In other cases of cross-border relevance, the cooperation mechanism between the lead supervisory authority and the supervisory authorities concerned should apply, and mutual assistance and joint operations might be carried out between the supervisory authorities concerned on a bilateral or multilateral basis without triggering the consistency mechanism.

(139) In order to promote the consistent application of this Regulation, the Data Protection Board should be set up as an independent body of the Union. To fulfil its objectives, the Data Protection Board should have legal personality. The Data Protection Board should be represented by its President. It should replace the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Directive 95/46/EC. It should consist of the head of a supervisory authority of each Member State and the European Data Protection Supervisor, or their respective representatives. The Commission should participate in the activities of the Data Protection Board without voting rights, and the European Data Protection Supervisor should have specific voting rights. The Data Protection Board should contribute to the consistent application of this Regulation throughout the Union, including by advising the Commission, in particular on the level of protection in third countries or international organisations, and by promoting cooperation among the supervisory authorities throughout the Union. The Data Protection Board should act independently when performing its tasks.

(140) The Data Protection Board should be assisted by a secretariat provided by the European Data Protection Supervisor. The staff of the European Data Protection Supervisor involved in carrying out the tasks conferred on the Data Protection Board by this Regulation should perform their tasks exclusively under the instructions of, and report to, the President of the Data Protection Board.

(141) Every data subject should have the right to lodge a complaint with a single supervisory authority, in particular in the Member State of his or her habitual residence, and the right to an effective judicial remedy in accordance with Article 47 of the Charter, if he or she considers that his or her rights under this Regulation have been infringed or where the supervisory authority does not act on a complaint, partially or wholly rejects or dismisses a complaint, or does not act where such action is necessary to protect the rights of the data subject. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. The supervisory authority should inform the data subject of the progress and the outcome of the complaint within a reasonable period. If the case requires further investigation or coordination with another supervisory authority, intermediate information should be given to the data subject. In order to facilitate the submission of complaints, each supervisory authority should take measures such as providing a complaint form which can also be completed electronically, without excluding other means of communication.

(142) Where a data subject considers that his or her rights under this Regulation have been infringed, he or she should have the right to mandate a not-for-profit body, organisation or association which is constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest and is active in the field of the protection of personal data, to lodge a complaint on his or her behalf with a supervisory authority, to exercise the right to a judicial remedy on behalf of the data subject or, if provided for in Member State law, to exercise the right to receive compensation on behalf of data subjects. A Member State may provide for such a body, organisation or association to have the right to lodge a complaint in that Member State, independently of a data subject's mandate, and the right to an effective judicial remedy where it has reasons to consider that the rights of a data subject have been infringed as a result of processing of personal data which infringes this Regulation. That body, organisation or association may not be allowed to claim compensation on a data subject's behalf independently of the data subject's mandate.

(143) Any natural or legal person has the right to bring an action for annulment of decisions of the Data Protection Board before the Court of Justice under the conditions provided for in Article 263 TFEU. As addressees of such decisions, the supervisory authorities concerned which wish to challenge them have to bring an action within two months of being notified of them, in accordance with Article 263 TFEU. Where decisions of the Data Protection Board are of direct and individual concern to a controller, processor or complainant, the latter may bring an action for annulment of those decisions within two months of their publication on the website of the Data Protection Board, in accordance with Article 263 TFEU. Without prejudice to this right under Article 263 TFEU, each natural or legal person should have an effective judicial remedy before the competent national court against a decision of a supervisory authority which produces legal effects concerning that person. Such decisions concern in particular the exercise of investigative, corrective and authorisation powers by the supervisory authority, or the dismissal or rejection of complaints. However, the right to an effective judicial remedy does not cover measures taken by supervisory authorities which are not legally binding, such as opinions issued or advice provided by the supervisory authority. Proceedings against a supervisory authority should be brought before the courts of the Member State where the supervisory authority is established and should be conducted in accordance with that Member State's procedural law. Those courts should exercise full jurisdiction, which should include jurisdiction to examine all questions of fact and law relevant to the dispute before them.

Where a complaint has been rejected or dismissed by a supervisory authority, the complainant may bring proceedings before the courts in the same Member State. In the context of judicial remedies relating to the application of this Regulation, national courts which consider a decision on the question necessary to enable them to give judgment may, or in the case provided for in Article 267 TFEU must, request the Court of Justice to give a preliminary ruling on the interpretation of Union law, including this Regulation. Furthermore, where a decision of a supervisory authority implementing a decision of the Data Protection Board is challenged before a national court and the validity of the decision of the Data Protection Board is at issue, that national court does not have the power to declare the Data Protection Board's decision invalid but must refer the question of validity to the Court of Justice in accordance with Article 267 TFEU as interpreted by the Court of Justice, where it considers the decision invalid. However, a national court may not refer a question on the validity of a decision of the Data Protection Board at the request of a natural or legal person which had the opportunity to bring an action for annulment of that decision, in particular if it was directly and individually concerned by that decision, but had not done so within the period laid down in Article 263 TFEU.

(144) Where a court seised of proceedings against a decision of a supervisory authority has reason to believe that proceedings concerning the same processing, such as the same subject matter as regards processing by the same controller or processor, or the same cause of action, have been brought before a competent court in another Member State, it should contact that court in order to confirm the existence of such related proceedings. If related proceedings are pending before a court in another Member State, any court other than the court first seised may stay its proceedings or may, on request of one of the parties, decline jurisdiction in favour of the court first seised if that court has jurisdiction over the proceedings in question and its law permits the consolidation of such related proceedings. Proceedings are deemed to be related where they are so closely connected that it is expedient to hear and determine them together in order to avoid the risk of irreconcilable judgments resulting from separate proceedings.

  1. (145) For proceedings against a controller or processor, the plaintiff should have the choice to bring the action before the courts of the Member State where the controller or processor has an establishment or where the data subject resides, unless the controller is a public authority of a Member State acting in the exercise of its public powers.
  2. (146) The controller or processor should compensate any damage which a person may suffer as a result of processing that infringes this Regulation. The controller or processor should be exempt from liability if it proves that it is not in any way responsible for the damage. The concept of damage should be broadly interpreted in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation. This is without prejudice to any claims for damage deriving from the violation of other rules in Union or Member State law. Processing that infringes this Regulation also includes processing that infringes delegated and implementing acts adopted in accordance with this Regulation and Member State law specifying rules of this Regulation. Data subjects should receive full and effective compensation for the damage they have suffered. Where controllers or processors are involved in the same processing, each controller or processor should be held liable for the entire damage. However, where they are joined to the same judicial proceedings, in accordance with Member State law, compensation may be apportioned according to the responsibility of each controller or processor for the damage caused by the processing, provided that full and effective compensation of the data subject who suffered the damage is ensured. Any controller or processor which has paid full compensation may subsequently institute recourse proceedings against other controllers or processors involved in the same processing.
  3. (147) Where specific rules on jurisdiction are contained in this Regulation, in particular as regards proceedings seeking a judicial remedy, including compensation, against a controller or processor, general jurisdiction rules such as those of Regulation (EU) No 1215/2012 of the European Parliament and of the Council (1) should not prejudice the application of such specific rules.
  4. (148) In order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation, in addition to, or instead of, appropriate measures imposed by the supervisory authority pursuant to this Regulation. In a case of a minor infringement, or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine. Due regard should however be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, the degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor. The imposition of penalties including administrative fines should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including effective judicial protection and due process.
  5. (149) Member States should be able to lay down the rules on criminal penalties for infringements of this Regulation, including for infringements of national rules adopted pursuant to and within the limits of this Regulation. Those criminal penalties may also allow for the deprivation of the profits obtained through infringements of this Regulation. However, the imposition of criminal penalties for infringements of such national rules and of administrative penalties should not lead to a breach of the principle of ne bis in idem, as interpreted by the Court of Justice.
  6. (150) In order to strengthen and harmonise administrative penalties for infringements of this Regulation, each supervisory authority should have the power to impose administrative fines. This Regulation should indicate infringements and the upper limit and criteria for setting the related administrative fines, which should be determined by the competent supervisory authority in each individual case, taking into account all relevant circumstances of the specific situation, with due regard in particular to the nature, gravity and duration of the infringement and of its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes. Where administrative fines are imposed on persons that are not an undertaking, the supervisory authority should take account of the general level of income in the Member State as well as the economic situation of the person when considering the appropriate amount of the fine. The consistency mechanism may also be used to promote a consistent application of administrative fines. It should be for the Member States to determine whether and to what extent public authorities should be subject to administrative fines. Imposing an administrative fine or giving a warning does not affect the application of other powers of the supervisory authorities or of other penalties under this Regulation.

(1) Regulation (EU) No 1215/2012 of the European Parliament and of the Council of 12 December 2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters (OJ L 351, 20.12.2012, p. 1).

Official Journal of the European Union

(151) The legal systems of Denmark and Estonia do not allow for administrative fines as set out in this Regulation. The rules on administrative fines may be applied in such a manner that in Denmark the fine is imposed by the competent national courts as a criminal penalty, and in Estonia the fine is imposed by the supervisory authority in the framework of a misdemeanour procedure, provided that such an application of the rules in those Member States has an effect equivalent to administrative fines imposed by supervisory authorities. Therefore the competent national courts should take into account the recommendation of the supervisory authority initiating the fine. In any event, the fines imposed should be effective, proportionate and dissuasive.

(152) Where this Regulation does not harmonise administrative penalties, or where necessary in other cases, for example in cases of serious infringements of this Regulation, Member States should implement a system which provides for effective, proportionate and dissuasive penalties. The nature of such penalties, criminal or administrative, should be determined by Member State law.

(153) Member State law should reconcile the rules governing freedom of expression and information, including journalistic, academic, artistic and literary expression, with the right to the protection of personal data pursuant to this Regulation. The processing of personal data solely for journalistic purposes, or for the purposes of academic, artistic or literary expression, should be subject to derogations or exemptions from certain provisions of this Regulation if necessary to reconcile the right to the protection of personal data with the right to freedom of expression and information, as enshrined in Article 11 of the Charter. This should apply in particular to the processing of personal data in the audiovisual field and in news archives and press libraries. Therefore, Member States should adopt legislative measures which lay down the exemptions and derogations necessary for the purpose of balancing those fundamental rights. Member States should adopt such exemptions and derogations on general principles, the rights of the data subject, the controller and the processor, the transfer of personal data to third countries or international organisations, the independent supervisory authorities, cooperation and consistency, and specific data-processing situations. Where such exemptions or derogations differ from one Member State to another, the law of the Member State to which the controller is subject should apply. In order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary to interpret notions relating to that freedom, such as journalism, broadly.

(154) This Regulation allows the principle of public access to official documents to be taken into account when applying this Regulation. Public access to official documents may be considered to be in the public interest. Personal data in documents held by a public authority or a public body should be able to be publicly disclosed by that authority or body if the disclosure is provided for by Union or Member State law to which the public authority or public body is subject. Such laws should reconcile public access to official documents and the re-use of public sector information with the right to the protection of personal data and may therefore provide for the necessary reconciliation with the right to the protection of personal data pursuant to this Regulation. The reference to public authorities and bodies should in that context include all authorities or other bodies covered by Member State law on public access to documents. Directive 2003/98/EC of the European Parliament and of the Council (1) leaves intact and in no way affects the level of protection of natural persons with regard to the processing of personal data under the provisions of Union and Member State law, and in particular does not alter the obligations and rights set out in this Regulation. In particular, that Directive should not apply to documents to which access is excluded or restricted by virtue of the access regimes on the grounds of protection of personal data, or to parts of documents accessible by virtue of those regimes which contain personal data the re-use of which has been provided for by law as being incompatible with the law concerning the protection of natural persons with regard to the processing of personal data.

