REGULATIONS

REGULATION (EU) 2016/679 THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

of April 27 2016

on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Regulation for Privacy)

(Text with EEA relevance)

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16, Having regard to the Commission proposal,
After transmission of the draft legislative act to the national parliaments,
Having regard to the opinion of the European Economic and Social Committee (1),
Having regard to the opinion of the Committee (2),
Acting in accordance with the ordinary legislative procedure (3),
Whereas:

1. (1) The protection of individuals with regard to the processing of personal data is a fundamental right. The article 8 paragraph 1 the Charter of Fundamental Rights ("Map") and Article 16 paragraph 1 the Treaty on the Functioning of the European Union (TFEU) states that everyone has the right to protection of personal data concerning him.
2. (2) The principles and rules on the protection of individuals with regard to the processing of their personal data should, regardless of the nationality or place of residence, respect fundamental rights and freedoms, in particular their right to protection of personal data. This Regulation aims to contribute to the attainment of freedom, security and justice and of an economic union, economic and social progress, the strengthening and the convergence of economies within the internal market and the prosperity of individuals.
3. (3) Directive 95/46 / EC of the European Parliament and of the Council (4) It seeks to harmonize the protection of fundamental rights and freedoms of individuals with regard to processing activities and to guarantee the free movement of personal data between Member States.

1. (1) EEC229tis31.7.2012, s.90.
2. (2) EEC391tis18.12.2012, s.127.
3. (3) Parliament's position of 12 March 2014 (not yet published in the Official Journal) and position of the Council

   at first reading of 8 April 2016 (not yet published in the Official Journal). European Parliament position

   14April 2016.

4. (4) Directive 95/46 / EK of the European Parliament and of the Council, 24 October 1995, on the protection of individuals

   against personal data and on the free movement of such data (OJ L 281 of 23.11.1995, p. 31).

Official Journal of the European Union 4.5.2016

The processing of personal data should be designed to serve man. The right to the protection of personal data is not an absolute right; it must be valued in relation to its functioning in society and weighed against other fundamental rights., accordance with the principle of proportionality. This Regulation respects all fundamental rights and freedoms and observes the principles recognized by the Charter as enshrined in the Treaties, in particular, respect for private and family life, housing and communications, protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, entrepreneurial freedom, the right to an effective remedy and to a fair trial and the cultural, religious and linguistic diversity.

The economic and social integration, which resulted from the operation of the internal market, result in a significant increase of cross-border flows of personal data character. H exchange of personal data between public and private actors, including natural persons, associations and businesses throughout the Union, has increased. The national authorities of the Member States are required by EU law to collaborate and exchange personal data so that they can perform their duties or perform tasks on behalf of another Member State authority.

Rapid technological developments and globalization have created new challenges for the protection of personal data. The scale of the collection and exchange of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in the pursuit of their activities. Individuals increasingly disclose personal information and make it available worldwide. The technology has changed both the economy and social life and should further facilitate free movement of personal data within the Union and the transfer to third countries and international organizations, while ensuring a high level of protection of personal data.

These developments require a strong and more coherent data protection framework in the Union, SUPPORT tiated by strict application of the law, as it is important to create the necessary trust that will allow the digital economy to grow throughout the internal market. Individuals should have control of their personal data own character. Will legal security should be strengthened and practical certainty for individuals, economic operators and public authorities.

Where this Regulation provides specifications or restrictions on the rules of the law of the Member States, Member States may incorporate elements of this Regulation in their national law, to the extent necessary to ensure consistency and to be understood by the national provisions to persons to whom they apply.

While the objectives and principles of Directive 95/46 / EC remain strong, Directive failed to prevent the fragmentation of the application of data protection throughout the Union, legal uncertainty and a widespread public perception that there are significant risks to the protection of individuals, particularly regarding online activity. Differences in the level of protection of the rights and freedoms of individuals, especially the right to protection of personal data, concerning the processing of personal data within the Member States, may impede the free movement of personal data throughout the Union. Therefore, These differences can be an obstacle to doing business in the Union, distort competition and impede authorities in carrying out their responsibilities, such as those arising from European Union law. This difference in levels of protection is due to divergences in the implementation and application of Directive 95/46 / EC.

To ensure a consistent and high level of protection of individuals and removing obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of individuals with regard to the processing of such data must be equivalent in all Member States. It should ensure a coherent and uniform application of the rules on the protection of fundamental rights and freedoms of individuals with regard to the processing of personal data throughout the Union. As regards the processing of personal data is to comply with a legal obligation, to fulfill a task carried out in the public interest or in the exercise of official authority vested in the controller, Member States should be allowed to maintain or introduce national provisions to further define the application of the rules of this Regulation. In conjunction with the general and horizontal data protection laws aimed at implementing Directive 95/46 / EC, Member States apply different sectoral laws in areas that require specific provisions. This Regulation also provides room for maneuver to Member States, in order to tailor the rules of, including those relating to the processing of special categories of personal data ("sensitive data"). In this degree, this Regulation does not preclude the Member States' law to determine the circumstances of special processing conditions, inter alia, to define more precisely the conditions under which the processing of personal data is lawful.

Official Journal of the European Union L 119/3

11. (11) Effective protection of personal data throughout the Union requires strengthening and detailed definition of the data subjects' rights, as well as those liabilities proces amplifier operate and determine the processing of personal data, and their respective powers for monitoring and ensuring compliance with the standards of protection of personal data and the corresponding penalties for violations in the Member States.
12. (12) The article 16 paragraph 2 TFEU ​​entrusts the European Parliament and the Council to set the rules for the protection of individuals with regard to the processing of personal data and rules on the free movement of personal data.
13. (13) To ensure a consistent level of protection for individuals throughout the Union and to avoid gaps that impede the free movement of personal data within the internal market, regulation is required which will safeguard legal certainty and transparency for economic agents, including micro, small and medium enterprises, and provide for individuals in all Member States the same level of legally enforceable rights and obligations, and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States and the effective cooperation between supervisory authorities of different Member States. The smooth functioning of the internal market, the free movement of personal data within the Union should not be limited, nor prohibited for reasons connected with the protection of individuals with regard to the processing of personal data. To take account of the specific situation of micro, small and medium enterprises, this regulation includes a derogation for organizations employing fewer than 250 individuals with regard to record keeping. Furthermore, the institutions and bodies of the Union, as well as Member States and their supervisory authorities, encouraged to take into account the specific needs of micro, small and medium enterprises in the implementation of this Regulation. The concept of micro, small and medium enterprises should be based on Article 2 the Annex to Recommendation 2003/361 / EC (1).
14. (14) The protection afforded by this Regulation should apply to natural persons, irrespective of nationality or residence, in relation to the processing of personal data character. This Regulation does not cover the processing of personal data relating to legal persons and in particular undertakings established as legal entities, including the name, type and contact information of the entity.
15. (15) In order to prevent a serious risk of circumvention, The protection of individuals should be technologically neutral and not depend on the techniques used. The protection of individuals should apply both to the processing of personal data by automated means, and in manual processing, if personal data are contained or are intended to be included in a filing system. Files or sets of files, as well as their covers, which are not structured according to specific criteria should not fall under the scope of this Regulation.
16. (16) This Regulation does not apply to protection of fundamental rights and freedoms or the free movement of personal data relating to activities not covered in the application of Union law field, as activities related to national security. This Regulation shall not apply to the processing of personal data by the Member States when they carry out activities related to the common foreign and security policy of the Union.
17. (17) The rule (EC) No. 45/2001 European Parliament and Council (2) applied to the processing of personal data by the institutions and bodies, agencies and Union services. The rule (EC) No. 45/2001 and other legal acts of the Union which personal data is applicable to such a character processing should be adapted to the principles and rules laid down in this Regulation and applied in the light of this Regulation. To ensure a strong and coherent data protection framework in the Union, after adoption of this Regulation should follow the necessary adaptations to Regulation (FROM) No. 45/2001, to allow the application simultaneously with this Regulation.
18. (18) This Regulation shall not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and therefore no connection with any professional or

1. (1) Commission Recommendation, 6 May 2003, concerning the definition of micro, small and medium enterprises [C(2003) 1422] (OJ L 124 of 20.5.2003, p. 36).
2. (2) regulation(FROM)arith.45 / 2001touEfropaikouKoinovoulioukaitouSymvouliou,tis18isDekemvriou2000, schetikametinprostasiaton individuals with regard to the processing of personal data by the institutions and bodies and on the free movement of such data (OJ L 8 of 12.1.2001, p. 1).

Official Journal of the European Union 4.5.2016

(19)

commercial activity. Personal or household activities could include correspondence and the address record keeping or social networking and online activity engaged in such activities. However, it shall apply to controllers or processors which provide the personal data processing within character for such personal or domestic activities.

The protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal sanctions, including ensuring against threats to public security and their prevention and the free movement of such data, subject to a specific EU legal act. This Regulation should therefore not apply to the processing activities for those purposes. However, personal data processed by public authorities under this Regulation should, when they used for these purposes, be regulated by specific EU legal act, namely Directive (EU) 2016/680 European Parliament and Council (1). Member States may confer to the competent authorities within the meaning of Directive (EU) 2016/680 tasks that do not necessarily exercised for the purposes of prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal sanctions, including ensuring against threats to public security and their prevention, so that the processing of personal data for these purposes, if it falls within the scope of Union law, be within the scope of this Regulation.

With regard to the processing of personal data by those authorities for purposes within the scope of this Regulation, Member States should be able to maintain or introduce specific provisions to adapt the application of the rules of this Regulation. These regulations may specify more precisely the specific requirements for the processing of personal data by those authorities for these purposes, taking into account the constitutional, organizational and administrative structure of the respective Member States. When the processing of personal data by private entities falling within the scope of this Regulation, this Regulation should provide for the possibility for Member States to restrict by law, under special conditions, certain obligations and rights, when such restriction constitutes a necessary and proportionate measure within a democratic society to safeguard especially important interests, including public safety and prevention, investigation, detection and prosecution of criminal offenses or the execution of criminal penalties, including ensuring against threats to public security and their prevention. This matter, for example, in the fight against money laundering or the activities of forensic laboratories.

While this Regulation applies, including, the activities of courts and other judicial authorities, Union law or Member States could specify the operations and processing procedures in relation to the processing of personal data by courts and other judicial authorities. The competence of the supervisory authorities should not cover the processing of personal data, when the courts acting in their judicial capacity, to ensure the independence of the judiciary in the exercise of their judicial functions, including the decision-making. Supervision of the data processing operations should be able to be assigned to specific bodies within the judicial system of the Member State, which should in particular ensure compliance with the rules of this Regulation, to sensitize members of the judiciary with regard to their obligations under this Regulation and to deal with complaints in relation to the said data processing procedures.

This Regulation shall apply without prejudice to Directive 2000/31 / EC of the European Parliament and of the Council (2), particularly the rules on the liability of intermediary service providers laid down in Articles 12 until 15 of that Directive. This Directive aims to contribute to the smooth functioning of the internal market, ensuring the free movement of information society services between Member States.

Any processing of personal data in the framework of activities of the facility controller or processor in the Union should be conducted in accordance with this Regulation, regardless of whether the same processing is performed in Union. The installation requires the effective and real exercise of activity through stable arrangements. In this regard, the legal form of such arrangements, whether Annex or a subsidiary with legal personality, It is not decisive.

(1) Directive (EU) 2016/680 European Parliament and Council, of April 27 2016, for the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal sanctions and on the free movement of such data and repealing Council Framework Decision 2008/977 / JHA (see page 89 of this Official Journal).

1. (2) Directive 2000/31 / EC of the European Parliament and of the Council, 8 June 2000, on certain legal aspects of information society services, in particular electronic commerce, in the internal market ("For e-commerce Directive ') (OJ L 178 of 17.7.2000, p. 1).

Official Journal of the European Union L 119/5

23. (23) To ensure that individuals are not deprived of the protection they are entitled under this Regulation, the processing of personal data subjects in the Union by a controller or processor is not established in the Union should be governed by this Regulation, where the processing activities are related to the provision of goods or services to such data subjects, whether related to payment. To determine whether such a controller or processor offers goods or services to data subjects in the Union, it must be determined if the controller or the processor is clearly intended to provide services to data subjects in one or more EU Member States. While the simple accessibility to the website of the controller, a processor or an intermediary in the Union or the email address and other contact or use language elements usually used in the third country where the controller is established is not sufficient to substantiate such intention, factors such as the use of language or currency generally used in one or more Member States, with the possibility of ordering products and services on that other language, or reference customers or users located in the Union may make it clear that the data controller intends to offer goods or services to data subjects in the Union.
24. (24) The personal data of persons who are in the Union by a controller or processor is not established in the Union should also be covered by this Regulation, if the monitoring of the behavior of such data subjects to the extent that their behavior is taking place within the Union. To determine whether a processing activity can be considered to monitor the behavior of the data subject, it should be ascertained whether individuals are tracked on the Internet, including potential subsequent use of personal data processing technical nature which consists in shaping the "profile" of a natural person, in particular in order to take decisions concerning him or to analyze or predict personal preferences, behaviors and attitudes.
25. (25) If the law of a Member State applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, such as, for example, for the diplomatic mission or consular post of a Member State.
26. (26) The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have been psefdonymopoiisi, which could be attributed to an individual through the use of supplementary information, They should be considered information about identifiable natural person. To determine whether a person is identifiable, They should be taken of all the means that are reasonably likely to be used, for example, the separation of, either by the controller or by a third party for direct or indirect identification of the individual identity. To see if any means reasonably likely to be used to verify the identity of the natural person, should take into account all the objective factors, as the cost and time required to identify, taking into account the technology available at the time of processing and technology developments. The principles of data protection should therefore not apply to anonymous information, ie information which is not related to an identified or identifiable natural person or personal data have been rendered anonymous so that the identity of the data subject can not or can no longer be ascertained. This Regulation is therefore the treatment of such anonymous information, not including for statistical or research purposes.
27. (27) This Regulation shall not apply to personal data deceased. Member States may provide rules for processing personal data deceased.
28. (28) Using psefdonymopoiisis to personal data can reduce the risks to data subjects and facilitate their controllers and processors to meet the relevant requirements of the Data Protection. The explicit introduction of "psefdonymopoiisis" of this regulation is not intended to exclude any other data protection measure.
29. (29) To create incentives for psefdonymopoiisi when processing personal data, It should be possible to take measures psefdonymopoiisis, whilst allowing a generic analysis, within the same controller, when said controller has taken the technical and organizational measures necessary, to ensure, for the relevant data processing, the application of this Regulation and additional information about the performance of personal data to the data subject concerned are kept separate. The data controller who processes personal data should designate authorized persons within the same controller.

Official Journal of the European Union 4.5.2016

Individuals may be associated with online identifiers items, which are provided by the devices, applications, tools and protocols, such as Internet Protocol addresses, IDs cookies or other identifiers such as radio frequency identification tags. These may leave traces which, especially when combined with unique identifiers and other information received by the servers, They can be used to create profiles of individuals and recognize their identity.

The public authorities to which the personal data disclosed in accordance with a legal obligation to perform their official duties, such as tax and customs authorities, economic research units, independent administrative authorities or financial markets authorities responsible for the regulation and supervision of securities markets should not be regarded as recipients, if they receive personal data necessary to carry out a special investigation in the public interest, under the law of the Union or a Member State. The disclosure requests sent by public authorities should always be written, justified under the circumstances and should not involve the entirety of a filing system or lead to the linking of filing systems. The processing of personal data by these public authorities should comply with applicable data protection rules depending on purposes of the processing.

Consent should be provided with clear positive energy which constitute free, specific, explicit and informed indication of the agreement of the data subject for the processing of data concerning him, for example by written declaration, including by electronic means, or oral statement. This could include the completion of a box when visiting a web site, select the desired technical arrangements for services of the information society or a statement or conduct which clearly indicates, in this context, that the data subject accepts the proposal processing of their personal data. Therefore, the silence, the pre-checked boxes or inaction should not be construed as consent. Consent should cover all processing activities carried out for the same purpose or for the same purposes. When the processing has multiple purposes, consent should be given for all these purposes. If the consent of the data subject will be given upon request electronically, the request must be clear, comprehensive and not unreasonably disturb the use of the service which is provided.

Often, It can not be fully determined the purpose of processing personal data for scientific research at the time of data collection. Hence, data subjects should be able to give their consent to certain areas of scientific research, when the recognized ethical standards are followed for scientific research. Data subjects should be allowed to give their consent only in certain areas of research or only parts of research programs, to the extent permitted by its intended purpose.

As genetic data should be defined personal data associated with inherited or apokektimena genetic characteristics of an individual resulting from the biological sample analysis of the natural person, especially from chromosomal deoxyribonucleic acid analysis (DNA) or ribonucleic acid (RNA) or concerning another element that allows to obtain equivalent information.

Personal data relating to health should include all data related to the health status of the data subject and which reveal information about the past, current or future state of physical or mental health of the data subject. This includes information about the individual collected during registration for health services and the provision thereof as defined in Directive 2011/24 / EU of the European Parliament and of the Council (1) to that natural person; a number, a symbol or identity attribute attributed to a natural person for the purpose of complete identification of the natural person for health purposes; information resulting from tests or analyzes on a part or substance of the body, inter alia by genetic data and biological samples and any information, for example, on disease, disability, risk of disease, medical history, clinical treatment or the physiological or biomedical status of the data subject, whatever its source, for example, by a doctor or other professional healthcare, hospital, medical device or diagnostic test in vitro.

H main installation of the controller Union should be the place of central administration in the Union, unless decisions on the purposes and means of processing personal data obtained in another establishment of the controller in the Union, so that another facility will be regarded as the main installation. The main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities which determine the major decisions regarding the purposes and means of processing through stable arrangements. This criterion should not depend whether the processing

(1) Directive 2011/24 / EU of the European Parliament and of the Council, 9 March 2011, on the application of patients' rights in cross-border healthcare (OJ L 88 of 4.4.2011, p. 45).

Official Journal of the European Union

Personal data may be in this location. The existence and use of technical means and technologies for processing personal data or processing activities do not constitute itself’ se main installation, therefore, not constitute decisive criteria for the main installation. The main establishment of the processor should be the place of central administration in the Union or, if he has no head office in the Union, the place where the main processing activities in the Union. In cases where both the controller and the processor, responsible chief supervisory authority should remain the supervisory authority of the Member State where the main establishment of the controller, but the supervisor of the processor should be regarded as concerned supervisor and that supervisor should participate in the cooperation procedure laid down in this Regulation. In each case, the supervisory authorities of the Member State or States where the processor has one or more establishments should not be regarded as supervisory authorities concerned when the draft decision relates only to the controller. When processing is carried out by business group, as a principal place of controlling undertaking should be considered the principal place of business group, unless the purpose and means of processing are determined by another company.

37. (37) The group of enterprises should cover the controlling company and companies it controls, where the controlling undertaking should be the undertaking which can exercise a dominant influence over the other undertakings under, for example, ownership, financial participation or the rules which govern it or the personal data protection rules applying power. Undertaking exercising control over the processing of personal data to associated enterprises should be considered, together with these companies, business group.
38. (38) Children require special protection for their personal data, as children may be less aware of the risks, consequences and safeguards and their rights in relation to the processing of personal data. This special protection will especially be true in the use of personal data for marketing or creating personality profiles or user profiles and collect personal data relating to children when using services directly offered to a child. The consent of the parent or guardian should not be necessary in connection with prevention advice or services directly available to a child.
39. (39) Any processing of personal data must be lawful and fair. It should be clear to individuals that personal data concerning them are collected, they are used, considered or submitted by’ otherwise processed, and to what extent personal data are or will be processed. That principle requires that any information and communication on the processing of their personal data to be easily accessible and understandable, and use clear and simple language. This principle relates in particular to inform data subjects about the identity of the controller and the purposes of the processing and further information in order to ensure fair and transparent process in relation to these individuals and their right to obtain confirmation and to achieve communication relating to these personal data are processed. You should be available to natural persons risk being, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. Especially, the personal data specific purposes of the processing should be clear, legal and determinate when the collection of personal data. Personal data should be adequate, relevant and limited to what is necessary for the purposes of their processing. This requires, in particular to ensure that the storage of personal data is limited to the minimum. Personal data should be processed only if the purpose of processing can not be achieved by other means. To ensure that personal data is not kept longer than necessary, the controller should set deadlines for their removal or for their periodic review. It should take all reasonable steps, to ensure that personal data which are inaccurate be corrected or deleted. Personal data should be processed in a manner to ensure appropriate protection and confidentiality of personal data, inter alia, to prevent any unauthorized access to such personal data and to equipment used to process or use personal data and of such equipment.
40. (40) To be treated fairly, personal data must be processed by the consent of the data subject or other basis, statutory, or in this Regulation or in other legislation of the Union or a Member State as mentioned in this

Official Journal of the European Union 4.5.2016

Regulation, including the need to comply with the legal obligation to which the controller is subject, or the need to perform a contract to which the data subject is party or in order to take steps at the request of the data subject prior to contract.

Whenever this regulation refers to the legal basis or legislative measure, this does not necessarily require legislation approved by a parliament, subject to the requirements in accordance with the constitutional order of the Member State. However, this legal basis or legislative measure should be worded clearly and precisely and its application is foreseeable for persons subject to this, according to the jurisprudence of the European Court of Justice (the court") and the European Court of Human Rights.

When the processing is based on consent of the data subject, the controller must be able to prove that the data subject has consented to the processing operation. particularly, under a written declaration on another matter, They should be guarantees to ensure that the data subject is aware of this fact and to what extent has consented. Under Directive 93/13 / EEC (1), You should be provided consent form, drafted in advance by the controller in a comprehensible and easily accessible form, clear and simple wording, without unfair. To be considered informed consent, the data subject should know at least the identity of the controller and the purposes of processing the intended personal data. The consent should not be considered as freely given if the data subject has no real or free choice or not be able to refuse or withdraw consent without prejudicing.

To ensure that the consent is given freely, consent should not provide a valid legal basis for processing personal data in a particular case, when there is a clear imbalance between the data subject and the controller, especially where the controller is a public authority and is therefore unlikely to have given consent freely to all the circumstances of this specific situation. Consent is deemed not to have been given freely, if not allowed to give a separate consent to different processing personal data nature, even if it is appropriate in this case, or when the performance of a contract, Including mathe- a service, the consent, even if such consent is not necessary for such execution.

The treatment should also be lawful, necessary under contract or contract of intent.

When processing is carried out under a legal obligation to which the controller under or when necessary for the performance of a task carried out in the public interest or in the exercise of official authority, treatment should be based on Union law or Member State. This Regulation does not require specific law for each individual treatment. a single law may suffice as a basis for more than one processing operations based on a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. Also, the definition of the purpose of processing should be left to the law of the Union or a Member State. Furthermore, this law could determine the general conditions of this Regulation governing the lawful processing of personal data and to adopt specifications for the determination of the controller, the kind of personal data processed, the respective data subjects, the entities can koinolo gountai personal data, the objective constraints, storage period and other measures to ensure lawful and fair processing. Also, It should be left to the Union law or the law of the Member States to define whether the controller to fulfill a duty performed in the public interest or in the exercise of official authority should be a public authority or other natural or legal person governed public law or, if this is justified by reasons of public interest, including for health reasons, such as public health and social protection and healthcare services management, by private law, as a professional body.

The processing of personal data should also be considered lawful where it is necessary to protect an interest which is essential for the life of the data subject or another individual. The processing of personal data by the vital interests of another individual should,’

(1) Directive 93/13 / EOK of the Council, the April 5 1993, on unfair terms in contracts concluded with consumers (OJ L 95 of 21.4.1993, p. 29).

4.5.2016

principle be carried out only if it is obvious that the processing can not have another legal basis. Some types of treatment can be used both for important reasons of public interest and the other for the vital interests of the data subject, such as, for example, when the processing is necessary for humanitarian purposes, including to monitor epidemics and their spread, or in situations of urgent humanitarian need, especially in cases of natural and man-made disasters.

47. (47) The legitimate interests of the controller, including those of a controller which can be disclosed the personal data or third, can provide a legal basis for processing, provided they do not override the interests or fundamental rights and freedoms of the data subject, taking into account the legitimate expectations of data subjects on the basis of their relationship with the controller. Such an interest might for instance occur when no relevant and appropriate relation between the data subject and the controller, as if the data subject is a client of the controller or in the service of. In any event, the existence of legitimate interest would need careful assessment, inter alia, as to whether the data subject, at the time and in the context of the collection of personal data, it is reasonable to expect that for this purpose may be processed. particularly, the interests and fundamental rights of the data subject could take precedence over the interests of the controller, when personal data are processed in cases where the data subject is not reasonably expect further processing of data. Since it is for the legislature to provide by law the legal basis for the processing of personal data by public authorities, this legal basis should not be applied to the treatment by public authorities in the performance of their duties. H processing of personal data, to the extent strictly necessary for fraud prevention purposes, also constitute a legitimate interest of the data controller. H processing of personal data for direct marketing purposes can be considered that an instance of a legitimate interest.
48. (48) The controllers that are members of group of companies or institutions associated with central body may have a legitimate interest to transfer personal data within the business group for internal administrative purposes, including the processing of personal customer or employee data. The general principles of the transmission of personal data, within a group of companies, to an undertaking established in a third country are not affected.
49. (49) The processing of personal data, insofar as is strictly necessary and proportionate for the purposes of ensuring network and information security, ie the ability of a network or an information system to resist, at a given confidence level, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted tiveness personal data, and security of the services offered by these networks and systems or accessible via these networks and systems, or offered by public authorities, of Emergency Response Teams in IT (CERT), from intervention teams for events related to computer security (CSIRT), from network providers of electronic communications services and providers of technologies and security services, It constitutes a legitimate interest of the data controller. This could include, for example, preventing unauthorized access to electronic communications networks and malicious code distribution and stopping "denial of service attacks" and damage to computer systems and electronic communications.
50. (50) The processing of personal data for purposes other than those for which the personal data was originally collected should only be allowed where processing is compatible with the purposes for which the personal data was originally collected. In this case, no separate legal basis is required than that allowed for the collection of personal data. If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union law or Member State may determine and define the tasks and purposes for which they should be considered compatible and lawful further processing. Further processing for archival reasons relating to the public interest, for purposes of scientific or historical research or for statistical purposes should be considered compatible unlawful processing operation. The legal basis provided for by the law of the Union or a Member State for processing personal data may also constitute the legal basis for the further processing. To determine whether the purpose of further processing is compatible with the purpose of the original collection of personal data, the controller, if it meets all the requirements for the legality of the initial processing, You should take into account, including: any links between these purposes and the purposes of the intended further processing; the context in which the personal data have been collected, in particular the reasonable expectations of the data subject based on his / her relationship with the controller regarding their re-use; the nature of the personal data;

Official Journal of the European Union 4.5.2016

(51)

consequences of the intended further processing for the data subjects; and the existence of appropriate guarantees for both the initial and intended further processing operations.

When the data subject has provided his consent or processing is based on the law of the Union or a Member State constitutes a necessary and proportionate measure within a democratic society to ensure, particularly, major objectives in the context of general public interest, It should allow the controller to carry out further processing of personal data, regardless of the compatibility of the purposes. In each case, It should ensure the application of the principles laid down in this Regulation and, Especially, inform the data subject on those other purposes and on their rights, including the right to object. Labeling possible crime or threats to public safety by the controller and the transmission of personal related data to a competent authority in an individual case or to more than one cases involving the same offense or the same threats to public safety it should be considered as falling within the legitimate interests pursued by the controller. However, The transmission is within the legitimate interest of the controller or the further processing of personal data should be prohibited, if the process is not compatible with legal, professional or other binding obligation of confidentiality.

Personal data which are particularly sensitive in nature in relation to fundamental rights and freedoms requiring special protection, because the context of the treatment could create serious risks for the fundamental rights and freedoms. These personal data should include personal data revealing racial or ethnic origin, where the use of the term 'racial origin' in this Regulation does not imply that the Union accepted theories that support the existence of separate human races. Photo editing should not systematically be considered to be processing of special categories of personal data, as these are covered by the definition of biometric data only where processing by means of special technical means which allow unambiguous identification or authentication of a natural person. Such personal data must not be processed, unless such treatment is allowed in special cases provided for in this Regulation, whereas the law of Member States may lay down specific provisions on data protection, to adapt the application of the rules of this Regulation to comply with legal obligations or fulfill this task performed in the public interest or in the exercise of official authority vested in the controller. Apart from the specific requirements which subject such processing, They should apply the general principles and other rules of this Regulation, particularly in,Regarding the legal treatment conditions. Exceptions to the general prohibition of personal data character falling within those specific categories should be expressly provided, including, in case of express consent of the data subject or in respect of disabled, particular where the processing is carried out under legitimate activities of certain associations or foundations, whose purpose is to permit the exercise of fundamental freedoms.

