
11/21/2019 REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL - of April 27, 2016 - concerning the


4.5.2016 IS Official Journal of the European Union L 119/1

(Legislative acts)

REGULATIONS

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

April 27, 2016

concerning the protection of natural persons with regard to the processing of personal data
and the free circulation of these data and repealing Directive 95/46/EC (General Data
Protection Regulation)

(Text with EEA relevance)

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16,

Having regard to the proposal of the European Commission,

After transmission of the draft legislative text to the national Parliaments,

Having regard to the opinion of the European Economic and Social Committee ( 1 ),

Having regard to the opinion of the Committee of the Regions ( 2 ),

In accordance with the ordinary legislative procedure ( 3 ),

Considering the following:

(1) The protection of natural persons in relation to the processing of personal data is a fundamental
right. Article 8 (1) of the Charter of Fundamental Rights of the European Union ("the Charter") and
Article 16 (1) of the Treaty on the Functioning of the European Union (TFEU) state that everyone has
the right to the protection of personal data concerning him.

(2) The principles and rules related to the protection of natural persons with regard to the processing of
their personal data must, whatever their nationality or residence, respect their fundamental rights and
freedoms, in particular the right to the protection of personal data. This Regulation aims to contribute
to the full realization of an area of freedom, security and justice and of an economic union, to economic
and social progress, to the reinforcement and convergence of economies within the internal market, as
well as to the welfare of natural persons.

(3) Directive 95/46/EC of the European Parliament and of the Council ( 4 ) seeks to harmonize the protection
of the fundamental rights and freedoms of natural persons in relation to personal data processing
activities and to guarantee the free circulation of these data among the Member States.

( 1 ) OJ C 229, 31.7.2012, p. 90.
( 2 ) OJ C 391, 18.12.2012, p. 127.
( 3 ) Position of the European Parliament of March 12, 2014 (pending publication in the Official Journal) and
position of the Council at first reading of April 8, 2016 (pending publication in the Official Journal).
Position of the European Parliament of April 14, 2016.
( 4 ) Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995, on the protection of
natural persons with regard to the processing of personal data and the free circulation of these data
(OJ L 281, 23.11.1995, p. 31).


(4) The processing of personal data must be designed to serve humanity. The right to protection of
personal data is not an absolute right but must be considered in relation to its function in society
and be kept in balance with other fundamental rights, in accordance with the principle of proportionality.
This Regulation respects all fundamental rights and observes the freedoms and principles
recognized in the Charter as enshrined in the Treaties, in particular respect for private and family
life, home and communications, protection of personal data, freedom of
thought, conscience and religion, freedom of expression and information, freedom of enterprise, the
right to effective judicial protection and a fair trial, and cultural, religious and linguistic diversity.

(5) The economic and social integration resulting from the functioning of the internal market has led to a
substantial increase in cross-border flows of personal data. The exchange of personal data between
public and private operators, including natural persons, associations and businesses, has increased
throughout the Union. Union law urges the national authorities of the Member States to cooperate and
exchange personal data in order to fulfill their functions or perform others on behalf of an
authority of another Member State.

(6) Rapid technological evolution and globalization have posed new challenges for the protection of personal
data. The magnitude of the collection and exchange of personal data has increased significantly.
Technology allows both private companies and public authorities to use personal data
on an unprecedented scale when carrying out their activities. Natural persons spread an
increasing volume of personal information worldwide. Technology has transformed both the
economy and social life, and has to facilitate even more the free circulation of personal data within the
Union and their transfer to third countries and international organizations, while guaranteeing a
high level of protection of personal data.

(7) These advances require a stronger and more coherent framework for data protection in the European Union,
backed by strict enforcement, given the importance of building the trust that allows the digital
economy to develop throughout the internal market. Natural persons must have control of their own
personal data. Legal and practical security must be strengthened for natural persons, economic operators
and public authorities.