  1. (155) Member State law or collective agreements, including "works agreements", may provide for specific rules on the processing of employees' personal data in the employment context, in particular for the conditions under which personal data in the employment context may be processed on the basis of the consent of the employee, for the purposes of recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.
  2. (156) The processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be subject to appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation. Those safeguards should ensure that technical and organisational measures are in place in order to ensure, in particular, the principle of data minimisation. The further processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is to be carried out when the controller has assessed the feasibility of fulfilling those purposes by processing data which do not permit or no longer permit the identification of data subjects, provided that appropriate safeguards exist (such as, for instance, pseudonymisation of the data). Member States should provide for appropriate safeguards for the processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. Member States should be authorised to provide, under specific conditions and subject to appropriate safeguards for data subjects, specifications and derogations with regard to the information requirements and the rights to rectification, to erasure, to be forgotten, to restriction of processing, to data portability and to object when processing personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. The conditions and safeguards in question may entail specific procedures for data subjects to exercise those rights if this is appropriate in the light of the purposes sought by the specific processing, along with technical and organisational measures aimed at minimising the processing of personal data in pursuance of the proportionality and necessity principles. The processing of personal data for scientific purposes should also comply with other relevant legislation, such as on clinical trials.
  3. (157) By coupling information from registries, researchers can obtain new knowledge of great value with regard to widespread medical conditions such as cardiovascular disease, cancer and depression. On the basis of registries, research results can be enhanced, as they draw on a larger population. Within social science, research on the basis of registries enables researchers to obtain essential knowledge about the long-term correlation of a number of social conditions, such as unemployment and education, with other life conditions. Research results obtained through registries provide solid, high-quality knowledge which can provide the basis for the formulation and implementation of knowledge-based policy, improve the quality of life for a number of people and improve the efficiency of social services. In order to facilitate scientific research, personal data can be processed for scientific research purposes, subject to appropriate conditions and safeguards set out in Union or Member State law.
  4. (158) Where personal data are processed for archiving purposes, this Regulation should also apply to that processing, bearing in mind that this Regulation should not apply to deceased persons. Public authorities or public or private bodies that hold records of public interest should be services which, pursuant to Union or Member State law, have a legal obligation to acquire, preserve, appraise, arrange, describe, communicate, promote, disseminate and provide access to records of enduring value for the general public interest. Member States should also be authorised to provide for the further processing of personal data for archiving purposes, for example with a view to providing specific information related to political behaviour under former totalitarian state regimes, genocide, crimes against humanity, in particular the Holocaust, or war crimes.

 


(159) Where personal data are processed for scientific research purposes, this Regulation should also apply to that processing. For the purposes of this Regulation, the processing of personal data for scientific research purposes should be interpreted in a broad manner, including for example technological development and demonstration, fundamental research, applied research and privately funded research. In addition, it should take into account the Union's objective under Article 179(1) TFEU of achieving a European Research Area. Scientific research purposes should also include studies conducted in the public interest in the area of public health. To meet the specificities of processing personal data for scientific research purposes, specific conditions should apply, in particular as regards the publication or other disclosure of personal data in the context of scientific research purposes. If the result of scientific research, in particular in the health context, gives reason for further measures in the interest of the data subject, the general rules of this Regulation should apply in view of those measures.

(160) Where personal data are processed for historical research purposes, this Regulation should also apply to that processing. This should also include historical research and research for genealogical purposes, bearing in mind that this Regulation should not apply to deceased persons.

(161) For the purpose of consenting to participation in scientific research activities in clinical trials, the relevant provisions of Regulation (EU) No 536/2014 of the European Parliament and of the Council (1) should apply.

(162) Where personal data are processed for statistical purposes, this Regulation should apply to that processing. Union or Member State law should, within the limits of this Regulation, determine statistical content, control of access, specifications for the processing of personal data for statistical purposes and appropriate measures to safeguard the rights and freedoms of the data subject and to ensure statistical confidentiality. "Statistical purposes" means any operation of collection and processing of personal data necessary for statistical surveys or for the production of statistical results. Those statistical results may further be used for different purposes, including scientific research purposes. The statistical purpose implies that the result of processing for statistical purposes is not personal data but aggregate data, and that this result or the personal data are not used in support of measures or decisions regarding any particular natural person.

(163) The confidential information which the Union and national statistical authorities collect for the production of official European and official national statistics should be protected. European statistics should be developed, produced and disseminated in accordance with the statistical principles set out in Article 338(2) TFEU, while national statistics should also comply with Member State law. Regulation (EC) No 223/2009 of the European Parliament and of the Council (2) provides further specifications on statistical confidentiality for European statistics.

(164) As regards the powers of the supervisory authorities to obtain from the controller or processor access to personal data and access to their premises, Member States may adopt by law, within the limits of this Regulation, specific rules in order to safeguard professional or other equivalent secrecy obligations, in so far as necessary to reconcile the right to the protection of personal data with an obligation of professional secrecy. This is without prejudice to existing Member State obligations to adopt rules on professional secrecy where required by Union law.

(165) This Regulation respects and does not prejudice the status under existing constitutional law of churches and religious associations or communities in the Member States, as recognised in Article 17 TFEU.

(166) In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data, and to ensure the free movement of personal data within the Union, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission. In particular, delegated acts should be adopted in respect of criteria and requirements for certification mechanisms, information to be presented by standardised icons and procedures for providing such icons. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. The Commission, when preparing and drawing up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and to the Council.

  1. (1) Regulation (EU) No 536/2014 of the European Parliament and of the Council of 16 April 2014 on clinical trials on medicinal products for human use, and repealing Directive 2001/20/EC (OJ L 158, 27.5.2014, p. 1).
  2. (2) Regulation (EC) No 223/2009 of the European Parliament and of the Council of 11 March 2009 on European statistics and repealing Regulation (EC, Euratom) No 1101/2008 of the European Parliament and of the Council on the transmission of data subject to statistical confidentiality to the Statistical Office of the European Communities, Council Regulation (EC) No 322/97 on Community Statistics, and Council Decision 89/382/EEC, Euratom establishing a Committee on the Statistical Programmes of the European Communities (OJ L 87, 31.3.2009, p. 164).

  1. (167) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission where provided for by this Regulation. Those powers should be exercised in accordance with Regulation (EU) No 182/2011. In that context, the Commission should consider specific measures for micro, small and medium-sized enterprises.
  2. (168) The examination procedure should be used for the adoption of implementing acts on standard contractual clauses between controllers and processors and between processors; codes of conduct; technical standards and mechanisms for certification; the adequate level of protection afforded by a third country, a territory or a specified sector within that third country, or an international organisation; standard protection clauses; formats and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules; mutual assistance; and arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the Board.
  3. (169) The Commission should adopt immediately applicable implementing acts where available evidence reveals that a third country, a territory or a specified sector within that third country, or an international organisation does not ensure an adequate level of protection, and imperative grounds of urgency so require.
  4. (170) Since the objective of this Regulation, namely to ensure an equivalent level of protection of natural persons and the free flow of personal data throughout the Union, cannot be sufficiently achieved by the Member States and can rather, by reason of the scale or effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.
  5. (171) Directive 95/46/EC should be repealed by this Regulation. Processing already under way on the date of application of this Regulation should be brought into conformity with this Regulation within the period of two years after this Regulation enters into force. Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this Regulation, so as to allow the controller to continue such processing after the date of application of this Regulation. Commission decisions adopted and authorisations by supervisory authorities based on Directive 95/46/EC remain in force until amended, replaced or repealed.
  6. (172) The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 and delivered an opinion on 7 March 2012 (1).
  7. (173) This Regulation should apply to all matters concerning the protection of fundamental rights and freedoms with regard to the processing of personal data which are not subject to specific obligations with the same objective set out in Directive 2002/58/EC of the European Parliament and of the Council (2), including the obligations on the controller and the rights of natural persons. In order to clarify the relationship between this Regulation and Directive 2002/58/EC, that Directive should be amended accordingly. Once this Regulation is adopted, Directive 2002/58/EC should be reviewed, in particular in order to ensure consistency with this Regulation,

HAVE ADOPTED THIS REGULATION:


CHAPTER I

General provisions

Article 1

Purpose and Objectives


1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.

2. This Regulation protects the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.

Article 2

Material scope

1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

2. This Regulation does not apply to the processing of personal data:

a) in the course of an activity which falls outside the scope of Union law;

b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;

c) by a natural person in the course of a purely personal or household activity;

d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

3. For the processing of personal data by the Union institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 applies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data shall be adapted to the principles and rules of this Regulation in accordance with Article 98.

4. This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular the liability rules for intermediary service providers in Articles 12 to 15 of that Directive.

Article 3

Territorial scope

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

a) the offering of goods or services to such data subjects in the Union, irrespective of whether a payment by the data subject is required; or

b) the monitoring of their behaviour, as far as that behaviour takes place within the Union.

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

Article 4

Definitions

For the purposes of this Regulation:

  1. 1) "personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  2. 2) "processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  3. 3) "restriction of processing" means the marking of stored personal data with the aim of limiting their processing in the future;
  4. 4) "profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
  5. 5) "pseudonymisation" means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
  6. 6) "filing system" means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
  7. 7) "controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  8. 8) "processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  9. 9) "recipient" means a natural or legal person, public authority, agency or other body to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
  10. 10) "third party" means a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or processor, are authorised to process personal data;
  11. 11) "consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  12. 12) "personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
  13. 13) "genetic data" means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
  14. 14) "biometric data" means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic (fingerprint) data;
  15. 15) "data concerning health" means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
  16. 16) "main establishment" means:
    1. a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered the main establishment;
    2. b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context of the activities of an establishment of the processor take place, to the extent that the processor is subject to specific obligations under this Regulation;
  17. 17) "representative" means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;
  18. 18) "enterprise" means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;
  19. 19) "group of undertakings" means a controlling undertaking and its controlled undertakings;
  20. 20) "binding corporate rules" means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;
  21. 21) "supervisory authority" means an independent public authority which is established by a Member State pursuant to Article 51;
  22. 22) "supervisory authority concerned" means a supervisory authority which is concerned by the processing of personal data because:
    1. a) the controller or processor is established on the territory of the Member State of that supervisory authority;
    2. b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or
    3. c) a complaint has been lodged with that supervisory authority;
  23. 23) "cross-border processing" means either:
    1. a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or
    2. b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State;
  24. 24) "relevant and reasoned objection" means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;
  25. 25) "information society service" means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council (1);
  26. 26) "international organisation" means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

    CHAPTER II

    Principles

    Article 5

    Principles governing the processing of personal data

1. Personal data shall be:

  1. a) processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency"),
  2. b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered incompatible with the initial purposes, in accordance with Article 89 paragraph 1 ("purpose limitation"),
  3. c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimisation"),
  4. d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ("accuracy"),

  5. e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 paragraph 1, subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ("storage limitation"),
  6. f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ("integrity and confidentiality").

2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ("accountability").

(1) Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 on the provision of information in the field of technical regulations and of rules on information society services (OJ L 241, 17.9.2015, p. 1).

Article 6

Lawfulness of processing

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

  1. a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes,
  2. b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract,
  3. c) processing is necessary for compliance with a legal obligation to which the controller is subject,
  4. d) processing is necessary in order to protect the vital interests of the data subject or of another natural person,
  5. e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,
  6. f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with paragraph 1 points c) and e), by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing, including for other specific processing situations as provided for in Chapter IX.

3. The basis for the processing referred to in paragraph 1 points c) and e) shall be laid down by:

a) Union law, or

b) the law of the Member State to which the controller is subject.

The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in paragraph 1 point e), shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of the rules of this Regulation, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to which, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing, such as those for other specific processing situations as provided for in Chapter IX. Union law or Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.

4. Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23 paragraph 1, the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data were initially collected, take into account, inter alia:

  1. a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing,
  2. b) the context in which the personal data have been collected, in particular regarding the relationship between the data subject and the controller,
  3. c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10,
  4. d) the possible consequences of the intended further processing for data subjects,
  5. e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.

    Article 7

    Conditions for consent

1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data.

2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw consent as to give it.

4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is made conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Article 8

Conditions applicable to the child's consent in relation to the services of the information society

1. Where Article 6 paragraph 1 point a) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

Member States may provide by law for a lower age for those purposes, provided that such lower age is not below 13 years.


2. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.

3. Paragraph 1 shall not affect the general contract law of Member States, such as the rules on the validity, formation or effect of a contract in relation to a child.

Article 9

Processing of special categories of personal data

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

2. Paragraph 1 shall not apply if one of the following applies:

  1. a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject,
  2. b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, in so far as it is authorised by Union or Member State law or a collective agreement pursuant to national law providing for appropriate safeguards for the fundamental rights and the interests of the data subject,
  3. c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent,
  4. d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects,
  5. e) processing relates to personal data which are manifestly made public by the data subject,
  6. f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity,
  7. g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject,
  8. h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to a contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3,
  9. i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy, or

  10. j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 paragraph 1, based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in paragraph 2 point h) when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies, or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.

Article 10

Processing of personal data relating to criminal convictions and offenses

Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6 paragraph 1 shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.

Article 11

Processing which does not require identification

1. If the purposes for which a controller processes personal data do not or no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.