The derogation from the prohibition on processing of special categories of personal data should also be allowed where provided by Union law or Member State and subject to appropriate safeguards, to protect personal data and other fundamental rights, if justified by reasons of public interest, in particular the processing of personal data in the area of ​​labor law, the social protection law, including pensions, and for health safety purposes, monitoring and alarm for preventing or controlling communicable diseases and other serious health threats. This exception can be made for health purposes, including public health and health care management, in particular in order to ensure the quality and efficiency cost of the procedures used for settling claims for benefits and services in the health insurance system, or for archiving purposes in the public interest, purposes of scientific or historical research or statistical purposes. It should also be a derogation to allow the processing of such personal data when it is necessary to establish, training or support legal claims, either in legal proceedings or in any administrative or extra-judicial process.

The processing of special categories of personal data that require higher protection should be made only for purposes related to health, if this is necessary to achieve those objectives, for the benefit of individuals and society as a whole, particularly in the context of service management and healthcare systems and social care, including the processing of such data by the management and the central national health authorities for the purpose of quality control, information management and overall national and local oversight of health care or social care, and ensuring continuity of healthcare or social work and cross-border healthcare or health security, for monitoring and alarm purposes or for archiving purposes in the public interest, scientific or historical research or

4.5.2016

Official Journal of the European Union

statistical purposes, by Union law or Member States with a view to serve the public interest, as well as studies carried out in the public interest in the public health sector. consequently, this Regulation should provide for harmonized conditions for the processing of special categories of personal health related data, compared with Disabilities, particular where the processing of these data is carried out for certain purposes concerning the health of persons who are under a legal obligation of professional secrecy. Union law or Member States should provide specific and adequate measures for the protection of fundamental rights and personal data of individuals. Member States should be able to maintain or introduce further conditions, including restrictions, regarding the processing of genetic data, biometric data or data concerning health. However, this should not prevent the free movement of personal data within the Union, when those conditions apply to cross-border processing of such data.

54. (54) The processing of special categories of personal data may be necessary in the public interest in the fields of public health, without the consent of the data subject. Such processing should be subject to appropriate and specific measures to protect the rights and freedoms of individuals. In this context, "public health" should be interpreted as defined in Regulation (FROM) No. 1338/2008 European Parliament and Council (1), ie all the elements associated with health, namely health, including morbidity and disability, the determinants that affect health, healthcare needs, the resources available for health care, the provision of health care and universal access to it, and the costs and financing of health care and the causes of mortality. This data relating to health in the public interest should not result in the processing of personal data for other purposes by third parties, such as employers or insurance companies and banks.
55. (55) Furthermore, the processing of personal data by official authorities for achieving aims officially recognized religious associations, laid down in constitutional law or international public law, thing topoieitai public interest.
56. (56) If, under electoral activities, the operation of the democratic system in a Member State shall require of political parties personal data relating to political opinions of citizens, the processing of such data may be permitted for reasons of public interest, if provided adequate safeguards.
57. (57) If personal data is processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information, to identify the data subject for the sole purpose of complying with any provision of this Regulation. However, the controller should not refuse to receive additional information provided by the data subject in order to support the exercise of his rights. The identification should include digital identification of the data subject, for example through the authentication mechanism, as the same identification information are used by the data subject upon entry (log-in) the online service provided by the controller.
58. (58) The principle of transparency requires that any information addressed to the public or to the data subject be brief, easily accessible and easily understood and clear and simple wording and, Furthermore, where appropriate, display. Such information could be provided in electronic form, for example, when intended for the public, via website. This is particularly important in cases where a multitude of participants and the complexity of technologies make it difficult for the data subject to know and understand if, by whom and for what purpose the collected personal data relating,as in the case of online advertising. Since children need special protection, each information and communication, if the treatment is aimed at children, It should be expressed in clear and simple language that the child can easily understand.
59. (59) They should provide ways to enable the data subject to exercise his rights under this Regulation, among other mechanisms by which to request and, where appropriate, be obtained free, Especially, access to personal data and correct or delete them and to exercise the right to object. The controller should also provide the means for electronic submission of requests, especially when personal data are processed electronically. The controller should be obliged to respond to requests of the data subject without delay and at the latest within one month and to provide justification, when it does not intend to comply with any such requests.

(1) regulation (FROM) No. 1338/2008 European Parliament and Council, of December 16 2008, on Community statistics on public health and health and safety at work (OJ L 354 of 31.12.2008, p. 70).

Official Journal of the European Union 4.5.2016

The principles of fair and transparent processing require to inform the data subject of the existence of the processing operation and its purposes. The controller should provide the data subject any further information that is necessary to ensure fair and transparent treatment, taking into account the specific circumstances and context in which it is carried out the processing of personal data. Further, the data subject will be the consequences and what profile must be updated if it is established. If personal data provided by the data subject, the data subject should also be informed whether obliged to provide personal data and for the consequences, when it does not provide such data. This information can be provided in combination with standardized icons to be placed prominently, understandable and legible way an essential overview of the intended processing. If the icons are available electronically, They should be machine-readable.

Information in relation to the processing of personal data relating to the data subject should be provided in the collection of the data subject or, if the personal data received from another source, within a reasonable time, depending on the circumstances of each case. If personal data may be disclosed to another recipient, the data subject must be informed, when personal data are disclosed for the first time to the recipient. When the controller intends to process personal data for a purpose other than that for which it was collected, the data controller should provide the data subject, prior to said further processing, Information for this purpose and other necessary information. When the origin of personal data can not be disclosed to the data subject because different sources have been used, They should be given general information.

However, it is not necessary to impose the obligation to provide information, if the data subject already has the information, if recording or disclosure of personal data is expressly provided by law or if the provision of information to the data subject proves impossible or would require a disproportionate effort. The latter could be particularly, when the treatment is for archival purposes in the public interest, for purposes of scientific or historical research or statistical purposes. connection, They should take into account the number of data subjects, the age of the data and any appropriate safeguards introduced.

A data subject shall have the right to access personal data collected and concern and to exercise this right easily and at reasonable intervals, to be aware and verify the lawfulness of processing. This includes the right of data subjects to have access to data concerning their health, for example the data in their medical records containing such information as diagnosis, test results, assessments by treating physicians and any treatment or interventions rendered. Therefore, every data subject should have the right to know and the especially announced for what purpose is the processing of personal data, if possible, how long is the processing of personal data, recipients who receive personal data, What logic is followed in any automatic processing of personal data and what could be the consequences of such processing, at least when based on profiling. The controller should be able to provide remote access to a secure system through which the data subject gains direct access to the data concerning him. This right should not adversely affect the rights or freedoms of others, such as professional secrecy or the right to intellectual property and, particularly, copyright protecting the software. However, These factors should not result in the denial of any information to the data subject. When the Controller process large amounts of information about the data subject, the controller should be able to ask the subject, given prior information, specify the information or processing activities associated with the request.

The controller should use all reasonable measures to verify the identity of the data subject that requests access, particularly in the context of online services and online identifiers identity. The controller should not retain personal data for the sole purpose to be able to respond to potential requests.

A data subject shall have the right to request correction of personal data relating to him, and the "right to oblivion", if the retention of such data violates this Regulation or the law of the Union or the Member State where the controller is subject. Especially, the data subject should have the right to request the deletion and termination of the processing of personal data relating to him, if the personal data is no longer necessary in relation to the purposes for which they are collected or submitted pursuant’ otherwise processed, if the data subject withdraws consent to treatment or if object to the processing of personal data relating to him or if the processing of personal data relating to him are not in accordance with this Regulation in’ otherwise. This right is particularly important where the data subject has provided his consent as a child, when he was not fully aware

4.5.2016

Official Journal of the European Union

the risks of treatment, and later wants to remove certain personal data, mainly from the Internet. The data subject should be able to exercise this right even though it is no longer child. However, further conservation of personal data should be lawful where it is necessary for the exercise of the right of freedom of expression and information, for compliance with a legal obligation, to fulfill a task carried out in the public interest or in the exercise of official authority vested in the controller, public interest in the public health sector, for archival purposes in the public interest, for purposes of scientific or historical research or statistical purposes, or for establishing, training or support legal claims.

66. (66) To strengthen the right to be forgotten in the online environment, the right to erasure should also be extended in such a way that the controller who published the personal data be required to inform the controllers process such personal data in order to erase any links or copy or replication of that data personal. When it does so, said controller must take reasonable steps, considering the technology available and the means available to the data controller, including technical measures, to inform controllers who process personal data on the data subject's request.
67. (67) Methods used to restrict the processing of personal data could include, including, the temporary movement of the selected data to another processing system, removing the accessibility of selected personal data by users or temporary removal of published data from website. In automated filing systems limiting processing should in’ principle be ensured by technical means so that personal data is not subject to further processing operation and can not be changed. The fact that the processing of personal data is limited will be indicated in the system.
68. (68) To further strengthen the control over the personal data, when the processing of personal data carried out by automated means, the data subject should also be allowed to receive personal data relating to him which has provided a controller, a structured, commonly used and machine readable format interoperable, and forward them to another controller. The data controllers should include encouraging nontai develop interoperable formats allow data portability. This right should apply where the data subject has provided the personal data with consent or where the processing is necessary for the performance of a contract. It should not apply where the processing is based on powers other than consent or agreement. From the nature of this right should not be exercised by controllers who process personal data in the exercise of their public duties. It should therefore apply where processing of personal data is necessary for compliance with a legal obligation to which the controller is subject, or to fulfill a task carried out in the public interest or in the exercise of official authority vested in the controller. The right of the data subject to transmit or receive personal data relating to him should not create an obligation for controllers to adopt or maintain treatment systems that are compatible technically. When, a particular set of personal data, affected more than one data subjects, the right to receive personal data should not affect the rights and freedoms of other data subjects under this Regulation. Furthermore, this right should not prejudice the right of the data subject to request the deletion of personal data or limitations of this right, as provided for in this Regulation and in particular should not lead to deletion of personal data concerning the data subject of the personal character and which has been supplied by it under a contract, the extent and if this data is necessary for the performance of this contract. When technically feasible, the data subject should have the right to ensure that personal data are transferred directly from one controller to another.
69. (69) Where personal data may be legitimately processed because processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or for reasons legitimate interests of the controller or a third party, any data subject should be entitled to par’ all of them to object to the processing of any personal data relating to the particular situation. It should be for the controller to prove that the imperative legitimate interests may override the interests or fundamental rights and freedoms of the data subject.
70. (70) Where personal data are processed for purposes of direct marketing, the data subject should have the right to object to such processing, including training profile to the extent that is associated with that direct marketing, whether initial or for further processing, at any time and without charge. This right must be specifically brought to the attention of the data subject, and clearly shown separately from any other information.

Official Journal of the European Union 4.5.2016

The data subject should have the right not to be subject to a decision, which may include some measure, which evaluate personal aspects relating to him, obtained solely on automated processing and which produces legal effects for that person or significantly affects accordingly, like automatic refusal online credit application or electronic hiring practices without human intervention. This treatment involves "profiling" which consists of any form of automated processing of personal data to evaluate personal aspects relating to a natural person, especially analyzing or predicting aspects of performance at work, the economic situation, health, personal preferences or interests, reliability or behavior, the position or movement of the data subject, insofar as legally effective against such person or significantly affects analogously. However, a decision based on this treatment, including training profile, It should be allowed when expressly provided by the law of the Union or a Member State, in which the controller is subject, including for purposes of monitoring and prevention of fraud and tax evasion in accordance with Regulations, the standards and recommendations of the institutions of the Union and national supervisory bodies and to ensure the safety and reliability of the service provided by the controller, or when it is necessary for the conclusion or performance of a contract between the data subject and the controller or when the data subject has provided their explicit consent. In each case, such processing should be subject to appropriate safeguards, which should include specific information of the data subject and the right securing human intervention, the right of expression of opinion of, the right to receive reasons for the decision taken in the context of this assessment and the right to challenge the decision. This measure should not concern a child.

In order to ensure a fair and transparent process in relation to the data subject, taking into account the specific circumstances and context in which it is carried out the processing of personal data, the controller should use appropriate mathematical or statistical procedures for compiling the profile, to implement technical and organizational measures, to correct the factors that lead to inaccuracies in personal data and to minimize the risk of errors, make secure personal data in a way that takes into account the potential risks associated with the interests and rights of the data subject and in a way that prevents, including, the discriminatory effects against individuals on the basis of racial or ethnic origin, political opinion, religion or belief, participation in trade unions, genetic condition or health status or sexual Guidance, or equivalent measures. Automated decision making and profiling based on specific categories of personal data should only be allowed under specific conditions.

The profiling is subject to the rules of this Regulation governing the processing of personal data, as legal grounds for processing or data protection authorities. In this context, the European Data Protection Board established by this Regulation ("Data Protection Board") You should be able to give directions.

They may be imposed by Union law or Member State law restrictions on certain fundamental principles and rights to information, access and rectification or erasure of personal data, the right to data portability, the right to object, the decisions based on profiling, and the violation of personal data communication to the data subject and on certain related obligations of the controllers, to the extent that is necessary and proportionate in a democratic society to safeguard public security, including the protection of human life, particularly in the event of natural or man-made disasters, prevention, investigation and prosecution of criminal offenses or the execution of criminal sanctions, including ensuring against threats to public security and their prevention or ethical violations in regulated professions, other important objectives of general public interest of the Union or a Member State, in particular an important economic or financial interest of the Union or a Member State, compliance with public records in the general interest, further processing of personal data archived to provide specific information on the political behavior in former authoritarian regimes or the protection of the data subject or the rights and freedoms of others, including social protection, public health and humanitarian purposes. These restrictions should be in conformity with the requirements laid down in the Charter and the European Convention for the Protection of Human Rights and Fundamental Freedoms.

It should establish responsibility and compensation of the controller for any processing of personal data performed by the controller or on behalf of the controller. particularly, the controller should be obliged to implement properly and effectively measure and be able to demonstrate the conformity of processing operations with this Regulation, including the effectiveness of the measures. These measures should take into account the nature, the frame, the scope and purposes of the processing and the risk to the rights and freedoms of individuals.

Official Journal of the European Union

75. (75) The risks to the rights and freedoms of natural persons, varying probability and severity, They can be obtained from the processing of personal data which could lead to physical, physical or non-physical damage, especially when the treatment may lead to discrimination, abuse or identity theft, financial loss, reputation damage, loss of confidentiality of personal data protected by professional secrecy, unlawful removal of psefdonymopoiisis, or any other significant economic or social disadvantage; when data subjects could be deprived of their rights and freedoms or prevented from exercising control over their personal data; when subject to processing of personal data which discloses racial or ethnic origin, political convictions, religion or philosophical beliefs or participation in trade unions and processed genetic data, data relating to health or data relating to sexual life or criminal convictions and offenses or related security measures; when assessing personal aspects, especially when trying to analyze or predict aspects of performance at work, the economic situation, health, personal preferences or interests, reliability or behavior, the position or movements, in order to create or use personal profiles; when processing personal data of vulnerable individuals, especially children; or when the processing involves a large amount of personal data and affects a large number of data subjects.
76. (76) The likelihood and seriousness of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, the scope, the context and purpose of the processing. This risk should be assessed on an objective assessment, declaring whether data processing operations involve risk or high risk.
77. (77) Guidance for the implementation of appropriate measures and to demonstrate compliance of the controller and processor, in particular as regards the determination of the risks associated with the treatment, their assessment in terms of origin, nature, probability and severity and identify best practices for risk reduction will in particular can be provided with approved codes of conduct, approved certifications, guidelines provided by the Data Protection Board or to the instructions provided DPO. The Data Protection Board may also issue guidelines on processing operations that are considered to be unlikely to lead to a high risk for the rights and freedoms of individuals, which would indicate what measures may be sufficient in this case to address the relative risk.
78. (78) The protection of the rights and freedoms of individuals with regard to the processing of personal data requires that appropriate technical and organizational measures to ensure that the requirements of this Regulation. To be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures that respond in particular to the principles of data protection by design and by default. Such measures could include, including, minimizing the processing of personal data, psefdonymopoiisi the personal data as soon as possible, transparency regarding the functions and processing of personal data, to enable the data subject to monitor the data processing and to be able the controller creates and improves the security features. In developing, design, selecting and using applications, services and products based on the processing of personal data or down processing of personal data for the performance of their duties, the producers, services and applications should be encouraged to take into account the right to data protection, in the development and design of such products, services and applications, in order that, taking into account the latest developments, ensuring that controllers and processors would be able to fulfill their obligations regarding data protection. The principles of data protection by design and by default should also be taken into account in public procurement.
79. (79) The protection of rights and freedoms of data subjects, as well as the responsibility and liability for damages to controllers and performing processing, including in relation to monitoring by supervisory authorities and supervisory measures, It requires a clear allocation of responsibilities under this Regulation, including the case where a controller determines the purposes and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller.
80. (80) If a controller or processor is not established in the Union is processing personal data subjects which are in the Union and perform processing activities related to the supply of goods or services, or require payment from the person or not, in these subjects in the Union or the monitoring of their behavior to the extent that their behavior takes place in the Union, the controller or the processor should designate a representative, unless the processing is casual, does not include processing, in big scale, personal data or processing personal data relating to criminal convictions and offenses and is likely to result in danger to the rights and freedoms of natural persons, taking into account the scope, the frame, the nature and purposes of the processing, or if the controller is a public authority or body. The representative should act on behalf of the controller or processor and that can be addressed each supervisor. The representative should be clearly defined

L 119/16

Official Journal of the European Union 4.5.2016

(81)

written authority of the controller or the processor to act on his behalf in respect of their obligations under this Regulation. The appointment of the representative shall not affect the responsibility or accountability of the controller or the processor under this Regulation. This representative should perform its duties according to the mandate given by the controller or the processor, inter alia cooperate with the competent authorities of any measures taken to ensure compliance with this Regulation. The appointed representative will be subject to enforcement procedures in case of non-compliance by the controller or the processor.

To ensure compliance with the requirements of this Regulation with regard to the conduct of processing by the processor, by the controller, where assigned to the processor processing activities, the controller should use only processors who offer adequate assurances, particularly in terms of expertise, credibility and resources, to implement technical and organizational measures to meet the requirements of this Regulation, including those concerning security of processing. The accession of the processor to an approved code of conduct or an approved certification scheme can be used as evidence to prove compliance with the obligations of the controller. The treatment of the processor must be governed by a contract or other legal act, based on Union law or the law of the Member States, connecting the processor to the controller, which defines the scope and duration of treatment, the nature and purposes of the processing, the kind of personal data and categories of data subjects, taking into account the specific tasks and responsibilities of the processor as part of the processing to be carried out and the risk to the rights and freedoms of data subjects. The controller and the processor may opt to use an individual contract or standard contractual clauses or approved directly by the Commission or by a supervisory authority in accordance with the consistency mechanism and subsequently approved by the Commission. After completion of the processing on behalf of the controller, the processor should, depending on the choice of the controller, return or delete the personal data, unless required to store personal data under Union law or the law of the Member State in which the processor belongs.

To be able to demonstrate compliance with this Regulation, the controller or the processor shall keep records of processing operations under their responsibility. Each controller and each processor should be obliged to cooperate with the supervisory authority and to make available the, upon request, such records, so it can be used for monitoring of specific processing operations.

To maintain security and to prevent processing in breach of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as through encryption. These measures should ensure an appropriate level of security, which includes the confidential tiveness, taking into account the latest developments and the cost of implementation in relation to the risks and nature of personal data to be protected. In assessing the risk to data security should be given to the risks arising from the processing of personal data, such as accidental or unlawful destruction, loss, change, unauthorized disclosure of or access to personal data transmitted, stored or subjected flat’ otherwise processed which could result in physical, physical or non-physical damage.

In order to reinforce compliance with this Regulation when processing operations may result in a high risk to the rights and freedoms of individuals, the controller will be responsible for conducting impact assessment on data protection, to assess, Especially, source, nature, the likelihood and severity of this risk. The result of the assessment should be taken into account when determining what action should be taken to demonstrate that the processing of personal data is in accordance with this Regulation. If the impact assessment on data protection indicates that processing operations involve a high risk that the controller can not be mitigated by appropriate measures in terms of available technology and implementation costs, They should be consulted by the supervisory authority before processing.

Violation of personal data may, if not addressed in an adequate and timely, result in physical, physical or non-physical harm to individuals, such as loss of control over their personal data or restriction of their rights, discriminatory, abuse or identity theft, financial loss, unlawful removal of psefdonymopoiisis, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or other important social or economic disadvantage to the individual concerned. Consequently, as soon as the controller

Official Journal of the European Union

becomes aware of a violation of personal data, should without delay, if possible, within 72 hours of acquired knowledge of the event, disclose the violation of personal data to the competent supervisory authority, unless o controller can prove, according to the principle of accountability, that the violation of personal data is not likely to cause danger to the rights and freedoms of individuals. If such a notification can not be achieved within 72 hours, The notification must be accompanied by justification stating the reasons for the delay and the information can be gradually supplied without undue delay.

86. (86) The controller must immediately notify the data subject of violation of personal data, when the violation of personal data is likely to result in a high risk to the rights and freedoms of the individual, in order to be allowed to take the necessary precautions. The notice should describe the nature of the violation of personal data and recommendations to the individual concerned to mitigate potential adverse effects. These are the data subjects should be made as soon as possible, in close cooperation with the supervisory authority, respecting guidance provided by it or other relevant authorities, such as law enforcement authorities. For example, the need to mitigate an imminent risk of loss would require immediate notice to data subjects, and the need to implement appropriate measures against continuing or similar data breaches of personal nature may justify a longer notice.
87. (87) It should be ascertained whether they have implemented all appropriate measures technological protection and organizational measures for the immediate identification of any personal data breach and the immediate notification of the supervisory authority and the data subject. It should be noted that the disclosure was made without undue delay, taking into account in particular the nature and gravity of the violation of personal data, and the consequences and adverse effects for the data subject. The notification may lead to intervention by the supervisory authority, in accordance with the tasks and powers defined in this Regulation.
88. (88) In setting detailed rules concerning the format and procedures applicable to the notification of personal data breaches, They should take due account of the circumstances of such breach, including whether personal data protected by appropriate technical protection measures, effectively limiting the likelihood of identity fraud or other forms of abuse. Furthermore, these rules and procedures should take into account the legitimate interests of law enforcement authorities, where early disclosure could unnecessarily impede the investigation of the circumstances of a breach of personal data.
89. (89) Directive 95/46 / EC provided for a general obligation to disclose the personal data to the supervisory authorities. Although this obligation entails administrative and financial burdens, It did not help in all cases to improve the protection of personal data. Therefore, general obligations such disclosure, undifferentiated, They should be abolished and replaced with effective procedures and mechanisms that focus on those types of processing operations that may result in a high risk to the rights and freedoms of individuals because of the nature, the scope, the context and their objectives. These kinds of processing operations may be those, Especially, including the use of new technologies or new type is when it has previously carried out an impact assessment as regards the protection of data from the controller or when they are necessary because of the time elapsed from the initial processing.
90. (90) In these cases, the controller, before treatment, should carry out an impact assessment regarding data protection, to assess the particular probability and severity of high risk, taking into account the nature, extent, context and purpose of the processing and risk sources. This impact assessment should include, Especially, the planned measures, safeguards and mechanisms that mitigate this risk, ensuring the protection of personal data and demonstrate compliance with this Regulation.
91. (91) This will be particularly true for large scale processing operations aimed at processing a significant amount of personal data at regional, national or supranational level, which could affect a large number of data subjects and which is likely to result in high risk, for example because of their sensitivity, when according to the existing technological knowledge levels used a new technology widely, and other processing operations which result in a high risk to the rights and freedoms of data subjects, particularly where such acts impede the exercise of data subjects' rights. It should also be carried out an impact assessment regarding data protection when personal data are processed in coming to decisions relating to specific individuals following a systematic and extensive evaluation of personal aspects relating to individuals based training

Official Journal of the European Union

profiles based on those data, or after the processing of specific categories of personal data, biometric data or data relating to offenses and criminal convictions or related security measures. impact assessment on data protection is also needed for monitoring publicly accessible areas on a large scale, especially when used for optoelectronic devices or any other work whenever the competent authority considers that the processing may result in a high risk to the rights and freedoms of data subjects, in particular because it prevents data subjects to exercise any right or use a service or contract or because systematically carried out on a large scale. The processing of personal data should not be considered to be major, if the processing relates to personal data of patients and doctors as private clients, other professional healthcare or lawyer. In such cases, the impact assessment of data protection should not be mandatory.

There are cases where it may be sensible and economic subject of an impact assessment regarding data protection exceeding a single project, for example where public authorities or bodies intend to establish a common application or processing platform or if more controllers plan to introduce a common application or processing environment to an industrial sector or industry or for a widely used horizontal activity.

Under the version of the legislation of a Member State underlying the performance of the duties of a public authority or public body, which regulates the act or series of processing operations, Member States may deem it necessary to carry out this assessment before treatment activities.

If the impact assessment relating to the protection of the data suggests that treatment, without safeguards, security measures and mechanisms to mitigate the risk, would result in a high risk to the rights and freedoms of individuals and the controller is of the opinion that the risk can not be mitigated by reasonable measures as regards the available technology and the cost of implementation, should be consulted by the supervisory authority before the start of the processing activities. Such high risk is likely to occur from certain processing and a certain degree of processing and frequency, so even damage or interference with the rights and freedoms of the individual. The supervisory authority should respond to the request for consultation within a given period. However, The lack of reaction of the supervisory authority within the said time limit should not affect any intervention of the supervisory authority, in accordance with the tasks and powers defined in this Regulation, including the prohibition of processing operations of power. As part of this consultation process, may be submitted to the supervisory authority the result of the impact assessment on data protection conducted in connection with the issue processing, in particular the measures provided to mitigate the risk to the rights and freedoms of individuals.

The processor should provide assistance to the Controller, when necessary and upon request, to ensure compliance with the obligations arising from the conduct of impact assessments on the protection of data and the prior consultation of the supervisory authority.

Consultation with the supervisory authority should also be performed during the preparation of a legislative or regulatory measure under which the processing of personal data, to ensure compliance of the intended processing with this Regulation and, Especially, To mitigate the risks to the data subject.

If the processing is carried out by a public authority, excluding the courts or independent judicial authorities when acting in their judicial competence, provided that, the private sector, the processing performed by the controller whose main activities involve processing operations which require regular and systematic monitoring of data subjects on a large scale, or if the basic activities of the controller or the processor are large-scale processing of special categories of personal data and data relating to criminal convictions and offenses,

Official Journal of the European Union

a person with expertise in law and data protection practices should assist the controller or the processor in the monitoring of internal compliance with this Regulation. In the private sector, the basic operations of a controller related to the core business and not the processing of personal data as an ancillary activity. The necessary level of experience should be determined in particular according to the data processing carried out by the protection which require that personal data processed by the controller or the processor. These Data Protection Officers, regardless of whether they are employees of the controller, You should be able to perform its obligations and duties in an independent manner.

98. (98) The compounds or other entities that represent categories of controllers or processors should be encouraged to draw codes, within the limits of this Regulation, to facilitate effective implementation of this Regulation, taking into account the specific characteristics of the processing carried out in certain areas and particular needs of micro, small and medium enterprises. particularly, these codes could regulate the obligations of controllers and processors, taking into account the risk that could result from the treatment to the rights and freedoms of individuals.
99. (99) When drawing up a code of conduct or the amendment or extension of such a code, associations and other bodies representing categories of controllers or processors should consult interested parties, including by data subjects, where feasible, and take account of any comments submitted and those views expressed in these consultations.
100. (100) To improve transparency and compliance with this Regulation, They should be encouraged to establish certification mechanisms and seals and data protection signals, allowing data subjects to quickly assess the level of data protection of relevant products and services.
101. (101) The personal data flows to and from countries outside the EU and international organizations are necessary for the expansion of international trade and international cooperation. The expansion of these flows has created new challenges and concerns relating to the protection of personal data. However, when personal data are transferred from the Union to controllers, processors or other recipients in third countries or international organizations, level should not undermine the protection of individuals which guarantees the Union this Regulation, including where further transfers of personal data to a third country or international organization to controllers and processors in the same or another third country or another international organization. In each case, transfers to third countries and international organizations can be notified effected only in full compliance with this Regulation. Transmission can take place only if, subject to the other provisions of this Regulation, the controller or the processor shall comply with the terms of the provisions of this Regulation regarding the transfer of personal data to third countries or international organizations.
102. (102) This Regulation is without prejudice to international agreements concluded between the Union and third countries governing the transmission of personal data and provide adequate safeguards for data subjects. Member States may conclude international agreements which provide for transfer of personal data to third countries or international organizations, insofar as those agreements do not affect the provisions of this Regulation or other provisions of Union law and include an appropriate level of protection for the fundamental rights of data subjects.
103. (103) The Commission may decide, with effect for the entire Union, that a third country, soil or specific sector in a third country or international organization, offer an adequate level of data protection and thereby preserve legal certainty and uniformity throughout the Union as regards the third country or international organization which is considered to provide such level of protection. In such cases, the personal data in that third country or international organization can be made without having to request another license. The Commission may also decide to revoke this decision, upon notice and justification statement to the third country or international organization.
104. (104) According to the fundamental principles of the Union, in particular the protection of human rights, the Commission should, when assessing third country or a territory or a specific sector in a third country, take into account whether a given third country respects the rule of law, Access to Justice, and international norms and standards on human rights and the general and sectoral laws, on, including legislation on public security, defense and national security, and public policy and criminal law. Version adequacy decision for a soil or third-country field should be

Official Journal of the European Union

account clear and objective criteria, as specific processing activities and the scope of the applicable legal standards and legislation in force in the third country. The third country must offer guarantees that ensure an adequate level of protection, substantially equivalent to that ensured in the Union, particular where the processing of personal data is done in one or several specific areas. particularly, the third country should ensure the effective independent supervision of data protection and provides mechanisms for cooperation with data protection authorities in Member States, not the data subjects should have at their disposal effectively and legally enforceable right, and the possibility of an effective administrative and judicial redress.