(8) In cases where this Regulation establishes that its rules are to be specified or restricted by the
law of the Member States, those States may, to the extent necessary for reasons of consistency and so
that national provisions are understandable to their recipients, incorporate elements of this
Regulation into their national law.

(9) Although the objectives and principles of Directive 95/46/EC remain valid, this has not prevented
data protection in the territory of the Union from being applied in a fragmented manner, nor legal
uncertainty, nor a widespread perception among public opinion that there are significant risks to the
protection of natural persons, in particular in relation to online activities. Differences in the level of
protection of the rights and freedoms of natural persons, in particular the right to the protection of
personal data, as regards the processing of such data in the Member States, may prevent the
free movement of personal data in the Union. These differences may therefore constitute
an obstacle to the exercise of economic activities at Union level, distort competition and prevent
the authorities from fulfilling the functions incumbent upon them under Union law. This difference in
levels of protection is due to the existence of divergences in the implementation and application of
Directive 95/46/EC.

(10) To ensure a uniform and high level of protection of natural persons and eliminate obstacles to the
circulation of personal data within the Union, the level of protection of the rights and freedoms of
natural persons as regards the processing of such data must be equivalent in all Member
States. It must be ensured throughout the Union that the application of the rules for the protection of
the fundamental rights and freedoms of natural persons in relation to the processing of personal data is
consistent and homogeneous. Regarding the processing of personal data for the fulfillment of a
legal obligation, for the fulfillment of a mission carried out in the public interest or in the exercise of
public powers conferred on the controller, Member States must be empowered to maintain or
adopt national provisions in order to specify to a greater extent the application of the rules of this
Regulation. Together with the general and horizontal regulations on data protection by which
Directive 95/46/EC is implemented, the Member States have different sector-specific rules in areas that
require more specific provisions. This Regulation also recognizes a room for maneuver for
Member States to specify their rules, including for the processing of special categories of personal
data ("sensitive data"). In this regard, this Regulation does not exclude the law of the Member
States that determines the circumstances related to specific processing situations, including a
detailed indication of the conditions in which the processing of personal data is lawful.


(11) The effective protection of personal data in the Union requires that the rights of
the interested parties and the obligations of those who process and determine the processing of personal
data be strengthened and specified, that equivalent powers to monitor and ensure compliance with the
rules on the protection of personal data be recognized in the Member States, and that infringements be
punishable by equivalent penalties.

(12) Article 16 (2) of the TFEU instructs the European Parliament and the Council to establish the rules
on protection of natural persons with respect to the processing of personal data and standards
concerning the free circulation of said data.

(13) To ensure a consistent level of protection of natural persons throughout the Union and avoid divergences
that hinder the free movement of personal data within the internal market, a regulation is necessary that
provides legal certainty and transparency to economic operators, including micro, small and
medium-sized enterprises, and offers natural persons of all Member States the same level of
enforceable rights, and obligations and responsibilities for controllers and processors, in
order to ensure consistent supervision of the processing of personal data and equivalent sanctions in
all Member States, as well as effective cooperation between the control authorities of the different
Member States. The proper functioning of the internal market requires that the free movement of personal
data in the Union is not restricted or prohibited for reasons related to the protection of
natural persons with regard to the processing of personal data. In order to take into account the specific
situation of micro, small and medium-sized enterprises, this Regulation includes a series of
exceptions regarding record keeping for organizations with fewer than 250 employees. Furthermore, it
encourages the institutions and bodies of the Union and the Member States and their supervisory authorities
to take into account the specific needs of micro, small and medium-sized enterprises in the application
of this Regulation. The concept of micro, small and medium-sized enterprises must be drawn from
Article 2 of the annex to Commission Recommendation 2003/361/EC ( 1 ).

(14) The protection granted by this Regulation should apply to natural persons, regardless of
their nationality or place of residence, in relation to the processing of their personal data. This
Regulation does not regulate the processing of personal data related to legal persons and in particular
companies constituted as legal persons, including the name and form of the legal entity and its
contact details.