2. Where, in the cases referred to in paragraph 1 of this Article, the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible. In such cases, Articles 15 to 20 shall not apply, except where the data subject, for the purpose of exercising his or her rights under those Articles, provides additional information enabling his or her identification.

CHAPTER III

Rights of the data subject

Part 1

Transparency and modalities

Article 12

Transparent information, communication and modalities for the exercise of the rights of the data subject

1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and Article 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.


2. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11 paragraph 2, the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.

3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and Article 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

a) charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or

b) refuse to act on the request.

The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

6. Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

7. The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give, in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they shall be machine-readable.

8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons.

Part 2

Information and access to personal data

Article 13

Information to be provided where personal data are collected from the data subject

1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:

  1. a) the identity and the contact details of the controller and, where applicable, of the controller's representative,
  2. b) the contact details of the data protection officer, where applicable,
  3. c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing,

  4. d) where the processing is based on Article 6 paragraph 1 point f), the legitimate interests pursued by the controller or by a third party,
  5. e) the recipients or categories of recipients of the personal data, if any,
  6. f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or, in the case of transfers referred to in Article 46 or 47 or Article 49 paragraph 1 second subparagraph, reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

2. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:

  1. a) the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period,
  2. b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing, as well as the right to data portability,
  3. c) where the processing is based on Article 6 paragraph 1 point a) or Article 9 paragraph 2 point a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal,
  4. d) the right to lodge a complaint with a supervisory authority,
  5. e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data,
  6. f) the existence of automated decision-making, including profiling, referred to in Article 22 paragraphs 1 and 4 and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

3. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject, prior to that further processing, with information on that other purpose and with any relevant further information as referred to in paragraph 2.

4. Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.

Article 14

Information to be provided where personal data have not been obtained from the data subject

1. Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:

  1. a) the identity and the contact details of the controller and, where applicable, of the controller's representative,
  2. b) the contact details of the data protection officer, where applicable,
  3. c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing,
  4. d) the categories of personal data concerned,
  5. e) the recipients or categories of recipients of the personal data, if any,

  6. f) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or, in the case of transfers referred to in Article 46 or 47 or Article 49 paragraph 1 second subparagraph, reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.

2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:

  1. a) the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period,
  2. b) where the processing is based on Article 6 paragraph 1 point f), the legitimate interests pursued by the controller or by a third party,
  3. c) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing, as well as the right to data portability,
  4. d) where the processing is based on Article 6 paragraph 1 point a) or Article 9 paragraph 2 point a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal,
  5. e) the right to lodge a complaint with a supervisory authority,
  6. f) the source from which the personal data originate and, if applicable, whether they came from publicly accessible sources,
  7. g) the existence of automated decision-making, including profiling, referred to in Article 22 paragraphs 1 and 4 and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

3. The controller shall provide the information referred to in paragraphs 1 and 2:

  1. a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed,
  2. b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject, or
  3. c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

4. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject, prior to that further processing, with information on that other purpose and with any relevant further information as referred to in paragraph 2.

5. Paragraphs 1 to 4 shall not apply where and insofar as:

  1. a) the data subject already has the information,
  2. b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89 paragraph 1, or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available,
  3. c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests, or
  4. d) where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.


Article 15

Right of access of the data subject

1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and the following information:

  1. a) the purposes of the processing,
  2. b) the categories of personal data concerned,
  3. c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations,
  4. d) where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period,
  5. e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing,
  6. f) the right to lodge a complaint with a supervisory authority,
  7. g) where the personal data are not collected from the data subject, any available information as to their source,
  8. h) the existence of automated decision-making, including profiling, referred to in Article 22 paragraphs 1 and 4 and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

Part 3

Correction and deletion

Article 16

Right to rectification

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Article 17

Right to erasure ("right to be forgotten")

1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay, where one of the following grounds applies:

a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed,

b) the data subject withdraws the consent on which the processing is based according to Article 6 paragraph 1 point a) or Article 9 paragraph 2 point a), and there is no other legal ground for the processing,

c) the data subject objects to the processing pursuant to Article 21 paragraph 1 and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 paragraph 2,

d) the personal data have been unlawfully processed,

e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject,

f) the personal data have been collected in relation to the offer of information society services referred to in Article 8 paragraph 1.

2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

a) for exercising the right of freedom of expression and information,

b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,

c) for reasons of public interest in the area of public health in accordance with Article 9 paragraph 2 points h) and i) as well as Article 9 paragraph 3,

d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 paragraph 1, in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing, or

e) for the establishment, exercise or defence of legal claims.

Article 18

Right to restriction of processing

1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

  1. a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data,
  2. b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead,
  3. c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims,
  4. d) the data subject has objected to processing pursuant to Article 21 paragraph 1, pending the verification whether the legitimate grounds of the controller override those of the data subject.

2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

4.5.2016 Official Journal of the European Union L 119/45


3. A data subject who has obtained restriction of processing in accordance with paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

Article 19

Notification obligation regarding rectification or erasure of personal data or restriction of processing

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17 paragraph 1 and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

Article 20

Right to data portability

1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

a) the processing is based on consent pursuant to Article 6 paragraph 1 point a) or Article 9 paragraph 2 point a), or on a contract pursuant to Article 6 paragraph 1 point b), and

b) the processing is carried out by automated means.

2. In the exercise of the right to data portability under paragraph 1, the data subject has the right to ask for the direct transmission of personal data from one controller to another, if this is technically feasible.

3. The right referred to in paragraph 1 of this Article shall be exercised subject to Article 17. This right does not apply to the processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

Part 4

Right to object and automated individual decision-making

Article 21

Right to object

1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on Article 6 paragraph 1 point e) or f), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defense of legal claims.

2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.


4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89 paragraph 1, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Article 22

Automated individual decision-making, including profiling

1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

2. Paragraph 1 shall not apply if the decision:

a) is necessary for entering into, or performance of, a contract between the data subject and a data controller,

b) is authorized by Union law or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights, freedoms and legitimate interests, or

c) is based on the data subject's explicit consent.

3. In the cases referred to in paragraph 2 points a) and c), the data controller shall implement suitable measures to safeguard the data subject's rights, freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

4. Decisions referred to in paragraph 2 shall not be based on the special categories of personal data referred to in Article 9 paragraph 1, unless Article 9 paragraph 2 point a) or g) applies and suitable measures to safeguard the data subject's rights, freedoms and legitimate interests are in place.

Part 5

Limitations

Article 23

Limitations

1. Union law or Member State law to which the controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

a) State security,

b) defense,

c) public security,

d) the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security,

e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security,

f) the protection of judicial independence and judicial proceedings,

g) the prevention, investigation, detection and prosecution of breaches of ethics in regulated professions,

h) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in the cases referred to in points a) to e) and g),

i) the protection of the data subject or the rights and freedoms of others,

j) the enforcement of civil law claims.

2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:

a) the purposes of the processing or categories of processing,

b) the categories of personal data,

c) the scope of the restrictions introduced,

d) the safeguards to prevent abuse or unlawful access or transfer,

e) the specification of the controller or categories of controllers,

f) the storage periods and the applicable safeguards, taking into account the nature, scope and purposes of the processing or categories of processing,

g) the risks to the rights and freedoms of data subjects, and

h) the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.

CHAPTER IV

Controller and processor

Part 1

General obligations

Article 24

Responsibility of the controller

1. Taking into account the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.

3. Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.


Article 25

Data protection by design and by default

1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

2. The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that, by default, personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.

3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.

Article 26

Joint controllers

1. Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall determine in a transparent manner their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them, unless and in so far as the respective responsibilities of the controllers are determined by Union law or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.

2. The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject.

3. Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.

Article 27

Representatives of controllers or processors not established in the Union

1. Where Article 3 paragraph 2 applies, the controller or the processor shall designate in writing a representative in the Union.

2. The obligation laid down in paragraph 1 of this Article shall not apply to:

a) processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9 paragraph 1 or processing of personal data relating to criminal convictions and offenses referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing, or

b) a public authority or body.


3. The representative shall be established in one of the Member States where the data subjects are whose personal data are processed in relation to the offering of goods or services to them, or whose behavior is monitored.

4. The representative shall be mandated by the controller or processor to be addressed, in addition to or instead of the controller or the processor, by supervisory authorities and data subjects on all issues related to processing, for the purposes of ensuring compliance with this Regulation.

5. The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.

Article 28

Processor

1. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing meets the requirements of this Regulation and ensures the protection of the rights of the data subject.

2. The processor shall not engage another processor without prior specific or general written authorization of the controller. In the case of general written authorization, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

3. Processing by a processor shall be governed by a contract or other legal act under Union law or Member State law, that is binding on the processor with regard to the controller and that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:

a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union law or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest,

b) ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality,

c) takes all measures required pursuant to Article 32,

d) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor,

e) taking into account the nature of the processing, assists the controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III,

f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36, taking into account the nature of the processing and the information available to the processor,

g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union law or Member State law requires storage of the personal data,

h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

With regard to point h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.

4. Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor, as referred to in paragraph 3, shall be imposed on that other processor by way of a contract or other legal act under Union law or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing meets the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.

5. Adherence of a processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article.

6. Subject to individual agreement between the controller and the processor, such contract or other legal instrument referred to in paragraphs 3 and 4 of this Article may be based, wholly or partly, on standard contractual clauses set out in paragraphs 7 and 8 of this Article, including when they are part of the certification issued to the controller or the processor in accordance with Articles 42 and 43.

7. The Commission may adopt the standard contractual clauses for the issues referred to in paragraphs 3 and 4 of this Article and in accordance with the examination procedure referred to in Article 93 paragraph 2.

8. A supervisory authority may establish standard contractual clauses for the issues referred to in paragraphs 3 and 4 of this Article and in accordance with the consistency mechanism referred to in Article 63.

9. The contract or the other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form.

10. Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.

Article 29

Processing under the authority of the controller or processor

The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union law or Member State law.

Article 30

Records of processing activities

1. Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

a) the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer,

b) the purposes of the processing,

c) a description of the categories of data subjects and of the categories of personal data,

d) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations,

e) where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in Article 49 paragraph 1 second subparagraph, the documentation of suitable safeguards,

f) where possible, the envisaged time limits for erasure of the different categories of data,

g) where possible, a general description of the technical and organizational security measures referred to in Article 32 paragraph 1.

2. Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing:

a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer,

b) the categories of processing carried out on behalf of each controller,

c) where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in Article 49 paragraph 1 second subparagraph, the documentation of suitable safeguards,

d) where possible, a general description of the technical and organizational security measures referred to in Article 32 paragraph 1.

3. The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.

4. The controller or the processor and, where applicable, the controller's or the processor's representative, shall make the record available to the supervisory authority on request.

5. The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organization employing fewer than 250 persons, unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9 paragraph 1 or personal data relating to criminal convictions and offenses referred to in Article 10.

Article 31

Cooperation with the supervisory authority

The controller and the processor and, where applicable, their representatives shall cooperate, on request, with the supervisory authority in the performance of its tasks.

Part 2

Security of personal data

Article 32

Security of processing

1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, where appropriate:

a) the pseudonymization and encryption of personal data,

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services,

c) the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident,

d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

2. In assessing the appropriate level of security, account shall be taken in particular of the risks presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.

3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements of paragraph 1 of this Article.

4. The controller and the processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless required to do so by Union law or Member State law.

Article 33

Notification of a personal data breach to the supervisory authority

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

3. The notification referred to in paragraph 1 shall at least:

a) describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned,

b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained,

c) describe the likely consequences of the personal data breach,

d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

4. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

5. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.

Article 34

Communication of personal data breach to the data subject

1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and shall contain at least the information and measures referred to in Article 33 paragraph 3 points b), c) and d).

3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:

a) the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the breach, in particular measures that render the personal data unintelligible to any person who is not authorized to access them, such as encryption,

b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialize,

c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or a similar measure whereby the data subjects are informed in an equally effective manner.

4. If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.

Part 3

impact assessment on data protection and prior consultation

Article 35

Impact assessment on data protection

1. Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

2. The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.

3. A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:

a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person,

b) processing on a large scale of special categories of data referred to in Article 9 paragraph 1, or of personal data relating to criminal convictions and offenses referred to in Article 10, or

c) a systematic monitoring of a publicly accessible area on a large scale.

4. The supervisory authority shall establish and publish a list of the types of processing operations subject to the requirement to conduct an impact assessment on data protection under paragraph 1. The supervisory authority shall communicate that list to the Data Protection Board referred to in Article 68.

5. The supervisory authority may also establish and publish a list of the types of processing operations which do not require an impact assessment on data protection. The supervisory authority shall communicate that list to the Data Protection Board.