In addition to international commitments the third country or international organization, the Commission should take into account the obligations arising from its participation in the third country or international organization in multilateral or regional systems, particularly in relation to the protection of personal data, as the application of such obligations. It must, Especially, take account of the accession of the third country in the Council of Europe Convention of 28 January 1981 on the protection of individuals with regard to automatic processing of personal data and its Additional Protocol. The Commission should consult the Data Protection Council consulted whenever assess the level of protection in third countries or international organizations.

The Commission should monitor the operation of the decisions on the level of protection in a third country, soil or specific area of ​​a third country or an international organization and to monitor the operation of the decisions adopted pursuant to Article 25 paragraph 6 or Article 26 paragraph 4 Directive 95/46 / EC. The decisions of proficiency, the Commission should provide for periodic review mechanism of operation. This periodic review should be done in consultation with the third country or international organization and should take into account all relevant developments in the third country or international organization. For the purposes of monitoring and conducting periodic reviews, the Commission should take into account the opinions and conclusions of the European Parliament and of the Council, and other relevant bodies and sources. The Commission should assess, within a reasonable time, operation of recent decisions and report any pertinent findings to the Committee within the meaning of Regulation (EU) No. 182/2011 European Parliament and Council (1), as established by this Regulation, the European Parliament and the Council.

IEpitropimporeinadiapistoseiotimiatritichora,edafosisygkekrimenostomeasmiastritischorasienasdiethnis body does not ensure an adequate level of data protection. Hence, It should prohibit the transfer of personal data in that third country or international organization, unless the requirements of this Regulation concerning transfers subject to appropriate safeguards, including binding corporate rules, and on exceptions for special situations. In this case, They should involve consultation between the Commission and such third countries or international organizations. The Commission should, timely, inform the third country or international organization on the grounds and to enter into consultations to address the situation.

Absence adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country through appropriate safeguards for the data subject. Such appropriate safeguards may involve the use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses approved by supervisory authority. Such safeguards should ensure compliance with data protection requirements and the rights of data subjects, in light of the processing within the Union, Including mathe- availability legally robust data subjects' rights and real remedies, such as including the right to an effective administrative or judicial action and claim for compensation, in the Union or in a third country. They should relate in particular to compliance with the general principles governing the processing of personal data and the principles of data protection by design and by default. Transfers can also be carried out by public authorities or institutions with public authorities or bodies to third countries or international organizations which have similar tasks or responsibilities, including under provisions to be incorporated into administrative arrangements, as a memorandum, where they are provided effectively and legally strong rights for data subjects. The permission of the competent supervisory authority should be obtained if the guarantees provided in non-legally binding administrative settings.

The ability of the controller or the processor to use standard data protection clauses approved by the Commission or the audit authority should not prevent controllers or processors incorporate standard data protection clauses in a wider contract, as a contract between the processor and other executing

Official Journal of the European Union

processing, nor to add other clauses or additional guarantees, if they do not contradict, directly or indirectly, to approval by the Commission or by a supervisory authority or contractual clauses infringe the fundamental rights and freedoms of data subjects. The controllers and processors should be encouraged to provide additional guarantees through contractual commitments are complementary to existing data protection clauses.

110. (110) A group of companies, as well as a group of companies engaged in joint economic activity, You should be able to make use of approved binding corporate rules for its international transfers from the Union to organizations within the same group of companies or group of companies engaged in joint economic activity, if such corporate rules include all the basic principles and rights to receive legal protection, to ensure appropriate safeguards for transfers or categories of personal data transfers.
111. (111) The possibility of transfers in some cases be made, when the data subject has provided their explicit consent, if the transmission is occasional and necessary in connection with a contract or a legal claim, either in legal proceedings or in any administrative or extra-judicial process, including in proceedings before regulatory bodies. The possibility of transfers should also be made, where important reasons of public interest laid down by Union law or Member States so require or where the transfer is made from a register established by law and intended for extracting information from the public or persons having a legitimate interest. In the latter case, this transmission should not cover the entirety of the data or entire categories of personal data contained in the registry and, when the register is intended to obtain information from persons who have a legitimate interest, the transfer should be made only at the request of those persons or, whether it be those recipients transmission, taking full account of the interests and fundamental rights of the data subject.
112. (112) These derogations should in particular apply to data transfers requested and necessary for important reasons of public interest, for example in cases of international data exchange between competition authorities, tax or customs authorities, among financial supervisors, between agencies responsible for social security or public health, for example in case of contact tracing to detect infectious diseases or in order to reduce and / or eliminate doping (doping) in sport. The transfer of personal data should also be considered lawful where it is necessary to protect the interest which is essential for the vital interests of the data subject or another person, including for the physical integrity or life, if the data subject is unable to give consent. Absence adequacy decision, Union law or the law of a Member State may, for serious reasons of public interest, explicitly provides for restrictions on the transmission of specific categories of data to a third country or international organization. Member States shall notify those provisions to the Commission. Any transfer to international humanitarian personnel data organization character of a subject that does not have the natural or legal capacity to give consent, which is designed to fulfill a duty under the Geneva Conventions or to comply with international humanitarian law in armed conflicts, It could be regarded as necessary for a good cause the public interest or because it intends to vital interests of the data subject.
113. (113) Transfers which are identifiable non-recurring and which concern a limited number of data subjects may also be allowed due to overriding legitimate interests pursued by the controller, when the interests or the rights and freedoms of the data subject do not override these interests when the controller has assessed all the circumstances surrounding the transfer of data. The controller should take particular account of the nature of the personal data, the purpose and duration of the proposed operation or processing operations, and the situation in the country of origin, the third country and the country of final destination, and provide the services appropriate safeguards for the protection of fundamental rights and freedoms of individuals with regard to the protection of personal data. These transfers should only be possible in cases where none of the other transfer purposes. For purposes of scientific or historical research or statistical purposes, They should take into account the legitimate expectations of society for an increase of knowledge. The controller should inform the supervisory authority and the data subject for the transfer.
114. (114) In each case, if the Commission has not received an adequacy decision on the level of data protection in a third country, the controller or the processor will have to find solutions that can provide regarding the processing of their data in the Union to data subjects effectively and legally enforceable right after the transmission of such data, to continue to benefit the fundamental rights and guarantees.

L 119/22 (115)

Official Journal of the European Union 4.5.2016

Some third countries enact laws, regulations and other legal instruments which purport to directly regulate the processing activities of natural and legal persons under the jurisdiction of Member States. This may include court decisions or decisions of administrative authorities in third countries that require a controller or processor to transfer or disclose personal data which are not based on international agreement, eg Convention on Mutual Assistance in force between the country concerned and the Union or a Member State requesting. The extraterritorial application of these laws, regulations and other legal acts may violate international law and impede the attainment of the protection of individuals guaranteed in the Union by this Regulation. Transfers should only be allowed if the conditions of this Regulation to transfers to third countries. This can happen, including, if the disclosure is necessary for an important ground of public interest which is recognized in Union law or Member State in which the controller is subject.

The transboundary movement of personal data outside the EU possibly putting at greater risk the ability of individuals to exercise data protection rights in particular to protect tefontai against unauthorized use or disclosure of such information. At the same time, the supervisory authorities may find that they are unable to act on complaints or to conduct investigations into activities outside their borders. Their efforts to work together in a cross-border context may also be hampered by insufficient preventive or remedial powers, of contradictory legal regimes and practical obstacles, such as the lack of resources. Therefore, there is a need to promote closer cooperation between data protection supervisory authorities, to make it easier to exchange information and carry out investigations with their international counterparts. To develop international cooperation mechanisms to facilitate and provide international mutual assistance in the enforcement of data protection legislation, The Commission and supervisory authorities should exchange information and cooperate in activities related to the exercise of their powers by the competent authorities of third countries, in accordance with the principle of reciprocity and in accordance with this Regulation;

The establishment of supervisory authorities in Member States, authorized to carry out their duties and exercise their powers in full independence, It is an essential component of the protection of individuals with regard to the processing of their personal data. Member States should be able to establish more supervisors, depending on the constitutional, organizational and administrative structure.

The independence of the supervisory authorities should not imply that the supervisory authorities can not be subject to inspection or monitoring mechanisms in terms of their financial expenses or judicial review.

Where a Member State introduces more supervisors, should establish by law mechanisms, to ensure the effective participation of those supervisory authorities in the consistency mechanism. The Member State should designate, Especially, the supervisory authority which is the single contact point for the effective participation of those authorities in the mechanism, to ensure rapid and smooth cooperation with other supervisory authorities, the Data Protection Council and Commission.

In each supervisor financial and human resources should be provided, facilities and infrastructure that are essential to the effective performance of its functions, including those relating to mutual assistance and cooperation with other supervisory authorities throughout the Union. Each supervisor should have separate, public annual budget, which can be part of the overall state or national budget.

The general conditions for the member or members of the supervisory authority should be established by law in each Member State and should provide, Especially, that those members appointed, transparent process, either by parliament, the government or the head of state of the Member State on a proposal from the government, State government, parliament or part of parliament, either by an independent body responsible for this purpose by the law of the Member States. To ensure the independence of supervisors, the member or members should act with integrity, to refrain from any action incompatible with their duties and, during their term of office, They should not engage in any incompatible occupation, profitable or not. The supervisory authority must have its own staff, selected by the supervisory authority or by an independent body set up under the law of a Member State, and be under the exclusive direction of the member or members of the supervisory authority.

Each supervisor will be responsible, in the Member State responsible, to exercise the powers and perform the functions assigned in accordance with this Regulation. This should cover in particular the treatment in the activities of an establishment of the controller or the processor in the territory of their own Member State, the processing of personal data carried out by public authorities or private bodies acting in the public interest, processing that affects the underlying data in the territory or processing carried out by

Official Journal of the European Union

controller or processor is not established in the Union, when targeted data subjects residing in its territory. This should include addressing complaints submitted by the data subject, Investigations on the implementation of this Regulation and promoting public awareness of the dangers, the rules, guarantees and rights related to the processing of personal data.

123. (123) The supervisory authorities should monitor the application of the provisions of this Regulation and to contribute to a consistent application across the Union, order to protect individuals with regard to the processing of their personal data and to facilitate the free movement of personal data within the internal market. For this purpose, supervisors should cooperate with each other and with the Commission, without requiring an agreement between the Member States for mutual assistance or for such cooperation.
124. (124) Όταν η επεξεργασία δεδομένων προσωπικού χαρακτήρα πραγματοποιείται στο πλαίσιο των δραστηριοτήτων μιας εγκατάστασης ενός υπευθύνου επεξεργασίας ή εκτελούντος την επεξεργασία στην Ένωση και ο υπεύθυνος επεξεργασίας ή ο εκτελών την επεξεργασία είναι εγκατεστημένος σε περισσότερα κράτη μέλη ή όταν η επεξεργασία που πραγματο­ ποιείται στο πλαίσιο των δραστηριοτήτων της μόνης εγκατάστασης υπευθύνου επεξεργασίας ή εκτελούντος την επεξεργασία στην Ένωση επηρεάζει ουσιωδώς ή είναι πιθανόν να επηρεάσει ουσιωδώς υποκείμενα των δεδομένων σε περισσότερα του ενός κράτη μέλη, as head authority acts as supervisor for the main establishment of the controller or the processor or the only installation of the controller or the processor. It should cooperate with other authorities concerned, because the controller or processor has an establishment in the territory of the Member State, because data subjects residing in their territory materially affected or because the complaint has been lodged. Also, when a data subject who does not reside in that Member State submits a complaint, the supervisory authority to which an application should also be concerned supervisor. As part of his duties to issue guidelines on any issue related to the implementation of this Regulation, the Data Protection Council should be able to issue guidelines, in particular the criteria to be taken into account in determining whether such treatment affects materially the data subjects in several Member States and what constitutes relevant and reasoned objection.
125. (125) The chief authority should be empowered to take binding decisions on measures to implement the tasks conferred upon it under this Regulation. In its capacity as lead authority, the supervisory authority should ensure the active participation and coordination of the parties concerned supervisors in the decision making process. If the decision rejects, wholly or partly, the termination of the data subject, this decision should be approved by the supervisory authority to which the complaint was lodged.
126. (126) The decision should be agreed jointly by the chief supervisor and the supervisory authorities and should be addressed to the principal or sole installation of the controller or the processor and be binding on the controller and the processor. The controller or processor should take the necessary measures to ensure compliance with this regulation and the implementation of the decision notified by the chief supervisor in the main installation of the controller or the processor regarding processing activities the Union.
127. (127) Each supervisory authority does not act as the lead supervisor must be competent to deal with local affairs where the controller or processor is established in more than one Member State, but the subject of the treatment only processing that takes place in a single Member State and relates to data subjects in that Member State only, for example, when the subject of the processing of personal data of workers in particular employment within a Member State. In such cases, The supervisory authority must inform thereof the chief supervisory authority without delay. Once updated, the chief supervisor should decide whether to deal with the case in accordance with the arrangement on cooperation between the chief supervisor and the other supervisory authorities ("One-stop mechanism '), or whether it should deal with the case at the local level the supervisory authority informed. When deciding whether to hear the case, the chief supervisor should take into account whether there is a facility of the controller or the processor in the Member State of the supervisory authority informed, to ensure efficient enforcement of the decision against the controller or the processor. When the

Official Journal of the European Union

chief supervisory authority decides to hear the case, the supervisory authority informed should be able to submit a draft decision, which should head the supervisory authority to take the utmost account when preparing the draft decision in the context of the one-stop mechanism.

The rules on the chief supervisor and the one-stop mechanism should not be applied where the processing is carried out by public authorities or private institutions in the public interest. In such cases, the sole supervisory authority is competent to exercise the powers conferred under this Regulation should be the supervisory authority of the Member State where it is established that a public authority or private body.

To ensure consistent monitoring and enforcement of this Regulation throughout the Union, supervisory authorities should have in each Member State the same duties and the same real powers, including investigation powers, corrective powers and sanctions, and licensing and advisory powers, particularly in cases of complaints from individuals, and, without prejudice to the powers of prosecution under the law of a Member State, the power to refer violations of the provisions of this Regulation to the judicial authorities and to engage in legal proceedings. Those powers should also include the power to impose a temporary or definitive restriction processing, including prohibiting the taking of. Member States may designate particular other tasks related to the protection of personal data under this Regulation. The powers of supervisory authorities should be exercised in accordance with appropriate procedural safeguards set out in EU law and the law of the Member States, impartially, fairly and within a reasonable time. Especially, every measure must be appropriate, necessary and proportionate, to ensure compliance with this Regulation, taking into account the circumstances of each individual case, to respect the right to be heard every person before any individual measure against him and to avoid unnecessary costs and excessive burdens on the persons concerned. The investigative powers as regards access to premises should be exercised in accordance with the specific requirements of the procedural law of the Member State, such as requiring prior judicial authorization issuance. Any legally binding measure of the supervisory authority should be made in writing, be clear and unambiguous, state supervisory authority which issued, the date of issue, be signed by the head or member of the supervisory authority authorized by the, state the reasons for the measure and the right to an effective remedy. This should not exclude the possibility of additional requirements in accordance with the procedural law of the Member State. The adoption of a legally binding decision that may involve, possibly, be subject to judicial control in the Member State of the supervisory authority which issued the judgment.

Where the supervisory authority to which the complaint was not the lead supervisor, the chief supervisory authority should cooperate closely with the supervisory authority to which the complaint was lodged in accordance with the provisions on cooperation and coherence provisions in this Regulation. In such cases, the chief supervisor should, taking measures destined to produce legal effects, such as administrative fines, take particular account of the opinions of the supervisory authority to which the complaint was lodged and which should remain responsible for carrying out any of the Member State research on the ground in connection with the competent supervisory authority.

When another supervisory authority must act as chief supervisor for processing activities of the controller or the processor, but this matter of the action or any infringement concerns only processing activities of the controller or the processor in the Member State where the complaint was lodged or found any violation and the matter does not significantly affect or are likely to significantly affect the data subjects in other Member States, the supervisory authority that receives a complaint or finds or is informed otherwise situations involving infringements of this Regulation should pursue a friendly settlement with the controller and, if this proves unsuccessful, to exercise the full range of powers. This should include: special processing carried out in the territory of the Member State of the supervisory authority or in respect of data subjects in the territory of that Member State; of the supervisory authority or the processing to be assessed, taking into account the respective legal obligations under Member State law.

Awareness raising activities by supervisory authorities addressed to the public should shall include concrete measures for controllers and processors, Included enon micro, small and medium enterprises, and individuals particularly in education.

Official Journal of the European Union

133. (133) Supervisors should support each other in the performance of their duties and provide mutual assistance, to ensure the consistent application and enforcement of this Regulation in the internal market. Supervisory authority requesting mutual assistance may take interim measure, if he does not receive a reply to a request for assistance within one month of receipt of the request by the other supervisor.
134. (134) Each supervisor should, where appropriate, to participate in joint operations with other supervisors. The supervisory authority to which the request should be required to respond to the request within a specified period.
135. (135) To ensure consistent application of this Regulation throughout the Union, will coherence mechanism should be established for cooperation between supervisory authorities. This mechanism should apply in particular where a supervisory authority intends to adopt a measure to have legal consequences for processing operations that materially affect a significant number of data subjects in several Member States. You should also apply where any supervisory authority or the Commission requesting the handling of the case under the consistency mechanism. This mechanism should not prejudice any measures that may be taken by the Commission in the exercise of its powers under the Treaties.
136. (136) When applying the consistency mechanism, the Data Protection Board should issue an opinion, within a specified period, decide if this is the majority of its members or at the request of a supervisory authority or by the Commission. The Data Protection Board should also be empowered to issue legally binding decisions when there are differences between supervisors. For this purpose, should issue, flat’ principle by a majority of two thirds of its members, legally binding decisions in clearly defined cases where there are conflicting opinions between supervisors, particularly under the cooperation mechanism between the chief supervisor and the supervisory authorities on the merits of the case, in particular whether there is a breach of this Regulation.
137. (137) There may be an urgent need for measures to protect the rights and freedoms of data subjects, especially when there is a risk to be significantly impeded the exercise of a right of a data subject. Therefore, a supervisory authority should be able to properly adopt temporary measures justified in its territory with a specified validity period which should not exceed three months.
138. (138) The application of this mechanism should be a condition for the legality of the measure taken by the supervisory authority in order to have legal effect in cases in which its application is mandatory. In other cases of cross-border interest, cooperation mechanism should apply between the Lead Authority and relevant supervisors, not the supervisory authorities could resort to mutual assistance and joint ventures, bilateral or multilateral, without triggering the consistency mechanism.
139. (139) In order to foster consistent implementation of this Regulation, the Data Protection Board should be set up as an independent body of the Union. To meet the objectives of, the Data Protection Council shall have legal personality. The Data Protection Board should be represented by its President. You need to replace the protective group of persons against the processing of personal data established by Directive 95/46 / EC. It should be composed of the head of the supervisory authority from each Member State and the European Data Protection Supervisor or their respective representatives. The Commission should participate in its activities Data Protection Council without voting rights and the European Data Protection Supervisor should have special voting rights. The Data Protection Board should contribute to the consistent application of this Regulation throughout the Union, including providing advice to the Commission, particularly on the level of protection in third countries or international organizations, and promoting cooperation among supervisory authorities across the Union. The Data Protection Board should act independently in the performance of his duties.
140. (140) The Data Protection Board should be assisted by a secretariat provided by the European Data Protection Supervisor. The European Data Protection Supervisor personnel involved in performing the tasks entrusted to the Data Protection Board under this Regulation should exercise their duties solely under the instructions of the President of the Data Protection Council and inform him about.
141. (141) Every data subject should have the right to complain to a single supervisory authority, especially in the Member State of habitual residence, and the right to an effective judicial remedy pursuant to Article 47 Charter, if he considers that violated his rights under this Regulation or where the supervisory authority does not act on a complaint, wholly or partly reject or declare a complaint inadmissible or

Official Journal of the European Union

It does not act and must act to protect the rights of the data subject. The investigation following a complaint should be carried out, subject to judicial review, to the extent appropriate to the specific case. The supervisory authority must inform the data subject of the progress and outcome of the complaint within a reasonable time. If the case requires further investigation or coordination with another supervisory authority, interim will update the data subject must be provided. In order to facilitate the submission of complaints, each supervisory authority should take measures such as providing Complaint Form, which can be completed electronically, without excluding other means of communication.

When the data subject believes that violated his rights under this Regulation, You should have the right to assign a non-profit organization, body or organization incorporated under the law of a Member State, It has statutory objectives that are in the public interest and active roots in the field of protection of personal data, complain on his behalf to a supervisor, exercise the right of litigation on behalf of the data subject or, if provided for by the law of a Member State, the right to receive compensation on behalf of data subjects. Member State may provide that this body, agency or organization has the right to refer to that State complaint, regardless of any assignment of the data subject, and right to an effective judicial remedy, when it has reason to believe that the rights of the data subject are violated as a result of the processing of personal data in violation of this Regulation. The body, agency or organization may not have the right to demand compensation on behalf of the data subject, regardless of any assignment of the data subject.

Any natural or legal person is entitled to bring an action for annulment of the Data Protection Council's decision before the Court in accordance with the conditions laid down in Article 263 TFEU. As recipients of these decisions, the supervisory authorities that wish to offend must appeal within two months of their notification, according to the article 263 TFEU. If the decisions of the Data Protection Council directly and individually concerned a controller, processor or complaint, they may bring an action for annulment of those decisions within two months from the publication of these decisions on the website of SymvouliouProstasias Data, according to the article 263 TFEU. Subject to that right under Article 263 TFEU, any natural or legal person should have the right to an effective remedy before the competent national court against a supervisory authority decision which produces legal effects concerning that person. These decisions concerning in particular the exercise of powers of investigation and remedial and licensing powers of the supervisory authority or in cases where complaints are deemed inadmissible or rejected. However, an effective remedy does not cover measures that supervisors are not legally binding, such opinions or advice provided by the supervisory authority. Proceedings against the supervisory authority should be brought before the courts of the Member State where the supervisory authority is established and conducted in accordance with the procedural law of that Member State. These courts should exercise full jurisdiction, which should include the authority to examine all the factual and legal issues relating to the case pending before them.

When a complaint has been rejected or deemed inadmissible by supervisor, the complainant can initiate court proceedings in that Member State. In judicial actions related to the implementation of this Regulation, national courts, which consider that a decision on the question is necessary for the adoption of their decision may or, in the case provided for in Article 267 TFEU, obliged to ask the Court for a preliminary ruling on the interpretation of European Union law, including this Regulation. Furthermore, when a decision supervisory authority which implements Council Decision Privacy challenged before a national court and challenged the validity of the Data Protection Council Decision, that national court has no jurisdiction to declare void the Data Protection Council Decision but it must refer the question of validity to the Court under Article 267 TFEU ​​as interpreted by the Court, if he considers the decision invalid. However, a national court can not refer the question of the validity of a Council decision Privacy request natural or legal person who was able to bring an action for annulment of that decision, especially if that decision is of direct and individual concern, but has not done so within the period provided for by Article 263 TFEU.

If a court hearing proceedings brought against Supervisory Authority Decision and has reason to believe that proceedings have been initiated for the same treatment, as for the same purpose as regards the processing of the same data controller or data processor or the same cause, before a competent court in another Member State, You should communicate with the national court to confirm the existence of a similar process. If the relevant proceedings pending before a court in another Member State, each

Official Journal of the European Union

court other than that first seised may stay proceedings or may, upon request by a party, to decline jurisdiction in favor of the court first seised, if that court has jurisdiction for this procedure and its law permits the joinder of these related procedures. Considered relevant procedures associated with each other so closely, that it is expedient be tried and judged together, to avoid the risk of irreconcilable judgments, as would happen if separate proceedings.

145. (145) For procedures within the controller or processor, the applicant should be able to choose to bring proceedings before the courts of the Member State where the controller or the processor has an establishment or in the Member State of residence of the data subject, unless the controller is a public authority of a Member State, acting in the exercise of public powers.
146. (146) Any damage sustained by a person as a result of processing in breach of this Regulation should be compensated by the controller or the processor. The controller or the processor should be exempt from liability for damages if they can show that they bear no responsibility for damage. The concept of damage should be broadly interpreted in the light of the case so as to fully take into account the objectives of this Regulation. This does not affect any claims for damages, practitioners for violating other rules of Union law or Member States. Processed in breach of this Regulation shall also include any treatment in violation of flat’ delegated and implementing acts adopted pursuant’ implementation of this Regulation and Member States' law which specifies the rules of this Regulation. Data subjects should receive full and effective compensation for the damage suffered. If controllers or processors involved in the same process, each data controller or processor should be liable for the total loss. However, when referred by public justice, under the laws of the Member States, compensation may be apportioned according to the responsibility of each data controller or processor for the damage caused by the treatment, provided that ensure full and effective compensation to the data subject who has suffered the damage. Each controller or processor paid full compensation can then take action against other controllers or processors participating in the same process.
147. (147) Should this Regulation contains specific rules on jurisdiction, particularly regarding procedures in institute court proceedings, including for compensation, by the controller or processor, The general rules on jurisdiction as laid down in Regulation (EU) No. 1215/2012 European Parliament and Council (1) should not affect the application of these special rules.
148. (148) In order to strengthen the enforcement of this Regulation, sanctions, including administrative fines, They should be applied for any breach of this Regulation, in addition to or instead of the appropriate measures required by the supervisory authority in accordance with this Regulation. In case of minor infringement or whether the fine which may be imposed would constitute a disproportionate burden in individual, could be imposed instead reprimand fine. However, they should be duly taken into account the nature, the severity and duration of the infringement, the deliberate nature of the infringement, the actions undertaken to mitigate the harm, the degree of responsibility or any other relevant previous offenses, the way in which the supervisory authority is informed of the infringement, compliance with measures against the controller or the processor, compliance with Code of Conduct and any other aggravating or mitigating circumstance. The sanctions, including administrative fines, should be subject to adequate procedural safeguards in accordance with the general principles of EU law and the Charter, symperilam CD- of effective judicial protection and due process.
149. (149) Member States should lay down the rules on penalties for infringements of this Regulation, including for breaches of national rules adopted in’ application and within the limits of this Regulation. These criminal penalties may also consist of deprivation of the benefits gained for the sake of infringements of this Regulation. However, Criminal penalties for violations of such national rules and administrative sanctions should not lead to a breach of the principle ne bis in idem, as interpreted by the Court.
150. (150) To strengthen and harmonize administrative sanctions against infringements of this Regulation, each supervisory authority should have the power to impose administrative fines. This Regulation should indicate violations, and the ceiling and the criteria for determining the relevant administrative fines, which should be determined by the competent authority in each individual case, taking into account all relevant circumstances of the situation, with due consideration especially in nature, the severity and duration of the breach and its consequences and the measures taken to

(1) regulation(EU)arith.1215 / 2012touEfropaikouKoinovoulioukaitouSymvouliou,tis12isDekemvriou2012, giatidiethnidikaiodosia, recognition and enforcement of judgments in civil and commercial matters (OJ L 351 of 20.12.2012, p. 1).

Official Journal of the European Union

ensuring compliance with the obligations arising from this Regulation and to prevent or mitigate the effects of the infringement. If the fines imposed on an undertaking, a business should mean undertaking in accordance with Articles 101 and 102 TFEU ​​for these purposes. If the fines imposed on persons who are not undertakings, the supervisor should take into account the general level of income in the Member State, and the economic situation of the person, when considering the appropriate amount of the fine. The consistency mechanism may also be used to promote a consistent enforcement of administrative fines. It should be up to Member States to decide whether and to what extent fines to public authorities may be imposed. The imposition of an administrative fine or warning does not affect the application of other powers of supervisory authorities or other sanctions under this Regulation.

