svby/gdpr (public archive; archived by the owner on Nov 8, 2022 and now read-only)

Abridged fully linked summary of the GDPR (Regulation (EU) 2016/679). IANAL.

General Data Protection Regulation

Source: github.com/stuhlmeier/gdpr (CC BY-SA 4.0)

Full Regulation text: eur-lex.europa.eu

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

Article 1: Subject matter and objectives

The GDPR lays down rules on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. It protects the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data; the free movement of personal data within the European Union (and, via the EEA Agreement, the European Economic Area) may be neither restricted nor prohibited for reasons connected with that protection.

Article 2: Material scope

The GDPR applies to the wholly or partly automated processing of personal data, and to the manual processing of personal data that is part of a filing system.

The GDPR does not apply to the processing of personal data:

  1. in the course of an activity which falls outside the scope of European Union law

  2. by Member States when carrying out activities within the scope of Chapter 2 of Title V of the Treaty on European Union (General provisions on the Union’s external action and specific provisions on the common foreign and security policy)

  3. by a natural person in the course of a purely personal or household activity

  4. by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, including safeguarding against threats to public security

The GDPR does not affect the application of Directive 2000/31/EC on electronic commerce, in particular the liability rules for intermediary service providers in Articles 12–15 of that Directive.

Article 3: Territorial scope

The GDPR applies to:

  1. the processing of personal data in the context of the activities of an establishment of a controller or processor in the European Union (cf. main establishment), regardless of whether the processing itself takes place in the Union

  2. the processing of personal data by a controller not established in the European Union, but in a place where Member State law applies by virtue of public international law

  3. the processing of personal data of data subjects who are in the European Union by a controller or processor not established in the Union, where the processing relates to:

    1. the offering of goods or services to such data subjects in the European Union, whether or not payment is required

    2. the monitoring of their behavior, as far as that behavior takes place within the European Union

Article 4: Definitions

personal data

any information relating to an identified or identifiable natural person (the data subject)

identifiable natural person

a natural person who can be directly or indirectly identified, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person (see also: genetic data, biometric data).

processing

any operation performed on personal data, regardless of whether it is automated; this includes collection, recording, structuring, storage, alteration, retrieval, and dissemination of personal data.

restriction of processing

the marking of stored personal data so as to limit its future processing

profiling

automated processing of personal data to evaluate personal aspects of the data subject; this includes the analysis or prediction of the subject’s performance, economic situation, health, interests, location, etc.

pseudonymization

the processing of personal data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information; said additional information must be kept separately and be subject to technical and organizational measures ensuring that the data is not attributed to an identified or identifiable natural person

filing system

a structured, accessible and identifiable set of personal data

controller

an entity which, alone or jointly with others, determines the purposes and means of the processing of personal data

processor

an entity which processes personal data on behalf of a controller

recipient

an entity to which personal data is provided; public authorities which receive personal data as part of an inquiry are not considered recipients but must comply with applicable data protection rules

third party

an entity other than the data subject, the controller, the processor, and the persons who are authorized to process personal data under the direct authority of the controller or processor

consent

any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of their personal data (Article 4(11))

Caution
Consent must be unambiguous; silence, pre-ticked boxes or inactivity therefore do not constitute consent (see Recital 32).
personal data breach

a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed

genetic data

personal data relating to unique inherited or acquired genetic characteristics of a natural person, particularly that which results from an analysis of a biological sample

biometric data

personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allows or confirms the unique identification of that person; this includes facial images or dactyloscopic (fingerprint) data

main establishment (controllers)

the establishment of the controller in the European Union where the decisions on the purposes and means of processing are made; by default, this is the place of central administration within the European Union

main establishment (processors)

the place of the processor’s central administration within the European Union; if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities take place

representative

a natural or legal person established in the European Union who represents (see Article 27) a controller or processor

enterprise

a natural or legal person engaged in an economic activity; this includes partnerships or associations

group of undertakings

a controlling undertaking and its controlled undertakings [1]

binding corporate rules

data protection policies which are followed by a controller or processor established in a Member State for transfers of personal data to a controller or processor in a third country within a group of undertakings (see also Article 47).

supervisory authority

see Article 51

supervisory authority concerned

a supervisory authority concerned by the processing of personal data because:

  1. the controller or processor is established on the territory of the supervisory authority’s Member State

  2. data subjects in said Member State are (likely to be) substantially affected by said processing

  3. a complaint has been filed with the supervisory authority

cross-border processing

personal data processing that involves data subjects or controllers/processors in multiple Member States

relevant and reasoned objection

an objection to a draft decision (see Article 60) as to whether the GDPR has been infringed, or whether the envisaged action in relation to the controller or processor complies with the GDPR, which clearly demonstrates the significance of the risks posed by the draft decision for the rights and freedoms of data subjects and, where applicable, for the free flow of personal data within the Union

information society service

any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services (see Article 1(1)(b) of Directive (EU) 2015/1535)

international organization

an organization and its subordinate bodies governed by public international law, or any other body set up by, or on the basis of, an agreement between two or more countries

Article 5: Principles relating to processing of personal data

The controller is responsible ("accountability") for ensuring that personal data is:

  1. lawfully, fairly and transparently processed ("lawfulness, fairness and transparency")

  2. collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes ("purpose limitation")

  3. adequate, relevant and limited to what is necessary for the specified purposes ("data minimization")

  4. accurate and, where necessary, kept up to date; inaccurate personal data must be erased or rectified without delay ("accuracy")

  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of the processing ("storage limitation")

    1. Personal data may be archived for longer periods in the public interest or for research purposes (see Article 89) with the appropriate privacy safeguards

  6. appropriately secured; this includes protection against unauthorized access and data loss, destruction or other damage ("integrity and confidentiality")

Article 6: Lawfulness of processing

Data processing is lawful if at least one of the following applies:

  1. the data subject has given consent to the processing of their personal data for a specific purpose

  2. processing is necessary to fulfill a contract with the data subject

  3. processing is requested by the data subject prior to entering into a contract

  4. processing is necessary to comply with the controller’s legal obligations [2]

  5. processing is necessary to protect the vital interests of the data subject

  6. processing is necessary for the performance of a task carried out in the public interest [2]

  7. processing is necessary for the exercise of official authority vested in the controller [2]

  8. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, in particular where the data subject is a child ("legitimate interests")

    1. This does not apply to processing carried out by public authorities in the performance of their tasks.

If data processing occurs for purposes other than that for which the personal data was initially collected, and is not based on consent of the data subject or on European Union or Member State law, the controller must take into account (among other things) the following, in order to determine whether the processing is compatible:

  1. any link between the initial purpose and the intended further processing

  2. the context of the data collection

  3. whether special categories of personal data (see Article 9) are processed

  4. whether personal data related to criminal convictions or offenses (see Article 10) is processed

  5. any possible consequences of the intended further processing

  6. any appropriate safeguards; this includes encryption or pseudonymization

Article 7: Conditions for consent

If the lawfulness of data processing is based on consent, the controller must be able to clearly demonstrate that the data subject has freely consented to the processing of their personal data. Data subjects must be clearly informed when consent is required, and must be allowed to withdraw their consent at any time; withdrawal must not be made any more difficult than the initial request for consent.

Consent should not be "bundled up as a condition of service", unless it is absolutely necessary [3]; if consent is required as part of the conditions for a contract, but is not absolutely necessary for its fulfillment, it is not considered freely given.

Article 8: Conditions applicable to child’s consent in relation to information society services

If the processing is based on consent (see Article 6) and concerns information society services offered directly to a child, the processing is lawful only if:

  1. the child is at least 16 years old; Member States may provide for a lower age, provided that it is not below 13 years.

  2. for a child below that age, consent has been given or authorized by the holder of parental responsibility over the child

    1. The controller must make reasonable efforts, taking available technology into account, to verify that consent has been given or authorized by the holder of parental responsibility.

Article 9: Processing of special categories of personal data

Processing of personal data concerning:

  1. racial or ethnic origin

  2. political opinions

  3. religious or philosophical beliefs

  4. trade union membership

  5. genetic data, biometric data processed for the purpose of uniquely identifying a natural person, and data concerning health

  6. a natural person’s sex life or sexual orientation

is prohibited, unless at least one of the following applies:

  1. the data subject has explicitly given consent, unless European Union or Member State law otherwise dictate that the prohibition may not be lifted

  2. processing is necessary to carry out the obligations or execute specific rights of the controller or data subject related to employment or social security and social protection law, provided that it is authorized by European Union or Member State law, or by a collective agreement in accordance with Member State law

  3. processing is necessary to protect the vital interests of the data subject

  4. processing is carried out, with the appropriate safeguards, as part of a non-profit organization’s legitimate activities, provided that the processing relates only to the current or former members of the organization, or to members that have regular contact with it; personal data must not be disclosed outside the scope of said organization without the consent of the data subject

  5. processing relates to personal data that is in the public domain (has been manifestly made public by the data subject)

  6. processing is necessary for the establishment, exercise or defense of legal claims, or whenever courts are acting in their judicial capacity

  7. processing is necessary for reasons of substantial public interest, with the appropriate safeguards, on the basis of European Union or Member State law

  8. processing is necessary for the purposes of preventive or occupational medicine, the assessment of the working capacity of an employee, medical diagnosis, or the provision of health or social care or treatment, provided that the data is processed by or under the responsibility of a professional subject to an obligation of professional secrecy under European Union or Member State law, or under rules established by national competent bodies

  9. processing is necessary for archiving or for research purposes, with the appropriate safeguards

Member States may introduce more specific restrictions regarding the processing of genetic, biometric and health data.

Article 10: Processing of personal data relating to criminal convictions and offenses

Processing of personal data relating to criminal convictions and offenses may only be carried out with the appropriate safeguards, and must occur under the control of an official authority, or when it is otherwise authorized by European Union or Member State law.

Article 11: Processing which does not require identification

If a controller does not require the identification of a data subject, they are not required to maintain or process additional information in order to identify the data subject to comply with the GDPR.

If a controller can demonstrate that it is not in a position to identify the data subject, it must inform the data subject accordingly, if possible; in that case Articles 15–20 do not apply, unless the data subject provides additional information enabling their identification in order to exercise their rights under those articles.

Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject

Any information referred to in Articles 13 and 14 and any communication under Articles 15–22 and 34 must be provided to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed to a child; it may be provided in writing (including electronically) or, if the data subject requests it, orally, provided that their identity is proven. Controllers must facilitate the exercise of data subjects' rights under Articles 15–22 and may refuse to act on a request only if they demonstrate that they are not in a position to identify the data subject (see Article 11).

A standardized set of icons may be used to present the required information in an easily visible, intelligible and clearly legible manner; the European Commission may adopt delegated acts (see Article 92) to determine the information to be presented by the icons and the procedures for providing them.

Controllers must inform the data subject of the action taken on a request made under Articles 15–22 without undue delay, and in any event within one month of receipt of the request; this period may be extended by two further months where necessary, taking into account the complexity and number of requests, provided that the data subject is informed of the extension and its reasons within the first month. If the controller does not take action, it must likewise inform the data subject within one month of receipt of the request of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Information provided and actions taken under the aforementioned articles must be free of charge. Only if requests are manifestly unfounded or excessive (in particular because they are repetitive) may the controller charge a reasonable fee based on administrative costs, or refuse to act on the request; the burden of demonstrating this lies with the controller. If the controller has reasonable doubts about the identity of the requester, it may request additional information necessary to confirm that identity.

Article 13: Information to be provided where personal data are collected from the data subject

When personal data is obtained from the data subject, the controller must, at the time the data is obtained, provide the following information, unless the data subject already has it:

  1. the identity and contact details of the controller, and, if applicable, of its representative

  2. the contact details of the data protection officer, if applicable

  3. the purposes and legal basis of the processing

  4. the legitimate interests pursued by the controller or by a third party, if the processing is based on Article 6(1)(f)

  5. the recipients or categories of recipients of the personal data, if applicable

  6. where applicable, any intention by the controller to transfer personal data to a third country or international organization, the existence or absence of an adequacy decision, or, in the case of transfers to which Articles 46, 47 or 49 apply, a reference to the appropriate safeguards and how to obtain a copy of them

  7. how long the personal data will be stored, or, if that is not possible, the criteria used to determine that period

  8. the rights of the data subject to request access to, rectification or erasure of their personal data, to restriction of processing and data portability,[4] and to object to processing; where processing is based on consent, the right to withdraw consent at any time, without affecting the lawfulness of processing carried out before the withdrawal

  9. the right to lodge a complaint with a supervisory authority (see Article 77)

  10. whether the provision of personal data is a statutory or contractual requirement, or necessary to enter into a contract, whether the data subject is obliged to provide it, and the possible consequences of not providing it

  11. whether automated decision-making, including profiling, is involved (see Article 22), and, if so, meaningful information about the logic involved and the significance and envisaged consequences of such processing for the data subject

If the controller intends to further process the personal data for a purpose other than that for which it was collected, it must inform the data subject of that other purpose, and provide any relevant further information, prior to that further processing.

Article 14: Information to be provided where personal data have not been obtained from the data subject

When personal data has been obtained from a source other than the data subject, if they have not already done so, the controller must provide the following information:

  1. the identity and contact details of the controller, and, if applicable, of its representative

  2. the contact details of the data protection officer, if applicable

  3. the purposes and legal basis of the processing

  4. the categories of the personal data

  5. the recipients of the personal data, if applicable

  6. where applicable, any intention by the controller to transfer personal data to a third country or international organization, the existence or absence of an adequacy decision, or, in the case of transfers to which Articles 46, 47 or 49 apply, a reference to the appropriate safeguards and how to obtain a copy of them

  7. how long the personal data will be stored

  8. the legitimate interests of the controller or of a third party

  9. the rights of the data subject to request access to, rectification or erasure of their personal data, to restriction of processing and data portability,[4] and to object to processing; where processing is based on consent, the right to withdraw consent at any time

  10. the right to file a complaint with a supervisory authority (see Article 77)

  11. the source of the personal data, and whether it came from publicly accessible sources

  12. whether profiling, automated processing or decision-making is involved (see Article 22), and, if applicable, information about its operation and possible consequences

  13. whether the controller intends to further process the personal data for another purpose

Controllers must provide data subjects with this information within a reasonable period after obtaining the personal data, and at the latest within one month; if the data is to be used for communication with the data subject, at the latest at the time of the first communication; and if disclosure to another recipient is envisaged, at the latest when the data is first disclosed. This obligation does not apply where:

  1. the data subject already has the information

  2. informing the data subject would be impossible, or involve a disproportionate effort, especially for archival or research purposes (see Article 89); in these cases, the controller must take appropriate measures to protect the data subjects' rights, freedoms and legitimate interests, including making the information publicly available

  3. obtaining or disclosing the data is expressly laid down by European Union or Member State law which provides appropriate measures to protect the data subject’s legitimate interests

  4. the personal data must remain confidential subject to an obligation of professional secrecy regulated by European Union or Member State law

Article 15: Right of access by the data subject

If requested, the controller must inform the data subject whether any personal data has been processed, and, if applicable, provide access to said data and the following additional information:

  1. the purpose of the processing

  2. the categories of the personal data

  3. the recipients of the personal data, if applicable, especially those which are international organizations or are located in third countries

  4. how long the personal data will be stored

  5. the rights of the data subject to submit a rectification or erasure request and to restriction of processing

  6. the right to file a complaint with a supervisory authority (see Article 77)

  7. the source of the personal data, and whether it came from publicly accessible sources, if the data was not collected from the data subject

  8. whether profiling, automated processing or decision-making is involved (see Article 22), and, if applicable, information about its operation and possible consequences

  9. the appropriate safeguards (see Article 46) in place, if the personal data has been transferred to a third country or to an international organization

The controller must also provide a copy of the personal data undergoing processing, free of charge; for any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. If the request is made electronically, the information must be provided in a commonly used electronic form unless the data subject requests otherwise. The right to obtain a copy must not adversely affect the rights and freedoms of others.

Article 16: Right to rectification

The data subject has the right to request rectification of personal data and to have incomplete personal data completed, from the controller, without undue delay.

Article 17: Right to erasure ("right to be forgotten")

The data subject has the right to obtain the erasure of their personal data from the controller without undue delay, and the controller must erase the data without undue delay, when one of the following applies:

  1. the personal data is no longer necessary for the purposes for which it was collected or otherwise processed

  2. the data subject withdraws the consent on which the processing is based (see Articles 6(1)(a) and 9(2)(a)) and there is no other legal ground for the processing

  3. the data subject objects to the processing under Article 21(1) and there are no overriding legitimate grounds for the processing, or objects under Article 21(2) (direct marketing)

  4. the personal data has been unlawfully processed

  5. the personal data must be erased to comply with a legal obligation under European Union or Member State law to which the controller is subject

  6. the personal data was collected in relation to the offer of information society services to a child (see Article 8)

If the controller has made the personal data public and is obliged under the aforementioned conditions to erase it, the controller must take reasonable steps, including technical measures and taking into account available technology and the cost of implementation, to inform other controllers which are processing said data that the data subject has requested erasure of any links to, or copies or replications of, that data.

These conditions do not apply if:

  1. processing is necessary to exercise the right to freedom of expression and information

  2. processing is necessary to comply with a legal obligation under European Union or Member State law, to perform a task carried out in the public interest or in the exercise of official authority vested in the controller, or for reasons of public interest in the area of public health (see Article 9(2)(h) and (i) and 9(3))

  3. processing is necessary for archiving purposes in the public interest, or for scientific, historical research or statistical purposes (see Article 89), in so far as erasure is likely to render impossible or seriously impair the objectives of that processing

  4. processing is necessary for the establishment, exercise or defense of legal claims

Article 18: Restriction of processing

Restriction of processing is an alternative to erasure; the data subject has the right to obtain restriction of processing from the controller when one of the following applies:

  1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify its accuracy

  2. the processing is unlawful, but the data subject opposes erasure and requests restriction of processing instead

  3. the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defense of legal claims

  4. the data subject has objected to processing under Article 21(1), pending verification of whether the controller’s legitimate grounds override those of the data subject

If processing of personal data has been restricted, said data may, with the exception of storage, only be processed with the consent of the data subject, for the establishment, exercise or defense of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest of the European Union or a Member State.

The data subject must be informed by the controller before the restriction of processing is lifted.

Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing

The controller must communicate any rectification or erasure of personal data, or restriction of processing, to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort. If the data subject requests it, the controller must also inform them about those recipients.

Article 20: Right to data portability

The data subject has the right to receive the personal data they have provided to a controller in a structured, commonly used and machine-readable format, and to transmit it to another controller without hindrance, provided that:

  1. the processing is based on consent or on a contract to which the data subject is a party

  2. the processing is carried out by automated means

Where technically feasible, the data subject may have the personal data transmitted directly from one controller to another. This right does not apply to processing necessary for a task carried out in the public interest or in the exercise of official authority, and must not adversely affect the rights and freedoms of others.

Article 21: Right to object

The data subject has the right to object, on grounds relating to their particular situation, to processing (including profiling) which is based on a task carried out in the public interest or the exercise of official authority, or on the legitimate interests of the controller (see Article 6(1)(e) and (f)); the controller must then cease processing the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing is necessary for the establishment, exercise or defense of legal claims.

If personal data is processed for direct marketing, the data subject may object at any time to processing of their personal data for such marketing, including profiling to the extent that it is related to direct marketing; the controller must then stop all processing of said personal data for direct marketing purposes.

If personal data is processed for scientific or historical research or statistical purposes (see Article 89), the data subject may object on grounds relating to their particular situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

The right to object must be explicitly brought to the attention of the data subject at the latest at the time of the first communication with them, and must be presented clearly and separately from any other information.

Data subjects may exercise their right to object by automated means (see information society services).

Article 22: Automated individual decision-making, including profiling

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, unless:

  1. the decision is necessary for entering into, or the performance of, a contract between the data subject and the controller

  2. the decision is authorized by European Union or Member State law which lays down suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests

  3. the decision is based on the data subject’s explicit consent

In cases 1 and 3 the controller must implement suitable safeguards, at least the right of the data subject to obtain human intervention, to express their point of view and to contest the decision. Such decisions must not be based on special categories of personal data (see Article 9) unless Article 9(2)(a) or (g) applies and suitable safeguards are in place.

Article 23: Restrictions

European Union or Member State law may restrict the scope of any obligations and rights provided by Articles 5, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22 and 34 when such a restriction is necessary to safeguard:

  1. national and public security

  2. defense

  3. the prevention, investigation, detection and prosecution of criminal offenses and the execution of criminal penalties, including safeguarding against threats to public security, and of breaches of ethics for regulated professions

  4. important objectives of general public interest to the European Union or a Member State; this includes, among others, economic or financial interests, public health and social security

  5. the protection of judicial independence and legal proceedings

  6. a regulatory function connected to an official authority

  7. the protection of the data subject, or of the rights and freedoms of others

  8. the enforcement of civil law claims

All such legislation must include:

  1. the purpose of the processing

  2. the categories of the personal data

  3. the scope of the introduced restrictions

  4. any safeguards in place to prevent unlawful access to the personal data

  5. the specification of the controller(s)

  6. how long the personal data will be stored

  7. any risks to the rights of data subjects

  8. the right of data subjects to be informed about said restriction, unless this would be detrimental to the effectiveness of the restriction

Article 24: Responsibilities of the controller

The controller is responsible for taking steps to appropriately ensure that all processing is performed in accordance with the GDPR; this includes the application of appropriate data protection policies.

Adherence to approved codes of conduct or approved certification mechanisms may be used to demonstrate Regulation compliance.

Article 25: Data protection by design and by default

Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks …​ for rights and freedoms of natural persons posed by the processing, the controller shall …​ implement appropriate …​ measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner …​ in order to meet the requirements of this Regulation and protect the rights of data subjects.

The controller shall implement appropriate …​ measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.

— Article 25

Approved certification mechanisms may be used to demonstrate Regulation compliance.
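Article 4 defines pseudonymization as processing that prevents attribution to a data subject without separately held additional information, and Article 25 names it as the kind of measure that implements data minimization by design and by default. The following Python block is an added example; it is not code from this summary, from the svby/gdpr repository or from the Regulation, and its records, field names, purpose and attacker candidate list are constructed for illustration. It splits each record into a purpose-limited row keyed by an HMAC pseudonym and a separately held lookup table, shows why an unkeyed hash of an email address is not a safe pseudonym (a dictionary attack recovers the identities), and shows that dropping the lookup entry severs the link when a subject asks for erasure (Article 17).

```python
import hashlib
import hmac
import secrets

# Constructed sample records: fictitious people, not drawn from any real dataset.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "zip": "1010", "purchase": 42.0},
    {"name": "Bob Example", "email": "Bob@example.org", "zip": "1020", "purchase": 13.5},
    {"name": "Alice Example", "email": "ALICE@example.org", "zip": "1010", "purchase": 7.25},
]

# Hypothetical purpose: purchase analytics per postcode. Only these fields are needed
# for it (Article 5 data minimization, Article 25 "by default"); direct identifiers are not.
PURPOSE_FIELDS = ("zip", "purchase")
DIRECT_IDENTIFIERS = ("name", "email")


def new_pseudonymisation_key() -> bytes:
    """256-bit secret. Keep it outside the analytics system (KMS, HSM or a separate
    store with its own access control); together with the lookup table it is the
    'additional information' that Article 4 says must be kept separately."""
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256, truncated). The same subject always
    maps to the same token, so records stay linkable within the analytics store, but
    nobody without `key` can compute the token for a guessed identifier."""
    normalised = identifier.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed hash: what NOT to do. The input space (email addresses) is small enough
    that anyone holding the tokens can rebuild them from a candidate list."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()[:32]


def pseudonymise(records, key):
    """Split each record into (a) a purpose-limited row carrying only a pseudonym and
    (b) a lookup entry pseudonym -> direct identifiers. Returns (dataset, lookup);
    the lookup must be stored separately from the dataset."""
    dataset, lookup = [], {}
    for r in records:
        token = pseudonym(r["email"], key)
        lookup.setdefault(token, {k: r[k] for k in DIRECT_IDENTIFIERS})
        dataset.append({"subject": token, **{k: r[k] for k in PURPOSE_FIELDS}})
    return dataset, lookup


def reidentify(row, lookup):
    """Re-identification is only possible with access to the separate lookup store."""
    return lookup.get(row["subject"])


def erase_subject(email, key, lookup):
    """Handle an erasure request (Article 17) without touching the analytics rows:
    removing the lookup entry severs the only link from token back to a person.
    Returns True if an entry was removed."""
    return lookup.pop(pseudonym(email, key), None) is not None


def dictionary_attack(tokens, candidate_emails, token_fn):
    """Attacker model: holds the analytics dataset (the tokens) and a list of plausible
    email addresses, but not the key. Returns the identities recovered."""
    rainbow = {token_fn(c): c for c in candidate_emails}
    return {t: rainbow[t] for t in tokens if t in rainbow}


def demo():
    key = new_pseudonymisation_key()
    dataset, lookup = pseudonymise(RECORDS, key)
    tokens = [row["subject"] for row in dataset]
    # Constructed "leaked" candidate list an attacker might hold.
    candidates = ["alice@example.org", "bob@example.org", "carol@example.org"]
    weak = dictionary_attack([naive_pseudonym(r["email"]) for r in RECORDS], candidates, naive_pseudonym)
    strong = dictionary_attack(tokens, candidates, naive_pseudonym)
    return {
        "rows": len(dataset),
        "distinct_subjects": len(set(tokens)),
        "weak_recovered": len(weak),      # unkeyed hash: identities recovered
        "strong_recovered": len(strong),  # keyed pseudonym: none recovered
        "reidentified": reidentify(dataset[0], lookup)["email"],
    }


if __name__ == "__main__":
    print(demo())
```

Keep the key and the lookup store outside the system that holds the analytics rows (a KMS or a separate database with its own access control). Inside the analytics store the rows are pseudonymous, not anonymous: they remain personal data in the sense of Article 4, so the GDPR continues to apply to them, and only deleting the key and the lookup would take them out of scope.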

Article 26: Joint controllers

Multiple controllers that jointly determine the purposes and means of processing are considered joint controllers. They must determine their respective responsibilities for compliance with the GDPR, especially regarding the rights of the data subject under Articles 13 and 14.

Data subjects may exercise their rights in respect of and against each joint controller individually.

Article 27: Representatives of controllers or processors not established in the Union

Controllers and processors not established in the European Union to which Article 3(2) applies must designate in writing a representative within the European Union, unless the processing is occasional, does not include large-scale processing of special categories of data or of data relating to criminal convictions and offenses, and is unlikely to result in a risk to the rights and freedoms of natural persons (all three conditions must hold), or the controller or processor is a public authority or body. The representative must be established in one of the Member States where the data subjects whose data is processed are located, and must be mandated by the controller or processor to be addressed, in addition to or instead of the controller or processor, by supervisory authorities and data subjects on all issues related to the processing. Designating a representative does not affect legal actions against the controller or processor itself.

Article 28: Processor

See also processor (Article 4).

Controllers must only make use of processors that provide sufficient guarantees that processing will meet the requirements of the GDPR and protect the rights of the data subject.

Processors may not engage another processor without the prior specific or general written authorization of the controller; under a general authorization, the processor must inform the controller of any intended addition or replacement of sub-processors, giving the controller the opportunity to object. The same data protection obligations must be imposed on the sub-processor by contract, and the initial processor remains fully liable to the controller for the sub-processor’s performance.

Processing of personal data by a processor is governed by a binding, written (including electronic) contract or other legal act between the controller and processor, or between a processor and a sub-processor, that sets out the subject-matter and duration of the processing, its nature and purpose, the type of personal data and categories of data subjects, and the obligations and rights of the controller; such a contract must stipulate that the processor shall:

  1. process personal data only on documented instructions from the controller (including with regard to transfers to a third country or international organization), unless required to do so by European Union or Member State law, in which case it must inform the controller of that legal requirement before processing unless the law prohibits this

  2. ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality

  3. take all security measures required by Article 32

  4. respect the conditions for engaging sub-processors described above

  5. appropriately assist the controller, taking into account the nature of the processing, with responding to requests for exercising the data subject’s rights (see Articles 15, 16, 17, 18, 19, 20, 21 and 22) and with compliance with Articles 32, 33, 34, 35 and 36

  6. delete or return all personal data to the controller, at the controller’s choice, after the end of the provision of services, and delete any existing copies unless European Union or Member State law requires said copies to be retained

  7. make all information necessary to demonstrate compliance with Article 28 available to the controller

  8. allow for and contribute to audits, including inspections, conducted by the controller or by an auditor mandated by the controller

  9. immediately inform the controller if, in its opinion, an instruction infringes the GDPR or other European Union or Member State data protection law

Adherence to approved codes of conduct or approved certification mechanisms may be used to demonstrate Regulation compliance.

The European Commission or a supervisory authority may offer or adopt standard contractual clauses [5] that can be used as a basis for a contract between the controller and processor.

If a processor violates the GDPR by determining the purposes and/or means of processing, it is considered a controller for the purposes of that processing.

Article 29: Processing under the authority of the controller or processor

The processor, and any person acting under the authority of the controller or processor who has access to personal data, may not process it except on instructions from the controller, unless required to do so by European Union or Member State law.

Article 30: Records of processing activities

Caution
The following obligations apply only to organizations employing at least 250 persons, unless processing occurs regularly, involves special categories of data or data relating to criminal convictions and offenses, or is likely to be a risk to the rights of data subjects.

Controllers and their respective representatives must maintain written electronic records of processing activities carried out as part of their operations, which must contain:

  1. the identity and contact details of the controller, and, if applicable, of its representative or joint controller

  2. the contact details of the data protection officer, if applicable

  3. the purposes of the processing

  4. the categories of the personal data

  5. any transfers of personal data to a third country or international organization and any suitable safeguards

  6. any time limits for erasure of the stored data

  7. a description of technical and organizational security measures (see Article 32)

Processors and their respective representatives must maintain written electronic records of processing activities carried out on behalf of a controller, which must contain:

  1. the identity and contact details of the processor and controller(s), and, if applicable, of the controller’s and/or processor’s representative

  2. the contact details of the data protection officer, if applicable

  3. the categories of processing carried out on behalf of each controller

  4. any transfers of personal data to a third country or international organization and any suitable safeguards

  5. a description of technical and organizational security measures (see Article 32)

These records must be made available to the supervisory authority upon request.

Article 31: Cooperation with the supervisory authority

The controller, processor, and their respective representatives must cooperate with the supervisory authority.

Article 32: Security of processing

See also Articles 6, 28 and 25.

Controllers and processors must implement appropriate technical and organizational security measures to ensure an appropriate level of security, including but not limited to:

  1. the pseudonymization and encryption of personal data

  2. ensuring the confidentiality, integrity, availability and resilience of processing systems

  3. restoration of availability and access to personal data in the event of a technical incident

  4. regularly testing and evaluating the effectiveness of security measures

The risks presented by data processing should be taken into account when determining an appropriate level of security; these include accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data (cf. personal data breach).

Adherence to approved codes of conduct or approved certification mechanisms may be used to demonstrate Regulation compliance.

Article 33: Notification of a personal data breach to the supervisory authority

In the event of a personal data breach, the controller must notify the supervisory authority, without undue delay (within 72 hours after discovery) in accordance with Article 55, of the following, unless the data breach is unlikely to result in a risk to the rights of affected data subjects:

  1. the nature of the personal data breach, including the categories and number of data subjects affected and the categories and number of personal data records concerned

  2. the contact details of the data protection officer, or other contact information where more information is available

  3. any likely consequences of the data breach

  4. any measures taken or to be taken by the controller to address the data breach

This information must be documented to verify Regulation compliance.

If it is not possible to provide all information at once, it may be provided in phases without undue further delay.

Processors must notify their respective controller without undue delay after discovering a data breach.

Article 34: Communication of a personal data breach to the data subject

If a personal data breach is likely to result in a high risk to the rights of affected data subjects, the controller must inform affected data subjects without undue delay, using clear and plain language, containing all information as specified in Article 33, excepting the nature of the data breach itself.

The data subject is not required to be informed of a data breach if at least one of the following applies:

  1. the controller has employed appropriate techniques to ensure that unauthorized reading of the affected data is impossible (e.g. encryption)

  2. the controller has ensured that the aforementioned "high risk" is no longer present

  3. informing the data subject would involve a disproportionate effort; in this case, a more effective mode of communication may be used

Article 35: Data protection impact assessment

If new technologies are used in processing, an assessment must be carried out of the extent to which personal data is protected. Assessments should be carried out with the help of the data protection officer, where one is designated.

This is particularly needed in cases of:

  1. evaluations of personal aspects of a natural person, used for processing and profiling, which significantly affect the person.

  2. large-scale processing of special categories of personal data or data relating to criminal convictions and offenses

  3. large-scale systematic monitoring of a public area

The assessment must contain at least:

  1. the description and purposes of the processing, including the interest of the controller

  2. an assessment of:

    1. the necessity and proportionality of the processing in relation to the purposes

    2. the risks to the rights and freedoms of data subjects

Caution
If an impact assessment has already been carried out by the European Union or a Member State as part of legislation regulating the processing, the above does not apply.

Compliance with the approved codes of conduct (see Article 40) shall be taken into account by both the controllers and processors.

Where appropriate, the controller shall seek the opinion of the data subjects, without prejudice to the protection of the controller's own interests or the security of processing operations.

The supervisory authority must release and communicate to the Board a list of:

  1. the kinds of processing operations which require such an impact assessment

  2. optionally, a list of operations where no impact assessment is required.

Where goods or services are offered, data subjects' behaviour is monitored, or the free movement of personal data is affected, the competent supervisory authority must apply the consistency mechanism referred to in Article 63.

Article 36: Prior consultation

If a data protection impact assessment determines that the processing would result in a high risk if no mitigating measures are taken, the controller must consult the supervisory authority before processing.

If the supervisory authority decides that the processing infringes the GDPR, especially when the risk has not been sufficiently evaluated, the supervisory authority has 8 weeks [6] to provide written advice to the controller and/or processor and may use any of its powers.

The controller must provide the supervisory authority with:

  1. the responsibilities of any controllers, joint controllers, and processors involved in processing, especially within a group of undertakings

  2. the purposes and means of the intended processing

  3. any applicable measures and safeguards for data protection

  4. the contact details of the data protection officer, if applicable

  5. the data protection impact assessment

  6. any other requested information

In the case of data processing regarding social protection and public health, controllers may be required to consult the supervisory authority.

Article 37: Designation of the data protection officer

The controller and processor must designate a data protection officer whenever:

  1. processing is carried out by a public authority, excepting courts acting in their judicial capacity

  2. the core activities of the controller or processor consist of large-scale processing operations which require regular and systematic monitoring, or of processing of special categories of personal data or data relating to criminal convictions and offenses.

A group of undertakings may appoint a single data protection officer, provided that they are easily accessible from each establishment; in the case of a public authority, a single data protection officer may likewise be designated for several such authorities.

Controllers, processors, and their respective representatives may designate data protection officers even if not otherwise required.

The data protection officer is designated on the basis of professional qualities and expert knowledge of data protection law and practices and the ability to perform the tasks specified by Article 39. They may be a staff member of the controller or processor, or of an external entity bound by a service contract. The identity of the data protection officer must be published and provided to the supervisory authority.

Article 38: Position of the data protection officer

The data protection officer is to be properly involved in all issues related to the protection of personal data; the controller and processor are to support them in performing their tasks and maintaining their expert knowledge by providing the necessary resources, and must ensure that any other tasks or duties assigned to the data protection officer do not result in a conflict of interest.

Data protection officers report directly to the highest level of management of the controller or processor. They may not receive instructions regarding the performance of their tasks, may not be dismissed or penalized for performing them, and are bound by confidentiality in accordance with European Union or Member State law.

Data subjects may contact the data protection officer directly regarding all issues related to the processing of their personal data and their rights under the GDPR.

Article 39: Tasks of the data protection officer

Data protection officers must have at least the following tasks:

  1. advising the controller and/or processor and any relevant employees of said entities of their data protection obligations

  2. advising the controller and/or processor regarding the data protection impact assessment in accordance with Article 35

  3. monitoring compliance with the GDPR, with other European Union or Member State data protection laws, and with the policies of the controller and/or processor

  4. cooperating with and acting as the contact point for the supervisory authority on issues related to processing (see Article 36) or regarding any other appropriate matter

Data protection officers should take into account any possible risk associated with data processing while fulfilling their obligations.

Article 40: Codes of conduct

Member States, their supervisory authorities, the Board and the European Commission shall encourage the creation of proper codes of conduct, taking into account the size of the enterprise.

Controllers and processors, or their respective representatives, may prepare, amend or extend codes of conduct; these should include:

  1. fair and transparent processing

  2. the legitimate interests pursued by controllers in specific contexts

  3. the collection and pseudonymization of personal data

  4. the information provided to the public and to the data subjects

  5. the exercise of the rights of data subjects

  6. the protection of children and the information provided to them

  7. the measures and procedures referred to in Articles 24 and 25 and the measures to ensure security of processing referred to in Article 32

  8. the notification of data breaches to supervisory authorities and data subjects

  9. the transfer of personal data to third countries or international organizations (see Article 44)

  10. dispute resolution procedures between controllers and data subjects with regard to processing; see also Article 65

In addition to adherence by controllers or processors subject to this Regulation, controllers and processors which are not subject to the GDPR under Article 3 may nonetheless adhere to approved codes of conduct in order to provide appropriate safeguards for data transfers to third countries or international organizations in accordance with Article 46.

A code of conduct must include mechanisms which enable the monitoring body (see Article 41) to carry out mandatory monitoring of compliance by the controllers or processors, without prejudice to the tasks and powers of supervisory authorities (see Articles 55 and 56).

Associations and other bodies which intend to prepare, amend or extend a code of conduct must submit the draft to the competent supervisory authority for approval.

Where the code of conduct does not relate to processing in several Member States, the supervisory authority shall register and publish the code.

If the processing extends into several Member States, the supervisory authority must send the code of conduct to the Board (see Article 63) for an opinion on whether the code provides appropriate safeguards; the Board must submit its opinion to the European Commission, which may decide to register and publish the code if it is valid, in accordance with the examination procedure specified by Article 93.

The Board must collect all approved codes in a publicly available register.

Article 41: Monitoring of approved codes of conduct

See also Article 40.

Caution
This Article does not apply to processing carried out by public authorities and bodies.

Monitoring of codes of conduct laid out in Article 40 should be carried out by a body with an appropriate level of expertise. This should be done without prejudice to the tasks and powers of the supervisory authority (see Articles 57 and 58).

Such a body may be accredited to monitor compliance only if it has:

  1. demonstrated its independence and expertise regarding the subject-matter of the code

  2. established procedures which allow it to assess the eligibility of the controllers and processors concerned and to monitor their compliance with the code

  3. established procedures for handling complaints, and has made those procedures transparent to the public

  4. demonstrated that its tasks and duties do not result in a conflict of interests

The competent supervisory authority must submit the draft criteria for accreditation of a body to the Board, taking the consistency mechanism into consideration.

If this body finds infringements of the code of conduct, it must inform the competent supervisory authority of the action it has taken and the reasons for it.

If the body is not operating according to the GDPR, the accreditation can be revoked by a supervisory authority.

Article 42: Certification

  1. The Member States, supervisory authorities, the Board and the European Commission shall encourage certifications for excelling in data protection. The needs of small and medium-sized enterprises should be taken into account.

  2. These certifications are not limited to entities within the Union; they may also be issued to controllers and processors not subject to the GDPR under Article 3, to demonstrate appropriate safeguards for transfers (see Article 46).

  3. The certifications should be voluntary and transparent.

  4. Certification does not reduce the responsibility of the controller or processor for GDPR compliance, and is without prejudice to the competence of the supervisory authorities (Articles 55 and 56).

  5. The certification should be issued by a body as specified by Article 43 or by a competent supervisory authority based on criteria specified by Article 58 and by the Board in accordance with Article 63. Approval by the Board may result in a common certification, the European Data Protection Seal.

  6. The controller or processor must provide the certification body or supervisory authority with access to all information which is needed to conduct a certification.

  7. Certifications are issued for 3 years and may be renewed, provided that the conditions for certification are still met.

  8. All certification mechanisms and data protection seals/marks are to be made public by the Board.

Article 43: Certification bodies

See also Article 42.

  1. Certification bodies with an appropriate level of expertise in data protection should be able to issue and renew certifications. Member States should ensure that they are accredited by at least one of:

    1. The supervisory authority according to Article 55 or 56

    2. The national accreditation body according to the European Parliament and the Council with additional requirements from the supervisory authority according to Article 55 or 56

  2. They should only be accredited where they have:

    1. demonstrated their independence and expertise in the subject-matter of the certification to the satisfaction of the supervisory authority

    2. undertaken to respect the defined and approved criteria

    3. established procedures for:

      1. the issuing, periodic review and withdrawal of data protection certifications, seals and marks

      2. handling complaints about infringements and incorrect implementation of the certification, and for making those procedures and structures transparent to data subjects and the public

    4. demonstrated that their tasks and duties do not result in a conflict of interests

  3. The accreditation must take place on the basis of criteria approved by the competent supervisory authority (Article 55 or 56) or by the Board.

  4. The certification body is accredited to issue certificates to processors and controllers for a period of 5 years, after which its accreditation must be renewed.

  5. The certification body shall provide the supervisory authorities with the reasons for granting or withdrawing a requested certification.

  6. The supervisory authority must make the requirements referred to in paragraph 3, as well as the criteria referred to in Article 42(5), publicly available. The Board shall collect all certification mechanisms and data protection seals in a public register.

  7. If the certification body doesn’t operate according to paragraph 1 (and the entire Regulation), their accreditation shall be revoked by a supervisory authority or national accreditation body.

  8. The Commission is allowed to adopt delegated acts (see Article 92) to specify requirements for data protection certification mechanisms (Article 42(1)).

  9. The Commission may adopt technical standards for certification mechanisms, seals and marks, and mechanisms to promote and recognise them, in accordance with Article 93(2).

Article 44: General principle for transfers

Any transfer of personal data which is undergoing processing, or is intended for processing after transfer, to a third country or to an international organization may only take place if the conditions laid down in Chapter V of the GDPR (Articles 44, 45, 46, 47, 48, 49 and 50) are complied with by the controller and processor, including for onward transfers of personal data from the third country or international organization to another third country or international organization.

Article 45: Transfers on the basis of an adequacy decision

Transfers of personal data to a third country or international organization may take place if the European Commission decides that the target entity ensures an adequate level of protection; if this is the case, no specific authorization is required for the transfer.

The following aspects are taken into account by the European Commission when assessing the adequacy of the provided level of protection:

  1. the rule of law, respect for human rights and freedoms

  2. legislation concerning national and public security, defense, criminal law, and the access of public authorities to personal data, including the implementation of said legislation, data protection rules, and security measures; this includes rules for the further transfer of personal data to another third country or international organization, as well as data subject rights

  3. the existence of any independent supervisory authorities responsible for ensuring and enforcing compliance with data protection rules

  4. any international commitments the third country or international organization has entered into, particularly those which relate to the protection of personal data

After an adequacy assessment is made, the European Commission may declare that the third country or international organization ensures an adequate level of data protection by passing an implementing act;[7] this act must provide a process of periodic review of the entity’s adequacy, which must take place at least every four years; it may also identify a supervisory authority, if relevant. If it is found that the entity no longer provides an adequate level of data protection, the European Commission shall repeal or amend its decision. This does not affect the transfer of data to said entity in accordance with Articles 46, 47, 48 and 49.

The list of approved third countries and international organizations is published in the Official Journal of the European Union and on the website of the European Commission. [8][9]

Article 46: Transfers subject to appropriate safeguards

If no relevant adequacy decision has been made, a controller or processor may only transfer personal data to a third country or international organization if said controller or processor has provided appropriate safeguards, and data subjects' rights are enforceable.

The appropriate safeguards may be provided for, without any requirement for authorization from a supervisory authority, by:

  1. an enforceable, legally binding agreement between public authorities

  2. binding corporate rules (Article 47)

  3. standard data protection clauses adopted by the European Commission or by a supervisory authority

  4. an approved, binding and enforceable code of conduct (Article 40)

  5. an approved, binding and enforceable certification mechanism (Article 42)

Subject to authorization from a competent supervisory authority, appropriate safeguards may also be provided for by:

  1. contractual clauses between the controller or processor and the recipient (controller, processor or other) of the personal data in the third country or international organization

  2. administrative arrangements between public authorities which include enforceable and effective data subject rights

See also Article 63.

Authorizations by the European Commission, a Member State, or a supervisory authority remain valid until amended, replaced or repealed.

Article 47: Binding corporate rules

  1. The supervisory authority approves binding corporate rules in accordance with the consistency mechanism of Article 63, provided that they:

    1. are legally binding and apply to, and are enforced by, every member of the group of undertakings, including its employees

    2. expressly confer enforceable rights on data subjects with regard to the processing of their personal data

    3. fulfil the requirements of paragraph 2.

  2. The corporate rules should specify:

    1. the structure and contact details of the group of undertakings and of each of its members

    2. the data that is being handled, including categories as well as the type of processing, why the processing is done, the data subjects affected and any third countries in question.

    3. their legally binding nature, both internally and externally

    4. the application of the GDPR, such as:

      1. purpose limitation

      2. data minimisation

      3. limited storage periods

      4. data quality

      5. data protection by design/default

      6. legal basis for processing

      7. processing of special categories of personal data

      8. measures to ensure data security

      9. requirements of transfers to third parties

    5. the rights of data subjects regarding the use of their data (in terms of processing: Article 22; in terms of filing a complaint: Article 79)

    6. in case of a data breach, the controller/processor is to be held liable, except when proven that they are not at fault

    7. how the information in points 4 to 6 is provided to the data subject, in addition to the information required by Articles 13 and 14

    8. the tasks of the data protection officer (Article 37) or any other person responsible for data protection.

    9. the complaint procedures

    10. mechanisms to verify compliance with the corporate rules, including data protection audits; the results should be communicated to the person mentioned in point 8 as well as to the board of the company, and should be available to the supervisory authority

    11. mechanisms for recording and reporting changes to the rules to the supervisory authority

    12. making the results of the measures from point 10 available to the supervisory authority to ensure compliance by every member of the company

    13. mechanisms to report members of the company that have activity in a third country, which could affect the handling of personal data

    14. appropriate training for the employees having permanent or regular access to personal data.

  3. The Commission may specify the format and procedures for the exchange of information on binding corporate rules between controllers, processors and supervisory authorities; such acts are adopted in accordance with the examination procedure of Article 93(2).

Article 48: Transfers or disclosures not authorised by Union law

Any judgement of a court or administrative authority of a third country requiring a controller and/or processor to transfer or disclose personal data is only enforceable if it is based on an international agreement, such as a mutual legal assistance treaty, in force between said third country and the European Union or a Member State.

Article 49: Derogations for specific situations

  1. In the absence of an adequacy decision under Article 45(3) or of appropriate safeguards under Article 46, a transfer of personal data to a third country is only allowed when:

    1. the data subject has given explicit consent to the transfer after having been informed of its possible risks

    2. the transfer is needed to fulfill a contract between the data subject and the controller

    3. the transfer is needed to fulfill a contract, concluded in the interest of the data subject, between the controller and another natural or legal person

    4. the transfer is needed for important reasons of public interest

    5. the transfer is needed for the establishment, exercise or defence of legal claims

    6. the transfer is needed to protect the vital interests of the data subject or of another person, where the data subject is unable to give consent

    7. the transfer is made from a register which, under European Union or Member State law, is intended to provide information to the public, to the extent permitted by that law

  2. Transfers under point 7 must not involve the entirety of the personal data contained in the register, but only the data relevant to the request.

  3. Points 1, 2 and 3 do not apply to public authorities exercising their public powers.

  4. The public interest referred to in point 4 must be recognised by European Union or relevant Member State law.

  5. In the absence of an adequacy decision, European Union or Member State law may, for important reasons of public interest, expressly set limits on the transfer of specific categories of personal data to third countries; Member States must notify the Commission of such provisions.

  6. The controller or processor must document the assessment and the suitable safeguards in the records referred to in Article 30.

If a transfer cannot be based on Article 45 or 46 (including binding corporate rules) and none of the derogations above applies, it may still take place provided that it is not repetitive, concerns only a limited number of data subjects, is necessary for compelling legitimate interests of the controller which are not overridden by the interests or rights of the data subjects, and is accompanied by suitable safeguards provided by the controller. The controller must inform the supervisory authority of the transfer, and must inform the data subject of the transfer and of the legitimate interests pursued, in addition to the information required by Articles 13 and 14.

Article 50: International cooperation for the protection of personal data

The European Commission and supervisory authorities will take appropriate steps to facilitate international cooperation for the enforcement of data protection laws, and provide relevant assistance and resources in such matters.

Article 51: Supervisory authority

See also Article 57.

Supervisory authority: an independent public authority responsible for monitoring Regulation compliance in order to protect the rights and freedoms of data subjects, and to facilitate the free flow of personal data within the European Union.

Cooperation between supervisory authorities and the European Commission is subject to the consistency requirements specified in Chapter VII, Section 2 of the GDPR (Articles 63, 64, 65, 66, and 67).

Article 52: Independence

Each supervisory authority must act independently to perform its tasks; members must remain free from external influence and must not seek or accept instructions from third parties and may not engage in any occupation incompatible with the tasks of the supervisory authority.

Member States must ensure that supervisory authorities are provided with necessary infrastructure and human, technical and financial resources, as well as allocated separate, public annual budgets.

Article 53: General conditions for the members of the supervisory authority

Members of a supervisory authority of a given Member State are appointed by:

  1. the State parliament

  2. the State government

  3. the head of State

  4. an independent body authorized to do so under Member State law

All members must be sufficiently qualified to perform the duties of the supervisory authority.

Article 54: Rules on the establishment of the supervisory authority

Each Member State must, by law, provide for:

  1. the establishment of each supervisory authority

  2. necessary qualifications, rules, and procedures for the members of said supervisory authorities, including any applicable term limits for reappointment

Members and staff of a supervisory authority are bound by confidentiality both during and after their term of office.

Article 55: Competence

Each supervisory authority is competent to exercise, on the territory of its own Member State, the powers conferred on it in accordance with the GDPR.

Article 56: Competence of the lead supervisory authority

Caution
This article does not apply to processing carried out by public authorities in the public interest, or to comply with legal obligations, as specified in Articles 6 and 55.

The supervisory authority of the controller or processor’s main establishment is authorized to act as the lead supervisory authority for any cross-border processing carried out by said controller or processor; however, any other supervisory authority is authorized to handle a complaint filed with it only if the complaint concerns only the Member State in which that authority is established. In such cases, the supervisory authority must inform the lead supervisory authority without delay.

Within three weeks from the time of receipt of a complaint, the lead supervisory authority must decide whether it will handle the case, taking into account the rules for cooperation specified in Article 60. If it decides not to handle the case, the supervisory authority which informed it must handle the case instead, as specified by Articles 61 and 62.

Article 57: Tasks

A supervisory authority must, on its territory, among other tasks:

  1. monitor and enforce GDPR compliance

  2. advise national institutions and bodies on relevant legislative and administrative measures

  3. handle and investigate complaints filed by data subjects or other entities in accordance with Articles 77 and 80

  4. cooperate with, and provide information and assistance to, other supervisory authorities

  5. provide information to data subjects, concerning their rights under the GDPR, by request

  6. make controllers and/or processors aware of their obligations under the GDPR

  7. promote public awareness and understanding of data protection rights, with particular attention to children

  8. adopt and authorize standard contractual clauses (see also Article 46)

  9. approve binding corporate rules

  10. maintain a list of requirements for data protection impact assessments

  11. keep record of infringements of the Regulation (see also Article 58)

Supervisory authorities must provide a method by which complaints can be submitted, e.g. an electronic complaint submission form.

The tasks of a supervisory authority must be carried out free of charge for the data subject and data protection officer; they may nonetheless charge a reasonable fee if the requests are demonstrated to be manifestly unfounded or excessive.

Article 58: Powers

Supervisory authorities have the following powers:

  1. to order the controller and/or processor and their respective representative(s) to provide any required information, including access to all required personal data and to all premises and processing equipment of the controller and/or processor

  2. to carry out data protection audits and review data protection certification mechanisms

  3. to notify the controller or processor of an alleged infringement of the Regulation, or to issue warnings to such entities that intended processing is likely to infringe upon the GDPR, or to take appropriate corrective action

  4. to order the controller or processor to comply with a data subject’s requests to exercise their data rights

  5. to order the controller or processor to bring processing operations into Regulation compliance within a specified time period

  6. to order the controller to inform the data subject of a personal data breach (see Article 33)

  7. to impose a restriction or ban on processing or transfer of personal data to a third country or international organization

  8. to order the rectification, erasure, or restriction of processing of personal data in accordance with Article 19

  9. to issue certifications and accredit certification bodies

  10. to order withdrawal of a certification (see Articles 42 and 43)

  11. to impose an administrative fine

  12. to adopt standard data protection clauses and authorize contractual clauses

  13. to authorize administrative arrangements, as specified in Article 46

  14. to advise the controller (see Article 36)

  15. to issue opinions to the public and to national authorities and bodies, in accordance with Member State law, on any issue related to data protection

  16. to approve binding corporate rules

Supervisory authorities must be given the power to bring infringements of the Regulation to the attention of judicial authorities, and, if necessary for enforcement, to engage in legal proceedings.

Member State law may grant additional powers to its respective supervisory authority (see Article 90).

Article 59: Activity reports

A supervisory authority must compile annual reports of its activities, to be made public and transmitted to national authorities as designated by Member State law.

Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned

See also Article 61.

The lead supervisory authority must cooperate with other supervisory authorities in order to reach consensus, and may request assistance from them in accordance with Articles 61 and 62, in particular for the purpose of monitoring or investigation of a controller or processor established in another Member State; the supervisory authorities concerned must exchange all relevant information with each other without delay.

If any of the other supervisory authorities concerned expresses a relevant and reasoned objection to a draft decision, the lead supervisory authority must:

  1. if it accepts the objection, submit a revised draft decision within 2 weeks

  2. otherwise, it may request examination by the European Data Protection Board as specified in Articles 63, 64 and 65

Otherwise, all involved supervisory authorities are considered in agreement with the draft decision and are bound by it; the decision is then adopted by the lead supervisory authority.

The Board and other supervisory authorities must be informed of any adopted or rejected decisions, as well as provided a summary of the relevant information. After being notified of a decision, the controller and/or processor must ensure that it fully complies with said decision, and inform the supervisory authority of all measures it has taken to comply.

See also Article 66.

Article 61: Mutual assistance

Supervisory authorities shall assist and provide all relevant information to each other (see Chapter VII, Section 2); requests for assistance must contain all necessary information, including the purpose of the request. The requested supervisory authority may not decline the request, unless:

  1. it is not authorized to comply

  2. compliance with the request would violate this Regulation or European Union or Member State law

The requested supervisory authority must respond to the request and, if it refuses to comply, must provide reasons for said refusal.

Supervisory authorities may not charge a fee for any action taken as part of a request for mutual assistance, unless both parties have agreed on compensation.

Article 62: Joint operations of supervisory authorities

Supervisory authorities may conduct joint operations, including joint investigations and enforcement measures in which members or staff of other Member States' supervisory authorities are involved; in cases where a controller or processor has establishments in multiple Member States, or data subjects in multiple Member States are likely to be significantly affected by data processing, the supervisory authorities of each of those Member States have the right to participate in joint operations.

The host supervisory authority may additionally confer powers on members or staff of the other supervisory authorities involved in joint operations.[10]

The seconding supervisory authority’s members are subject to the Member State law of the host supervisory authority. The host Member State assumes responsibility for the actions of said members and is liable for any damage caused by them as part of their operations; the Member State of the seconding supervisory authority must reimburse the host Member State for any compensation it has paid to the persons entitled to it.

See also Article 66.

Article 63: Consistency mechanism

In order to ensure the consistent application of the GDPR, supervisory authorities must cooperate with each other as necessary.

Article 64: Opinion of the Board

See also Article 68.

  1. If a supervisory authority intends to adopt one of the following measures, the Board shall issue an opinion:

    1. adoption of a list of processing operations requiring a data protection impact assessment (see Article 35(4))

    2. a decision on whether a draft code of conduct, or an amendment/extension to a code of conduct, complies with this Regulation (see Article 40(7))

    3. approval of criteria regarding Article 41(3) or 43(3)

    4. determination of standard data protection clauses (see Articles 46(2)(d) and 28(8))

    5. authorization of contractual clauses (see Article 46(3)(a))

    6. approval of binding corporate rules (see Article 47)

  2. The Board can be asked for opinions by any supervisory authority, the Chair of the Board or the Commission, especially where supervisory authorities do not comply with Articles 61 and 62

  3. Provided the matter has not already been discussed by the Board, it has a period of 8 weeks to issue its opinion, extendable by a further 6 weeks in complex cases. A member that has not objected within a reasonable time is deemed to agree with the draft decision.

  4. Supervisory authorities and the Commission shall, without undue delay, send all important (and needed) information to the Board by electronic means, using a standardised form

  5. The Chair of the Board shall, without undue delay, inform by electronic means:

    1. the members of the Board of the information on the case, including translations where needed

    2. the supervisory authority and the Commission of the opinion, and make it public

  6. A supervisory authority shall not adopt its draft decision from paragraph 1 within the period from paragraph 3.

  7. The supervisory authority shall take account of the opinion and within two weeks communicate by electronic means whether it will maintain or amend its draft decision; an amended draft decision is submitted in the standardised format.

  8. If the supervisory authority decides not to follow the opinion of the Board, it shall communicate this to the Board within two weeks (paragraph 7), in which case Article 65(1) applies.

Article 65: Dispute resolution by the Board

See also Article 68.

The Board may adopt a binding decision by two-thirds supermajority of its members when:

  1. a supervisory authority concerned has raised an objection to a draft decision by the lead supervisory authority

  2. there are conflicting views on which supervisory authority concerned is competent for the main establishment

  3. a competent supervisory authority does not request or follow the opinion of the Board; the European Commission or any supervisory authority concerned may inform the Board of such matters

Such binding decisions must be relayed to the European Commission and published on the website of the Board, and must be adopted within one month;[11] they are binding on the lead supervisory authority and all supervisory authorities concerned.

Article 66: Urgency procedure

If a supervisory authority concerned considers that there is an urgent need to act to protect data subjects' rights, it may immediately adopt provisional measures on its own territory for a time period of no longer than three months; the Board and the European Commission must be informed of such an act without delay. If the supervisory authority believes that said measures need to urgently be finalized, it may request an urgent opinion or urgent binding decision from the Board.

The Board may approve said urgent opinion or binding decision by a simple majority of its members.

Article 67: Exchange of information

The European Commission may adopt general implementing acts in order to specify conditions for the exchange of information between supervisory authorities and between supervisory authorities and the Board.

Article 68: European Data Protection Board

This article establishes the European Data Protection Board as a body of the European Union.

The Board:

  1. is represented by its Chair

  2. is composed of the head of one supervisory authority from each Member State, and of the European Data Protection Supervisor, or of their respective representatives; if multiple supervisory authorities are responsible for monitoring Regulation compliance in a given Member State, they may appoint a joint representative

The European Commission has the right to participate in Board activities by means of an appointed representative, without voting rights. The European Data Protection Supervisor has voting rights only on decisions which concern principles and rules applicable to Regulation-relevant European Union institutions, bodies, offices and agencies.

Article 69: Independence

The Board must act independently when performing its tasks or exercising its powers, and shall neither seek nor take instructions from a third party.

Article 70: Tasks of the Board

See also Article 68.

The Board must ensure the consistent application of the GDPR, and shall:

  1. advise the European Commission on issues related to personal data protection, and on procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules

  2. provide an opinion on adequacy decisions; the European Commission must provide the Board with all necessary resources for this task

  3. maintain a public register of decisions taken by supervisory authorities and courts on issues of consistency (see Articles 63, 64, 65, 66 and 67)

  4. provide an opinion on draft decisions of supervisory authorities in accordance with Articles 64, 65 and 66

  5. issue guidelines and recommendations on:

    1. procedures for removal of personal data (see also Right to erasure)

    2. criteria and conditions for profiling

    3. handling personal data breaches, including determination of what constitutes an "undue delay" as specified in Article 33

    4. data transfers based on binding corporate rules, see also further criteria specified by Article 49

    5. the setting of administrative fines

    6. common procedures for reporting infringements of the Regulation

    7. creation of common codes of conduct and certification mechanisms (see also Article 43)

    8. the standardized icons referred to in Article 12

  6. promote the cooperation and exchange of information and best practices between supervisory authorities

The Board must make public and forward its opinions and guidelines to the European Commission and to the committee.

Article 71: Reports

See also Article 68.

The Board must prepare an annual report regarding the protection of the personal data of natural persons within the European Union and in any relevant third countries or international organizations; this report must include a review of the application of the guidelines laid down by Article 70 and of any binding decisions made in accordance with Article 65.

Article 72: Procedure

Board decisions are approved by a simple majority unless otherwise specified; Board rules of procedure are adopted by a two-thirds supermajority of its members.

Article 73: Chair

  1. The Board elects a chair and two deputy chairs from amongst its members by simple majority.

  2. The position of Chair has a term limit of five years, renewable once.

Article 74: Tasks of the Chair

See also: Article 73.

The Chair has the following tasks:

  1. to convene Board meetings and prepare their agenda

  2. to notify the lead supervisory authority of decisions adopted by the Board

  3. to ensure the timely performance of tasks (see also Article 63)

The Board shall specify in its rules of procedure the distribution of tasks between the Chair and deputy chairs.

Article 75: Secretariat

The Board must have a secretariat provided to it by the European Data Protection Supervisor, which is responsible for the following:

  1. analytical, administrative and logistical support

  2. day-to-day business of the Board; this includes the preparation and follow-up of meetings and the preparation and publication of opinions and decisions adopted by the Board

  3. communication between the members of the Board, the Chair, and the European Commission, and with other institutions and the public

  4. the translation of relevant information

Article 76: Confidentiality

Board discussions may be made confidential by the Board if deemed necessary. Access to Board documents is governed by Regulation (EC) No 1049/2001.

Article 77: Right to lodge a complaint with a supervisory authority

Data subjects have the right to file a complaint with a supervisory authority in the Member State of their residence, place of work, or place of the alleged infringement; said supervisory authority must inform the complainant of the progress and outcome of the complaint (see Article 78).

Article 78: Right to an effective judicial remedy against a supervisory authority

All natural or legal persons have the right to an effective judicial remedy against a legally binding decision concerning them made by a supervisory authority, or when the competent (see Articles 55 and 56) supervisory authority does not handle a filed complaint, or does not inform the data subject of the progress and/or outcome of a filed complaint in accordance with Article 77.

Proceedings against a supervisory authority must be brought before the courts of the Member State in which the supervisory authority is established.

Article 79: Right to an effective judicial remedy against a controller or processor

See also Article 77.

All natural or legal persons have the right to an effective judicial remedy against a controller or processor when their rights have been infringed upon as a result of non-Regulation-compliant processing.

Proceedings against a controller or processor must be brought before the courts of a Member State in which the controller or processor has an establishment, or of the Member State of the data subject’s residence, unless the controller or processor is a public authority acting in the exercise of its public powers.

Article 80: Representation of data subjects

Data subjects have the right to mandate a non-profit organization to file a complaint on their behalf, provided that said organization:

  1. has been properly constituted

  2. has statutory objectives which are in the public interest

  3. is active in the field of data rights protection

See also Articles 77, 78, 79 and 82.

Article 81: Suspension of proceedings

If multiple competent courts have information on proceedings, concerning the same subject matter and regarding processing by the same controller or processor, all except the court first seized may suspend proceedings; they may also decline jurisdiction in favor of the court first seized, if that court has jurisdiction over said proceedings.

Proceedings are deemed to be related where they are so closely connected that it is expedient to hear and determine them together in order to avoid the risk of irreconcilable judgments resulting from separate proceedings.
— Recital 144

Article 82: Right to compensation and liability

Any person who has suffered damage as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor; a processor is only liable for damage caused if it has not complied with the elements of the GDPR that specifically target processors, or if it has acted without proper authorization from the controller.

If multiple controllers or processors are involved in the same processing and are responsible for any damage caused, they must all be held liable for said damage; each controller or processor is entitled to claim back their part of the compensation from the other controllers or processors involved.

Article 83: General conditions for imposing administrative fines

Supervisory authorities must ensure that any administrative fines imposed for infringements of the GDPR are effective, proportionate and dissuasive.

When deciding whether to impose an administrative fine, the supervisory authority must take into account:

  1. the nature, scope or purpose of the processing, the number of data subjects affected, and the level of damage caused

  2. any action taken by the controller or processor to mitigate the damage

  3. the degree of responsibility of the controller or processor, taking into account measures implemented by them in accordance with Articles 25 and 32

  4. any previous infringements by the controller or processor

  5. any cooperation with the supervisory authority to mitigate the damage

  6. the categories of affected personal data

  7. the manner in which the infringement became known

  8. previous compliance with supervisory powers specified in Article 58

  9. adherence to approved codes of conduct or approved certification mechanisms

  10. any other relevant factors

Infringements of the following provisions are subject to administrative fines of the greater of ten million euro and 2% of the total worldwide annual turnover of the preceding year, if applicable:

  1. the basic obligations of the controller or processor (see Articles 8, 11, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 42 and 43)

  2. the obligations of the certification body (see Articles 42 and 43)

  3. the obligations of the monitoring body (see Article 41)

Infringements of the following provisions are subject to administrative fines of the greater of twenty million euro and 4% of the total worldwide annual turnover of the preceding year, if applicable:

  1. basic principles for processing, including conditions for consent (see Articles 5, 6, 7 and 9)

  2. data subjects' rights (see Articles 12, 13, 14, 15, 16, 17, 18, 19, 20, 21 and 22)

  3. transfers of personal data to a third country or international organization (see Articles 44, 45, 46, 47, 48 and 49)

  4. compliance with an order to limit processing, to suspend the flow of data to a third country or international organization or to provide access (see Article 58)

  5. other relevant Member State laws

Non-compliance with an order by a supervisory authority is subject to administrative fines of the greater of twenty million euro and 4% of the total worldwide annual turnover of the preceding year, if applicable.

Article 84: Penalties

See also: Article 83.

Member States must specify relevant rules for other effective, proportionate and dissuasive penalties applicable to infringements of the GDPR, in particular for infringements which are not subject to administrative fines, and must take necessary measures to ensure that they are implemented; the European Commission must be informed of such laws by 25 May 2018, and of any subsequent amendments.

Article 85: Processing and freedom of expression and information

Member States must by law ensure that the right to the protection of personal data is compatible with the right to freedom of expression and information; this includes processing for journalistic, academic, artistic and literary purposes, for which Member States must provide exemptions from Chapters II-VII and IX of the GDPR if they are necessary to ensure the aforementioned compatibility (see Articles 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 85, 86, 87, 88, 89, 90 and 91).

Article 86: Processing and public access to official documents

Personal data in official documents held by a public body, or by a private body for the performance of a task in the public interest, may be disclosed by said body in accordance with European Union or Member State law, in order to reconcile public access to official documents with the right to data protection.

Article 87: Processing of the national identification number

Member States may determine further special conditions for the processing, with the appropriate privacy safeguards, of a national identification number or of any other generally applicable identifier.

Article 88: Processing in the context of employment

Member States may provide more specific rules to ensure the protection of the rights and freedoms with respect to the processing of employees' personal data in the context of their employment, in particular for the purposes of recruitment or the performance of the contract of employment, including:

  1. equality and diversity

  2. health and safety

  3. protection of an employer’s or customer’s property

  4. protection of employees' rights

  5. termination of employment

These rules must include suitable measures to safeguard the data subject’s rights, particularly regarding transparency of processing and transfers of personal data within a group of undertakings.

Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

Processing for archiving purposes in the public interest or for research purposes must be subject to appropriate privacy safeguards, including but not limited to pseudonymization and data minimization (see also Article 25); European Union or Member State law may provide certain exceptions to these rules where the rules are likely to impair or render impossible the fulfillment of the specified purpose.

Article 90: Obligations of secrecy

Member States may introduce specific rules to further specify the powers of supervisory authorities, as specified in Article 58, regarding controllers or processors that are subject to an obligation of secrecy and the data received as part of an activity covered by said obligation.

Article 91: Existing data protection rules of churches and religious associations

Data protection rules applied by churches or religious organizations in a Member State may continue to apply, provided that they are brought into line with the GDPR; said associations are subject to the supervision of an independent supervisory authority as specified by Chapter VI of the Regulation (see Articles 51, 52, 53, 54, 55, 56, 57, 58 and 59).

Article 92: Exercise of the delegation

Starting on 24 May 2016, the European Commission is given the power to adopt delegated acts (see Articles 12 and 43); this power may be revoked at any time by the European Parliament or the Council of the European Union, in which case the validity of any existing delegated acts is not affected.

Delegated acts may only enter into force if neither the European Parliament nor Council of the European Union have objected to said act within three months from the notification of the act to the Parliament and the Council, or if the Parliament and Council have both informed the European Commission that they will not object.

Article 93: Committee procedure

The European Commission shall be assisted by a committee, as specified by Regulation (EU) No 182/2011.

Article 94: Repeal of Directive 95/46/EC

Starting on 25 May 2018, the 1995 Data Protection Directive (Directive 95/46/EC) is no longer in effect. References to said Directive are to be interpreted as references to the GDPR; the Working Party on the Protection of Individuals as specified by Article 29 of the Directive has been effectively replaced by the European Data Protection Board.

Article 95: Relationship with Directive 2002/58/EC

Article 96: Relationship with previously concluded Agreements

International agreements involving the transfer of personal data to third countries or international organisations which were concluded by Member States prior to 24 May 2016, and which comply with Union law as applicable prior to that date, shall remain in force until amended, replaced or revoked.
— Article 96

Article 97: Commission reports

By 25 May 2020, and every four years afterwards, the European Commission must submit and make public a report on the evaluation and review of the GDPR to the European Parliament and the Council of the European Union.

In particular, the European Commission must examine:

  1. the application of Chapter V regarding the transfer of personal data to third countries or international organizations (see Articles 44, 45, 46, 47, 48, 49 and 50)

  2. the application of Chapter VII regarding cooperation and consistency (see Articles 60, 61, 62, 63, 64, 65, 66 and 67)

Article 98: Review of other Union legal acts on data protection

The Commission shall, if appropriate, submit legislative proposals with a view to amending other Union legal acts on the protection of personal data, in order to ensure uniform and consistent protection of natural persons with regard to processing. This shall in particular concern the rules relating to the protection of natural persons with regard to processing by Union institutions, bodies, offices and agencies and on the free movement of such data.
— Article 98

Article 99: Entry into force and application

The GDPR enters into force on 25 May 2018.

2. The conditions for such processing are specified by European Union law; Member States may introduce more specific requirements.
6. This may be extended by a further 6 weeks by request if the subject matter is deemed sufficiently complex.
7. This procedure is subject to the requirements laid down by Articles 5 and 8 of Regulation (EU) No 182/2011 ("the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers")
10. This process must first be authorized by the seconding supervisory authority.
11. This can be extended by a further month by request if the subject matter is deemed sufficiently complex.