6. Prior to the adoption of the lists referred to in paragraphs 4 and 5, the competent supervisory authority shall apply the consistency mechanism referred to in Article 63 where such lists involve processing activities which are related to the offering of goods or services to data subjects or to the monitoring of their behavior in several Member States, or which may substantially affect the free movement of personal data within the Union.

L 119/54

Official Journal of the European Union 4.5.2016

THE

7. a)

b) c)

d)

The assessment contains at least:

systematic description of the envisaged processing operations and objectives of treatment, including, where appropriate, the legitimate interests pursued by the controller,

assessing the necessity and proportionality of processing operations in connection with the purposes,

assessment of risks to the rights and freedoms of data subjects mentioned in paragraph 1 and

provided risk mitigation measures, including guarantees, measures and security mechanisms, to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.

8.
processing or processors duly taken into account when assessing the impact of processing operations performed by these controllers or processors, especially for impact assessment purposes on data protection.

9. where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, subject to the protection of commercial or public interests or the security of processing operations.

10. When processing under Article 6 paragraph 1 point c) or e) It has a legal basis in Union law or Member State law to which the controller is subject, this law regulates the respective specific processing operation or series of operations and has already carried out an impact assessment on data protection as part of a general impact assessment in the approval of the legal base, paragraphs 1 until 7 not applicable, unless Member States consider it essential to carrying out this evaluation before treatment activities.

11. Where required, the controller carry out a review to assess whether the processing of personal data carried out according to the impact assessment to protect data at least when changing the risk posed by processing operations.

Article 36

Prior consultation

1. The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.

2. Where the supervisory authority is of the opinion that the intended processing referred to in paragraph 1 would infringe this Regulation, in particular where the controller has insufficiently identified or mitigated the risk, the supervisory authority shall, within a period of up to eight weeks of receipt of the request for consultation, provide written advice to the controller and, where applicable, to the processor, and may use any of its powers referred to in Article 58. That period may be extended by six weeks, taking into account the complexity of the intended processing. The supervisory authority shall inform the controller and, where applicable, the processor of any such extension within one month of receipt of the request for consultation, together with the reasons for the delay. Those periods may be suspended until the supervisory authority has obtained the information it has requested for the purposes of the consultation.

3. When consulting the supervisory authority pursuant to paragraph 1, the controller shall provide the supervisory authority with:

a) where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings,

b) the purposes and means of the intended processing,

c) the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to this Regulation,

d) where applicable, the contact details of the data protection officer,

e) the data protection impact assessment provided for in Article 35, and

f) any other information requested by the supervisory authority.

4.5.2016 Official Journal of the European Union L 119/55

4. Member States shall consult the supervisory authority during the preparation of a proposal for a legislative measure to be adopted by a national parliament, or of a regulatory measure based on such a legislative measure, which relates to processing.

5. Notwithstanding paragraph 1, Member State law may require controllers to consult with, and obtain prior authorization from, the supervisory authority in relation to processing by a controller for the performance of a task carried out by the controller in the public interest, including processing in relation to social protection and public health.

Section 4

Data Protection Officer

Article 37

Designation of the data protection officer

1. The controller and the processor shall designate a data protection officer in any case where:

a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity,

b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale, or

c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offenses referred to in Article 10.

2. A group of undertakings may appoint a single data protection officer, provided that a data protection officer is easily accessible from each establishment.

3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organizational structure and size.

4. In cases other than those referred to in paragraph 1, the controller or processor, or associations and other bodies representing categories of controllers or processors, may, or, where required by Union or Member State law, shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.

5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill the tasks referred to in Article 39.

6. The data protection officer may be a staff member of the controller or processor, or fulfill the tasks on the basis of a service contract.

7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.

Article 38

Position of the data protection officer

1. The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.

2. The controller and the processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing the resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.

3. The controller and the processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalized by the controller or the processor for performing those tasks. The data protection officer shall report directly to the highest management level of the controller or the processor.

4. Data subjects may contact the data protection officer with regard to all issues related to the processing of their personal data and to the exercise of their rights under this Regulation.

5. The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.

6. The data protection officer may fulfill other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.

Article 39

Tasks of the data protection officer

1. The data protection officer shall have at least the following tasks:

a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions,

b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits,

c) to provide advice, where requested, as regards the data protection impact assessment and to monitor its performance pursuant to Article 35,

d) to cooperate with the supervisory authority,

e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.

2. The data protection officer shall, in the performance of his or her tasks, have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of the processing.

Section 5

Codes of conduct and certification

Article 40

Codes of conduct

1. The Member States, the supervisory authorities, the Data Protection Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.

2. Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to:

a) fair and transparent processing,

b) the legitimate interests pursued by controllers in specific contexts,

c) the collection of personal data,

d) the pseudonymization of personal data,

e) the information provided to the public and to data subjects,

f) the exercise of the rights of data subjects,

g) the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained,

h) the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32,

i) the notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to data subjects,

j) the transfer of personal data to third countries or international organizations, or

k) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79.

3. In addition to adherence by controllers or processors subject to this Regulation, codes of conduct approved pursuant to paragraph 5 of this Article and having general validity pursuant to paragraph 9 of this Article may also be adhered to by controllers or processors that are not subject to this Regulation pursuant to Article 3, in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organizations under the terms referred to in Article 46 paragraph 2 point e). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards, including with regard to the rights of data subjects.

4. A code of conduct referred to in paragraph 2 of this Article shall contain mechanisms which enable the body referred to in Article 41 paragraph 1 to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of the supervisory authorities competent pursuant to Article 55 or 56.

5. Associations and other bodies referred to in paragraph 2 of this Article which intend to prepare a code of conduct or to amend or extend an existing code shall submit the draft code, amendment or extension to the supervisory authority which is competent pursuant to Article 55. The supervisory authority shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation and shall approve that draft code, amendment or extension if it finds that it provides sufficient appropriate safeguards.

6. Where the draft code, amendment or extension is approved in accordance with paragraph 5, and where the code of conduct concerned does not relate to processing activities in several Member States, the supervisory authority shall register and publish the code.

7. Where a draft code of conduct relates to processing activities in several Member States, the supervisory authority which is competent pursuant to Article 55 shall, before approving the draft code, amendment or extension, submit it in the procedure referred to in Article 63 to the Data Protection Board, which shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation or, in the situation referred to in paragraph 3 of this Article, provides appropriate safeguards.

8. Where the opinion referred to in paragraph 7 confirms that the draft code, amendment or extension complies with this Regulation or, in the situation referred to in paragraph 3, provides appropriate safeguards, the Data Protection Board shall submit its opinion to the Commission.

9. The Commission may, by way of implementing acts, decide that the approved code of conduct, amendment or extension submitted to it pursuant to paragraph 8 of this Article has general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93 paragraph 2.

10. The Commission shall ensure appropriate publicity for the approved codes which have been decided as having general validity in accordance with paragraph 9.

11. The Data Protection Board shall collate all approved codes of conduct, amendments and extensions in a register and shall make them publicly available by any appropriate means.

Article 41

Monitoring of approved codes of conduct

1. Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, the monitoring of compliance with a code of conduct pursuant to Article 40 may be carried out by a body which has an appropriate level of expertise in relation to the subject matter of the code and is accredited for that purpose by the competent supervisory authority.

2. A body as referred to in paragraph 1 may be accredited to monitor compliance with a code of conduct where that body has:

a) demonstrated its independence and expertise in relation to the subject matter of the code to the satisfaction of the competent supervisory authority,

b) established procedures which allow it to assess the eligibility of the controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation,

c) established procedures and structures to handle complaints about infringements of the code or the manner in which the code has been, or is being, implemented by a controller or processor, and to make those procedures and structures transparent to data subjects and the public, and

d) demonstrated to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests.

3. The competent supervisory authority shall submit the draft criteria for accreditation of a body as referred to in paragraph 1 of this Article to the Data Protection Board pursuant to the consistency mechanism referred to in Article 63.

4. Without prejudice to the tasks and powers of the competent supervisory authority and the provisions of Chapter VIII, a body as referred to in paragraph 1 of this Article shall, subject to appropriate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. It shall inform the competent supervisory authority of such actions and the reasons for taking them.

5. The competent supervisory authority shall revoke the accreditation of a body as referred to in paragraph 1 if the conditions for accreditation are not, or are no longer, met or where actions taken by the body infringe this Regulation.

6. This Article shall not apply to the processing carried out by public authorities and public bodies.

Article 42

Certification

1. The Member States, the supervisory authorities, the Data Protection Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.

2. In addition to adherence by controllers or processors subject to this Regulation, data protection certification mechanisms, seals or marks approved pursuant to paragraph 5 of this Article may be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to this Regulation pursuant to Article 3, within the framework of personal data transfers to third countries or international organizations under the terms referred to in Article 46 paragraph 2 point f). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards, including with regard to the rights of data subjects.

3. The certification shall be voluntary and available via a process that is transparent.

4. A certification pursuant to this Article does not reduce the responsibility of the controller or the processor for compliance with this Regulation and is without prejudice to the tasks and powers of the supervisory authorities which are competent pursuant to Article 55 or 56.

5. A certification pursuant to this Article shall be issued by the certification bodies referred to in Article 43 or by the competent supervisory authority, on the basis of criteria approved by that competent supervisory authority pursuant to Article 58 paragraph 3 or by the Data Protection Board pursuant to Article 63. Where the criteria are approved by the Data Protection Board, this may result in a common certification, the European Data Protection Seal.

6. The controller or processor which submits its processing to the certification mechanism shall provide the certification body referred to in Article 43 or, where applicable, the competent supervisory authority with all information and access to its processing activities which are necessary to conduct the certification procedure.

7. Certification shall be issued to a controller or processor for a maximum period of three years and may be renewed, under the same conditions, provided that the relevant requirements continue to be met. Certification shall be withdrawn, as applicable, by the certification bodies referred to in Article 43 or by the competent supervisory authority where the requirements for the certification are not, or are no longer, met.

8. The Data Protection Board shall collate all certification mechanisms and data protection seals and marks in a register and shall make them publicly available by any appropriate means.

Article 43

certification bodies

1. Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, certification bodies which have an appropriate level of expertise in relation to data protection shall, after informing the supervisory authority in order to allow it to exercise its powers pursuant to Article 58 paragraph 2 point h) where necessary, issue and renew certification. Member States shall ensure that those certification bodies are accredited by one or both of the following:

a) the supervisory authority which is competent pursuant to Article 55 or 56,

b) the national accreditation body named in accordance with Regulation (EC) No 765/2008 of the European Parliament and of the Council (1), in accordance with EN-ISO/IEC 17065/2012 and with the additional requirements established by the supervisory authority which is competent pursuant to Article 55 or 56.

(1) Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93 (OJ L 218, 13.8.2008, p. 30).

2. Certification bodies referred to in paragraph 1 shall be accredited in accordance with that paragraph only where they have:

a) demonstrated their independence and expertise in relation to the subject matter of the certification to the satisfaction of the competent supervisory authority,

b) undertaken to respect the criteria referred to in Article 42 paragraph 5 and approved by the supervisory authority which is competent pursuant to Article 55 or 56 or by the Data Protection Board pursuant to Article 63,

c) established procedures for the issuing, periodic review and withdrawal of data protection certifications, seals and marks,

d) established procedures and structures to handle complaints about infringements of the certification or the manner in which the certification has been, or is being, implemented by the controller or processor, and to make those procedures and structures transparent to data subjects and the public, and

e) demonstrated, to the satisfaction of the competent supervisory authority, that their tasks and duties do not result in a conflict of interests.

3. The accreditation of certification bodies as referred to in paragraphs 1 and 2 of this Article shall take place on the basis of criteria approved by the supervisory authority which is competent pursuant to Article 55 or 56 or by the Data Protection Board pursuant to Article 63. In the case of accreditation pursuant to point b) of paragraph 1 of this Article, those requirements shall complement those envisaged in Regulation (EC) No 765/2008 and the technical rules that describe the methods and procedures of the certification bodies.

4. The certification bodies referred to in paragraph 1 shall be responsible for the proper assessment leading to the certification or the withdrawal of such certification, without prejudice to the responsibility of the controller or processor for compliance with this Regulation. The accreditation shall be issued for a maximum period of five years and may be renewed on the same conditions, provided that the certification body meets the requirements set out in this Article.

5. The certification bodies referred to in paragraph 1 shall provide the competent supervisory authorities with the reasons for granting or withdrawing the requested certification.