In the legal systems of Denmark and Estonia are not provided for fines as defined in this Regulation. The rules relating to administrative fines can be applied so as to Denmark the fine imposed by the competent national courts as a criminal penalty in Estonia and the fine imposed by the supervisory authority in proceedings for misdemeanors, provided that such application of the rules in those Member States having equivalent effect to fines imposed by the supervisory authorities. Hence, the competent national courts must take into account the recommendation of the supervisory authority from which the fine. in any case, fines imposed should be effective, proportionate and dissuasive.

When this Regulation does not harmonize administrative sanctions or if necessary in other cases, for example in cases of serious infringements of this Regulation, Member States should implement a system of effective, proportionate and dissuasive penalties. The nature of those penalties, criminal or administrative, It should be determined by the law of the Member States.

The Member States' law should reconcile the rules governing freedom of expression and information, including journalism, university, artistic or literary expression, the right to protection of personal data under this Regulation. The processing of personal data solely for journalistic purposes or for academic purposes, artistic or literary expression should be subject to derogations or exemptions from certain provisions of this Regulation, if it is necessary to reconcile the right to protection of personal data with the right to freedom of expression and information, as enshrined in Article 11 Charter. This should be particularly true with regard to the processing of personal data in the audiovisual field and in news archives and press libraries. Therefore, Member States should adopt legislative measures to provide for the necessary exceptions and derogations for balancing these fundamental rights. Member States should introduce such exceptions and derogations on the general principles, the rights of the data subject, the controller and the processor, the transfer of personal data to third countries or international organizations, independent supervisory authorities, cooperation and coherence and specific data processing situations. Where such exemptions or exceptions differ from one Member State to another, should apply the law of the Member State in which the controller is subject. To reflect the importance of the right of freedom of expression in every democratic society, necessary be interpreted broadly the concepts relating to the said freedom, such as journalism.

This regulation allows to take into account the principle of public access to official documents in the application of this Regulation. The public access to official documents can be considered as a public interest. Personal data in documents held by a public authority or a public body should be disclosed publicly by that authority or body if disclosure provided by Union law or Member State law to which the public authority is subject or the public body. Such laws must reconcile public access to official documents and the re-use of public sector information with the right of personal data protection and may, consequently, provide the necessary reconciliation with the right to protection of personal data under this Regulation. The reference to public authorities and bodies should in this case include all authorities or other entities covered by the law of a Member State concerning public access to documents. Directive 2003/98 / EC of the European Parliament and of the Council (1) not prejudice or affect

Official Journal of the European Union

in any way the level of protection of individuals with regard to the processing of personal data under the provisions of EU law and the law of Member States and in particular does not alter the obligations and rights set out in this Regulation. particularly, this Directive should not apply to documents to which access is restricted or prohibited under the access schemes for personal data protection character, nor to parts of documents that are accessible under those arrangements and containing personal data re-use of which is provided by the law that is incompatible with the law on the protection of individuals with regard to the processing of personal data.

155. (155) At national law or collective agreements, including "labor agreements', Specific rules may be adopted for processing of personal data of workers in the employment context, in particular the conditions under which personal data in the employment context can be processed based on the consent of the employee, for recruitment purposes, execution of the employment contract, including the implementation of obligations prescribed by law or by collective agreements, management, planning and organizing work, equality and diversity in the workplace and health and safety at work, and for exercise purposes and pleasure, individually or collectively, Rights and benefits related to employment for purposes of termination of the employment relationship.
156. (156) The processing of personal data for archival purposes in the public interest, historical or scientific research or statistical purposes should be subject to appropriate safeguards for the rights and freedoms of the data subject in accordance with this Regulation. Those safeguards should ensure that the technical and organizational measures that guarantee established, particularly, the principle of data minimization. The further processing of personal data for archival purposes in the public interest, historical or scientific research or statistical purposes occurs when the controller has assessed whether it is possible to meet these objectives through data which do not permit or no longer allow identification of data subjects, provided that there are adequate safeguards (such as, for example, the psefdonymopoiisi data). Member States should provide for appropriate safeguards on the processing of personal data for archival purposes in the public interest, purposes of scientific or historical research or statistical purposes. It should allow Member States to provide, under certain circumstances and with appropriate guarantees for data subjects, requirements and exceptions regarding information requirements and the rights of correction and deletion, the right to be forgotten, may limit processing,the right to data portability and the right to object to the processing of personal data for archival purposes in the public interest, purposes of scientific or historical research or statistical purposes. Such conditions and guarantees may involve special procedures, that data subjects can exercise such rights, where appropriate for the purposes pursued by this treatment, along with technical and organizational measures designed to minimize the processing of personal data in accordance with the principles of proportionality and necessity. The processing of personal data for scientifically purposes must also comply with other relevant laws, as for clinical trials.
157. (157) Combining information from registers, researchers can gain new knowledge of great importance in terms prevalent pathologies such as cardiovascular diseases, cancer and depression. Based on records, research results can be enhanced, since they rely on a wider population base. In the social sciences, research based on registers gives researchers the opportunity to acquire essential knowledge for long-term correlation of certain social situations, such as unemployment and education with other living conditions. The research results obtained through registers provide reliable and quality knowledge which can form the basis for developing and implementing policy based on knowledge, to improve the quality of life of some people and improve the effectiveness of social services. With the aim of scientific research, personal data may be processed for purposes of scientific research, under appropriate conditions and safeguards laid down in Union law or Member State law.
158. (158) Where personal data are processed for archival purposes, this Regulation should also apply to such processing, bearing in mind that this regulation should not apply to deceased. Public authorities and public or private bodies maintain public interest files should be services which, under Union law or the law of a Member State, held a statutory obligation to acquire, to maintain, to evaluate, to classify, describe, to communicate, to promote, disseminate and provide access to a fixed value records for the general public interest. Member States should also be given the right to provide further processing of personal data for archival purposes, for example in order to provide specific information on political behavior in former authoritarian regimes, genocide, crimes against humanity, especially the Holocaust, or war crimes.

Official Journal of the European Union

Where personal data are processed for purposes of scientific research, this Regulation should apply to this treatment. For the purposes of this Regulation, the processing of personal data for purposes of scientific research should be broadly interpreted, i.e. comprising for example technological development and demonstration of, fundamental research, applied research, and privately funded research. Furthermore, should take into account the Union's target under Article 179 paragraph 1 TFEU ​​to achieve a European Research Area. In scientific research should include studies conducted in the public interest in the public health sector. To take into account the specificities of personal data for purposes of scientific research, special conditions should apply in particular as regards the publication or otherwise of personal data disclosure in the context of scientific research purposes. If the result of scientific research particularly in the health sector justifies further action in the interest of the data subject, the general rules applicable to this Regulation as regards the measures.

Where personal data processed for historical research purposes, this Regulation should also apply to such processing. Include here the historical research and research for genealogical purposes, bearing in mind that this regulation should not apply to deceased.

For the purpose of consent to participation in scientific research in clinical trials, the relevant provisions of the Regulation should apply (EU) No. 536/2014 European Parliament and Council (1).

Where personal data are processed for statistical purposes, this Regulation should apply to this treatment. Union law or Member State law should, within the limits of this Regulation, define the statistical content, access control, specifications for the processing of personal data for statistical purposes and appropriate measures to ensure the rights and freedoms of the data subject and designed to ensure statistical confidentiality. The term "statistical purposes" means any act of collection and processing of personal data necessary to carry out surveys or to produce statistical results. This statistical effect can be further used for various purposes, including for purposes of scientific research. The statistical objective implies that the result of processing for statistical purposes is not personal data, but aggregated data and that this result or that personal data is not used in support of measures or decisions regarding any particular individual.

Will confidential information collected by EU and national statistical offices should be protected for the training of official EU and national statistics. European statistics should be developed, they are developed and disseminated in accordance with the statistical principles laid down in Article 338 paragraph 2 TFEU, while national statistics should also comply with the law of the Member States. The rule (FROM) No. 223/2009 European Parliament and Council (2) It provides further diefkri niseis on statistical confidentiality on European statistics.

As regards the powers of supervisory authorities to ensure the controller or processor access personal data and access to its premises, Member States may adopt by law, within the limits of this Regulation, specific rules in order to preserve professional secrecy obligations or other equivalent secrecy obligations, to the extent necessary for the compromise of personal data protection right character with the obligation of professional secrecy. This is without prejudice to existing obligations of the Member State to adopt rules of professional secrecy, where required by EU law.

This Regulation respects and does not prejudice the status under the current constitutional law of churches and religious associations or communities in the Member States, as recognized in Article 17 TFEU.

To fulfill the objectives of this Regulation, namely the protection of fundamental rights and freedoms of individuals and, Especially, the right to protection of personal data

1. (1) regulation (EU) No. 536/2014 European Parliament and Council, of April 16 2014, Clinical trials of medicinal products for human use, and repealing Directive 2001/20 / EC (OJ L 158 of 27.5.2014, p. 1).
2. (2) regulation (FROM) No. 223/2009 European Parliament and Council, of March 11 2009, on European statistics and repealing Regulation (FROM, Euratom) No. 1101/2008 the European Parliament and of the Council on the transmission to the Statistical Office of the European Communities of data subject to statistical confidentiality, Regulation (FROM) No. 322/97 Council on Community statistics, and Decision 89/382 / EEC, Euratom establishing a Committee of the European Statistical Program (OJ L 87 of 31.3.2009, p. 164).

Official Journal of the European Union

concern, and ensuring freedom of movement in the Union personal data, will the power to adopt acts should be delegated to the Commission in accordance with Article 290 TFEU. particularly, They should be adopted in’ delegated acts concerning the criteria and requirements for certification mechanisms, the information presented in standard icons and the procedures for providing such icons. It is particularly important that the Commission carry out appropriate consultations during its preparatory work, including at expert level. The committee, when preparing and drawing in’ delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and the Council.

167. (167) In order to ensure uniform conditions of application of this Regulation should be conferred implementing powers on the Commission where provided for by this Regulation. Those powers should be exercised in accordance with Regulation (EU) No. 182/2011. In this context, the Commission should consider specific measures for micro, small and medium enterprises.
168. (168) The examination procedure should apply for the adoption of implementing acts regarding the standard contractual clauses between controllers and processors, as well as among processors; codes of conduct; technical standards and certification mechanisms; the appropriate level of protection afforded by a third country, a territory or a specific sector within that third country or an international organization; standard protection clauses; formats and procedures for the electronic exchange of information between controllers, mutual assistance and arrangements for the exchange of information by electronic means between supervisory and supervisory authorities and the Data Protection Council;.
169. (169) The Commission should adopt immediately applicable implementing acts where the available data reveals that third country, soil or specific sector in the third country or international body does not ensure an adequate level of protection and require compelling urgency.
170. (170) Since the objective of this Regulation, namely to ensure an equivalent level of protection of individuals and the free movement of personal data throughout the Union, can not be sufficiently achieved by the Member States, may however, reason of the scale or effects of the proposed action, be better achieved at Union level, the Union may adopt measures, accordance with the principle of subsidiarity, as provided for in Article 5 of the Treaty on European Union (TEU). According to the principle of proportionality, provided in that Article, this Regulation does not go beyond what is necessary to achieve that objective.
171. (171) Directive 95/46 / EC should be repealed by this Regulation. Processing already underway on the date of application of this Regulation should be harmonized with this Regulation within two years from the entry into force of this Regulation. When the processing is based on consent under Directive 95/46 / EC, it is not necessary new consent of the data subject, if the way in which consent has been obtained is in accordance with the terms of this Regulation, order the controller to continue processing after the date of application of this Regulation. The Commission's decisions and supervisors authorizations issued under Directive 95/46 / EC shall remain in force until the amendment, replace or remove them.
172. (172) We consulted the European Data Protection Supervisor under Article 28 paragraph 2 Regulation (FROM) No. 45/2001, which he delivered on 7 Of March 2012 (1).
173. (173) This Regulation should apply to all matters concerning protection of fundamental rights and freedoms with regard to the processing of personal data and which are not subject to specific obligations with the same objective, as described in Directive 2002/58 / EC of the European Parliament and of the Council (2), including obligations of the controller and the rights of individuals. To clarify the relationship between this Regulation and Directive 2002/58 / EC, that Directive should be amended accordingly. Once this Regulation is adopted, You should review the Directive 2002/58 / EC, in particular to ensure its consistency with this Regulation,

HAVE ADOPTED THIS REGULATION:

Official Journal of the European Union

CHAPTER I

General provisions

Article 1

Purpose and Objectives

4.5.2016

THE

1. This Regulation establishes rules concerning the protection of individuals with regard to the processing of personal data and rules on the free movement of personal data.

2. This Regulation protects the fundamental rights and freedoms of natural persons and particularly their right to protection of personal data.

3. The free movement of personal data within the Union is not limited nor prohibited for reasons connected with the protection of individuals with regard to the processing of personal data.

Article 2

Substantive scope

1. This Regulation applies to, wholly or partly, automated processing of personal data, and the manual processing of such data included or to be included in a filing system.

2. a) b)

c) d)

This Regulation shall not apply to the processing of personal data: under activity which falls outside the scope of Union law,

Member States when carrying out activities which fall within the scope of capital 2 Title V TEU,

natural person in the course of a purely personal or household activity,

by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal sanctions, including protection and prevention against risks to public safety.

3.
Union, the Regulation applies (FROM) No. 45/2001. The rule (EC) No. 45/2001 and other legal acts of the Union applicable to such processing of personal data are adjusted to the principles and rules of this Regulation in accordance with Article 98.

4. This Regulation shall not prejudice the application of Directive 2000/31 / EC, particularly the rules on the liability of intermediary service providers laid down in Articles 12 until 15 of that Directive.

Article 3

Territorial scope

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing is performed within the Union.

For the processing of personal data by the institutions, bodies, departments and agencies

4.5.2016 Official Journal of the European Union L 119/33

THE

2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor is not established in the Union, if the processing activities related to:

a) the supply of goods or services in these subjects in the Union database, whether payment is required by data subjects, or

b) monitoring their behavior, to the extent that this behavior takes place within the Union.

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where the law of the Member State applies by virtue of public international law.

Article 4

definitions

1. 1) "Personal data": any information relating to an identified or identifiable natural person ('Data subject')· The identifiable natural person is the one whose identity can be verified, directly or indirectly, in particular by reference to ID authentication element, such as name, number identity, in location data, an online identifier or to one or more factors specific to physical, normal, genetic, psychological, economic, cultural or social identity of that individual,
2. 2) "processing": any act or series of acts performed by or without automatic means, personal data or personal data sets character, such as collection, registration, the organization, structure, save, adaptation or variation, recovery, search information, the use, disclosure by transmission, dissemination or otherwise making available, correlation or combination, restriction, erasure or destruction,
3. 3) 'Restriction of processing': the marking of stored personal data with the aim of limiting their processing in future,
4. 4) 'Profiling': any form of personal data automatic processing that involves the use of personal data for the evaluation of certain personal aspects of an individual, especially for analyzing or predicting aspects related to work performance, the economic situation, health, personal preferences, interests, the reliability, the behaviour, the position or movements of the natural person,
5. 5) "Psefdonymopoiisi": the processing of personal data so that the data can no longer be attributed to an identified data subject without the use of supplementary information, where such additional information is maintained separately and subject to technical and organizational measures to ensure that they can not be attributed to an identified or identifiable natural person,
6. 6) "Filing system": any structured set of personal data which is accessible by specific criteria, either centralized, decentralized or dispersed on a functional or geographical basis,
7. 7) "Controller": the natural or legal person, public authority, agency or other entity, alone or jointly with others, the purposes and manner of processing personal data; where the purposes and manner of such processing are determined by Union or Member State law, the controller or the specific criteria for his appointment may be provided by Union law or the law of a Member State,
8. 8) "Processor": the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller,
9. 9) "addressee": the natural or legal person, public authority, agency or other entity, which disclosed the personal data, whether or not third. However, the public authorities may take

For the purposes of this Regulation::

L 119/34

Official Journal of the European Union 4.5.2016

10)

11)

12)

13)

14)

15)

16)

personal data in the context of a specific investigation under Union or Member State law shall not be considered as recipients; the processing of such data by such public authorities shall be,

"third": any natural or legal person, Public authority, department or agency, excluding the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, They are authorized to process personal data,

"Consent" of the data subject: every indication of intent, free, specific, explicit and informed, by which the data subject expresses his agreement, a statement or a clear positive energy, be processed personal data relating,

"Personal data breach": a breach of security leading to the accidental or unlawful destruction, loss, change, unauthorized disclosure or access to personal data which were transmitted, stored or subjected flat’ otherwise processed,

"Genetic data": personal data relating to individual genetic characteristics inherited or acquired, as they appear, Especially, of biological sample analysis of the individual and which provide unique information about the physiology or health of that individual,

"Biometrics": personal data which arise from special processing technique associated with natural, biological or behavioral characteristics of a person and which permit or confirm the unequivocal identification of said individual, such as facial images, or finger purpose data,

'Data concerning health': personal data relating to physical or mental health of an individual, including health care services, and which reveal information about the state of health,

"Main establishment":

1. a) when it comes to controller with sites in more than one Member State, the place of central administration of the Union, unless decisions regarding the purposes and means of processing personal data obtained in another establishment of the controller in the Union and the facility has the authority to enforce those decisions, so as the main installation is considered the installation that took those decisions,
2. b) when it comes to the processor with sites in more than one Member State, the place of central administration of the Union or, if the processor has no central administration in the Union, installing a processor in the Union which carried the main processing activities within the installation activities of the processor, in so far as the processor is subject to specific requirements under this Regulation,

"representative": natural or legal person established within the Union, defined in writing by the controller or the processor pursuant to Article 27 and represents the controller or the processor as to their respective obligations under this Regulation,

"business": natural or legal person pursuing an economic activity, regardless of its legal form, including partnerships or associations regularly engaged in economic activity,

"business group": a controlling undertaking and its controlled undertakings that,

"Binding corporate rules": the data protection policies of personal character which follows a data controller or processor established in a Member State for transfers or set of transfers of personal data to a controller or processor to one or more third countries within a group of companies, or group of companies engaged in joint economic activity,

17)

18)

19) 20)

21)

"supervising Authority": independent public entity set up by Member States in accordance with Article 51,

THE

4.5.2016 Official Journal of the European Union L 119/35

22. 22) "Supervisory authority": supervisory authority concerning the processing of personal data, because:
    1. a) the controller or processor is established in the territory of the Member State of that supervisory authority,
    2. b) the data subjects residing in the Member State of that supervisory authority are or may be substantially affected by working or
    3. c) It has submitted a complaint to the supervisory authority,
23. 23) "Cross processing":
    1. a) the processing of personal data which is in the activities of various establishments in more than one Member State controller or a processor in the Union where the controller or the processor is established in several Member States or
    2. b) the processing of personal data which is in the activities of a single installation controller or a processor in the Union but which affects or may materially affect the data subjects in several Member States,
24. 24) "Relevant and reasoned objection": protest a draft decision regarding the existence of infringements of this Regulation, or for compliance with this Regulation the proposed action in relation to the controller or the processor, which clearly demonstrates the importance of the risks posed by the draft decision as regards fundamental rights and freedoms of data subjects and, where appropriate, the free movement of personal data within the Union,
25. 25) "Service of the information society": service within the meaning of Article 1 paragraph 1 b) of the instruction (EU) 2015/1535 European Parliament and Council (1),
26. 26) "International Organisation": organization and their subordinate that bodies governed by public international law or other body established by, or on the basis of an agreement between two or more countries.

    CHAPTER II

    authorities

    Article 5

    Principles governing the processing of personal data

1. Personal data:

1. a) subjected to fairly and lawfully in a transparent manner with respect to data subject ("legality, objectivity and transparency "),
2. b) collected for specified, explicit and lawful purposes and shall not be further processed in a manner incompatible with those purposes; 89 paragraph 1 ('Purpose limitation'),
3. c) suitable, related and limited to what is necessary for the purpose for which they are treated ('Data minimization'),
4. d) is accurate and, when necessary, all reasonable steps must be taken to promptly delete or correct personal data which is inaccurate;, in relation to the processing purposes ("accuracy"),

(1) Directive (EU) 2015/1535 European Parliament and Council, 9 September 2015, for the provision of information in the field of technical regulations and rules on services of the information society (OJ L 241 of 17.9.2015, p. 1).

THE

L 119/36 e)

f)

Official Journal of the European Union 4.5.2016

are kept in a format that allows the data subjects to be identified only for the period required for the purposes of processing the personal data; the personal data may be stored for longer periods of time;, if personal data will be processed only for archival purposes in the public interest, for purposes of scientific or historical research or statistical purposes, according to the article 89 paragraph 1 and if appropriate applied technical and organizational measures required by this Regulation to ensure the rights and freedoms of the data subject ("Limitation of the storage period '),

processed in a way that ensures proper security of personal data, including their protection against unauthorized or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organizational measures ("Integrity and confidentiality ').

The Controller is responsible and able to demonstrate compliance with paragraph 1

Article 6

Lawfulness of processing

2. ("Accountability").

THE

1. The processing is lawful only if and where applicable at least one of the following conditions:

1. a) the data subject has consented to the processing of personal data for a specific purpose or purposes,
2. b) processing is necessary for the execution of a contract to which the data subject is party or in order to take measures in’ request of the data subject prior to contract,
3. c) processing is necessary for compliance with a legal obligation of the controller,
4. d) processing is necessary to protect the vital interests of the data subject or another individual,
5. e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,

f) processing is necessary for the purposes of legitimate interests pursued by the controller or third, unless against those interests prevail over the interests or fundamental rights and freedoms of the data subject which require protection of personal data, especially if the data subject is a child.

The component f) The first subparagraph shall not apply to the processing carried out by public authorities in the performance of their duties.

2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation concerning the treatment to comply with paragraph 1 data c) and e), defining more precisely the specific requirements for treatment and other measures to ensure lawful and fair processing, including for other special treatment cases as provided for in Chapter IX.

3. The basis for the processing referred to in paragraph 1 data c) and e) is defined according to: a) Union law, or
b) the law of the Member State in which the controller is subject.

The purpose of processing is defined in this legal basis or, regarding the treatment referred to in paragraph 1 point e), It is the necessity of processing for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This legal basis may include special provisions to adapt the application of the rules of this Regulation, including: the general conditions governing lawful processing by the controller;

4.5.2016 Official Journal of the European Union L 119/37

THE

data subjects; the data subjects concerned; the entities to which the personal data and the purposes of such disclosure may be disclosed; the limitation of the purpose; the storage periods; and the processing operations and processing, including measures to ensure lawful and fair processing, such as those for processing other special cases as provided for in Chapter IX. Union law or Member State law responds to the aim of public interest and is proportionate to the legitimate aim pursued.

4. When the processing for a purpose other than that for which it was collected personal data is not based on the consent of the data subject or of Union law or the law of a Member State which is a necessary and proportionate measure within a democratic society to safeguard purposes referred to in Article 23 paragraph 1, the controller, in order to determine whether the processing for another purpose is compatible with the purpose for which it was originally collected personal data, take into account, including:

1. a) any link between the purposes for which the personal data and the aims of the intended further processing collected,
2. b) the context in which personal data collected, in particular as regards the relationship between the data subject and the controller,
3. c) the nature of the personal data, especially for special categories of personal data processed, according to the article 9, or whether personal data relating to criminal convictions and offenses processed, according to the article 10,
4. d) the potential consequences of the intended further processing of the data subjects,
5. e) the existence of adequate safeguards, which may include encryption or psefdonymopoiisi.

   Article 7

   Conditions for approval

1. When the processing is based on consent, the controller is able to prove that the data subject has consented to the processing of personal data.

2. If the consent of the data subject is provided in a written declaration which also concerns other issues, the request for consent shall be submitted in a manner that is clearly distinct from other subjects, a understood and readily accessible form, using clear and simple wording. Each section of this statement which violates this regulation is not binding.

3. The data subject has the right to withdraw consent at any time. The withdrawal of consent shall not affect the lawfulness of the processing based on consent before its revocation. Before providing consent, the data subject shall be informed. The withdrawal of consent is as easy as providing the.

4. In assessing whether the consent is given freely, particular take into account whether, including, for a contract, including the provision of a service, made conditional consent to the processing of personal data is not necessary for the execution of this contract.

Article 8

Conditions applicable to the child's consent in relation to the services of the information society

1. Where Article applies 6 paragraph 1 point a), in relation to the provision of services of the information society in child online, the processing of personal data the child is legitimate if the child is at least 16 years. If the child is under the age of 16 years, the processing is lawful only if and to the extent such consent is provided or approved by the person who has custody of the child.

Member States may provide by law minimum age for such purposes, provided that said earlier age is not below 13 years.

L 119/38 Official Journal of the European Union 4.5.2016

THE

2. The controller shall make reasonable efforts to verify these cases that the consent provided or approved by the person who has custody of the child, taking into account the available technology.

3. paragraph 1 It does not affect the general contract law of Member States, such as the rules on entry, training or consequences of a contract in relation to child.

Article 9

Processing of special categories of personal data

1. The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the unambiguous identification person, data concerning health or data relating to individual sexual life or sexual orientation.

2. paragraph 1 not apply to the following:

1. a) the data subject has given explicit consent to the processing of such personal data for one or more specific purposes, except where Union law or Member State provide that the prohibition referred to in paragraph 1 It can not be lifted by the data subject,
2. b) processing is necessary for the performance of obligations and exercise of certain rights of the controller or the data subject in the area of ​​labor law and social security law and social protection, if allowed by Union law or Member State or by a collective agreement in accordance with national law providing appropriate safeguards for fundamental rights and interests of the data subject,
3. c) processing is necessary for protection of vital interest of the data subject or another individual, if the data subject is physically or legally incapable of consent,
4. d) processing carried, with appropriate safeguards, under the legal foundation activities, organization or other non-profit body with political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or former members of the organization or persons who have regular contact with it in connection with its purposes and that the personal data is not shared outside of this body without the consent of the data subjects,
5. e) the processing relates to personal data which are manifestly made public by the data subject,

f) processing is necessary for the foundation, training or support legal claims or when the courts acting in their judicial capacity,

6. g) processing is necessary for reasons of substantial public interest, by Union law or Member State, which is proportionate to the objective pursued, preserves the content of the right to data protection and provides for appropriate specific measures to safeguard the fundamental rights and interests of the data subject,
7. or) processing is necessary for the purposes of preventive or occupational medicine, assessment of working capacity of the employee, medical diagnosis, providing health or social care or treatment or the management of health and social systems and services under EU law or national law or under contract with professional health and subject to the conditions and guarantees referred to in paragraph 3,
8. i) processing is necessary for the public interest in the public health sector, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and medicines or medical devices, by Union law or Member State law, which provides for appropriate specific measures to protect the rights and freedoms of the data subject, in particular professional secrecy, or

4.5.2016 j)

Official Journal of the European Union L 119/39

processing is necessary for archiving purposes in the public interest, for purposes of scientific or historical research or for statistical purposes in accordance with Article 89 paragraph 1 entitled under Union or Member State, which are proportionate to the aim pursued, respect the essence of the right to data protection and provide for appropriate and specific measures to safeguard fundamental rights and interests of the data subject.

THE

3.
purposes of paragraph 2 point h), where those data are processed by or under the responsibility of professional subject to the obligation of professional secrecy under Union law or Member State or under rules established by national competent bodies or by another person who also has an obligation of confidentiality by Union law or Member State or under rules established by national competent bodies.

4. Member States may maintain or introduce further conditions, including restrictions, regarding the processing of genetic data, biometric data or data concerning health.

Article 10

Processing of personal data relating to criminal convictions and offenses

The processing of personal data relating to criminal convictions and offenses or related security measures based on Article 6 paragraph 1 carried out only under the control of official authority, or if the process is allowed by Union law or Member State law which provides adequate safeguards for the rights and freedoms of data subjects. Full criminal record kept only under official control authority.

Article 11

Treatment which does not require identification

1. If the purposes for which the controller processes personal data shall not require or no longer require the identification of the data subject by the controller, the controller is not required to maintain, to acquire and process additional information for verification of the data subject's identity solely for the purpose of compliance with this Regulation.

2. When, in the cases referred to in paragraph 1 of this Article, the controller can show that he is unable to verify the identity of the data subject, the controller shall inform the data subject, if it is possible. In such cases, the articles 15 as 20 not applicable, unless the data subject, for the purpose of the exercise of its rights under these Articles, provide supplementary information allowing verification of identity.