6. The requirements referred to in paragraph 3 of this Article and the criteria referred to in Article 42 paragraph 5 shall be made public by the supervisory authority in an easily accessible form. The supervisory authorities shall also transmit those requirements and criteria to the Data Protection Board. The Data Protection Board shall collate all certification mechanisms and data protection seals in a register and shall make them publicly available by any appropriate means.

7. Without prejudice to Chapter VIII, the competent supervisory authority or the national accreditation body shall revoke the accreditation of a certification body pursuant to paragraph 1 of this Article where the conditions for the accreditation are not, or are no longer, met or where actions taken by the certification body infringe this Regulation.

8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of specifying the requirements to be taken into account for the data protection certification mechanisms referred to in Article 42 paragraph 1.

9. The Commission may adopt implementing acts laying down technical standards for certification mechanisms and data protection seals and marks, and mechanisms to promote and recognize those certification mechanisms, seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93 paragraph 2.

CHAPTER V

Transfers of personal data to third countries or international organizations

Article 44

General principles for transfers

Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organization shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and the processor, including for onward transfers of personal data from the third country or international organization to another third country or to another international organization. All provisions of this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.

Article 45

Transfers based on an adequacy decision

1. A transfer of personal data to a third country or an international organization may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection. Such a transfer shall not require any specific authorization.

2. When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:

a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defense, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organization which are complied with in that country or international organization, case law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred,

b) the existence and effective functioning of one or more independent supervisory authorities in the third country, or to which an international organization is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States, and

c) the international commitments the third country or international organization concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

3. The Commission, after assessing the adequacy of the level of protection, may decide, by means of an implementing act, that a third country, a territory or one or more specified sectors within a third country, or an international organization ensures an adequate level of protection within the meaning of paragraph 2 of this Article. The implementing act shall provide for a mechanism for a periodic review, at least every four years, which shall take into account all relevant developments in the third country or international organization. The implementing act shall specify its territorial and sectoral application and, where applicable, identify the supervisory authority or authorities referred to in point b) of paragraph 2 of this Article. The implementing act shall be adopted in accordance with the examination procedure referred to in Article 93 paragraph 2.

4. The Commission shall, on an ongoing basis, monitor developments in third countries and international organizations that could affect the functioning of decisions adopted pursuant to paragraph 3 of this Article and decisions adopted on the basis of Article 25 paragraph 6 of Directive 95/46/EC.

5. The Commission shall, where available information reveals, in particular following the review referred to in paragraph 3 of this Article, that a third country, a territory or one or more specified sectors within a third country, or an international organization no longer ensures an adequate level of protection within the meaning of paragraph 2 of this Article, to the extent necessary, repeal, amend or suspend the decision referred to in paragraph 3 of this Article by means of implementing acts without retroactive effect. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93 paragraph 2.

On duly justified imperative grounds of urgency, the Commission shall adopt immediately applicable implementing acts in accordance with the procedure referred to in Article 93 paragraph 3.

6. The Commission shall enter into consultations with the third country or international organization with a view to remedying the situation giving rise to the decision made pursuant to paragraph 5.

7. A decision pursuant to paragraph 5 of this Article is without prejudice to transfers of personal data to the third country, a territory or one or more specified sectors within that third country, or the international organization in question pursuant to Articles 46 to 49.

8. The Commission shall publish in the Official Journal of the European Union and on its website a list of the third countries, territories and specified sectors within a third country and international organizations for which it has decided that an adequate level of protection is or is no longer ensured.

9. Decisions adopted by the Commission on the basis of Article 25 paragraph 6 of Directive 95/46/EC shall remain in force until amended, replaced or repealed by a Commission decision adopted in accordance with paragraph 3 or 5 of this Article.

Article 46

Transfers subject to appropriate safeguards

1. In the absence of a decision pursuant to Article 45 paragraph 3, a controller or processor may transfer personal data to a third country or an international organization only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

2. The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorization from a supervisory authority, by:

a) a legally binding and enforceable instrument between public authorities or bodies,

b) binding corporate rules in accordance with Article 47,

c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93 paragraph 2,

d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93 paragraph 2,

e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights, or

f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.

3. Subject to the authorization of the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:

a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organization, or

b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

4. The supervisory authority shall apply the consistency mechanism referred to in Article 63 in the cases referred to in paragraph 3 of this Article.

5. Authorizations by a Member State or supervisory authority on the basis of Article 26 paragraph 2 of Directive 95/46/EC shall remain valid until amended, replaced or repealed, if necessary, by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26 paragraph 4 of Directive 95/46/EC shall remain in force until amended, replaced or repealed, if necessary, by a Commission decision adopted in accordance with paragraph 2 of this Article.

Article 47

Binding Corporate Rules

1. The competent supervisory authority shall approve binding corporate rules pursuant to the consistency mechanism referred to in Article 63, under the condition that:

a) legally binding and applicable in every Member State and applied by each Member State of the group, or group of companies engaged in joint economic activity, including their staff,

4.5.2016 Official Journal of the European Union L 119/63

THE

b) expressly confer enforceable rights on data subjects with regard to the processing of their personal data, and

c) fulfil the requirements laid down in paragraph 2.

2. The binding corporate rules referred to in paragraph 1 shall specify at least:

a) the structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity, and of each of its members,

b) the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question,

c) the legally binding nature of the rules, both internally and externally,

d) the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, the legal basis for processing, the processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules,

e) the rights of data subjects in regard to processing and the means to exercise those rights, including the right not to be subject to decisions based solely on automated processing, including profiling, in accordance with Article 22, the right to lodge a complaint with the competent supervisory authority and before the competent courts of the Member States in accordance with Article 79, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules,

f) the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member concerned not established in the Union; the controller or the processor shall be exempt from that liability, in whole or in part, only if it proves that that member is not responsible for the event giving rise to the damage,

g) how the information on the binding corporate rules, in particular on the provisions referred to in points d), e) and f) of this paragraph, is provided to the data subjects in addition to Articles 13 and 14,

h) the tasks of any data protection officer designated in accordance with Article 37 or any other person or entity in charge of monitoring compliance with the binding corporate rules within the group of undertakings, or group of enterprises engaged in a joint economic activity, as well as monitoring training and complaint-handling,

i) the complaint procedures,

j) the mechanisms within the group of undertakings, or group of enterprises engaged in a joint economic activity, for verifying compliance with the binding corporate rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. The results of such verification shall be communicated to the person or entity referred to in point h) and to the board of the controlling undertaking of the group of undertakings, or of the group of enterprises engaged in a joint economic activity, and shall be available upon request to the competent supervisory authority,

k) the mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory authority,

l) the cooperation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, or group of enterprises engaged in a joint economic activity, in particular by making available to the supervisory authority the results of verifications of the measures referred to in point j),

m) the mechanisms for reporting to the competent supervisory authority any legal requirements to which a member of the group of undertakings, or group of enterprises engaged in a joint economic activity, is subject in a third country and which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules, and

n) the appropriate data protection training for personnel having permanent or regular access to personal data.


3. The Commission may specify the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93 paragraph 2.

Article 48

Transfers or disclosures not authorised by Union law

Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.

Article 49

Exemptions for specific situations

1. In the absence of an adequacy decision pursuant to Article 45 paragraph 3, or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:

a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards,

b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request,

c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person,

d) the transfer is necessary for important reasons of public interest,

e) the transfer is necessary for the establishment, exercise or defence of legal claims,

f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent,

g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.

Where a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding corporate rules, and none of the derogations for a specific situation referred to in the first subparagraph of this paragraph is applicable, a transfer to a third country or an international organisation may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the supervisory authority of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and of the compelling legitimate interests pursued.

2. A transfer pursuant to point g) of the first subparagraph of paragraph 1 shall not involve the entirety of the personal data or entire categories of the personal data contained in the register. Where the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.


3. Points a), b) and c) of the first subparagraph of paragraph 1 and the second subparagraph thereof shall not apply to activities carried out by public authorities in the exercise of their public powers.

4. The public interest referred to in point d) of the first subparagraph of paragraph 1 shall be recognised in Union law or in the law of the Member State to which the controller is subject.

5. In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of personal data to a third country or an international organisation. Member States shall notify such provisions to the Commission.

6. The controller or processor shall document the assessment as well as the suitable safeguards referred to in the second subparagraph of paragraph 1 of this Article in the records referred to in Article 30.

Article 50

International cooperation on the protection of personal data

In relation to third countries and international organisations, the Commission and supervisory authorities shall take appropriate steps to:

a) develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data,

b) provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms,

c) engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal data,

d) promote the exchange and documentation of personal data protection legislation and practice, including on jurisdictional conflicts with third countries.

CHAPTER VI

Independent supervisory authorities

Part 1

Independent status

Article 51

Supervisory Authority

1. Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union ("supervisory authority").

2. Each supervisory authority shall contribute to the consistent application of this Regulation throughout the Union. For that purpose, the supervisory authorities shall cooperate with each other and with the Commission in accordance with Chapter VII.

3. Where more than one supervisory authority is established in a Member State, that Member State shall designate the supervisory authority which is to represent those authorities in the Data Protection Board and shall set out the mechanism to ensure compliance by the other authorities with the rules relating to the consistency mechanism referred to in Article 63.

4. Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to this Chapter, by 25 May 2018 and, without delay, any subsequent amendment affecting them.


Article 52

Independence

1. Each supervisory authority shall perform the duties and exercise the powers under this Regulation in full independence.

2. The member or members of each supervisory authority shall, in the performance of their tasks and exercise of their powers in accordance with this Regulation, remain free from external influence, whether direct or indirect, and shall neither seek nor take instructions from anybody.

3. The member or members of each supervisory authority shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation, whether gainful or not.

4. Each Member State shall ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers, including those to be carried out in the context of mutual assistance, cooperation and participation in the Data Protection Board.

5. Each Member State shall ensure that each supervisory authority chooses and has its own staff, which shall be subject to the exclusive direction of the member or members of the supervisory authority concerned.

6. Each Member State shall ensure that each supervisory authority is subject to financial control which does not affect its independence and that it has separate, public annual budgets, which may be part of the overall state or national budget.

Article 53

General conditions for the members of the supervisory authority

1. Member States shall provide for each member of their supervisory authorities to be appointed by means of a transparent procedure by:

- their parliament,
- their government,
- their head of state, or
- an independent body entrusted with the appointment under Member State law.

2. Each member shall have the qualifications, experience and skills, in particular in the area of the protection of personal data, required to perform its duties and exercise its powers.

3. The duties of a member shall end in the event of the expiry of the term of office, resignation or compulsory retirement, in accordance with the law of the Member State concerned.

4. A member shall be dismissed only in cases of serious misconduct or if the member no longer fulfils the conditions required for the performance of the duties.

Article 54

Rules for the establishment of the supervisory authority

1. Each Member State shall provide by law for all of the following:

a) the establishment of each supervisory authority,

b) the qualifications and eligibility conditions required to be appointed as member of each supervisory authority,

c) the rules and procedures for the appointment of the member or members of each supervisory authority,

d) the duration of the term of the member or members of each supervisory authority of no less than four years, except for the first appointment after 24 May 2016, part of which may take place for a shorter period where that is necessary to protect the independence of the supervisory authority by means of a staggered appointment procedure,

e) whether and, if so, for how many terms the member or members of each supervisory authority is eligible for reappointment,

f) the conditions governing the obligations of the member or members and staff of each supervisory authority, prohibitions on actions, occupations and benefits incompatible therewith during and after the term of office, and rules governing the cessation of employment.

2. The member or members and the staff of each supervisory authority shall, in accordance with Union or Member State law, be subject to a duty of professional secrecy both during and after their term of office, with regard to any confidential information which has come to their knowledge in the course of the performance of their tasks or exercise of their powers. During their term of office, that duty of professional secrecy shall in particular apply to reporting by natural persons of infringements of this Regulation.

Part 2

Competence, duties and powers

Article 55

Competence

1. Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State.

2. Where processing is carried out by public authorities or private bodies acting on the basis of point c) or e) of Article 6 paragraph 1, the supervisory authority of the Member State concerned shall be competent. In such cases Article 56 does not apply.

3. Supervisory authorities shall not be competent to supervise processing operations of courts acting in their judicial capacity.

Article 56

Competence of the lead supervisory authority

1. Without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60.

2. By way of derogation from paragraph 1, each supervisory authority shall be competent to handle a complaint lodged with it or a possible infringement of this Regulation, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State.

3. In the cases referred to in paragraph 2 of this Article, the supervisory authority shall inform the lead supervisory authority without delay on that matter. Within a period of three weeks after being informed, the lead supervisory authority shall decide whether or not it will handle the case in accordance with the procedure provided in Article 60, taking into account whether or not there is an establishment of the controller or processor in the Member State of the supervisory authority which informed it.


4. Where the lead supervisory authority decides to handle the case, the procedure provided in Article 60 shall apply. The supervisory authority which informed the lead supervisory authority may submit to the lead supervisory authority a draft for a decision. The lead supervisory authority shall take utmost account of that draft when preparing the draft decision referred to in Article 60 paragraph 3.

5. Where the lead supervisory authority decides not to handle the case, the supervisory authority which informed the lead supervisory authority shall handle it in accordance with Articles 61 and 62.

6. The lead supervisory authority shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor.

Article 57

Duties

1. Without prejudice to other tasks defined in this Regulation, each supervisory authority on its territory:

a) monitor and enforce the application of this Regulation,

b) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children shall receive specific attention,

c) advise, in accordance with Member State law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to processing,

d) promote the awareness of controllers and processors of their obligations under this Regulation,

e) upon request, provide information to any data subject concerning the exercise of their rights under this Regulation and, if appropriate, cooperate with the supervisory authorities in other Member States to that end,

f) handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary,

g) cooperate with, including sharing information, and provide mutual assistance to other supervisory authorities with a view to ensuring the consistency of application and enforcement of this Regulation,

h) conduct investigations on the application of this Regulation, including on the basis of information received from another supervisory authority or other public authority,

i) monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices,

j) adopt standard contractual clauses referred to in Article 28 paragraph 8 and in Article 46 paragraph 2 point d),

k) establish and maintain a list in relation to the requirement for data protection impact assessment pursuant to Article 35 paragraph 4,

l) give advice on the processing operations referred to in Article 36 paragraph 2,

m) encourage the drawing up of codes of conduct pursuant to Article 40 paragraph 1 and provide an opinion and approve such codes of conduct which provide sufficient safeguards, pursuant to Article 40 paragraph 5,

n) encourage the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Article 42 paragraph 1, and approve the criteria of certification pursuant to Article 42 paragraph 5,

o) where applicable, carry out a periodic review of certifications issued in accordance with Article 42 paragraph 7,


p) draft and publish the criteria for accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43,

q) conduct the accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43,

r) authorise contractual clauses and provisions referred to in Article 46 paragraph 3,

s) approve binding corporate rules pursuant to Article 47,

t) contribute to the activities of the Data Protection Board,

u) keep internal records of infringements of this Regulation and of measures taken in accordance with Article 58 paragraph 2, and

v) fulfil any other tasks related to the protection of personal data.

2. Each supervisory authority shall facilitate the submission of complaints referred to in point f) of paragraph 1 by measures such as a complaint submission form which can also be completed electronically, without excluding other means of communication.

3. The performance of the tasks of each supervisory authority shall be free of charge for the data subject and, where applicable, for the data protection officer.

4. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the supervisory authority may charge a reasonable fee based on administrative costs, or refuse to act on the request. The supervisory authority shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

Article 58

Powers

1. Each supervisory authority shall have all of the following investigative powers:

a) to order the controller and the processor, and, where applicable, the controller's or the processor's representative to provide any information it requires for the performance of its tasks,

b) to carry out investigations in the form of data protection audits,

c) to carry out a review of certifications issued pursuant to Article 42 paragraph 7,

d) to notify the controller or the processor of an alleged infringement of this Regulation,

e) to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks,

f) to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law.

2. Each supervisory authority shall have all of the following corrective powers:

a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation,

b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation,

c) to order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation,

d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period,

e) to order the controller to communicate a personal data breach to the data subject,

f) to impose a temporary or definitive limitation, including a ban, on processing,

g) to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17 paragraph 2 and Article 19,

h) to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met,

i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of, the measures referred to in this paragraph, depending on the circumstances of each individual case,

j) to order the suspension of data flows to a recipient in a third country or to an international organisation.

3. Each supervisory authority shall have all of the following authorisation and advisory powers:

a) to advise the controller in accordance with the prior consultation procedure referred to in Article 36,

b) to issue, on its own initiative or on request, opinions to the national parliament, the Member State government or, in accordance with Member State law, to other institutions and bodies as well as to the public on any issue related to the protection of personal data,

c) to authorise processing referred to in Article 36 paragraph 5, if the law of the Member State requires such prior authorisation,

d) to issue an opinion on and approve draft codes of conduct pursuant to Article 40 paragraph 5,

e) to accredit certification bodies pursuant to Article 43,

f) to issue certifications and approve criteria of certification in accordance with Article 42 paragraph 5,

g) to adopt standard data protection clauses referred to in Article 28 paragraph 8 and in Article 46 paragraph 2 point d),

h) to authorise contractual clauses referred to in Article 46 paragraph 3 point a),

i) to authorise administrative arrangements referred to in Article 46 paragraph 3 point b),

j) to approve binding corporate rules pursuant to Article 47.


4. The exercise of the powers conferred on the supervisory authority pursuant to this Article shall be subject to appropriate safeguards, including effective judicial remedy and due process, as set out in Union and Member State law in accordance with the Charter.

5. Each Member State shall provide by law that its supervisory authority shall have the power to bring infringements of this Regulation to the attention of the judicial authorities and, where appropriate, to commence or engage otherwise in legal proceedings, in order to enforce the provisions of this Regulation.

6. Each Member State shall provide by law that its supervisory authority has additional powers beyond those referred to in paragraphs 1, 2 and 3. The exercise of those powers shall not impair the effective operation of Chapter VII.

Article 59

Activity reports

Each supervisory authority shall draw up an annual report on its activities, which may include a list of the types of infringement notified and the types of measures taken in accordance with Article 58 paragraph 2. Those reports shall be transmitted to the national parliament, the government and other authorities as designated by Member State law. They shall be made available to the public, to the Commission and to the Data Protection Board.


CHAPTER VII

Cooperation and consistency

Part 1

Cooperation

Article 60

Cooperation between the lead supervisory authority and the other supervisory authorities concerned

1. The lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this Article in an endeavour to reach consensus. The lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other.

2. The lead supervisory authority may request at any time other supervisory authorities concerned to provide mutual assistance pursuant to Article 61 and may conduct joint operations pursuant to Article 62, in particular for carrying out investigations or for monitoring the implementation of a measure concerning a controller or processor established in another Member State.

3. The lead supervisory authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. It shall without delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views.

4. Where any of the other supervisory authorities concerned, within a period of four weeks after having been consulted in accordance with paragraph 3 of this Article, expresses a relevant and reasoned objection to the draft decision, the lead supervisory authority shall, if it does not follow the relevant and reasoned objection or is of the opinion that the objection is not relevant or reasoned, submit the matter to the consistency mechanism referred to in Article 63.

5. Where the lead supervisory authority intends to follow the relevant and reasoned objection made, it shall submit to the other supervisory authorities concerned a revised draft decision for their opinion. That revised draft decision shall be subject to the procedure referred to in paragraph 4 within a period of two weeks.

6. Where none of the other supervisory authorities concerned has objected to the draft decision submitted by the lead supervisory authority within the period referred to in paragraphs 4 and 5, the lead supervisory authority and the supervisory authorities concerned shall be deemed to be in agreement with that draft decision and shall be bound by it.

7. The lead supervisory authority shall adopt and notify the decision to the main establishment or, as the case may be, the single establishment of the controller or processor and inform the other supervisory authorities concerned and the Data Protection Board of the decision in question, including a summary of the relevant facts and grounds. The supervisory authority with which a complaint has been lodged shall inform the complainant of the decision.

8. By way of derogation from paragraph 7, where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged shall adopt the decision, notify it to the complainant and inform the controller thereof.

9. Where the lead supervisory authority and the supervisory authorities concerned agree to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts. The lead supervisory authority shall adopt the decision for the part concerning actions in relation to the controller, notify it to the main establishment or single establishment of the controller or processor on the territory of its Member State and inform the complainant thereof, while the supervisory authority of the complainant shall adopt the decision for the part concerning the dismissal or rejection of that complaint, notify it to that complainant and inform the controller or processor thereof.

10. After being notified of the decision of the lead supervisory authority pursuant to paragraphs 7 and 9, the controller or processor shall take the necessary measures to ensure compliance with the decision as regards processing activities in the context of all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the lead supervisory authority, which shall inform the other supervisory authorities concerned.


11. Where, in exceptional circumstances, a supervisory authority concerned has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Article 66 shall apply.

12. The lead supervisory authority and the other supervisory authorities concerned shall supply the information required under this Article to each other by electronic means, using a standardised format.

Article 61

Mutual assistance

1. Supervisory authorities shall provide each other with relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner, and shall put in place measures for effective cooperation with one another. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorisations and consultations, inspections and investigations.

2. Each supervisory authority shall take all appropriate measures required to reply to a request of another supervisory authority without undue delay and no later than one month after receiving the request. Such measures may include, in particular, the transmission of relevant information on the conduct of an investigation.

3. Requests for assistance shall contain all the necessary information, including the purpose of and reasons for the request. Information exchanged shall be used only for the purpose for which it was requested.

4. The requested supervisory authority shall not refuse to comply with the request unless:

a) it is not competent for the subject-matter of the request or for the measures it is requested to execute; or

b) compliance with the request would infringe this Regulation or Union or Member State law to which the supervisory authority receiving the request is subject.

5. The requested supervisory authority shall inform the requesting supervisory authority of the results or, as the case may be, of the progress of the measures taken in order to respond to the request. The requested supervisory authority shall provide reasons for any refusal to comply with a request pursuant to paragraph 4.

6. Requested supervisory authorities shall, as a rule, supply the information requested by other supervisory authorities by electronic means, using a standardised format.

7. Requested supervisory authorities shall not charge a fee for any action taken by them pursuant to a request for mutual assistance. Supervisory authorities may agree on rules to indemnify each other for specific expenditure arising from the provision of mutual assistance in exceptional circumstances.

8. Where a supervisory authority does not provide the information referred to in paragraph 5 of this Article within one month of receiving the request of another supervisory authority, the requesting supervisory authority may adopt a provisional measure on the territory of its Member State in accordance with Article 55(1). In that case, the urgent need to act under Article 66(1) shall be presumed to be met and shall require an urgent binding decision from the Board pursuant to Article 66(2).

9. The Commission may, by means of implementing acts, specify the format and procedures for mutual assistance referred to in this Article and the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the Board, in particular the standardised format referred to in paragraph 6 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

Article 62

Joint operations of supervisory authorities

1. The supervisory authorities shall, where appropriate, conduct joint operations including joint investigations and joint enforcement measures in which members or staff of the supervisory authorities of other Member States are involved.

2. Where the controller or processor has establishments in several Member States or where a significant number of data subjects in more than one Member State are likely to be substantially affected by processing operations, a supervisory authority of each of those Member States shall have the right to participate in joint operations. The supervisory authority which is competent pursuant to Article 56(1) or (4) shall invite the supervisory authority of each of those Member States to take part in the joint operations and shall respond without delay to the request of a supervisory authority to participate.

3. A supervisory authority may, in accordance with Member State law, and with the seconding supervisory authority's authorisation, confer powers, including investigative powers, on the seconding supervisory authority's members or staff involved in joint operations or, in so far as the law of the Member State of the host supervisory authority permits, allow the seconding supervisory authority's members or staff to exercise their investigative powers in accordance with the law of the Member State of the seconding supervisory authority. Such investigative powers may be exercised only under the guidance and in the presence of members or staff of the host supervisory authority. The seconding supervisory authority's members or staff shall be subject to the Member State law of the host supervisory authority.

4. Where, in accordance with paragraph 1, staff of a seconding supervisory authority operate in another Member State, the Member State of the host supervisory authority shall assume responsibility for their actions, including liability for any damage caused by them during their operations, in accordance with the law of the Member State in whose territory they are operating.

5. The Member State in whose territory the damage was caused shall make good such damage under the conditions applicable to damage caused by its own staff. The Member State of the seconding supervisory authority whose staff has caused damage to any person in the territory of another Member State shall reimburse that other Member State in full any sums it has paid to the persons entitled on their behalf.

6. Without prejudice to the exercise of its rights vis-à-vis third parties and with the exception of paragraph 5, each Member State shall refrain, in the case provided for in paragraph 1, from requesting reimbursement from another Member State in relation to damage referred to in paragraph 4.