CHAPTER III

Rights of the data subject

Part 1

Transparency and settings

Article 12

transparent information, communication and arrangements for exercising the data subject's rights

1. The controller shall take appropriate measures to provide the data subject with any information referred to in Articles 13 and 14 and any communication under Articles 15 until 22 and Article 34 about editing in brief, transparent, understood and readily accessible form, using clear and simple wording, especially for information specifically aimed at children. The information provided in writing or by other means, including, where appropriate, electronically. When requested by the data subject, the information can be given orally, provided that the identity of the data subject is proven by other means.

Personal data referred to in paragraph 1 can be processed for

L 119/40 Official Journal of the European Union 4.5.2016

THE

2. The controller facilitates the exercise of data subjects' rights set out in Articles 15 until 22. In the cases provided for in Article 11 paragraph 2, the controller does not refuse to act on a request of the data subject to exercise his rights under Articles 15 until 22, unless the controller proves that he is not able to verify the identity of the data subject.

3. The controller provides the data subject about the action performed on request under Articles 15 until 22 without delay and in any event within one month of receipt of the request. This period may be extended by another two months, if necessary, taking into account the complexity of the request and the number of requests. The controller shall inform the data subject of such extension within one month of receipt of the request, as well as reasons for the delay. If the data subject making the request by electronic means, update is, if it is possible, electronically, unless the data subject requests otherwise.

4. If the controller does not act on the request of the data subject, the controller shall inform the data subject, without delay and at the latest within one month of receipt of the request, the reasons why it has not acted and the possibility of complaint to a supervisor and exercise judicial review.

5. The information provided in accordance with Articles 13 and 14 and any communication and any action taken in accordance with Articles 15 until 22 and Article 34 free of charge. If requests of the data subject is manifestly unfounded or too, in particular because of their repetitive nature, the controller may either:

a) to impose the payment of a reasonable fee, taking into account administrative costs for the provision of information or communication or perform the requested action, or

b) refuse to follow up the request.

The controller has the burden of proving the manifestly unfounded or excessive character of the request.

6. Notwithstanding Article 11, when the Controller has reasonable doubt about the identity of the person making the request referred to in Articles 15 until 21, the controller may require the provision of additional information necessary to confirm the data subject's identity.

7. The information to be provided to the data subjects in accordance with Articles 13 and 14 They can be provided in conjunction with standardized icons to be placed prominently, understandable and legible way a substantial overview of the intended processing. If the icons are available electronically, is machine-readable.

8. The Commission is empowered to adopt delegated’ delegated acts in accordance with Article 92 determining the information to be presented with icons and procedures for the provision of standard icons.

Part 2

Information and access to personal data

Article 13

Information provided if the personal data collected from the data subject

1. Where personal data relating to a data subject are collected from the data subject, the controller, when receiving personal data, provide the data subject of the following information:

1. a) the identity and contact details of the controller and, where appropriate, the representative of the controller,
2. b) contact details of the data protection officer, where appropriate,
3. c) purposes of the processing for which they are personal data, and the legal basis for processing,

4.5.2016 d)

e) f)

Official Journal of the European Union L 119/41

where the processing is based on Article 6 paragraph 1 f), the legitimate interests pursued by the controller or by a third,

the recipients or categories of recipients of personal data, if they exist,

where appropriate, the intention of the controller to transfer personal data to a third country or international organization and the existence or absence of a Commission decision adequacy or, when it comes to the information referred to in Article 46 or 47 or Article 49 paragraph 1 second subparagraph, reference to appropriate or appropriate safeguards and means to obtain a copy or where available.

THE

2.
personal data, provide the data subject with the following additional information is necessary to ensure fair and transparent treatment:

In addition to the information referred to in paragraph 1, the controller, when taking

1. a) the period for which it will store the personal data or, when this is impossible, criteria defining this period,
2. b) the entitlement request to the controller for access to and correction or erasure of personal data or restriction of processing concerning the data subject or right to object to the processing, and the right to data portability,
3. c) where the processing is based on Article 6 paragraph 1 point a) or Article 9 paragraph 2 point a), the existence of the right to withdraw consent at any time, without undermining the legitimacy of the processing based on consent before its withdrawal,
4. d) the right to complain to a supervisor,
5. e) whether the provision of personal data is a legal or contractual obligation or requirement for contracting, and whether the data subject is obliged to provide personal data and what possible consequences would be the failure to provide such data,

f) the existence of an automated decision-making, including training profile, referred to in Article 22 paragraphs 1 and 4 and, at least in those cases, important information concerning the logic followed, and the importance and foreseeable consequences of such processing for the data subject.

3. When the controller intends to process the personal data for any purpose other than that for which the personal data collected, the controller provides the data subject, prior to said further processing, information for that purpose and any other necessary information, as mentioned in paragraph 2.

4. paragraphs 1, 2 and 3 not applicable, when and where the data subject already has the information,

Article 14

Information provided if the personal data are not collected from the data subject

1. Where personal data are not collected from the data subject, the controller provides the data subject with the following information:

1. a) the identity and contact details of the controller and, where appropriate, the representative of the controller,
2. b) contact details of the data protection officer, where appropriate,
3. c) purposes of the processing for which they are personal data, and the legal basis for processing,
4. d) the categories of personal data,
5. e) the recipients or categories of recipients of personal data, possibly,

L 119/42 Official Journal of the European Union 4.5.2016

THE

f) where appropriate, that the controller intends to transmit personal data to a recipient in a third country or international organization and the existence or absence of a Commission decision adequacy or, when it comes to the information referred to in Article 46 or 47 or Article 49 paragraph 1 second subparagraph, reference to appropriate or appropriate safeguards and means to obtain a copy or where available.

2. In addition to the information referred to in paragraph 1, the controller provides the data subject with the following information necessary to ensure fair and transparent process concerning the data subject:

1. a) the period for which it will store the personal data or, when this is impossible, the criteria determining this time,
2. b) where the processing is based on Article 6 paragraph 1 f), the legitimate interests pursued by the controller or by a third,
3. c) the entitlement request to the controller for access to and correction or erasure of personal data or restriction of processing concerning the data subject and the right to object to the processing, and the right to data portability,
4. d) where the processing is based on Article 6 paragraph 1 point a) or Article 9 paragraph 2 point a), the existence of the right to withdraw consent at any time, without undermining the legitimacy of the processing based on consent before its withdrawal,
5. e) the right to complain to a supervisor,

f) the source from which the personal data and, it depends on the situation, if the data came from sources available to the public,

g) the existence of an automated decision-making, including training profile, provided for in Article 22 paragraphs 1 and 4 and, at least in those cases, important information concerning the logic followed, and the importance and foreseeable consequences of such processing for the data subject.

3. The controller provides the information referred to in paragraphs 1 and 2:

1. a) within a reasonable period after the collection of personal data, but no later than one month, taking into account the specific circumstances in which personal data are processed,
2. b) if personal data will be used for communication with the data subject, no later than the first contact with that data subject, or
3. c) if required disclosure to another recipient, at the latest when the personal data are disclosed for the first time.

4. When the controller intends to process the personal data for a purpose other than that for which the personal data collected, the data controller should provide the data subject, prior to said further processing, information for that purpose and any other necessary information, as mentioned in paragraph 2.

5. paragraphs 1 until 4 shall not apply if and when:

1. a) the data subject already has the information,
2. b) the provision of such information proves impossible or would involve disproportionate effort, in particular as regards processing for archiving purposes in the public interest, for purposes of scientific or historical research or statistical purposes, under the conditions and guarantees referred to in Article 89 paragraph 1 or if the obligation referred to in paragraph 1 This article is likely to make it impossible or greatly damage the achievement of the purposes of the processing. In such cases, the controller shall take appropriate measures to protect the rights and freedoms and legitimate interests of the data subject, including making the information available to the public,
3. c) acquisition or disclosure is expressly provided for by the law of the Union or of the Member State in which the controller is subject and which provides appropriate measures to protect legitimate interests of the data subject or
4. d) if personal data must remain confidential under professional secrecy obligation is governed by the law of the Union or a Member State, including from the obligation of confidentiality law.

4.5.2016 Official Journal of the European Union L 119/43

THE

Article 15

Right of access of the data subject

1. The data subject has the right to obtain from the Controller confirmation as to whether or not personal data concerning him are processed and, if this happens, the right of access to personal data and information on these:

1. a) purposes of the processing,
2. b) the categories of personal data,
3. c) the recipients or categories of recipients to whom disclosed or to be disclosed personal data, in particular the recipients in third countries or international organizations,
4. d) if it is possible, the period for which it will store the personal data or, when this is impossible, criteria defining this period,
5. e) the entitlement request to the controller for data correction or deletion of personal data or restriction of processing of personal data concerning the data subject or the right to object to such processing,

f) the right to complain to a supervisor,

6. g) when the personal data are not collected from the data subject, any available information about their origins,
7. or) the existence of an automated decision-making, including training profile, provided for in Article 22 paragraphs 1 and 4 and, at least in those cases, important information concerning the logic followed, and the importance and foreseeable consequences of such processing for the data subject.

2. Where personal data are transferred to a third country or international organization, the data subject has the right to obtain adequate safeguards in accordance with Article 46 on transfer.

3. The controller shall provide a copy of personal data processed. For additional copies may be obtained from the data subject, the controller may require the payment of a reasonable fee for administrative costs. If the data subject making the request electronically and unless the data subject requests otherwise, update is provided in electronic format commonly used.

4. The right to obtain a copy referred to in paragraph 3 not adversely affect the rights and freedoms of others.

Part 3

Correction and deletion

Article 16

right of rectification

The data subject has the right to demand from the controller without undue delay rectify inaccurate personal data concerning him. Having regard to the purposes of the processing, the data subject has the right to require the completion of incomplete personal data, including through supplementary declaration.

Article 17

right of erasure ("Right to oblivion")

1. The data subject has the right to request from the controller the erasure of personal data concerning him or her without undue delay and the controller is obliged to delete personal data without undue delay, if applicable one of the following reasons:

a) personal data is no longer necessary in relation to the purposes for which it was collected or received by’ otherwise processed,

L 119/44 b)

c)

d) e)

f)

Official Journal of the European Union 4.5.2016

the data subject withdraws consent on which the processing is based according to Article 6 paragraph 1 point a) or Article 9 paragraph 2 point a) and there is no legal basis for processing,

the data subject objects to the processing in accordance with Article 21 paragraph 1 and there are compelling and legitimate grounds for processing or the data subject objects to the processing in accordance with Article 21 paragraph 2,

personal data processed illegally,

personal data must be erased, order to comply with a legal obligation under Union law or Member State law, in which the controller is subject,

personal data collected in connection with the provision of services of the information society as referred to in Article 8 paragraph 1.

THE

2.
section 1 erase personal data, the controller, given the available technology and the cost of implementation, take reasonable measures, including technical measures, to inform controllers who process personal data, that the data subject requested deletion of these controllers any links with these data or copies or reproductions of such personal data.

3. a) b)

c) d)

e)

paragraphs 1 and 2 not apply to the extent that the processing is necessary:

for exercising the right to freedom of expression and right to information,

for compliance with a legal obligation imposed by the treatment under European Union law or Member State law to which the controller is subject, or to fulfill a task carried out in the public interest or in the exercise of official authority vested in the controller,

public interest in the public health sector in accordance with Article 9 paragraph 2 the elements) and i), and Article 9 paragraph 3,

for archival purposes in the public interest, for purposes of scientific or historical research or for statistical purposes in accordance with Article 89 paragraph 1, if the right referred to in paragraph 1 It is likely to make it impossible or greatly hinder the intended purpose of the processing, or

for the foundation, training or support legal claims.

Article 18

Right restriction processing

When the controller has to disclose personal data and is bound by

1.
processing, when one of the following:

The data subject is entitled to obtain from the controller limitation of

1. a) the accuracy of personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of personal data,
2. b) the processing is unlawful and the data subject opposes the deletion of personal data and calls, instead’ this, limiting their use,
3. c) the controller no longer needs the personal data for purposes of the processing, but the data required by the data subject for the foundation, exercise or support legal claims,
4. d) the data subject objects to the processing in accordance with Article 21 paragraph 1, pending verification of whether the legal grounds of the controller override the grounds of the data subject.

2. When the processing has been limited in accordance with paragraph 1, these personal data, outside the storage, They are processed only with the consent of the data subject or on the basis, training or support legal claims or to protect the rights of another natural or legal person, or for reasons of overriding public interest of the Union or a Member State.

4.5.2016 Official Journal of the European Union L 119/45

THE

3. The data subject who has secured the processing restriction in accordance with paragraph 1 informed by the controller before lifting the restriction processing.

Article 19

disclosure obligation regarding the correction or deletion of personal data or restriction of processing

The controller shall communicate any rectification or erasure of personal data or restriction of processing data carried out pursuant to Article 16, the article 17 paragraph 1 and Article 18 to each recipient to whom personal data are disclosed, unless this proves impossible or would involve a disproportionate effort. The controller shall inform the data subject on those recipients, upon request by the data subject.

Article 20

Right to data portability

1. The data subject has the right to obtain the personal data concerning him, and which has provided a controller, a structured, commonly used and readable format machines, and the right to transmit such data to another controller without objection from the controller to which the personal data provided, when:

a) processing based on consent under Article 6 paragraph 1 point a) or Article 9 paragraph 2 point a) or contract in accordance with Article 6 paragraph 1 b) and

b) The processing carried out by automated means.

2. In the exercise of the right to data portability under paragraph 1, the data subject has the right to ask for the direct transmission of personal data from one controller to another, if this is technically feasible.

3. The right referred to in paragraph 1 of this Article shall be exercised subject to Article 17. This right does not apply to the processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

4. The right referred to in paragraph 1 not adversely affect the rights and freedoms of others. Part 4

Right opposition and automated individual decisions

Article 21

right of opposition

1. The data subject is entitled to object, at any time and for its specific situation related reasons, the processing of personal data concerning him, which is based on Article 6 paragraph 1 point e) or f), including the profiles training under those provisions. The controller no longer submit personal data processed, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, the rights and freedoms of the data subject or on the basis, training or support legal claims.

2. If personal data are processed for direct marketing purposes, the data subject is entitled to object at any time to the processing of personal data concerning him for that marketing, including training profile, if it relates to direct marketing.

3. When data subjects object to processing for direct marketing purposes, personal data no longer processed for these purposes.

L 119/46 Official Journal of the European Union 4.5.2016

THE

4. The latest on the first contact with the data subject, the right referred to in paragraphs 1 and 2 clearly indicated to the data subject and is described clearly and separately from any other information.

5. As part of the service user of the information society, and without prejudice to Directive 2002/58 / EC, the data subject may exercise his right to object to automated instruments that use specifications.

6. Where personal data processed for scientific or historical research or statistical purposes under Article 89 paragraph 1, the data subject is entitled to oppose, for its specific situation related reasons, the processing of personal data relating to him, unless the processing is necessary for the performance of tasks is exercised in the public interest.

Article 22

Automated individual decisions, including training profile

1. The data subject has the right not to be subject to a decision taken solely on automation topoiimenis processing, including training profile, which produces legal effects concerning him or significantly affects a similar way.

2. a)

b)

c)

paragraph 1 not apply where the decision:

necessary for the conclusion or performance of a contract between the data subject and the data controller,

allowed by Union law or the law of the Member State where the controller is subject and which also provides for appropriate measures to protect the rights, freedoms and legitimate interests of the data subject or

based on the explicit consent of the data subject.

3.
implement appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, at least the right to human intervention assurance on the part of the controller, view expression and challenge Decision.

4. The decisions referred to in paragraph 2 not based on specific categories of personal data referred to in Article 9 paragraph 1, unless Article applies 9 paragraph 2 point a) or g) and whether there are adequate measures to protect the rights, freedoms and legitimate interests of the data subject.

Part 5

limitations

Article 23

limitations

1. Union law or Member State which governs the controller or the processor of data may restrict by a legislative measure the scope of the obligations and rights provided for in Articles 12 until 22 and Article 34, and Article 5, if its provisions are the rights and obligations provided for in Articles 12 until 22, when such a restriction preserves the content of fundamental rights and freedoms and is a necessary and proportionate measure within a democratic society to ensure:

1. a) State security,
2. b) defense,
3. c) public safety,

In the cases referred to in paragraph 2 evidence a) and G), the data controller

4.5.2016 Official Journal of the European Union L 119/47

THE

4. d) prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal sanctions, including protection against threats to public security and the prevention of these,
5. e) other important objectives of general public interest of the Union or a Member State, in particular an important economic or financial interest of the Union or a Member State, including monetary, public legal and tax issues, public health and social security,

f) the protection of judicial independence and judicial proceedings,

6. g) prevention, investigation, detection and prosecution of ethics violations in regulated professions,
7. or) tracking, inspection or regulatory task connected, even occasionally, with the exercise of official authority in cases referred to in points) to e) and g),
8. i) the protection of the data subject or the rights and freedoms of others,
9. j) the execution of civil claims.

2. particularly, any legislative measure referred to in paragraph 1 contain specific provisions at least, it depends on the situation, concerning:

1. a) purposes of the processing or treatment categories,
2. b) the categories of personal data,
3. c) the scope of the restrictions imposed,
4. d) safeguards to prevent misuse or unauthorized access or transmission,
5. e) specification of the controller or the categories of controllers,

f) storage periods and applicable guarantees, taking into account the nature, the scope and purposes of the processing or treatment categories,

6. g) risks to the rights and freedoms of data subjects and
7. or) the right of data subjects to be informed of the restriction, unless this can be detrimental for the purposes of limitation.

   CHAPTER IV

   Controller and processor

   Part 1

   general obligations

   Article 24

   Responsibility of the controller

1. Given the nature, the scope, the context and purpose of the processing, and the likelihood of different risks and the seriousness of the rights and freedoms of individuals, the controller shall implement appropriate technical and organizational measures to ensure and be able to prove that the treatment carried out pursuant to this Regulation. These measures are reviewed and epikai AYS when necessary.

2. When justified in relation to processing operations, the measures referred to in paragraph 1 They include the implementation of appropriate policies for the protection of data from the controller.

3. Compliance approved codes of conduct referred to in Article 40 or an approved accreditation scheme as referred to in Article 42 It may be used as evidence to prove compliance with the obligations of the controller.

L 119/48 Official Journal of the European Union 4.5.2016

Article 25

Data protection already designing and default

1. Considering the latest developments, implementation costs and nature, the scope, the context and purpose of the processing, and the likelihood of different risks and the seriousness of the rights and freedoms of individuals from treatment, the controller shall implement effectively, both at the time of setting processing means and at the time of treatment, appropriate technical and organizational measures, like psefdonymopoiisi, designed to implement data protection principles, such as data minimization, and incorporate appropriate guarantees in processing so as to meet the requirements of this Regulation and to protect the rights of data subjects.

2. The controller shall implement appropriate technical and organizational measures to ensure that, by definition, only processed personal data necessary for the specific purposes of the processing. This requirement applies to the extent of personal data collected, the degree of processing, the period of storage and accessibility. particularly, these measures ensure that, by definition, personal data become inaccessible without the intervention of an individual to an indefinite number of individuals.

3. Approved certification mechanism pursuant to Article 42 It can be used as evidence of compliance with the requirements set out in paragraphs 1 and 2 of this Article.

Article 26

Together controllers

1. If two or more controllers together determine the purposes and means of processing, are joint controllers. They define in a transparent manner their respective responsibilities for compliance with obligations arising from this Regulation, in particular regarding the exercise of the data subject's rights and their corresponding duties to provide the information referred to in Articles 13 and 14, by agreement between them, unless and to the extent that the respective responsibilities of the controllers are determined by Union law or Member State law governing the controllers. The Agreement may be referred to a contact point for data subjects.

2. The agreement referred to in paragraph 1 properly reflects their respective roles and relationships of joint controllers over the data subjects. The essence of the agreement is available to the data subject.

3. Regardless of the terms of the agreement referred to in paragraph 1, the data subject may exercise his rights under this Regulation and over in each of the controllers.

Article 27

Representatives of controllers or processors not established in Compound

1. In cases where Article 3 paragraph 2, the controller or the processor shall designate a representative in writing to the Union.

2. a)

The obligation laid down in paragraph 1 This Article shall not apply to:

treatment which is casual, it does not include, largely, processing of special categories of data under Article 9 paragraph 1 or processing of personal data relating to criminal convictions and offenses referred to in Article 10 and not likely to cause danger to the rights and freedoms of individuals, taking into account the nature, the frame, the scope and purposes of the processing, or

b)

public authority or body.

THE

4.5.2016 Official Journal of the European Union L 119/49

THE

3. The representative is established in one of the Member States and are the data subjects, whose personal data are processed in connection with offering goods or services to them or whose behavior is monitored.

4. The representative receives instruction from the controller or the processor to turn to him supervisors and data subjects, additionally or instead of the controller or the processor, on all issues related to treatment, to ensure compliance with this Regulation.

5. The representative is appointed by the controller or the processor shall not affect the applications that can be exercised against the same of the controller or the processor.

Article 28

Processor

1. When processing is carried out for the account controller, the controller uses only processors that provide sufficient assurances to implement appropriate technical and organizational measures, so that the process meets the requirements of this Regulation and diasfa lizetai the protection of the data subject's rights.

2. The processor does not recruit another processor without any general or special written permission of the controller. In the case of written authorization, the processor shall inform the data controller of any intended changes concerning the addition or substitution of other processors, providing in this way enables the controller to oppose these changes.

3. The processing by the processor be governed by a contract or other legal act governed by the law of the Union or the Member State, binding the processor with respect to the controller and determines the subject and the duration of treatment, the nature and purpose of the processing, the kind of personal data and categories of data subjects and the obligations and rights of the controller. This contract or other legal act provides in particular that the processor:

1. a) process personal data only on the recorded signal of the controller, including regarding the transfer of personal data to a third country or international organization, unless required to do so by Union law or the law of the Member State to which the processor is subject; in which case, the processor shall inform the data controller for this legal requirement before treatment, unless that law prohibits this kind of information for serious reasons of public interest,
2. b) ensure that persons authorized to process personal data are committed to confidentiality or are under a proper regulatory obligation of confidentiality ness,
3. c) take all necessary measures pursuant to Article 32,
4. d) respect the conditions referred to in paragraphs 2 and 4 for the recruitment of another processor,
5. e) taking into account the nature of the treatment and assist the controller to implement appropriate technical and organizational measures, the extent possible, to fulfill the obligation of the controller to respond to requests for exercising those referred to in Chapter III Rights of the data subject,

f) assist the controller in ensuring compliance with the obligations deriving from Articles 32 until 36, taking into account the nature of the processing and the information available to the processor,

6. g) flat’ selection of the controller, delete or return all personal data to the Controller after providing processing services and clears existing copies, except where Union law or Member State requires the storage of personal data,
7. or) shall provide the controller with all necessary information to demonstrate compliance with the obligations established in this Article and shall allow inspections, including inspections, carried out by the controller or another controller authorized by the controller.

L 119/50 Official Journal of the European Union 4.5.2016

THE

On the first subparagraph the), the processor shall immediately inform the data controller, if, in my opinion, a command violates this Regulation or other Union or national data protection provisions.

4. When the processor takes another data to perform specific processing activities on behalf of the controller, the same obligations with regard to data protection laid down in the contract or other legal instrument between the controller and processor, as provided in paragraph 3, imposed on other performer through this contract or other legal act pursuant to Union law or Member State, especially to provide sufficient assurances to implement appropriate technical and organizational measures, that processing meets the requirements of this Regulation. When the other processor fails to meet the relevant requirements of protection of data, the original performer remains fully accountable to the controller for carrying out the obligations of the other processor.

5. The compliance of the processor approved code of conduct as referred to in Article 40 or an approved accreditation scheme as referred to in Article 42 It may be used as evidence to prove that provide adequate assurances in accordance with paragraphs 1 and 4 of this Article.

6. Subject to individual agreement between the controller and the processor, such contract or other legal instrument referred to in paragraphs 3 and 4 of this Article may be based, wholly or partly, on standard contractual clauses set out in paragraphs 7 and 8 of this Article, including when they are part of the certification issued to the controller or the processor in accordance with Articles 42 and 43.

7. The Commission may adopt the standard contractual clauses for the issues referred to in paragraphs 3 and 4 of this Article and in accordance with the examination procedure referred to in Article 93 paragraph 2.

8. A supervisory authority may establish standard contractual clauses for the issues referred to in paragraphs 3 and 4 of this Article and in accordance with the consistency mechanism referred to in Article 63.

9. This contract or other legal instrument referred to in paragraphs 3 and 4 is writing, including in electronic form.

10. Notwithstanding Articles 82, 83 and 84, if the processor set in breach of this Regulation the purposes and means of processing, the processor is considered controller for this processing.

Article 29

Processed under the supervision of the controller or the processor

The processor and any person acting under the authority of the controller or the processor, which has access to personal data, processing said data only in’ command the controller, unless required to do so by the law of the Union or the Member State.

Article 30

Records of processing activities

1. Each controller and, where appropriate, his representative, keep a record of the processing activities for which they are responsible. This file includes all of the following information:

1. a) the name and contact details of the controller and, where appropriate, the joint controller, the representative of the controller and the data protection officer,
2. b) purposes of the processing,
3. c) description of the categories of data subjects and of the categories of personal data,

4.5.2016 d)

e)

f) g)

Official Journal of the European Union L 119/51

the categories of recipients who are to be disclosed or communicated personal data, including recipients in third countries or international organizations,

where applicable, the personal data to a third country or international organization, including having the identification of that third country or international organization, in case of transfers referred to in Article 49 paragraph 1 second subparagraph, documentation of appropriate safeguards,

where possible, the deadlines deleting various types of data,

where possible, general description of the technical and organizational security measures referred to in Article 32 paragraph 1.

THE

2.
of
The following:

a)

b) c)

d)

3.

the name and contact details of the person or processors and controllers on whose behalf the person performing acts, where appropriate, the representative of the controller or the processor, and the Data Protection Officer,

the categories of processing performed by each controller,

where applicable, the personal data to a third country or international organization, including having the identification of that third country or international organization, in case of transfers referred to in Article 49 paragraph 1 second subparagraph, documentation of appropriate safeguards,

where possible, general description of the technical and organizational security measures referred to in Article 32 paragraph 1.

The records referred to in paragraphs 1 and 2 there writing, including in electronic form.

Each processor and, where appropriate, spokesman processor keep records of all categories of processing operations carried out by the controller, which includes

4.
or processor make the file available to the supervisory authority on request.

The controller or the processor and, where appropriate, the representative of the controller

5. The obligations referred to in paragraphs 1 and 2 does not apply to business or organization that employs fewer than 250 people, unless the processing carried out is likely to cause danger to the rights and freedoms of the data subject, processing is not casual or processing including special categories of data under Article 9 paragraph 1 or processing of personal data relating to criminal convictions and offenses referred to in Article 10.

Article 31

Cooperation with the supervisory authority

The controller and the processor and, where appropriate, their representatives cooperate, on request, Supervisory Authority to perform its tasks.

Part 2

Security of personal data

Article 32

security of processing

1. Considering the latest developments, implementation costs and nature, the scope, the context and purpose of the processing, and the likelihood of different risks and the seriousness of the rights and freedoms of individuals, the controller and the processor shall implement appropriate technical and organizational measures to ensure the appropriate level of security against risks, including, including, where appropriate:

a) the psefdonymopoiisis and personal data encryption,

L 119/52 b)

c)

d)

Official Journal of the European Union 4.5.2016

the possibility of confidentiality assurance, integrity, the availability and reliability of systems and processing services on a continuous basis,

rehabilitation possibility of availability and access to personal data in a timely manner in the event of natural or technical incident,

process for periodic testing, assess and evaluate the effectiveness of technical and organizational measures to ensure security of processing.

2.
processing, notably against accidental or unlawful destruction, loss, deterioration, unauthorized disclosure of or access to personal data transmitted, stored or subjected flat’ otherwise processed.

3. a)

b)

c) d)

The notification referred to in paragraph 1 flat’ minimum:

It describes the nature of the violation of personal data, included, where possible, categories and approximate number of affected data subjects, and categories and approximate number of affected personal data files,

communicate the name and contact details of the data protection officer or other contact point where they can obtain more information,

describes the possible consequences of the violation of personal data,

It describes the measures adopted or proposed measures to be taken by the controller to address the violation of personal data, and, where appropriate, measures to mitigate possible adverse effects of.

THE

In assessing the appropriate security level taking particular account of the risks arising from

3. Compliance with the approved code of conduct as referred to in Article 40 or an approved accreditation scheme as referred to in Article 42 It may be used as evidence to prove compliance with the requirements of paragraph 1 of this Article.

4. The controller and the processor shall take measures to ensure that any natural person acting under the authority of the controller or the processor which has access to personal data is processed only in’ command the controller, unless required to do so by the law of the Union or the Member State.

Article 33

Disclosure of personal data breach to the supervisory authority

1. In case of personal data breaches, the Controller shall promptly notify and, if it is possible, within 72 hours of acquiring knowledge of the fact of violation of personal data to the supervisory authority competent under Article 55, unless the violation of personal data is not likely to cause danger to the rights and freedoms of individuals. When notifying the supervisory authority does not take place within 72 hours, accompanied by a justification for the delay.

2. The processor shall inform the controller immediately, just realize violation of personal data.

4.
gradually without undue delay.

If and when it is not possible to provide information simultaneously, They can be provided

5. The controller shall document any personal data breach, consisting of the facts concerning the violation of personal data, the consequences and the corrective measures. This documentation allows the supervisory authority to verify compliance with this Article.

Article 34

Communication of personal data breach to the data subject

1. When the personal data breach is likely to pose a high risk to the rights and freedoms of individuals, the controller immediately announces the violation of personal data to the data subject.

4.5.2016 Official Journal of the European Union L 119/53

THE

2. The communication to the data subject referred to in paragraph 1 of this Article clearly described the nature of the violation of personal data and shall contain at least the information and measures referred to in Article 33 paragraph 3 data b), c) and D).

3. The communication to the data subject referred to in paragraph 1 not required, if you met any of the following conditions:

1. a) the controller shall implement appropriate technical and organizational measures, and those measures were applied to the affected by the violation of personal data, particularly measures allowing non-understandable personal data to those who do not have permission to access them, such as encryption,
2. b) the controller then took steps to ensure that it is no longer likely to occur as referenced in paragraph 1 high risk for the rights and freedoms of data subjects,
3. c) involves a disproportionate effort. In this case, becomes instead’ this public notice or there is a similar measure by which data subjects are informed equally effectively.

4. If the controller has already announced the violation of personal data to the data subject, the supervisory authority may, having considered the possibility of risk occurrence of the violation of personal data, ask him to do so or may decide that it met any of the conditions referred to in paragraph 3.

Part 3

impact assessment on data protection and prior consultation

Article 35

Impact assessment on data protection

1. When a processing type, in particular using new technologies and taking into account the nature, the scope, the context and purpose of the processing, may result in a high risk to the rights and freedoms of individuals, the controller performs, before treatment, impact assessment of plans tiated processing operations on personal data protection. In an assessment may be considered a set of similar processing operations which pose similar high risks.

2. The controller shall consult the Data Protection Officer, if it is set, when conducting impact assessment on data protection.

3. The reference to paragraph 1 impact assessment regarding data protection is required particularly in the case:

1. a) systematic and extensive evaluation of personal aspects relating to natural persons, based on automatic processing esterified, including training profile, and in which decisions are based that produce legal effects concerning the individual or likewise significantly affect the individual,
2. b) large-scale processing of special categories of data referred to in Article 9 paragraph 1 or personal data relating to criminal convictions and offenses referred to in Article 10 or
3. c) systematic monitoring publicly accessible area on a large scale.

4. The supervisory authority shall establish and publish a list of the types of processing operations subject to the requirement to conduct an impact assessment on data protection under paragraph 1. The supervisory authority shall communicate that list to the Data Protection Board referred to in Article 68.

5. The supervisory authority may also establish and publish a list of the types of processing operations which do not require an impact assessment on data protection. The supervisory authority shall communicate that list to the Data Protection Board.

6. Before issuing the lists referred to in paragraphs 4 and 5, the competent authority shall apply the consistency mechanism referred to in Article 63, if these lists include processing activities related to the supply of goods or services to data subjects or moni toring of their behavior in more than one Member State or which may significantly affect the free movement of personal data in Join.

L 119/54

Official Journal of the European Union 4.5.2016

THE

7. a)

b) c)

d)

The assessment contains at least:

systematic description of the envisaged processing operations and objectives of treatment, including, where appropriate, the legitimate interests pursued by the controller,

assessing the necessity and proportionality of processing operations in connection with the purposes,

assessment of risks to the rights and freedoms of data subjects mentioned in paragraph 1 and

provided risk mitigation measures, including guarantees, measures and security mechanisms, to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.

8.
processing or processors duly taken into account when assessing the impact of processing operations performed by these controllers or processors, especially for impact assessment purposes on data protection.

9. where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, subject to the protection of commercial or public interests or the security of processing operations.

10. When processing under Article 6 paragraph 1 point c) or e) It has a legal basis in Union law or Member State law to which the controller is subject, this law regulates the respective specific processing operation or series of operations and has already carried out an impact assessment on data protection as part of a general impact assessment in the approval of the legal base, paragraphs 1 until 7 not applicable, unless Member States consider it essential to carrying out this evaluation before treatment activities.

11. Where required, the controller carry out a review to assess whether the processing of personal data carried out according to the impact assessment to protect data at least when changing the risk posed by processing operations.

Article 36

prior consultation

1. The Controller shall consult the supervisory authority before processing, when under Article 35 impact assessment on data protection indicates that the treatment would cause a high risk of absence of risk mitigation measures by the controller.

2. Where the supervisory authority considers that the intended process referred to in paragraph 1 breach of this Regulation, especially if the controller has not identified or adequately mitigate the risk, the supervisory authority shall provide written advice to the controller within the first eight weeks of receipt of the consultation request, and, where required, the processor, and may use any of the powers referred to in Article 58. This period can be extended by six weeks, because of the complexity that characterizes the planned treatment. The supervisory authority shall inform the data controller and, where required, the processor for such an extension within one month of receipt of the consultation request, as well as reasons for the delay. These limits may be inhibited until the supervisor has received the information requested for consultation purposes.

3. In consultation with the supervisory authority under paragraph 1, the controller provides the supervisory authority:

1. a) where appropriate, the respective responsibilities of the controller, the joint controllers and processors involved in the work, in particular concerning processed within enterprise group,
2. b) the purposes and means of the proposed treatment,
3. c) measures and safeguards to protect the rights and freedoms of data subjects under this Regulation,

Compliance with agreed codes of conduct referred to in Article 40 by relevant officers

d) where appropriate, contact details of the data protection officer,

4.5.2016 Official Journal of the European Union L 119/55

THE

e) the impact assessment on data protection laid down in Article 35, and

f) any other information requested by the supervisor.

4. Member States shall consult the supervisory authority when preparing proposals for legislative measures to be adopted by national parliaments or regulatory measures based on such legislative measures, which concern the processing.

5. Notwithstanding paragraph 1, the Member State law may require controllers to consult and receive prior authorization from the supervisory authority in relation to the processing of controller for performance of tasks exercised by that manager in the public interest, including treatment in relation to social protection and public health.

Part 4

Data Protection Officer

Article 37

Set the Data Protection Officer

1. The controller and the processor shall designate a data protection officer in any case where:

1. a) the processing carried out by a public authority or body, except courts acting in their judicial competence,
2. b) The core activities of the controller or the processor are processing operations, due to the nature, the scope and / or their purposes, They require regular and systematic moni toring of data subjects on a large scale, or
3. c) The core activities of the controller or the processor are large-scale processing of special categories of personal data under Article 9 and data relating to criminal convictions and offenses referred to in Article 10.

2. conglomerate may appoint a single data protection officer, provided that each establishment has easy access to the DPO.

3. If the controller or the processor is a public authority or public body, a single data protection officer may be designated for several such authorities or several such bodies, taking into account their organizational structure and size.

4. In cases other than those referred to in paragraph 1, a controller or processor or associations and other bodies representing categories of controllers or processors may designate DPO or, where required by Union law or Member State, appoint a Data Protection Officer. The DPO may act on those associations and other bodies representing controllers or processors.

5. The DPO is appointed based on professional qualifications, in particular on the basis of the expertise available in the field of law and practices on data protection, and based on the ability to fulfill the tasks listed in Article 39.

6. The Data Protection Officer may be a member of the staff of the controller or processor or to hold office under service contract.

7. The controller or the processor shall publish the contact details of the data protection officer and notify the supervisory authority.

Article 38

Location of the data protection officer

1. The controller and the processor shall ensure that the DPO is involved, duly and timely, on all issues related to the protection of personal data.

L 119/56 Official Journal of the European Union 4.5.2016

THE

2. The controller and the processor shall support the DPO in carrying out the tasks referred to in Article 39 providing necessary resources to perform these tasks and access to personal data and processing operations, and resources necessary to maintain expertise.

3. The controller and the processor shall ensure that the DPO is not receiving commands to perform these tasks. Not dismissed or penalized by the controller or the processor because the tasks done. The DPO shall report directly to the senior management level of the controller or the processor.

4. Data subjects may contact the DPO for all matters concerning the processing of their personal data and exercise of their rights under this Regulation.

5. The Data Protection Officer is bound by secrecy or confidentiality on the performance of his duties, under the law of the Union or the Member State.

6. The DPO may perform other tasks and obligations. The controller or the processor shall ensure that these duties and obligations do not involve a conflict of interest.

1. a)

b)

c)

d) e)

Article 39

Duties of the data protection officer

The DPO has at least the following tasks:

inform and advise the controller or the processor and officials proces amplifier operate their obligations under this Regulation and other Union legislation or the Member State on data protection,

monitor compliance with this Regulation, with other provisions of Union or national legislation on data protection and the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, the sensitive poetry and the training of staff involved in processing operations, and related controls,

provides advice, when requested, with regard to the impact assessment on data protection and monitor its implementation in accordance with Article 35,

cooperate with the supervisory authority,

act as a contact point for the supervisory authority on issues related to treatment, including prior consultation referred to in Article 36, and consult, it depends on the situation, any other matter.

2.
connected to the processing operations, taking into account the nature, the scope, the context and purpose of the processing.

In the performance of his duties, the DPO shall take due account of the risk

Part 5

Codes of conduct and certification

Article 40

codes of conduct

1. The member states, supervisors, the Data Protection Board and the Commission encourage the development of codes of conduct intended to contribute to the proper implementation of this Regulation, taking into account the specific characteristics of the various processing sectors and the specific needs of micro, small and medium enterprises.

2. Compounds and others representing categories of controllers or processors can establish codes or to modify or extend existing codes, in order to determine the application of this Regulation, such respect:

a) to fair and transparent treatment,

4.5.2016 Official Journal of the European Union

L 119/57

THE

2. b) the legitimate interests pursued by the controllers in specific contexts,
3. c) the collection of personal data,
4. d) psefdonymopoiisi the personal data,
5. e) informing the public and of data subjects,

f) the exercise of data subjects' rights,

6. g) information and the protection of children and how to obtain the consent of the parental authority of the child,
7. or) measures and procedures referred to in Articles 24 and 25 and measures to ensure security of processing referred to in Article 32,
8. i) the notification of personal data breaches to the supervisory authorities and the communication of such personal data breaches to data subjects,
9. j) the transfer of personal data to third countries or international organizations, or

k) litigation proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects regarding the processing, without prejudice to the rights of data subjects under Articles 77 and 79.

3. Besides their observance of controllers or processors subordinate to this Regulation, codes of conduct adopted under paragraph 5 of this Article and of general application under paragraph 9 of this Article may also be followed by controllers or processors are not covered by this Regulation in accordance with Article 3, in order to provide adequate guarantees under personal data transfers to third countries or international organizations, under the conditions set out in Article 46 paragraph 2 point e). These controllers or processors undertake binding and enforceable commitments by contract or other legally binding instruments, to implement these appropriate safeguards, including as regards the rights of data subjects.

4. The code of conduct referred to in paragraph 2 of this article contain mechanisms that allow the said Article 41 paragraph 1 operator to carry out the mandatory monitoring of compliance with the provisions of the controllers or processors that are responsible for applying the, without prejudice to the functions and powers of supervisory authorities responsible under Article 55 or 56.

5. Associations and other entities referred to in paragraph 2 of this Article and intends to develop a code of conduct or to amend or extend existing code submit the draft code to the supervisory authority competent under Article 55. The Supervisory Authority opinion on the compliance of the draft code, modification or extension to this Regulation and approve the draft code, modification or extension, if it considers that it provides sufficient appropriate safeguards.

6. When the draft code or change or extension of approved under paragraph 5 and when the resulting code of conduct is not related to processing activities in more than one Member State, the supervisory authority shall record and publish the code.

7. If draft code of conduct refers to processing activities in several Member States, the supervisory authority competent under Article 55 submit, before the adoption of the draft Code, modification or expansion, the procedure laid down in Article 63 the Data Protection Council, which opinion on the compliance of the draft code, modification or extension to this Regulation or, in the case referred to in paragraph 3 of this Article, as to provide sufficient guarantees that.

8. If the opinion referred to in paragraph 7 confirms that the code, modification or extension is in accordance with this Regulation or, in the case referred to in paragraph 3, provide sufficient guarantees, the Data Protection Board shall forward its opinion to the Commission.

9. The Commission may, through implementing acts, decide that the approved codes of conduct and amendments or extensions that were submitted under paragraph 8 of this Article shall have general application within the Union. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93 paragraph 2.

L 119/58 Official Journal of the European Union 4.5.2016

THE

10. The Commission shall ensure appropriate publicity for the codes approved for its decision to have general application under paragraph 9.

11. The Data Protection Board collects all approved codes, modifications and extensions to the registry and makes them available to the public by any appropriate means.

Article 41

Monitoring of approved codes of conduct

1. Without prejudice to the functions and powers of the competent supervisory authority in accordance with Articles 57 and 58, monitor compliance with the code of conduct under Article 40 It can be conducted by a body that has the appropriate level of expertise in relation to the object code and is accredited for this purpose by the competent supervisory authority.

2. with

a) b)

c)

d)

The entity referred to in paragraph 1 It can be accredited to monitor the compliance code of conduct, if said carrier:

It has proven its independence and expertise in relation to the object code to the satisfaction of the competent supervisory authority,

It has established procedures that allow the assessment of the eligibility of the controllers and processors to implement the code, monitoring of their compliance with its provisions and the periodic review of the operation,

It has established procedures and structures to deal with complaints of violations of the code or concerning the manner in which the code is implemented or applied by a controller or processor, and to make these processes and structures transparent to data subjects and the general public, and

proves, at the discretion of the competent supervisory authority, that the duties and obligations do not involve a conflict of interest.

3.
of this Article to the Data Protection Board in accordance with the consistency mechanism referred to in Article 63.

The competent authority shall submit the draft of certification criteria entity referred to in paragraph 1

4. Without prejudice to the functions and powers of the competent supervisory authority and the provisions of Chapter VIII, the entity referred to in paragraph 1 this article assumes, subject to appropriate safeguards, appropriate action in the event of violation of the code from the controller or the processor, including employment purposes suspension or exclusion of the relevant data controller or processor to code. Inform the competent supervisory authority for these actions and their reasons for withdrawal.

5. The competent authority shall revoke the certification body as referred to in paragraph 1, if the certification conditions are not met or are no longer met or actions taken by the institution contravening this regulation.

6. This Article shall not apply to the processing carried out by public authorities and public bodies.

Article 42

Certification

1. The member states, supervisors, the Data Protection Council and the Commission urge, particularly at EU level, the establishment of data protection certification mechanisms and data protection seals and marks, in order to demonstrate compliance with this Regulation of processing operations by data controllers and processors. Take into account the specific needs of micro, small and medium enterprises.

4.5.2016 Official Journal of the European Union L 119/59

THE

2. In addition to their application by controllers or processors subject to this regulation, certification mechanisms and data protection seals and data protection signals authorized under paragraph 5 of this Article may be adopted for the purpose of proving that appropriate safeguards are provided by controllers or processors that are not subject to this Regulation, according to the article 3, in the context of personal data transfers to third countries or international organizations, under the conditions set out in Article 46 paragraph 2 f). These controllers or processors undertake binding and enforceable commitments by contract or other legally binding instruments, to implement these appropriate safeguards, including as regards the rights of data subjects.

3. Certification is voluntary and available through a transparent procedure.
4. The certification in accordance with this Article shall not limit the responsibility of the controller or of the person

processing for compliance with this regulation and shall not affect the tasks and responsibilities of the supervisory authorities responsible under Article 55 or 56.

5. The certification in accordance with this Article shall be granted by the certification bodies referred to in Article 43 or by the competent supervisory authority, criteria approved by this competent authority pursuant to Article 58 paragraph 3 or the Data Protection Board in accordance with Article 63. When the criteria are approved by the Data Protection Board, This can lead to joint certification, European Data Protection Seal.

6 The controller or the processor making the processing of the authentication mechanism provides the certification body referred to in Article 43 or, it depends on the situation, the competent supervisory authority all information and access to treatment activities required to carry out the certification process.

7. The certification issued to the controller or processor for a maximum period of three years and can be renewed on the same terms, provided that the relevant requirements are still met. The certification revoked, it depends on the situation, by certification bodies provided for in Article 43 or by the competent supervisory authority, when not or are no longer met the requirements for certification.

8. The Data Protection Board collects all authentication mechanisms and seals and data protection signals in a register and kept available to the public by any appropriate means.

Article 43

certification bodies

1. Without prejudice to the functions and powers of the competent supervisory authority in accordance with Articles 57 and 58, certification bodies have the appropriate level of expertise in relation to data protection, after informing the supervisory authority to be able to exercise its powers under Article 58 paragraph 2 point h) where required, issue and renew certificates. The Member State shall ensure that the accreditation of the certification bodies carried out by one or both of the following:

a) b)

a) They have demonstrated the independence and expertise in relation to the subject of certification for the judgment of the competent supervisory authority,

(1) REGULATION (FROM) No. 765/2008 European Parliament and Council, of July 9 2008, laying down the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No. 339/93 Council (OJ L 218 of 13.8.2008, p. 30).

the supervisory authority which is competent pursuant to Articles 55 or 56,

the national accreditation body appointed pursuant to Regulation (FROM) No. 765/2008 European Parliament and Council (1), according to the standard EN-ISO / IEC 17065/2012 and in accordance with the supplementary requirements set by the supervisory authority competent under Article 55 or 56.

The certification bodies referred to in paragraph 1 accredited in accordance with this paragraph,

2.
only if:

L 119/60 b)

c) d)

e)

Official Journal of the European Union 4.5.2016

They have pledged to respect the criteria referred to in Article 42 paragraph 5 and approved by the supervisory authority competent under Article 55 or 56 or from the Data Protection Council under Article 63,

They have procedures for issuing, periodic review and revocation of certificates, stamps and data protection signals,

They have procedures and structures for the management of complaints concerning infringements of the certification or on the way in which certification is applied or implemented by the controller or the processor, and to make these processes and structures transparent to data subjects and the general public, and

prove, at the discretion of the competent supervisory authority, that the duties and obligations do not involve a conflict of interest.

THE

3.
poieitai criteria approved by the supervisory authority competent under Article 55 or 56, or from the Data Protection Council under Article 63. If accreditation under point b) of paragraph 1 of this Article, those requirements complement the requirements laid down in Regulation (FROM) No. 765/2008 and technical rules that describe the methods and procedures of certification bodies.

4. The certification bodies referred to in paragraph 1 He is responsible for the proper assessment leading to certification or revocation of certification, without prejudice to the responsibility of the controller or the processor to comply with this Regulation. Accreditation is granted for a maximum period of five years and may be renewed on the same terms, provided that the certification body meets the requirements of this Article.

5. The certification bodies referred to in paragraph 1 They provide the competent authorities the reasons for granting or revocation of certification sought.

6. The requirements of paragraph 3 of this article and the criteria set out in Article 42 section 5 published by the supervisory authority in easily accessible format. The supervisory authorities shall also forward these requirements and criteria to the Data Protection Board. The Data Protection Board collects all certification mechanisms and data protection seals in a register and kept available to the public by any appropriate means.

7. Without prejudice to Chapter VIII, the competent supervisory authority or national accreditation body shall withdraw accreditation to a certification body in accordance with paragraph 1 of this Article, provided that the certification conditions are not met or are no longer fulfilled or if the certification body actions violate this regulation.

8. The Commission is empowered to adopt delegated’ delegated acts in accordance with Article 92, to determine the requirements to be taken into consideration for the data protection certification mechanisms referred to in Article 42 paragraph 1.

9. The Commission may adopt implementing acts laying down technical standards for certification mechanisms, seals and data protection signals, and mechanisms for the promotion and recognition of the certification mechanisms, seals and labels. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93 paragraph 2.

CHAPTER V

Transfers of personal data to third countries or international organizations

Article 44

General principles for transfers

Any transfer of personal data which are undergoing processing or are intended to be processed after they are sent to a third country or international organization is only possible if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter shall be kept by the controller and the processor, including on further transfers of personal data to a third country or international organization to another third country or another international organization. All provisions of this Chapter in order to ensure that the level of protection of individuals guaranteed by this Regulation is not compromised.

The accreditation of certification bodies as referred to in paragraphs 1 and 2 of this article carried

4.5.2016 Official Journal of the European Union L 119/61

THE

Article 45

Transfers based on an adequacy decision

1. The transfer of personal data to a third country or international organization may take place if the Commission decides that ensure an adequate level of protection by the third country, from the ground or from one or more specific sectors in the third country or by that international organization. For such a transfer does not require a special permit.

2. a)

b)

c)

In assessing the adequacy of protection, the Commission notes, Especially, the following elements:

the rule of law, respect for human rights and fundamental freedoms, the relevant legislation, both general and sectoral, including as regards public security, the defense, national security and criminal law and access of public authorities to personal data, and the implementation of this legislation, rules on data protection, professional rules and security measures, CD- contained rules on further transfers of personal data to another country or international organization held in that third country or international organization, case law, and substantive and enforceable rights to data subjects and effective administrative and judicial redress for data subjects whose personal data are transferred,

the existence and effective functioning of one or more independent supervisory authorities that are in that third country or where an international organization subject, responsible to ensure and enforce compliance with data protection rules, including sufficient enforcement powers, assisting and advising the data subjects in the exercise of their rights and to cooperate with the supervisory authorities of the Member States, and

the international commitments undertaken by that third country or international organization or other liabilities arising from legally binding contracts or transactions and by their participation in multilateral or regional systems, especially as regards the protection of personal data.

3.
ensure an adequate level of protection within the meaning of paragraph 2 of this article from a third country or territory or one or more specific areas of a third country or international organization. The implementing act provides for periodic review mechanism, at least every four years, which takes account of all relevant developments in the third country or international organization. The implementing act shall specify the territorial and sectoral implementation of, and, where applicable, the supervisory authority or authorities referred to in b) of paragraph 2 of this Article. The implementing act adopted in accordance with the examination procedure referred to in Article 93 paragraph 2.

4. The Commission closely monitors developments in third countries and international organizations that could affect the operation of decisions adopted in accordance with paragraph 3 of this Article and the decisions adopted pursuant to Article 25 paragraph 6 Directive 95/46 / EC.

5. The committee, when reportedly reveal, mainly following the review referred to in paragraph 3 of this Article, that a third country, soil or specific sector in a third country or international organization no longer ensures an adequate level of protection within the meaning of paragraph 2 of this Article, abolishes, modify or suspend, to the extent necessary, Decision paragraph 3 of this Article by means of implementing acts without retroactive effect. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93 paragraph 2.

On duly justified imperative grounds of urgency, the Commission shall adopt immediately applicable implementing acts in accordance with the procedure referred to in Article 93 paragraph 3.

6. The Commission initiated consultations with the third country or international organization in order to remedy the situation which is the result of the decision taken under paragraph 5.

7. The decision according to paragraph 5 This Article shall not affect the personal data in the third country, the ground or to one or more specified areas in that third country or international organization in accordance with Articles 46 until 49.

8. The Commission shall publish in the Official Journal of the European Union and on its website a list of third countries, territories and specific areas in a third country, and international organizations, for which it has decided that ensure or no longer ensures an adequate level of protection.

The committee, After assessing the adequacy of protection, may decide, by implementing act, that

L 119/62 Official Journal of the European Union 4.5.2016

THE

9. Decisions issued by the Commission under Article 25 paragraph 6 Directive 95/46 / EC shall remain in effect until amended, replaced or repealed by a Commission decision adopted pursuant to paragraph 3 or 5 of this Article.

Article 46

Transfers subject to appropriate safeguards

1. Absence of a decision under Article 45 paragraph 3, the controller or the processor may transfer personal data to a third country or an international organization only if the controller or the processor has provided the appropriate guarantees, and provided that there are enforceable rights and effective remedies for the subjects data.

2. The appropriate safeguards referred to in paragraph 1 can be provided, without special permission supervisor, via:

1. a) a legally binding and enforceable instrument between public authorities or bodies,
2. b) binding corporate rules pursuant to Article 47,
3. c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93 paragraph 2,
4. d) standard data protection clauses adopted by a supervisory authority and approved by the Commission in accordance with the examination procedure referred to in Article 93 paragraph 2,
5. e) approved code of conduct, according to the article 40, together with binding and enforceable obligations of the controller or the processor in the third country to apply appropriate safeguards, including as regards the rights of data subjects, or

f) approved certification mechanism, according to the article 42, together with binding and enforceable obligations of the controller or the processor in the third country to apply appropriate safeguards, including as regards the rights of data subjects.

3. Subject to authorization by the competent supervisory authority, Appropriate safeguards paragraph 1 in particular, they can also be provided through:

a)

b)

contractual terms between the controller or the processor and the controller, the processor or the recipient of personal data to a third country or international organization or

provisions for inclusion in administrative arrangements between public authorities or entities that include enforceable and substantive rights of data subjects.

4.
referred to in paragraph 3 of this Article.

The supervisory authority shall apply the consistency mechanism referred to in Article 63 where

5. Authorizations from Member States or supervisory authority under Article 26 paragraph 2 Directive 95/46 / EC shall remain in effect until amended, replaced or repealed, if required, by that supervisory authority. Decisions issued by the Commission under Article 26 paragraph 4 Directive 95/46 / EC shall remain in effect until amended, replaced or repealed, if required, by a Commission decision adopted pursuant to paragraph 2 of this Article.

Article 47

Binding Corporate Rules

1. The competent supervisory authority shall approve binding corporate rules pursuant to the consistency mechanism referred to in Article 63, under the condition that:

a) legally binding and applicable in every Member State and applied by each Member State of the group, or group of companies engaged in joint economic activity, including their staff,

4.5.2016 Official Journal of the European Union L 119/63

THE

2. b) expressly confer enforceable rights to data subjects regarding the processing of personal data concerning them and
3. c) meet the requirements set out in paragraph 2.

2. Binding corporate rules referred to in paragraph 1 specify at least:

1. a) the structure and the contact details of the group, or group of companies engaged in joint economic activity and each member,
2. b) data transfers or set of data transfer operations, including the categories of personal data, the type of treatment and the purpose of, the type of data subjects affected and the setting of that third country or third countries,
3. c) the legally binding nature of the, both internally and externally,
4. d) the application of general data protection principles, in particular the purpose limitation, minimizing data, the limited storage period, data quality, data protection by design and by default, the legal basis for processing, processing of special categories of personal data, Safeguards data security, and the implementation of the requirements of onward transfers to organizations which are not bound by the binding corporate rules,
5. e) the rights of data subjects regarding the processing and the means to exercise these rights, including the right not subject to any decisions solely on automation topoiimenis processing, including training profiles in accordance with Article 22, the right to submit complaints to the competent supervisory authority and before the competent courts of the Member States in accordance with Article 79, and ensuring redress and, where required, damages for breach of the binding corporate rules,

f) the acceptance of liability by the controller or processor established in the territory of a Member State for any breach of binding corporate rules by any relevant member not established within the Union; the controller or processor is exempt from this liability, wholly or partly, only proving that that member is not responsible for the event giving rise to the damage,

6. g) how to provide information on the binding corporate rules for data subjects, in particular the provisions mentioned in subparagraphs d), e) and St) this paragraph, Additional Articles 13 and 14,
7. or) the tasks of data protection officer designated in accordance with Article 37 or any person or entity responsible for monitoring compliance with the binding corporate rules within the group of companies, or group of companies engaged in joint economic activity, and the moni toring of training and handling of complaints,
8. i) complaint procedures,
9. j) the mechanisms within the group of companies, or group of companies engaged in joint economic activity for checking compliance with the binding corporate rules. These mechanisms include controls to protect data and methods ensuring corrective actions to protect the data subject's rights. The results of this verification must be communicated to the person or entity referred to in point h) and the Management Board of the controlling company of the group or the group of companies engaged in joint economic activity, while also be provided upon request to the competent supervisory authority,

226. k) reporting mechanisms and registration of changes to the rules and reporting these changes to the supervisory authority,
227. l) the cooperation mechanism with the supervisory authority, to ensure the compliance of each member of the group, or group of companies engaged in joint economic activity, particularly by providing the supervisory authority of the results of the measures referred to under point controls),
228. m) reporting mechanisms to the competent supervisory authority in any legal requirement that a member of the group, or group of companies engaged in joint economic activity is subject to a third country and which could have a significant negative effect on the guarantees provided by the binding corporate rules
229. n) proper training in the protection of personal data has permanent or regular access to personal data.