7. Where a joint operation is intended and a supervisory authority does not, within one month, comply with the obligation laid down in the second sentence of paragraph 2 of this Article, the other supervisory authorities may adopt a provisional measure on the territory of their Member State in accordance with Article 55. In that case, the urgent need to act under Article 66(1) shall be presumed to be met and shall require an opinion or an urgent binding decision from the Board pursuant to Article 66(2).

Part 2

Consistency

Article 63

Consistency mechanism

In order to contribute to the consistent application of this Regulation throughout the Union, the supervisory authorities shall cooperate with each other and, where relevant, with the Commission, through the consistency mechanism as set out in this Section.

Article 64

Opinion of the Board

1. The Board shall issue an opinion where a competent supervisory authority intends to adopt any of the measures below. To that end, the competent supervisory authority shall communicate the draft decision to the Board, when it:

a) aims to adopt a list of the processing operations subject to the requirement for a data protection impact assessment pursuant to Article 35(4);

b) concerns a matter pursuant to Article 40(7) whether a draft code of conduct or an amendment or extension to a code of conduct complies with this Regulation;

c) aims to approve the criteria for accreditation of a body pursuant to Article 41(3) or a certification body pursuant to Article 43(3);

d) aims to determine standard data protection clauses referred to in point (d) of Article 46(2) and in Article 28(8);

e) aims to authorise contractual clauses referred to in point (a) of Article 46(3); or

f) aims to approve binding corporate rules within the meaning of Article 47.

2. Any supervisory authority, the Chair of the Board or the Commission may request that any matter of general application or producing effects in more than one Member State be examined by the Board with a view to obtaining an opinion, in particular where a competent supervisory authority does not comply with the obligations for mutual assistance in accordance with Article 61 or for joint operations in accordance with Article 62.

3. In the cases referred to in paragraphs 1 and 2, the Board shall issue an opinion on the matter submitted to it provided that it has not already issued an opinion on the same matter. That opinion shall be adopted within eight weeks by simple majority of the members of the Board. That period may be extended by a further six weeks, taking into account the complexity of the subject matter. Regarding the draft decision referred to in paragraph 1 circulated to the members of the Board in accordance with paragraph 5, a member which has not objected within a reasonable period indicated by the Chair shall be deemed to be in agreement with the draft decision.

4. Supervisory authorities and the Commission shall, without undue delay, communicate by electronic means to the Board, using a standardised format, any relevant information, including, as the case may be, a summary of the facts, the draft decision, the grounds which make the enactment of such measure necessary, and the views of other supervisory authorities concerned.

5. The Chair of the Board shall, without undue delay, inform by electronic means:

a) the members of the Board and the Commission of any relevant information which has been communicated to it, using a standardised format. The secretariat of the Board shall, where necessary, provide translations of relevant information; and

b) the supervisory authority referred to, as the case may be, in paragraphs 1 and 2, and the Commission of the opinion, and shall make it public.

6. The competent supervisory authority shall not adopt its draft decision referred to in paragraph 1 within the period referred to in paragraph 3.

7. The supervisory authority referred to in paragraph 1 shall take utmost account of the opinion of the Board and shall, within two weeks after receiving the opinion, communicate to the Chair of the Board by electronic means whether it will maintain or amend its draft decision and, if any, the amended draft decision, using a standardised format.

8. Where the supervisory authority concerned informs the Chair of the Board within the period referred to in paragraph 7 of this Article that it does not intend to follow the opinion of the Board, in whole or in part, providing the relevant grounds, Article 65(1) shall apply.

Article 65

Dispute resolution by the Board

1. In order to ensure the correct and consistent application of this Regulation in individual cases, the Board shall adopt a binding decision in the following cases:

a) where, in a case referred to in Article 60(4), a supervisory authority concerned has raised a relevant and reasoned objection to a draft decision of the lead authority or the lead authority has rejected such an objection as being not relevant or reasoned. The binding decision shall concern all the matters which are the subject of the relevant and reasoned objection, in particular whether there is an infringement of this Regulation;

b) where there are conflicting views on which of the supervisory authorities concerned is competent for the main establishment;

c) where a competent supervisory authority does not request the opinion of the Board in the cases referred to in Article 64(1), or does not follow the opinion of the Board issued under Article 64. In that case, any supervisory authority concerned or the Commission may communicate the matter to the Board.

2. The decision referred to in paragraph 1 shall be adopted within one month from the referral of the subject-matter by a two-thirds majority of the members of the Board. That period may be extended by a further month on account of the complexity of the subject-matter. The decision referred to in paragraph 1 shall be reasoned and addressed to the lead supervisory authority and all the supervisory authorities concerned and binding on them.

3. Where the Board has been unable to adopt a decision within the period referred to in paragraph 2, it shall adopt its decision within two weeks following the expiration of the second month referred to in paragraph 2 by a simple majority of the members of the Board. Where the members of the Board are split, the decision shall be adopted by the vote of its Chair.

4. The supervisory authorities concerned shall not adopt a decision on the subject matter submitted to the Board under paragraph 1 during the periods referred to in paragraphs 2 and 3.

5. The Chair of the Board shall notify, without undue delay, the decision referred to in paragraph 1 to the supervisory authorities concerned. It shall inform the Commission thereof. The decision shall be published on the website of the Board without delay after the supervisory authority has notified the final decision referred to in paragraph 6.

6. The lead supervisory authority or, as the case may be, the supervisory authority with which the complaint has been lodged shall adopt its final decision on the basis of the decision referred to in paragraph 1 of this Article, without undue delay and at the latest one month after the Board has notified its decision. The lead supervisory authority or, as the case may be, the supervisory authority with which the complaint has been lodged shall inform the Board of the date when its final decision is notified respectively to the controller or the processor and to the data subject. The final decision of the supervisory authorities concerned shall be adopted under the terms of Article 60(7), (8) and (9). The final decision shall refer to the decision referred to in paragraph 1 of this Article and shall specify that the decision referred to in that paragraph will be published on the website of the Board in accordance with paragraph 5 of this Article. The final decision shall attach the decision referred to in paragraph 1 of this Article.

Article 66

Urgency procedure

1. In exceptional circumstances, where a supervisory authority concerned considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, it may, by way of derogation from the consistency mechanism referred to in Articles 63, 64 and 65 or the procedure referred to in Article 60, immediately adopt provisional measures intended to produce legal effects on its own territory with a specified period of validity which shall not exceed three months. The supervisory authority shall, without delay, communicate those measures and the reasons for adopting them to the other supervisory authorities concerned, to the Board and to the Commission.

2. Where a supervisory authority has taken a measure pursuant to paragraph 1 and considers that final measures need urgently be adopted, it may request an urgent opinion or an urgent binding decision from the Board, giving reasons for requesting such opinion or decision.

3. Any supervisory authority may request an urgent opinion or an urgent binding decision, as the case may be, from the Board where a competent supervisory authority has not taken an appropriate measure in a situation where there is an urgent need to act in order to protect the rights and freedoms of data subjects, giving reasons for requesting such opinion or decision, including for the urgent need to act.

4. By derogation from Article 64(3) and Article 65(2), an urgent opinion or an urgent binding decision referred to in paragraphs 2 and 3 of this Article shall be adopted within two weeks by simple majority of the members of the Board.

Article 67

Exchange of information

The Commission may adopt implementing acts of general scope in order to specify the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the Board, in particular the standardised format referred to in Article 64.

Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

Part 3

European Data Protection Board

Article 68

European Data Protection Board

1. The European Data Protection Board (the "Board") is hereby established as a body of the Union and shall have legal personality.

2. The Board shall be represented by its Chair.

3. The Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor, or their respective representatives.

4. Where in a Member State more than one supervisory authority is responsible for monitoring the application of the provisions pursuant to this Regulation, a joint representative shall be appointed in accordance with that Member State's law.

5. The Commission shall have the right to participate in the activities and meetings of the Board without voting right. The Commission shall designate a representative. The Chair of the Board shall communicate to the Commission the activities of the Board.

6. In the cases referred to in Article 65, the European Data Protection Supervisor shall have voting rights only on decisions which concern principles and rules applicable to the Union institutions, bodies, offices and agencies which correspond in substance to those of this Regulation.

Article 69

Independence

1. The Board shall act independently when performing its tasks or exercising its powers pursuant to Articles 70 and 71.

2. Without prejudice to requests by the Commission referred to in point (b) of Article 70(1) and in Article 70(2), the Board shall, in the performance of its tasks or the exercise of its powers, neither seek nor take instructions from anybody.

Article 70

Tasks of the European Data Protection Board

1. The Board shall ensure the consistent application of this Regulation. To that end, the Board shall, on its own initiative or, where relevant, at the request of the Commission, in particular:

a) monitor and ensure the correct application of this Regulation in the cases provided for in Articles 64 and 65 without prejudice to the tasks of national supervisory authorities;


b) advise the Commission on any issue related to the protection of personal data in the Union, including on any proposed amendment of this Regulation;

c) advise the Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules;

d) issue guidelines, recommendations and best practices on procedures for erasing links, copies or replications of personal data from publicly available communication services as referred to in Article 17(2);

e) examine, on its own initiative, on request of one of its members or on request of the Commission, any question covering the application of this Regulation and issue guidelines, recommendations and best practices in order to encourage consistent application of this Regulation;

f) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for further specifying the criteria and conditions for decisions based on profiling pursuant to Article 22(2);

g) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing the personal data breaches and determining the undue delay referred to in Article 33(1) and (2) and for the particular circumstances in which a controller or a processor is required to notify the personal data breach;

h) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph as to the circumstances in which a personal data breach is likely to result in a high risk to the rights and freedoms of the natural persons referred to in Article 34(1);

i) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for personal data transfers based on binding corporate rules adhered to by controllers and binding corporate rules adhered to by processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned referred to in Article 47;

j) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for personal data transfers on the basis of Article 49(1);

k) draw up guidelines for supervisory authorities concerning the application of measures referred to in Article 58(1), (2) and (3) and the setting of administrative fines pursuant to Article 83;

l) review the practical application of the guidelines, recommendations and best practices referred to in points (e) and (f);

m) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing common procedures for reporting by natural persons of infringements of this Regulation pursuant to Article 54(2);

n) encourage the drawing-up of codes of conduct and the establishment of data protection certification mechanisms and data protection seals and marks pursuant to Articles 40 and 42;

o) carry out the accreditation of certification bodies and its periodic review pursuant to Article 43 and maintain a public register of accredited bodies pursuant to Article 43(6) and of the accredited controllers or processors established in third countries pursuant to Article 42(7);

p) specify the requirements referred to in Article 43(3) with a view to the accreditation of certification bodies under Article 42;

q) provide the Commission with an opinion on the certification requirements referred to in Article 43(8);

r) provide the Commission with an opinion on the icons referred to in Article 12(7);

s) provide the Commission with an opinion for the assessment of the adequacy of the level of protection in a third country or international organisation, including for the assessment whether a third country, a territory or one or more specified sectors within that third country, or an international organisation no longer ensures an adequate level of protection. To that end, the Commission shall provide the Board with all necessary documentation, including correspondence with the government of the third country, with regard to that third country, territory or specified sector, or international organisation;

t) issue opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism referred to in Article 64(1), on matters submitted pursuant to Article 64(2) and issue binding decisions pursuant to Article 65, including in the cases referred to in Article 66;

u) promote the cooperation and the effective bilateral and multilateral exchange of information and best practices between the supervisory authorities;

v) promote common training programmes and facilitate personnel exchanges between the supervisory authorities and, where appropriate, with the supervisory authorities of third countries or with international organisations;

w) promote the exchange of knowledge and documentation on data protection legislation and practice with data protection supervisory authorities worldwide;

x) issue opinions on codes of conduct drawn up at Union level pursuant to Article 40(9); and

y) maintain a publicly accessible electronic register of decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.

2. Where the Commission requests advice from the Board, it may indicate a time limit, taking into account the urgency of the matter.

3. The Board shall forward its opinions, guidelines, recommendations and best practices to the Commission and to the committee referred to in Article 93 and make them public.

4. The Board shall, where appropriate, consult interested parties and give them the opportunity to comment within a reasonable period. The Board shall, without prejudice to Article 76, make the results of the consultation procedure publicly available.

Article 71

Reports

1. The Board shall draw up an annual report regarding the protection of natural persons with regard to processing in the Union and, where relevant, in third countries and international organisations. The report shall be made public and be transmitted to the European Parliament, to the Council and to the Commission.

2. The annual report shall include a review of the practical application of the guidelines, recommendations and best practices referred to in point (l) of Article 70(1) as well as of the binding decisions referred to in Article 65.