L 119/64 Official Journal of the European Union 4.5.2016

THE

3. The Commission may specify the format and procedures for sharing information between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93 paragraph 2.

Article 48

Communications or notifications that are not allowed by Union law

Every court and every decision of an administrative authority of a third country requires the data controller or processor to transmit or communicate personal data can be recognized or be enforceable in’ any way unless based on an international agreement, such as mutual legal assistance contract, in force between the requesting third country and the Union or a Member State, without prejudice to other transmission ratios in accordance with this Chapter.

Article 49

Exemptions for specific situations

1. In the absence of adequacy decision under Article 45 paragraph 3 or appropriate safeguards pursuant to Article 46, including binding corporate rules, the transfer or all transfers of personal data to a third country or an international organization is only possible if one of the following conditions:

1. a) the data subject expressly consented to the proposed transfer, after being informed of the potential risks of such transfers for the data subject in the absence adequacy decision and appropriate safeguards,
2. b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken at the request of the data subject,
3. c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person,
4. d) the transfer is necessary for important reasons of public interest,
5. e) the transfer is necessary for the foundation, exercise or support legal claims,

f) the transfer is necessary to protect the vital interests of the data subject or other persons, if the data subject does not have the physical or legal capacity to give consent,

g) the transfer is made from a register which according to Union law or Member State intended to provide information to the public and is open to search for information either to the public or to any person may claim a legitimate interest, but only provided that in each case the conditions laid down in Union law or Member State law to search for information.

When the transfer can not be based on a provision of Article 45 or 46, including provisions on binding corporate rules, and does not apply any of the exceptions for special condition referred to in the first subparagraph of this paragraph, the transfer to a third country or an international organization may take place only if the transfer is not repeated, concerns only a limited number of data subjects, is necessary for the purpose of overriding legitimate interests pursued by the controller which does not override the interests or the rights and freedoms of the data subject and the controller has evaluated all circumstances related to the transmission of data and has provided, on the basis of this assessment, appropriate safeguards for the protection of personal data. The controller shall inform the supervisory authority for the transmission. The Controller, in addition to the information referred to in Articles 13 and 14, inform the data subject on the transmission and on the compelling legitimate interests pursued.

2. Transmission carried out under paragraph 1 first paragraph, point g) It does not include all the personal data or entire categories of personal data contained in the register. When the register is intended for obtaining information from persons who have a legitimate interest, the transfer is made only at the request of those persons or if going to be the recipients.

4.5.2016 Official Journal of the European Union L 119/65

THE

3. paragraph 1 first subparagraph, points a), b) and G) and paragraph 1 second subparagraph shall not apply to activities which are undertaken by public authorities in the exercise of their public powers.

4. The public interest referred to in paragraph 1 first paragraph, point d) recognized in Union law or the national law of the Member State in which the controller is subject.

5. Absence adequacy decision, Union law or Member State may, for serious reasons of public interest, explicitly provides for restrictions on the transmission of special categories of personal data to a third country or international organization. Member States shall notify those provisions to the Commission.

6. The controller or the processor registers the assessment, and appropriate safeguards mentioned in the second sentence of paragraph 1 of this Article, in the records referred to in Article 30.

Article 50

International cooperation on the protection of personal data

In relation to third countries and international organizations, The Commission and the supervisory authorities shall take appropriate measures to:

1. a) developing international cooperation mechanisms to facilitate the effective enforcement of legislation on the protection of personal data,
2. b) provide international mutual assistance in the enforcement of the protection of personal data, including through notification, transmission complaints, assistance in investigations and exchange of information, subject to appropriate safeguards to protect personal data and other fundamental rights and freedoms,
3. c) the involvement of relevant stakeholders in discussion and activities aimed at promoting international cooperation for enforcement on the protection of personal data,
4. d) promote the exchange and documentation of the legislation and practice on the protection of personal data, including jurisdictional conflicts with third countries.

   CHAPTER VI

   Independent supervisory authorities

   Part 1

   independent status

   Article 51

   Supervising Authority

1. Each Member State shall ensure that one or more independent public authorities are responsible for moni toring the application of this Regulation, in order to protect fundamental rights and freedoms of individuals with regard to the processing relating to them and to facilitate the free movement of personal data in the Union ("supervising Authority").

2. Each supervisory authority contributes to the consistent application of this Regulation throughout the Union. For this purpose,, supervisory authorities shall cooperate with each other and with the Commission in accordance with Chapter VII.

3. If a Member State established several supervisors, that Member State shall designate the supervisory authority to represent those authorities in the Data Protection Board lays down the mechanism to ensure compliance of the other principles with rules relating to the consistency mechanism referred to in Article 63.

4. Each Member State shall notify the Commission of the provisions laid down in its law under this Chapter, until 25 May 2018 and, without delay, any subsequent amendment.

L 119/66 Official Journal of the European Union 4.5.2016

THE

Article 52

Independence

1. Each supervisory authority shall perform the duties and exercise the powers under this Regulation in full independence.

2. The member or members of any supervisory authority carry out their duties and exercise their powers in accordance with this regulation without external influences, either direct or indirect, and they shall not seek or receive instructions from any.

3. The member or members of any supervisory authority shall refrain from any action incompatible with their duties and, during their term of office, not hold any incompatible occupation, profitable or not.

4. Each Member State shall ensure that each supervisor has the necessary human, technical and financial resources and the necessary facilities and infrastructure for the effective performance of the functions and exercise of its powers, including those available under the mutual assistance, cooperation and participation in the Data Protection Council.

5. Each Member State shall ensure that each supervisor chooses and has its own employees who are managed exclusively by the member or members of the supervisory authority concerned.

6. Each Member State shall ensure that each supervisory authority is subject to financial control which shall not affect its independence and has separate, public annual budgets, which may be part of the overall state or national budget.

Article 53

General conditions for the members of the supervisory authority

1. Member States shall provide that each member of the supervisory authorities should be appointed through a transparent procedure by: - their parliament,
- their government,
- their head of state or

- independent body entrusted, under the law of the Member State, appointment.

2. Each member has, particularly in the field of personal data protection, the qualifications, the experience and skills required to perform the duties and exercise the powers of.

3. The duties of a member shall cease when the office closing, resignation or compulsory retirement, under the law of the Member State.

4. Member may be dismissed only in cases of serious misconduct or if they no longer fulfill the conditions required for the performance of his duties.

Article 54

Rules for the establishment of the supervisory authority

1. Each Member State shall provide by law all of the following: a) set up any supervisory authority,

4.5.2016

Official Journal of the European Union L 119/67

THE

b) c) d)

e) f)

the qualifications and eligibility requirements for the appointment of a member of any supervisory authority,

rules and procedures for the appointment of the member or members of any supervisory authority,

the term of office of the member or members of any supervisory authority, which is not less than four years, except the first appointment after 24 May 2016, part of which may cover a shorter period if this is necessary to protect the independence of the supervisory authority over the process of staggered appointments,

whether and for how many terms a member or members of any supervisory authority shall be eligible for reappointment,

the conditions governing the obligations of membership or members and employees of any supervisory authority, prohibit acts, professional activities and benefits is incompatible with these obligations, both during the mandate and after this, and rules governing the termination of employment.

2.
Member State, by professional secrecy both during the mandate and after this, in respect of confidential information which has come to their knowledge during the performance of his duties or the exercise of their powers. During their term of office, this obligation of professional secrecy applies in particular to the report by individuals of this breaches Regulation.

Part 2

Competence, duties and powers

Article 55

Competence

1. Each supervisory authority is competent to perform the duties and exercise the powers conferred on it by this Regulation in the Member State of.

2. When processed by public authorities or private bodies acting under Article 6 paragraph 1 point c) or e), It is the competent supervisory authority of the Member State. In these cases do not apply Article 56.

3. The supervisory authorities are not competent to monitor the processing operations carried out by the courts in their judicial competence.

Article 56

Powers of chief supervisor

1. Notwithstanding Article 55, the supervisory authority of the main or the only installation of the controller or the processor is competent to act as chief supervisory authority for cross-border processing operations of the controller or the processor in accordance with the procedure laid down in Article 60.

2. Notwithstanding paragraph 1, each supervisory authority is responsible for examining the submitted complaint or to address any infringements of this Regulation, if the subject relates only establishment in the Member State or substantially affect the data subject only to the Member State.

3. Where paragraph 2 of this Article, the supervisory authority shall inform thereof the chief supervisory authority without delay. Within three weeks of the updating of, the chief supervisor decides whether to hear the case against the Article 60, taking into account whether or not install the controller or the processor in the Member State of the supervisory authority informed.

The member or members and staff each supervisory authority are bound, accordance with Union law or

L 119/68 Official Journal of the European Union 4.5.2016

THE

4. Should the chief supervisor decided to deal with the case, the procedure laid down in Article applies 60. The supervisory authority has informed the chief supervisory authority may submit to the head top draft decision. The chief supervisor shall pay particular attention to this plan in preparing the draft decision referred to in Article 60 paragraph 3.

5. Should the chief supervisor decides not to hear the case, the supervisory authority has informed the chief supervisory authority dealing with the case in accordance with Articles 61 and 62.

6. The head of supervisory authority is the sole interlocutor of the controller or processor for processing cross-border operation of the controller or the processor.

Article 57

Duties

1. Without prejudice to other tasks defined in this Regulation, each supervisory authority on its territory:

1. a) monitors and enforces the application of this Regulation,
2. b) promotes awareness and understanding of risks, the rules, guarantees and rights related to the processing. Special attention is given to activities specifically aimed at children,
3. c) advises, under the law of the Member State, the national parliament, the government and other institutions and bodies on legislative and administrative measures relating to the protection of the rights and freedoms of individuals with regard to the processing,
4. d) promotes awareness of controllers and processors of their obligations under this Regulation,
5. e) on request, provides information to data subjects in the exercise of their rights under this Regulation and, possibly, cooperate to this end with the supervisory authorities in other Member States,

f) handles complaints submitted by the data subject or body or organization or association in accordance with Article 80 and investigating, to the extent appropriate, the complaint and inform the complainant of the progress and outcome of the investigation within a reasonable time, particularly if further research or coordination with another supervisory authority,

6. g) cooperates, including through exchange of information, with other supervisors and provides mutual assistance to other supervisory authorities, in order to ensure consistency of application and enforcement of this Regulation,
7. or) conduct investigations on the application of this Regulation, including on the basis of information received from another regulatory authority or other public authority,
8. i) monitor relevant developments, insofar as they have impact on the protection of personal data, in particular the developments in information and communication technologies and commercial practices,
9. j) establishes standard contractual clauses Article 28 paragraph 8 and Article 46 paragraph 2 point d),

226. k) establish and maintain a list in relation to the requirement to conduct an impact assessment on data protection under Article 35 paragraph 4,
227. l) provides advice on processing operations Article 36 paragraph 2,
228. m) encourages the development of codes of conduct pursuant to Article 40 paragraph 1 and formulate an opinion and approve such codes of conduct that provide adequate safeguards, according to the article 40 paragraph 5,
229. n) encourage the establishment of data protection certification mechanisms and seals and data protection marks under Article 42 paragraph 1 and approve the criteria for certification in accordance with Article 42 paragraph 5,
230. o) where appropriate, conduct periodic review of certifications issued in accordance with Article 42 paragraph 7,

4.5.2016 Official Journal of the European Union L 119/69

THE

p) designs and publishes the institution accreditation criteria for monitoring codes of conduct pursuant to Article 41 and certification body in accordance with Article 43,

231. q) conducts the accreditation body for monitoring codes of conduct pursuant to Article 41 and certification body in accordance with Article 43,
232. r) allows contract terms and provisions of Article 46 paragraph 3,
233. s) approve binding corporate rules pursuant to Article 47,

K) contributes to the Data Protection Council activities,

251. Ms.) keep internal records of infringements of this Regulation and the measures taken in accordance with Article 58 paragraph 2, and
252. v) ekplironeikatheallokathikonschetikometinprostasiadedomenonprosopikoucharaktira.

2. Each supervisor facilitate the submission of complaints referred to in paragraph 1 f) through measures such as the complaint form which can also be completed electronically, without excluding other means of communication.

3. Each supervisory authority exercises its functions without charge for the data subject and, where appropriate, for the DPO.

4. If the request is manifestly unfounded or too, in particular because of their repetitive nature, the supervisory authority may impose a reasonable charge for administrative costs or to refuse to respond to the request. The supervisory authority bears the burden of proving the manifestly unfounded or excessive character of the request.

Article 58

powers

1. Each authority has all these powers of investigation:

1. a) to instruct the controller and the processor and, where applicable, the representative of the controller or the processor to provide any information they require to perform its duties,
2. b) to conduct research in the form of controls to protect data,
3. c) to conduct a review of certifications issued in accordance with Article 42 paragraph 7,
4. d) notify the controller or the processor for alleged infringements of this Regulation,
5. e) to acquire, the controller and the processor, access to all personal data and all information required to perform its duties,

f) have access to the controller facilities and a processor, including all equipment and data processing means, according to the procedural law of the Union or a Member State.

2. Each authority has all the following corrective powers:

1. a) issue warnings to the controller or the processor that intended processing operations are likely to contravene the provisions of this Regulation,
2. b) to issue reprimands to the controller or the processor when processing operations have violated provisions of this Regulation,
3. c) to instruct the controller or the processor to comply with the requests of the data subject to exercise in accordance with this Regulation Rights,

L 119/70 d)

e)

f) g)

or)

i)

j) 3. a)

b)

c)

d) e) f) g)

or) i) j)

Official Journal of the European Union 4.5.2016

to instruct the controller or the processor to make the processing operations comply with the provisions of this Regulation, if needed, a certain way and within a certain period,

to instruct the controller to notify the personal data breach to the data subject,

impose a temporary or permanent restriction, including the prohibition of processing,

to command a correction or deletion of personal data or restriction of treatment pursuant to Articles 16, 17 and 18 and command notification of such actions to recipients to whom the personal data communicated under Article 17 paragraph 2 and Article 19,

to withdraw the certificate or to order the certification body to withdraw a certificate issued in accordance with Articles 42 and 43 or order the certification body can not issue certification, provided that the certification requirements are not met or are no longer met,

impose an administrative fine pursuant to Article 83, addition to or instead of the measures referred to in this paragraph, depending on the circumstances of each individual case,

instruct to suspend data traffic to the recipient in a third country or international organization. Each supervisory authority shall have all the following licensing and advisory powers:

advise the controller according to the prior consultation referred to in Article 36,

issue, on its own initiative or upon request, opinions to the national parliament, the State Government or, under the law of the Member State, to other institutions and bodies, as well as to the public, on any matter relating to the protection of personal data,

permit the processing referred to in Article 36 paragraph 5, if the Member State law requires that prior authorization,

to issue opinions on draft codes of conduct and approve these projects under Article 40 paragraph 5,

provide accreditation to certification bodies in accordance with Article 43,

to issue certificates and approve accreditation criteria in accordance with Article 42 paragraph 5,

adopt standard data protection clauses of Article 28 paragraph 8 and Article 46 paragraph 2 point d),

to allow contractual clauses Article 46 paragraph 3 point a),
allow administrative arrangements referred to in Article 46 paragraph 3 b), approve binding corporate rules pursuant to Article 47.

THE

4.
including an effective judicial remedy and the observance of due process, as provided for by Union law and the law of the Member States in accordance with the Charter.

The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate safeguards,

5. Each Member State shall provide by law that the relevant supervisory authority has the power to inform the judicial authorities of infringements of this Regulation and, where appropriate, to initiate or participate in’ otherwise in legal proceedings, to enforce the provisions of this Regulation.

6. Each Member State shall provide by law that the supervisor has the additional powers other than those referred to in paragraphs 1, 2 and 3. The exercise of these powers does not affect the efficient operation of Chapter VII.

Article 59

activity reports

Each supervisory authority shall draw up an annual report of its activities, which may include a list of the types of notified irregularities and the type of measures taken under Article 58 paragraph 2. These reports are submitted to the national parliament, the government and other authorities, as defined by the law of the Member State. Made available to the public, the Commission and the Data Protection Council.

4.5.2016

Official Journal of the European Union

L 119/71

THE

CHAPTER VII

Cooperation and consistency

Part 1

Cooperation

Article 60

Cooperation between the chief supervisor and the other supervisory authorities

1.
endeavor to reach a consensus. The chief supervisor and the supervisory authorities exchange each other all relevant information.

2. The head of supervisory authority may request at any time by other supervisory authorities to provide mutual assistance under Article 61 and may conduct joint operations pursuant to Article 62, particularly to carry out inquiries or to monitor implementation of a measure concerning data controller or processor is established in another Member State.

3. The chief supervisor shall communicate without delay the relevant information on this topic in other supervisory authorities. Submit without delay a draft decision to the other supervisory authorities for opinion and duly take into account their views.

4. If any of the other supervisory authorities, within four weeks of referral, in accordance with paragraph 3 of this Article, displays relevant and reasoned objection to the draft decision, the chief supervisor, if not followed relevant and reasoned objection or considers that the objection is not relevant or justified, submit the matter to the consistency mechanism referred to in Article 63.

5. If the chief supervisor intends to follow those made relevant and reasoned objection, submit to the other supervisory authorities revised draft decision to give their opinion. This revised draft decision is subject to the procedure referred to in paragraph 4, within two weeks.

6. When any of the other supervisory authorities concerned have not expressed an objection to the draft decision submitted by the chief supervisory authority within the period referred to in paragraphs 4 and 5, presumed that the chief supervisor and the supervisory authorities agree with this draft decision and are bound by this.

7. The chief supervisor shall issue and notify its decision in the main or, considering, the only installation of the controller or the processor and informs the other supervisory authorities concerned and the Data Protection Council for decision, providing inter alia a summary of the facts and legal claims. The supervisory authority that has received a complaint informs the complainant of the decision.

8. Notwithstanding paragraph 7, if a complaint has been declared inadmissible or rejected, the supervisory authority to which the complaint was submitted shall adopt a decision, notify the complainant and inform the controller.

9. If the chief supervisor and the supervisory authorities agree to deem unacceptable or reject parts of a complaint and act on other parts of the same complaint, a separate decision shall be issued for each of the sections. The chief supervisor makes the decision for the section on actions of the controller, to notify the principal or sole installation of the controller or the processor in the territory of the Member State concerned and shall inform the complainant, while the supervisor of the complainant makes the decision for the part regarding the admissibility or rejection of the complaint and notify the complainant in question and inform the controller or the processor.

10. After notification of the chief supervisory authority in accordance with paragraphs 7 and 9, the controller or the processor shall take the necessary measures to ensure compliance with the decision concerning the processing operations in all of the Union facilities. The controller or the processor shall communicate the measures taken to comply with the judgment in chief supervisor, which shall inform the other supervisory authorities.

The head of supervisory authority shall cooperate with other supervisory authorities in accordance with this article

L 119/72 Official Journal of the European Union 4.5.2016

THE

11. If, in exceptional circumstances, a supervisory authority has reason to consider that there is an urgent need for measures to protect the interests of data subjects, apply the urgent procedure referred to in Article 66.

12. The chief supervisor and the other supervisory authorities shall provide the information required under this Article any other authority electronically, using a standard format.

Article 61

mutual assistance

1. The supervisory authorities shall provide each other relevant information and mutual assistance, to implement and apply this Regulation in a consistent manner, and adopt measures for their effective cooperation. Mutual assistance covers, Especially, requests for information and control measures, for example requests prior consultations and approvals, audits and investigations.

2. Each supervisory authority shall take all appropriate measures required to reply to a request of another supervisory authority without delay and no later than one month after receipt of the request. Such measures may include, Especially, the transmission of relevant information regarding the investigation.

3. The requests for assistance contain all the necessary information, including the purpose and reasons of the request. Information exchanged shall be used only for the purpose for which it was requested.

4. Supervisory authority to which a request does not refuse to comply with the request, unless:

a) is not responsible for the subject of the claim or action to be performed or

b) compliance with the request would infringe this Regulation or by Union law or Member State law which governs supervisory authority receiving the request.

5. The supervisory authority to which the request was made shall notify the supervisory authority which made the request for the results or, it depends on the situation, the progress of measures taken to respond to the request. The supervisory authority to which the request explaining the reasons for any refusal to comply with a request under paragraph 4.

6. The supervisory authorities submitted a request providing, generally, the information requested by other supervisory authorities by electronic means, using a standard format.

7. The supervisory authorities submitted a request not impose any fee for any action taken following a request for mutual assistance. The supervisory authorities may agree rules on compensation for certain costs resulting from mutual assistance in exceptional circumstances.

8. If a supervisor does not provide those referred to in paragraph 5 of this Article information within one month of receipt of the request of another supervisory authority, the supervisory authority which made the request may adopt an interim measure in the Member State responsible pursuant to Article 55 paragraph 1. In this case, It considered that there is an urgent need to take measures under Article 66 paragraph 1 and urgent binding decision of the Data Protection Council, according to the article 66 paragraph 2.

9. The Commission may, through implementing acts, determine the format and procedures for mutual assistance referred to in this Article and the arrangements for the exchange of information by electronic means between supervisory authorities and between supervisory authorities and the Data Protection Council, in particular the standardized format referred to in paragraph 6 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93 paragraph 2.

Article 62

Joint operations control authorities

1. The supervisory authorities shall, when needed, joint ventures, including joint investigations and joint enforcement measures, involving members or employees of supervisory authorities of other Member States.

4.5.2016 Official Journal of the European Union L 119/73

THE

2. When the controller or processor is established in several Member States or in cases where a significant number of data subjects in several Member States may be significantly affected by processing operations, a supervisory authority of each of these Member States is entitled to participate in joint operations. The supervisory authority competent under Article 56 paragraph 1 or 4, invite the supervisory authorities of each of those Member States to take part in joint operations and respond promptly to the supervisory authority's request for participation.

3. The supervisory authority may, in accordance with the law of the Member State and with the approval of the supervisory authority posting, confer powers, including powers of investigation, members or employees of the supervisory authority posting participating in joint operations or, if permitted by the law of the Member State of the host supervisor, to allow members or employees of posting supervisory authority to exercise their powers of investigation under the law of the Member State of posting supervisory authority. These investigative powers may be exercised only under the guidance and in the presence of members or employees of the host supervisor. Members or employees of the supervisory authority posting subject to the law of the Member State of the host supervisor.

4. When, in accordance with paragraph 1, the staff of the supervisory authority acting posting in another Member State, the Member State of the host supervisor takes responsibility for their actions, including that about any damage caused during the activities there, according to the Member State in whose territory the act.

5. The Member State in whose territory the damage caused restores under the conditions applicable to damage caused by the staff of. The Member State of posting supervisory authority whose staff has caused damage to any person in the territory of another Member State returns to that other Member State all the sums paid to beneficiaries.

6. Without prejudice to the exercise of its rights against third parties and in’ exception to paragraph 5, each Member State shall waive, in the case of paragraph 1, the ability to request another Member State of compensation for damage referred to in paragraph 4.

7. If the joint venture is to be conducted and a supervisory authority does not comply within one month with the obligation laid down in the second sentence of paragraph 2 of this Article, other supervisors may adopt a provisional measure on the territory of the Member State which fall under Article 55. In this case, It considered that there is an urgent need to take measures under Article 66 paragraph 1 and required urgent opinion or a binding decision of the Data Protection Council under Article 66 paragraph 2.

Part 2

tenacity

Article 63

consistency mechanism

To contribute to the coherent application of this Regulation throughout the Union, supervisory authorities cooperate and, if necessary, the Commission, through the consistency mechanism as provided in this section.

Article 64

Council Opinion

1. The Council shall issue an opinion whenever a competent authority intends to adopt any of the following measures. For this purpose, The competent supervisory authority shall communicate the draft decision to the Council, when:

1. a) It aims at adopting a list of processing operations that are subject to the requirement to conduct an impact assessment on data protection under Article 35 paragraph 4,
2. b) it concerns a matter under Article 40 paragraph 7 whether a draft code of conduct or a change or extension of the code of conduct in accordance with this Regulation,

L 119/74 c)

d)

e) f)

Official Journal of the European Union 4.5.2016

It seeks the approval of the entity accreditation criteria in accordance with Article 41 paragraph 3 or certification body in accordance with Article 43 paragraph 3,

It aims to define standard data protection clauses referred to in Article 46 paragraph 2 point d) and Article 28 paragraph 8,

aimed at approval of contract terms of Article 46 paragraph 3 point a) or aimed at adoption of binding corporate rules within the meaning of Article 47.

THE

2.
any matter of general application or problem that produces results in more than one Member State of the Data Protection Board, in order to issue an opinion, especially when competent authority not in compliance with the mutual assistance obligations under Article 61 or of joint ventures pursuant to Article 62.

3. In the cases referred to in paragraphs 1 and 2, the Data Protection Board shall issue an opinion on the subject submitted to it, if not already issued an opinion on the same issue. This opinion was issued within eight weeks by simple majority of the Data Protection Board. This period may be extended by six more weeks, taking into account the complexity of the matter. Regarding the draft decision referred to in paragraph 1 and communicated to the Board of Directors in accordance with paragraph 5, a member who has not objected within a reasonable deadline set by the President considered that he agrees with the draft decision.

4. The supervisory authorities and the Commission, without undue delay, communicate electronically, using a standard format, the Data Protection Board all relevant information, included, it depends on the situation, summary of the facts, The draft decision, the reasons why the implementation of this measure is necessary and the views of other supervisory authorities.

5. a)

b)

The President of the Data Protection Council without delay inform by electronic means:

the Data Protection Council members and the Commission of any relevant information that has been announced, using a standard format. The secretariat of the Data Protection Council shall provide translations of relevant information, if necessary, and

the supervisory authority referred, it depends on the situation, in paragraphs 1 and 2, and the Commission of the opinion, and publish.

Each supervisor, President of the Data Protection Council or the Commission may request the examination

6.
referred to in paragraph 3.

The competent authority does not approve the draft decision referred to in paragraph 1 within the period

7. The supervisory authority referred to in paragraph 1 take particular account of the opinion of the Data Protection Council and, within two weeks of receipt of the opinion, notifies the President of the Data Protection Council by electronic means whether to retain or amend the draft decision, if applicable, the modified draft decision, using a standard format.

8. When the supervisory authority concerned shall inform the President of the Data Protection Council, within the period referred to in paragraph 7 of this Article, it intends not to follow the opinion of the Data Protection Council, in whole or in part, giving the reasons for, apply Article 65 paragraph 1.

Article 65

Dispute resolution by the Data Protection Board

1. To ensure the correct and consistent implementation of this Regulation in individual cases, the Data Protection Board shall issue a binding decision on these cases:

a) when, in the case referred to in Article 60 paragraph 4, the supervisory authority concerned has made a relevant and reasoned objection to the draft decision of the chief principle or chief authority rejected that complaint as irrelevant or reasoned. The binding decision on all matters that are the subject of the reasoned objection, especially when there is a breach of this Regulation,

4.5.2016 b)

c)

Official Journal of the European Union L 119/75

when there are conflicting views on which of the supervisory authorities responsible for the main installation,

if a competent authority does not consult the Data Protection Council in the cases referred to in Article 64 paragraph 1 or does not follow the opinion of the Data Protection Council adopted pursuant to Article 64. In this case, each supervisory authority concerned or the Commission may communicate the matter to the Data Protection Board.

THE

2.
two thirds of the Data Protection Board. This period may be extended by another month, due to the complexity of the object. The reference to paragraph 1 decision is justified and addressed to chief supervisor and all supervisory authorities concerned and shall be binding on those.

3. When the Data Protection Board is unable to reach a decision within the period referred to in paragraph 2, issue its decision within two weeks of the end of the second month mentioned in paragraph 2 a simple majority of the Data Protection Board. When the Data Protection Council members agree, this decision is taken by the vote of the President of.

4. The supervisory authorities do not issue a decision on the matter submitted to the Data Protection Board under paragraph 1 during the periods referred to in paragraphs 2 and 3.

5. The President of the Data Protection Council shall, without undue delay, the decision referred to in paragraph 1 to the supervisory authorities. Inform the Commission. It shall be published without delay in the Data Protection Council website, since the supervisor notifies the final decision referred to in paragraph 6.

6. The head of supervisory authority or, it depends on the situation, the supervisory authority to which the complaint was lodged take its final decision on the basis of the decision referred to in paragraph 1 of this Article, without undue delay and no later than one month after the Data Protection Board has communicated its decision. The head of supervisory authority or, it depends on the situation, the supervisory authority to which the complaint was lodged shall notify the Data Protection Council of the date on which the final decision is notified to the controller or the processor and the data subject respectively. The final decision by the supervisory authorities taken in accordance with the terms of Article 60 paragraphs 7, 8 and 9. The final decision referred to in the decision referred to in paragraph 1 this article clarifies that the decision referred to in that paragraph shall be published in the Data Protection Council website in accordance with paragraph 5 of this Article. The final decision shall annex the decision referred to in paragraph 1 of this Article.

Article 66

urgency procedure

1. In exceptional cases, where a supervisory authority considers that there is an urgent need for measures to protect the rights and freedoms of data subjects, can, notwithstanding the consistency mechanism Articles 63, 64 and 65 or the Article 60, immediately adopt provisional measures intended to produce legal effects in its territory, a specific duration which does not exceed three months. The supervisory authority shall communicate those measures, and the reasons for their adoption, the other supervisory authorities, the Data Protection Council and Commission.

2. If the supervisory authority has taken a measure under paragraph 1 and considers that urgent measures are needed permanently, may request the adoption of urgent opinion or urgent binding decision of the Data Protection Board, justifying its request for an opinion or decision.

3. Each supervisory authority may require the adoption of urgent opinion or a binding decision, it depends on the situation, the Data Protection Council, when the appropriate measures by a competent supervisory authority in the case in which urgently needed measures to protect the rights and freedoms of data subjects are not taken, justifying its request for an opinion or decision, including the urgent need for measures.

4. Notwithstanding Article 64 paragraph 3 and Article 65 paragraph 2, opinion emergency or urgent binding decision under paragraphs 2 and 3 of this Article shall be adopted within two weeks by simple majority of the Data Protection Board.

The decision referred to in paragraph 1 issued within one month of referral by a majority

L 119/76 Official Journal of the European Union 4.5.2016

THE

Article 67

exchange of information

The Commission may adopt implementing acts of general scope to identify the information exchange arrangements by electronic means between supervisory authorities and between supervisory authorities and the Data Protection Council, in particular the standardized format referred to in Article 64.

Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93 paragraph 2. Part 3

European Data Protection Board

Article 68

European Data Protection Board

1. The European Data Protection Board ("Data Protection Board") established as a Union body with legal personality.

2. The Data Protection Board is represented by its President.
3. The Data Protection Board composed of the head of a supervisory authority of each Member State and

the EDPS or their respective representatives.

4. If a Member State are more supervisory authorities responsible for monitoring the implementation of provisions under this Regulation, defined common representative under the law of that Member State.

5. The Commission is entitled to participate without voting rights in the activities and meetings of the Data Protection Council. The Commission shall appoint its representative. The President of the Data Protection Council shall notify the Commission of the Data Protection Council activities.

6. In the cases referred to in Article 65, the European Data Protection Supervisor has the right to vote only in decisions concerning the principles and rules applicable to the Union institutions, to players, services and organizations representing at’ substance to those of this Regulation.

Article 69

Independence

1. The Data Protection Board shall be independent in the performance of his duties or the exercise of its powers under Articles 70 and 71.

2. Subject of the Commission pursuant to Article 70 paragraph 1 b) and Article 70 paragraph 2, the Data Protection Council shall not seek or take instructions from anyone in the performance of his duties or the exercise of its powers.

Article 70

Tasks of the European Data Protection Board

1. The Data Protection Board shall ensure the consistent application of this Regulation. For this purpose, the Data Protection Council, on his own initiative or, where appropriate, request of the Commission, Especially:

a) monitor and ensure the proper implementation of this Regulation in the cases referred to in Articles 64 and 65, without prejudice to the tasks of national supervisory authorities,

4.5.2016 Official Journal of the European Union L 119/77

THE

2. b) advise the Commission on any matter relating to the protection of personal data in the Union, including any proposed amendments to this Regulation,
3. c) advise the Commission on the format and procedures for sharing information between controllers, processors and supervisory authorities for binding corporate rules,
4. d) issue guidelines, recommendations and best practices on procedures for deleting links, copies or replications of personal data from publicly available communication services, as referred to in Article 17 paragraph 2,
5. e) examines, on his own initiative, at the request of one of its members or at the request of the Commission, any matter relating to the implementation of this Regulation and issue guidelines, Recommendations and best practices, in order to foster consistent implementation of this Regulation,

f) issue guidelines, recommendations and best practices in accordance with subparagraph e) of this paragraph to further define the criteria and conditions for decision making based training under Article profile 22 paragraph 2,

6. g) issue guidelines, recommendations and best practices in accordance with subparagraph e) of this paragraph relating to the finding of violation of personal data and determining without delay the action referred to in Article 33 paragraphs 1 and 2 and on the specific conditions under which the controller or the processor shall communicate the violation of personal data,
7. or) issue guidelines, recommendations and best practices in accordance with subparagraph e) of this paragraph regarding the circumstances under which the violation of personal data may result in a high risk to the rights and freedoms of natural persons referred to in Article 34 paragraph 1,
8. i) issue guidelines, recommendations and best practices in accordance with subparagraph e) of this paragraph to further define the criteria and requirements for transfers of personal data based on binding corporate rules to keep controllers and binding corporate rules to keep controllers and further necessary requirements, to ensure the protection of personal data of the concerned data subjects referred to in Article 47,

226. k) issue guidelines, recommendations and best practices in accordance with subparagraph e) of this paragraph for the purpose of further specifying the criteria and requirements for transfers of personal data under Article 49 paragraph 1,
227. l) develop guidelines for supervisors regarding the implementation of the measures referred to in Article 58 paragraphs 1, 2 and 3 and determining administrative fines under Article 83,
228. m) examines the practical application of the guidelines, recommendations and best practices referred to in points) and St),
229. n) issue guidelines, recommendations and best practices in accordance with subparagraph e) of this paragraph for the development of common procedures for reporting by natural persons for infringements of this Regulation pursuant to Article 54 paragraph 2,
230. o) encourages the development of codes of conduct and the establishment of data protection certification mechanisms and data protection seals and marks under Articles 40 and 42,

p) performs the accreditation of certification bodies and periodic review under Article 43 and keep a public register of accredited bodies in accordance with Article 43 paragraph 6 and accredited controllers or processors established in third countries in accordance with Article 42 paragraph 7,

231. q) specifies the requirements stated in Article 43 paragraph 3 in order for the accreditation of certification bodies in accordance with Article 42,
232. r) advise the Commission on the certification requirements referred to in arthroou 43 paragraph 8,
233. s) advise the Commission on the icons listed in Article 12 paragraph 7,

K) give the Commission an opinion on the assessment of the protection level of competence in a third country or international organization, including the assessment of whether a third country, a ground or one or more specific sectors in that third country or international body does not ensure more adequate level of protection. For this purpose, The Commission shall provide the Data Protection Board all the necessary documentation, including correspondence with the government of a third country, with regard to that third country, the territory or the sector or the international organization,

L 119/78 Ms.)

v)

w)

x)

y)

z)

Official Journal of the European Union 4.5.2016

deliver opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism referred to in Article 64 paragraph 1 and issues submitted pursuant to Article 64 paragraph 2 and issue binding decisions under Article 65, including in the cases referred to in Article 66,

promotes cooperation and an effective bilateral and multilateral exchange of information and best practices among supervisors,

promoting joint training programs and facilitate staff exchanges between supervisors and, where appropriate, with the supervisory authorities of third countries or international organizations,

It promotes the exchange of knowledge and documentation on legislation and practice in the field of data protection as the data protection supervisory authorities worldwide,

opinion on codes of conduct drawn up at Union level in accordance with Article 40 paragraph 9 and

maintains a publicly accessible electronic register of the decisions taken by the supervisory authorities and courts on issues discussed within the consistency mechanism.

THE

2.
taking into account the urgency of the matter.

When the Commission asks the Data Protection Consultants, may report indicative deadline,

3. The Data Protection Board shall forward its opinions, guidelines, recommendations and best practices issued by the Commission and the Committee of the article 93 and publicize.

4. Where appropriate, the Data Protection Council shall consult stakeholders and gives them the opportunity to comment within a reasonable time. The Data Protection Board, without prejudice to Article 76, communicate the results of the consultation.

Article 71

exhibitions

1. The Data Protection Board shall prepare an annual report on the protection of individuals with regard to the Union processing and, where appropriate, in third countries and international organizations. The report is published and forwarded to the European Parliament, the Council and the Commission.

2. The annual report shall include consideration of the practical application of the guidelines, recommendations and best practices referred to in Article 70 paragraph 1 point l), and binding decisions referred to in Article 65.

Article 72

Procedure

1. The Data Protection Board shall decide by simple majority of its members, unless otherwise specified in this Regulation.

2. The Data Protection Board shall adopt its rules of procedure by a majority of two thirds of its members and organizes the applicable operating rules.

Article 73

Chairman

1. The Data Protection Board shall elect a chairman and two deputy chairmen from among its members by a simple majority.

2. The term of office of the President and Deputy Presidents shall be five years and is renewable once.

4.5.2016

Official Journal of the European Union L 119/79

THE

1. a) b)

c)

Article 74

Duties of the President

The duties of the President are the following:
convene meetings of the Data Protection Council and prepare its agenda,

notify the decisions issued by the Data Protection Board under Article 65 the chief supervisor and the supervisory authorities,

ensuring timely implementation of the Data Protection Advisor, particularly in relation to the consistency mechanism Article 63.

2.
President and deputy presidents.

The Data Protection Council shall determine the rules of allocation of tasks between the

Article 75

Secretariat

1. The Data Protection Board is assisted by a secretariat, provided by the European Data Protection Supervisor.

2. The Secretariat shall function solely on the basis of the President of the Data Protection Council mandates.

3. The European Data Protection Supervisor personnel involved in performing the tasks entrusted to the Data Protection Board under this regulation is subject to separate hierarchical levels of personnel involved in carrying out the tasks entrusted to the European Data Protection Supervisor.

4. In the event, the Data Protection Council and the European Data Protection Supervisor shall draw up and publish a memorandum of cooperation for the implementation of this Article, setting out the terms of cooperation and which apply to the European Data Protection personal data involved in the exercise

of

5.

6. a) b) c) d) e) f) g)

tasks entrusted to the Data Protection Board under this Regulation.

The Secretariat shall provide analytical, administrative and logistical support to the Data Protection Board.

The secretariat is in particular responsible for the following:

the daily tasks of the Data Protection Council,

communication between the Data Protection Board, and the President of the Commission,

communication with other institutions and the public,

using electronic means for the internal and external communication,

the translation of relevant information,

preparation and follow-up to meetings of the Data Protection Council,

the preparation, drafting and publication of opinions, decisions on disputes between supervisory authorities and other texts adopted by the Data Protection Board.

Article 76

confidentiality

1.
Data deemed necessary, as provided in the Rules of.

The Data Protection Council proceedings must be confidential if Protection Board

L 119/80 Official Journal of the European Union 4.5.2016

THE

2. Access to documents submitted to the Data Protection Council members, Experts and representatives of third parties shall be governed by Regulation (FROM) No. 1049/2001 European Parliament and Council (1).

CHAPTER VIII

Refugees, liability and sanctions

Article 77

Right to complain to a supervisor

1. Notwithstanding any other administrative or judicial appeal, any data subject has the right to complain to a supervisor, especially in the Member State in which he has his habitual residence or place of work or place of alleged infringement, if the data subject considers that the processing of personal data which concerns breach of this Regulation.

2. The supervisory authority that has received a complaint informs the complainant of the progress and outcome of the complaint, and for the possibility of judicial redress in accordance with Article 78.

Article 78

Right to an effective judicial remedy against supervisory authority

1. Without prejudice to any other administrative or non-judicial redress, any natural or legal person has the right to an effective judicial remedy against legally binding decision supervisory authority in respect.

2. Without prejudice to any other administrative or non-judicial redress, any data subject has the right to an effective judicial remedy, if the supervisory authority is competent pursuant to Articles 55 and 56 not investigate the complaint or does not inform the data subject within three months on the progress or outcome of a complaint lodged under Article 77.

3. The proceedings against supervisory body move before the Member State in which it is established that the supervisory authority.

4. When proceedings are initiated by the Supervisory Authority Decision, preceded opinion or decision of the Data Protection Council under the consistency mechanism, the supervisory authority shall submit to the court the particular opinion or decision.

Article 79

Right to an effective judicial remedy against a controller or processor

1. Without prejudice to any available administrative or non-judicial redress, including the right to submit complaints to supervisory authority pursuant to Article 77, each data subject has the right to an effective judicial remedy if they consider that their rights under this regulation violated as a result of the processing of personal data of which concern in contravention of this Regulation.

2. The process controller or processor moves before the courts of the Member State where the controller or the processor are installed. Alternatively, this procedure may be initiated before the courts of the Member State where the data subject has its habitual residence, unless the controller or the processor is a public authority of a Member State acting in the exercise of public powers.

(1) regulation (FROM) No. 1049/2001 European Parliament and Council, 30 May 2001, regarding public access to European Parliament documents, Council and Commission (OJ L 145 of 31.5.2001, p. 43).

4.5.2016 Official Journal of the European Union L 119/81

THE

Article 80

Representation of data subjects

1. The data subject has the right to assign a non-profit organization, organization or association duly constituted under the law of a Member State, It has statutory objectives that are of general interest and is active in protecting the rights and freedoms of the subjects of the data in relation to the protection of personal data to submit the complaint on behalf and to exercise the rights referred to in Articles 77, 78 and 79 on its behalf and to exercise the right to compensation referred to in Article 82 behalf of, if provided for by the law of the Member State.

2. Member States may provide that any entity, organization or association referred to in paragraph 1 of this Article shall have the right, regardless of any assignment of the data subject, submit to the Member State concerned a complaint to the supervisory authority competent under Article 77 and to exercise the rights referred to in Articles 78 and 79, if it considers that the rights of data subjects under this regulation violated as a result of processing.

Article 81

Suspension of procedures

1. When a competent court of a Member State has information that it processes on the same subject on the same processed by a controller or processor pending in another Member State court, communicate with the competent court of that other Member State to confirm the existence of such procedures.

2. When processes on the same subject on the same processed by a controller or processor pending in another Member State court, any competent court other than the court first seised may stay its own procedures.

3. When these procedures are pending at first instance, any court other than the first seised may also, at the request of the parties, decline jurisdiction, if the court first seised has jurisdiction for such actions and its law permits the consolidation thereof.

Article 82

Compensation and liability

1. Any person who has suffered material or non-material damage as a result of violation of this Regulation is entitled to compensation from the controller or the processor for the damage suffered.

2. Each controller involved in the process is responsible for the damage caused by the processing of violating this Regulation. The processor is liable for damage caused by processing only if not met the requirements of this Regulation relating to particular processors or exceeded or acted contrary to the lawful commands of the controller.

3. The controller or the processor is released from their responsibility under paragraph 2, if that proves not responsible for the event giving rise to the damage.

4. If several controllers or processors or both the controller and the processor involved in the same process and, if under paragraphs 2 and 3 responsible for any loss caused by treatment, each controller or processor shall be liable for the total loss, to ensure effective compensation of the data subject.

5. If the controller or the processor has paid, in accordance with paragraph 4, full compensation for the damage caused, said controller or processor entitled to request from other controllers or processors involved in the same process to recover part of the compensation corresponding to their share of responsibility for the damage caused in accordance with the requirements of paragraph 2.

L 119/82 Official Journal of the European Union 4.5.2016

THE

6. Judicial procedures for exercising the right to compensation brought before the competent courts under the law of the Member State referred to in Article 79 paragraph 2.

Article 83

General conditions impose administrative fines

1. Each supervisory authority shall ensure that administrative fines in accordance with this Article against infringements of this Regulation referred to in paragraphs 4, 5 and 6 be for each individual case effective, proportionate and dissuasive.

2. Administrative fines, depending on the circumstances of each individual case, imposed in addition to or instead of the measures referred to in Article 58 paragraph 2 evidence a) to the) and Article 58 paragraph 2 point j). When deciding on the imposition of an administrative fine, and on the amount of the administrative fine for each individual case, taking due account of the following:

1. a) the nature, the gravity and duration of the infringement, taking into account the nature, scope or purpose of the relevant processing, and the number of data subjects raised by the offense and the degree of damage sustained,
2. b) the fault or negligence caused the breach,
3. c) any actions taken by the controller or the processor to mitigate the losses suffered by data subjects,
4. d) the degree of responsibility of the controller or the processor, taking into account the technical and organizational measures applied under Articles 25 and 32,
5. e) any relevant previous violations of the controller or the processor,

f) the degree of cooperation with the supervisory authority to remedy the violation and to limit possible adverse effects on,

6. g) the categories of personal data that affects the infringement,
7. or) the way in which the supervisory authority is informed of the infringement, specifically whether and how the controller or the processor notified infringement,
8. i) if previously ordered the taking of the measures referred to in Article 58 paragraph 2 against the offending controller or processor on the same subject, compliance with these measures,
9. j) compliance with codes of conduct approved pursuant to Article 40 or approved certification mechanisms in accordance with Article 42 and

k) any other aggravating or mitigating factors arising from the circumstances of the case, as the economic benefits gained or losses avoided, directly or indirectly, infringement.

3. If the controller or the processor, for the same or related processing operations, violates several provisions of this Regulation, the total amount of the administrative fine not exceeding the amount specified for the heavier violation.

4. Violations of the following provisions are punishable, in accordance with paragraph 2, fines to 10 000 000 EUR ή, if enterprises, until the 2 % of total global annual turnover of the previous year, whichever is higher:

a) the obligations of the controller and the processor in accordance with Articles 8, 11, 25 until 39 and 42 and 43,

b) obligations of the certification authority in accordance with Articles 42 and 43,
c) obligations of the monitoring body in accordance with Article 41 paragraph 4.

4.5.2016 Official Journal of the European Union L 119/83

THE

5. Violations of the following provisions are punishable, in accordance with paragraph 2, fines to 20 000 000 EUR ή, if enterprises, until the 4 % of total global annual turnover of the previous year, whichever is higher:

1. a) The basic principles for processing, including the conditions applicable to the approval, in accordance with Articles 5, 6, 7 and 9,
2. b) the rights of data subjects under Articles 12 until 22,
3. c) the transfer of personal data to a recipient in a third country or international organization in accordance with Articles 44 until 49,
4. d) any obligations under the law of the Member State adopted pursuant to Chapter IX,
5. e) Failure to comply with an order or temporary or permanent restriction of treatment or inhibition of data movement imposed by the supervisory authority pursuant to Article 58 paragraph 2 or failure to provide access in breach of Article 58 paragraph 1.

6. Failure to comply with an order of the supervisory authority referred to in Article 58 paragraph 2 draws, in accordance with paragraph 2 of this Article, fines to 20 000 000 EUR ή, if enterprises, until the 4 % of total global annual turnover of the previous year, whichever is higher.

7. Notwithstanding the remedial powers of supervisors in accordance with Article 58 paragraph 2, each Member State may determine the rules on whether and to what extent administrative fines can be imposed on public authorities and bodies established in that Member State.

8. The exercise by the supervisory authority of its powers under this Article shall be subject to adequate procedural safeguards in accordance with Union law and the law of the Member State, including an effective judicial remedy and the observance of due process.

9. When the legal system of the Member State does not provide for administrative fines, This Article may be applied so that the enforcement proceedings be initiated by the competent authority and enforced by the competent national courts, while ensuring that those remedies are effective and have equivalent effect to the fines imposed by the supervisory authorities. in any case, fines imposed are effective, proportionate and dissuasive. These Member States shall communicate to the Commission the provisions of their laws adopted pursuant to this paragraph, until 25 May 2018 and, without delay, every next-amendment law or amendment.

Article 84

penalties

1. Member States shall lay down the rules relating to other penalties applicable to infringements of this Regulation, especially for offenses not subject to administrative fines under Article 83, and shall take all measures necessary to ensure that they apply. Those sanctions are effective, proportionate and dissuasive.

2. Each Member State shall notify the Commission of the provisions laid down in its law under paragraph 1, until 25 May 2018 and, without delay, every subsequent amendment.

CHAPTER IX

Provisions concerning specific processing cases

Article 85

Processing and freedom of expression and information

1. Member States by law reconcile the right to protection of personal data under this Regulation the right to freedom of expression and information, including processing for journalistic purposes and for purposes of university, artistic or literary expression.

L 119/84 Official Journal of the European Union 4.5.2016

THE

2. For the processing carried out for journalistic purposes or for academic purposes, artistic or literary expression, Member States shall provide for exemptions or derogations from Chapter II (authorities), Chapter III (rights of the data subject), Chapter IV (controller and processor), Chapter V (transfer of personal data to third countries or international organizations), Chapter VI (independent supervisory authorities), Chapter VII (cooperation and consistency) and Chapter IX (specific data processing situations), if they are necessary to reconcile the right to protection of personal data, freedom of expression and information.

3. Each Member State shall notify the Commission of the provisions laid down in its law under paragraph 2 and, without delay, each subsequent amending the law or amendment.

Article 86

Processing and public access to official documents

The personal data to official documents held by a public authority or a public or private entity for the performance of a task carried out in the public interest may be served by that authority or body in accordance with Union law or Member State which governs public authority or body, to compatible public access to official documents with the right to protection of personal data under this Regulation.

Article 87

Edit the national identification number

Member States may further define the specific conditions for processing national identification number or other identifier of general application identity element. In this case, national identification number or any other identifier of general application identity element is used only with appropriate safeguards for the rights and freedoms of the data subject under this Regulation.

Article 88

Processing in the employment context

1. The member states, through legislation or through collective agreements, They may adopt specific rules in order to ensure the protection of rights and freedoms with regard to the processing of personal data of workers in the employment context, especially for recruiting purposes, execution of the employment contract, including the implementation of obligations prescribed by law or by collective agreements, management, planning and organizing work, equality and diversity in the workplace, health and safety at work, protection of employers' assets and clients for exercise purposes and pleasure, individually or collectively, Rights and benefits related to employment for purposes of termination of the employment relationship.

2. These rules include appropriate and specific measures to safeguard human dignity, the legitimate interests and fundamental rights of the data subject, with particular emphasis on transparency of processing, the transfer of personal data within a group of companies, or group of companies engaged in joint economic activity and monitoring systems in the workplace.

3. Each Member State shall notify the Commission of the provisions laid down in its law under paragraph 1, until 25 May 2018 and, without delay, every subsequent amendment.

Article 89

Safeguards and derogations concerning the processing for archiving purposes in the public interest purposes or scientific or historical research or statistical purposes

1. The processing for archiving purposes in the public interest or for the purpose of scientific or historical research or statistical purposes ypokeitaise appropriate safeguards, accordance with this Regulation, to the rights and freedoms of the data subject, accordance with this Regulation. These guarantees ensure that the technical and organizational measures in place, in particular to ensure that the principle of minimizing

4.5.2016 Official Journal of the European Union L 119/85

THE

data. These measures may include the use of pseudonyms, where these objects can be fulfilled by’ this way. Since these objects may be fulfilled by further processing which is not possible or not now permits the identification of data subjects, these objects are fulfilled by’ this way.

2. Where personal data processed for scientific or historical research or statistical purposes, Union law or Member State may derogate from the rights referred to in Articles 15, 16, 18 and 21, subject to the conditions and guarantees referred to in paragraph 1 of this Article, where such rights are likely to make impossible or seriously hinder the achievement of specific objectives, and where such derogations are necessary for the fulfillment of those objectives.

3. Where personal data are processed for archiving purposes in the public interest, Union law or Member State may derogate from the rights referred to in Articles 15, 16, 18, 19, 20 and 21, subject to the conditions and guarantees referred to in paragraph 1 of this Article, where such rights are likely to make impossible or seriously hinder the achievement of specific objectives, and where such derogations are necessary for the fulfillment of those objectives.

4. When the treatment referred to in paragraphs 2 and 3 serves at the same time and another purpose, derogations apply only to processing for the purposes provided these paragraphs.

Article 90

Confidentiality obligations

1. Member States may adopt specific rules for determining the powers of the supervisory authorities, provided for in Article 58 paragraph 1 elements with) and St), in relation to controllers or processors which are imposed, by Union law or Member State or rules established by national competent bodies, obligation of professional secrecy or other equivalent obligations of confidentiality, if necessary and proportionate, in order to reconcile the right to protection of personal data with the obligation of secrecy. These rules apply only in relation to personal data which the controller or the processor received or secured within the activity covered by that obligation of secrecy.

2. Each Member State shall notify the Commission the rules adopted pursuant to paragraph 1, until 25 May 2018 and, without delay, every subsequent amendment.

Article 91

Existing rules on the protection of data of churches and religious associations

1. If a Member State churches and religious associations or communities apply, upon entry into force of this Regulation, comprehensive rules concerning the protection of individuals with regard to the processing, these rules may continue to apply, if aligned with the provisions of this Regulation.

2. The churches and religious associations which apply comprehensive rules in accordance with paragraph 1 of this Article subject to the control of an independent supervisory authority, which may be specific, provided that it meets the requirements of Chapter VI of this Regulation.

CHAPTER X

First’ delegated acts and implementing acts

Article 92

Exercise of the delegation

1. The power to adopt’ delegated acts is conferred on the Commission subject to the conditions set out in this Article.

L 119/86 Official Journal of the European Union 4.5.2016

THE

2. The authorization referred to in Article 12 paragraph 8 and Article 43 paragraph 8 conferred on the Commission’ indefinitely from 24 May 2016.

3. The authorization referred to in Article 12 paragraph 8 and Article 43 paragraph 8 It may be revoked at any time by the European Parliament or the Council. The decision of revocation shall terminate the delegation of power specified in that decision. Enter into force on the day following its publication in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of already existing in’ delegated acts.

4. As soon as it adopts’ delegated act, the Commission shall notify it simultaneously to the European Parliament and the Council.

5. First’ delegated act adopted pursuant to Article 12 paragraph 8 and Article 43 paragraph 8 enter into force only if no objection from either the European Parliament or the Council within three months from the date of notification of that act to the European Parliament and the Council or if, before the expiry of this deadline, the European Parliament and the Council have both informed the Commission that they will not object. This period shall be extended by three months at the initiative of the European Parliament or the Council.

Article 93

Committee procedure

1. The Commission shall be assisted by a committee. That committee is a committee within the meaning of Regulation (EU) No. 182/2011.

2. Where reference is made to this paragraph, apply Article 5 Regulation (EU) No. 182/2011.
3. Where reference is made to this paragraph, apply Article 8 Regulation (EU) No. 182/2011, in

conjunction with Article 5.

CHAPTER XI

final provisions

Article 94

Repeal of Directive 95/46 / EC

1. Directive 95/46 / EC is repealed from 25 May 2018.
2. References to the repealed Directive shall be construed as references to this Regulation. References to the group

protection of individuals with regard to personal data, established by Article 29 Directive 95/46 / EC, as references to the European Data Protection Board established by this Regulation.

Article 95

Relationship with Directive 2002/58 / EC

This Regulation does not impose additional obligations on natural or legal persons in relation to the treatment in the provision of publicly available electronic communications services in public communications networks in the Union in relation to issues which are subject to specific obligations with the same objective set out in Directive 2002/58 / EC.

4.5.2016 Official Journal of the European Union L 119/87

THE

Article 96

Relationship with agreements previously

International agreements which involve the transfer of personal data to third countries or international organizations concluded by Member States before 24 May 2016, and which are compatible with applicable before that date Union law, remain in force until amended, replaced or revoked.

Article 97

Commission reports

1. Until 25 May 2020 and then every four years, the Commission reports on the evaluation and review of this Regulation to the European Parliament and the Council. The reports made public.

2. Evaluations and reviews referred to in paragraph 1, the Commission examines, particularly, implementation and operation:

a) Chapter V on personal data to third countries or international organizations, taking due account of the decisions adopted pursuant to Article 45 paragraph 3 of this Regulation and the decisions adopted pursuant to Article 25 paragraph 6 Directive 95/46 / EC,

b) Chapter VII on cooperation and consistency.

3. For the purpose of paragraph 1, the Commission may request information from the Member States and the supervisory authorities.
4. In carrying out the evaluations and revisions as referred to in paragraphs 1 and 2, The committee

consider the position and the conclusions of the European Parliament and of the Council, and other competent bodies or sources.

5. The Commission shall, if necessary, appropriate proposals to amend this Regulation, especially taking into account developments in information technology and in the light of progress in the information society.

Article 98

View other EU legal instruments on data protection

The committee, if appropriate, submit legislative proposals to amend other Union legal instruments on the protection of personal data, in order to ensure uniform and consistent protection of individuals with regard to the processing. This concerns in particular the rules relating to the protection of individuals with regard to the processing by the institutions, bodies, offices and agencies of the Union and the free movement of such data.

Article 99

Entry into force and application

1. This Regulation shall enter into force on the twentieth day following its publication in the Official Journal of the European Union.

2. It shall apply from 25 May 2018.

L 119/88

Official Journal of the European Union

4.5.2016

THE

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Brussels, 27 April 2016.

For the European Parliament The President
M. SCHULZ

For the Council
The president
J.A. Hennis-Plasschaert