Article 72

Procedure

1. The Board shall take decisions by a simple majority of its members, unless otherwise provided for in this Regulation.

2. The Board shall adopt its own rules of procedure by a two-thirds majority of its members and organise its own operational arrangements.

Article 73

Chair

1. The Board shall elect a chair and two deputy chairs from amongst its members by simple majority.

2. The term of office of the Chair and of the deputy chairs shall be five years and be renewable once.


Article 74

Tasks of the Chair

1. The Chair shall have the following tasks:

a) to convene the meetings of the Board and prepare its agenda;

b) to notify decisions adopted by the Board pursuant to Article 65 to the lead supervisory authority and the supervisory authorities concerned;

c) to ensure the timely performance of the tasks of the Board, in particular in relation to the consistency mechanism referred to in Article 63.

2. The Board shall lay down the allocation of tasks between the Chair and the deputy chairs in its rules of procedure.

Article 75

Secretariat

1. The Board shall have a secretariat, which shall be provided by the European Data Protection Supervisor.

2. The secretariat shall perform its tasks exclusively under the instructions of the Chair of the Board.

3. The staff of the European Data Protection Supervisor involved in carrying out the tasks conferred on the Board by this Regulation shall be subject to separate reporting lines from the staff involved in carrying out tasks conferred on the European Data Protection Supervisor.

4. Where appropriate, the Board and the European Data Protection Supervisor shall establish and publish a Memorandum of Understanding implementing this Article, determining the terms of their cooperation, and applicable to the staff of the European Data Protection Supervisor involved in carrying out the tasks conferred on the Board by this Regulation.

5. The secretariat shall provide analytical, administrative and logistical support to the Board.

6. The secretariat shall be responsible in particular for:

a) the day-to-day business of the Board;

b) communication between the members of the Board, its Chair and the Commission;

c) communication with other institutions and the public;

d) the use of electronic means for internal and external communication;

e) the translation of relevant information;

f) the preparation and follow-up of the meetings of the Board;

g) the preparation, drafting and publication of opinions, decisions on the settlement of disputes between supervisory authorities and other texts adopted by the Board.

Article 76

Confidentiality

1. The discussions of the Board shall be confidential where the Board deems it necessary, as provided for in its rules of procedure.


2. Access to documents submitted to members of the Board, experts and representatives of third parties shall be governed by Regulation (EC) No 1049/2001 of the European Parliament and of the Council (1).

CHAPTER VIII

Remedies, liability and penalties

Article 77

Right to lodge a complaint with a supervisory authority

1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

2. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Article 78.

Article 78

Δικαίωμα πραγματικής δικαστικής προσφυγής κατά αρχής ελέγχου

1. Με την επιφύλαξη κάθε άλλης διοικητικής ή μη δικαστικής προσφυγής, κάθε φυσικό ή νομικό πρόσωπο έχει το δικαίωμα πραγματικής δικαστικής προσφυγής κατά νομικά δεσμευτικής απόφασης εποπτικής αρχής που το αφορά.

2. Με την επιφύλαξη κάθε άλλης διοικητικής ή μη δικαστικής προσφυγής, κάθε υποκείμενο των δεδομένων έχει δικαίωμα πραγματικής δικαστικής προσφυγής, εφόσον η εποπτική αρχή που είναι αρμόδια δυνάμει των άρθρων 55 and 56 δεν εξετάσει την καταγγελία ή δεν ενημερώσει το υποκείμενο των δεδομένων εντός τριών μηνών για την πρόοδο ή την έκβαση της καταγγελίας που υποβλήθηκε δυνάμει του άρθρου 77.

3. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.

4. Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.

Article 79

Right to an effective judicial remedy against a controller or processor

1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.

2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.

(1) Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43).


Article 80

Representation of data subjects

1. The data subject shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects' rights and freedoms with regard to the protection of their personal data, to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf where provided for by Member State law.

2. Member States may provide that any body, organisation or association referred to in paragraph 1 of this Article, independently of a data subject's mandate, has the right to lodge, in that Member State, a complaint with the supervisory authority which is competent pursuant to Article 77 and to exercise the rights referred to in Articles 78 and 79 if it considers that the rights of a data subject under this Regulation have been infringed as a result of the processing.

Article 81

Suspension of proceedings

1. Where a competent court of a Member State has information on proceedings, concerning the same subject matter as regards processing by the same controller or processor, that are pending in a court in another Member State, it shall contact that court in the other Member State to confirm the existence of such proceedings.

2. Where proceedings concerning the same subject matter as regards processing by the same controller or processor are pending in a court in another Member State, any competent court other than the court first seized may suspend its proceedings.

3. Where those proceedings are pending at first instance, any court other than the court first seized may also, on the application of one of the parties, decline jurisdiction if the court first seized has jurisdiction over the actions in question and its law permits the consolidation thereof.

Article 82

Right to compensation and liability

1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.

3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.

4. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.

5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2.


6. Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2).

Article 83

General conditions for imposing administrative fines

1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.

2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, the measures referred to in Article 58(2)(a) to (h) and Article 58(2)(j). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case, due regard shall be given to the following:

a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

b) the intentional or negligent character of the infringement;

c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;

d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to Articles 25 and 32;

e) any relevant previous infringements by the controller or processor;

f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects;

g) the categories of personal data affected by the infringement;

h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures;

j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

3. If a controller or processor, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.

4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines of up to 10 000 000 EUR or, in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43;

b) the obligations of the certification body pursuant to Articles 42 and 43;

c) the obligations of the monitoring body pursuant to Article 41(4).


5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines of up to 20 000 000 EUR or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

a) the basic principles for processing, including the conditions for consent, pursuant to Articles 5, 6, 7 and 9;

b) the data subjects' rights pursuant to Articles 12 to 22;

c) the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;

d) any obligations pursuant to Member State law adopted under Chapter IX;

e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2), or failure to provide access in violation of Article 58(1).

6. Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines of up to 20 000 000 EUR or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

7. Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.

8. The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including an effective judicial remedy and due process.

9. Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent supervisory authority and imposed by the competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. Those Member States shall notify to the Commission the provisions of their laws which they adopt pursuant to this paragraph by 25 May 2018 and, without delay, any subsequent amending law or amendment affecting them.

Article 84

Penalties

1. Member States shall lay down the rules on other penalties applicable to infringements of this Regulation, in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.

2. Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.

CHAPTER IX

Provisions relating to specific processing situations

Article 85

Processing and freedom of expression and information

1. Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.


2. For processing carried out for journalistic purposes or the purposes of academic, artistic or literary expression, Member States shall provide for exemptions or derogations from Chapter II (principles), Chapter III (rights of the data subject), Chapter IV (controller and processor), Chapter V (transfer of personal data to third countries or international organisations), Chapter VI (independent supervisory authorities), Chapter VII (cooperation and consistency) and Chapter IX (specific data processing situations) if they are necessary to reconcile the right to the protection of personal data with the freedom of expression and information.

3. Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 2 and, without delay, any subsequent amending law or amendment affecting them.

Article 86

Processing and public access to official documents

Personal data in official documents held by a public authority or a public body or a private body for the performance of a task carried out in the public interest may be disclosed by the authority or body in accordance with Union or Member State law to which the public authority or body is subject, in order to reconcile public access to official documents with the right to the protection of personal data pursuant to this Regulation.

Article 87

Processing of the national identification number

Member States may further determine the specific conditions for the processing of a national identification number or any other identifier of general application. In that case, the national identification number or any other identifier of general application shall be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation.

Article 88

Processing in the context of employment

1. Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees' personal data in the employment context, in particular for the purposes of recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of the employer's or customer's property, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.

2. Those rules shall include suitable and specific measures to safeguard the data subject's human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity, and monitoring systems at the workplace.

3. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.

Article 89

Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

1. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place, in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation, provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.

2. Where personal data are processed for scientific or historical research purposes or statistical purposes, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18 and 21, subject to the conditions and safeguards referred to in paragraph 1 of this Article, in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.

3. Where personal data are processed for archiving purposes in the public interest, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18, 19, 20 and 21, subject to the conditions and safeguards referred to in paragraph 1 of this Article, in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.

4. Where processing referred to in paragraphs 2 and 3 serves at the same time another purpose, the derogations shall apply only to processing for the purposes referred to in those paragraphs.

Article 90

Obligations of secrecy

1. Member States may adopt specific rules to set out the powers of the supervisory authorities laid down in Article 58(1)(e) and (f) in relation to controllers or processors that are subject, under Union or Member State law or rules established by national competent bodies, to an obligation of professional secrecy or other equivalent obligations of secrecy, where this is necessary and proportionate to reconcile the right to the protection of personal data with the obligation of secrecy. Those rules shall apply only with regard to personal data which the controller or processor has received as a result of, or has obtained in, an activity covered by that obligation of secrecy.

2. Each Member State shall notify to the Commission the rules adopted pursuant to paragraph 1, by 25 May 2018 and, without delay, any subsequent amendment affecting them.

Article 91

Existing data protection rules of churches and religious associations

1. Where in a Member State churches and religious associations or communities apply, at the time of entry into force of this Regulation, comprehensive rules relating to the protection of natural persons with regard to processing, such rules may continue to apply, provided that they are brought into line with this Regulation.

2. Churches and religious associations which apply comprehensive rules in accordance with paragraph 1 of this Article shall be subject to the supervision of an independent supervisory authority, which may be specific, provided that it fulfils the conditions laid down in Chapter VI of this Regulation.

CHAPTER X

Delegated acts and implementing acts

Article 92

Exercise of the delegation

1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.


2. The delegation of power referred to in Article 12(8) and Article 43(8) shall be conferred on the Commission for an indeterminate period of time from 24 May 2016.

3. The delegation of power referred to in Article 12(8) and Article 43(8) may be revoked at any time by the European Parliament or by the Council. A decision of revocation shall put an end to the delegation of power specified in that decision. It shall take effect the day following that of its publication in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

4. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.

5. A delegated act adopted pursuant to Article 12(8) and Article 43(8) shall enter into force only if no objection has been expressed by either the European Parliament or the Council within a period of three months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by three months at the initiative of the European Parliament or of the Council.

Article 93

Committee procedure

1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

3. Where reference is made to this paragraph, Article 8 of Regulation (EU) No 182/2011, in conjunction with Article 5 thereof, shall apply.

CHAPTER XI

Final provisions

Article 94

Repeal of Directive 95/46/EC

1. Directive 95/46/EC is repealed with effect from 25 May 2018.

2. References to the repealed Directive shall be construed as references to this Regulation. References to the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Article 29 of Directive 95/46/EC shall be construed as references to the European Data Protection Board established by this Regulation.

Article 95

Relationship with Directive 2002/58/EC

This Regulation shall not impose additional obligations on natural or legal persons in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks in the Union in relation to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC.


Article 96

Relationship with previously concluded agreements

International agreements involving the transfer of personal data to third countries or international organisations which were concluded by Member States prior to 24 May 2016, and which comply with Union law as applicable prior to that date, shall remain in force until amended, replaced or revoked.

Article 97

Commission reports

1. By 25 May 2020 and every four years thereafter, the Commission shall submit a report on the evaluation and review of this Regulation to the European Parliament and to the Council. The reports shall be made public.

2. In the context of the evaluations and reviews referred to in paragraph 1, the Commission shall examine, in particular, the application and functioning of:

a) Chapter V on the transfer of personal data to third countries or international organisations, with particular regard to decisions adopted pursuant to Article 45(3) of this Regulation and decisions adopted on the basis of Article 25(6) of Directive 95/46/EC;

b) Chapter VII on cooperation and consistency.

3. For the purpose of paragraph 1, the Commission may request information from Member States and supervisory authorities.

4. In carrying out the evaluations and reviews referred to in paragraphs 1 and 2, the Commission shall take into account the positions and findings of the European Parliament, of the Council, and of other relevant bodies or sources.

5. The Commission shall, if necessary, submit appropriate proposals to amend this Regulation, in particular taking into account developments in information technology and in the light of the state of progress in the information society.

Article 98

Review of other Union legal acts on data protection

The Commission shall, if appropriate, submit legislative proposals with a view to amending other Union legal acts on the protection of personal data, in order to ensure uniform and consistent protection of natural persons with regard to processing. That shall in particular concern the rules relating to the protection of natural persons with regard to processing by Union institutions, bodies, offices and agencies and on the free movement of such data.

Article 99

Entry into force and application

1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

2. It shall apply from 25 May 2018.


This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 27 April 2016.

For the European Parliament
The President
M. SCHULZ

For the Council
The President
J.A. HENNIS-PLASSCHAERT