(15) In order to avoid a serious risk of circumvention, the protection of natural persons must be
technologically neutral and should not depend on the techniques used. The protection of natural persons
must be applied to the automated processing of personal data, as well as to its manual processing, when
personal data appear in a file or are intended to be included in it. Files or sets of files, as well as
their covers, which are not structured according to specific criteria, should not fall within the scope of
application of this Regulation.

(16) This Regulation does not apply to issues of protection of fundamental rights and freedoms or
the free circulation of personal data related to activities excluded from the scope of Union law,
such as national security activities. Nor does it apply to the processing of personal data
by the Member States in the exercise of activities related to the common foreign and security
policy of the Union.

(17) Regulation (EC) No 45/2001 of the European Parliament and of the Council ( 2 ) applies to the processing of
personal data by the institutions, bodies and agencies of the Union. Regulation (EC) No 45/2001 and
other legal acts of the Union applicable to such processing of personal data must be adapted to
the principles and rules established in this Regulation and applied in light of it. In order to set
a solid and coherent framework for data protection in the Union, the necessary adaptations of
Regulation (EC) No 45/2001 should be made once this Regulation is adopted, so that
it can be applied at the same time as this Regulation.

(18) This Regulation does not apply to the processing of personal data by a natural person in the
course of an exclusively personal or domestic activity and, therefore, without any connection to an activity

( 1 ) Commission Recommendation of May 6, 2003 on the definition of micro, small and medium-sized enterprises
[C (2003) 1422] (OJ L 124, 20.5.2003, p. 36).
( 2 ) Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000, concerning the
protection of natural persons with regard to the processing of personal data by the Community institutions
and bodies and the free movement of these data (OJ L 8, 12.1.2001, p. 1).


professional or commercial. Personal or domestic activities include correspondence and the keeping of
a repertoire of addresses, or activity on social networks and online activity carried out in the
context of the aforementioned activities. However, this Regulation applies to controllers or processors
that provide the means to process personal data related to such personal or domestic
activities.

(19) The protection of natural persons with regard to the processing of personal data by
the competent authorities for the purposes of prevention, investigation, detection or prosecution of
criminal offences or enforcement of criminal penalties, including protection against threats to public
security and their prevention, and the free circulation of these data, is the subject of a specific legal
act at Union level. This Regulation should not, therefore, apply to processing activities intended for
such purposes. However, personal data processed by public authorities in application of this
Regulation must, if they are intended for such purposes, be governed by a more specific Union legal act,
namely Directive (EU) 2016/680 of the European Parliament and of the Council ( 1 ). Member States can
entrust to the competent authorities, as defined in Directive (EU) 2016/680, functions that are not
necessarily carried out for the purpose of prevention, investigation, detection or prosecution of
criminal offences or enforcement of criminal penalties, including protection against threats to public
security and their prevention, in such a way that the processing of personal data for these other purposes,
to the extent that it is included in the scope of Union law, falls within the scope of this
Regulation.

With regard to the processing of personal data by said competent authorities for purposes that
fall within the scope of this Regulation, Member States should have the possibility of
maintaining or introducing more specific provisions to adapt the application of the rules of this
Regulation. Such provisions may more precisely establish specific requirements for the processing
of personal data for other purposes by said competent authorities, taking into account the
constitutional, organizational and administrative structure of the Member State in question. When the
processing of personal data by private organizations falls within the scope of this Regulation, this
Regulation must provide that Member States may, under specific conditions, limit by law certain
obligations and rights, provided that such limitation is a necessary and proportionate measure in a
democratic society to protect important specific interests, including public security and the prevention,
investigation, detection and prosecution of criminal offences or the enforcement of criminal penalties,
including protection against threats to public security and their prevention. This applies, for
example, in the framework of the fight against money laundering or the activities of scientific police
laboratories.

(20) Although this Regulation applies, inter alia, to the activities of the courts and other judicial
authorities, the law of the Union or of the Member States may specify the processing operations and
processing procedures in relation to the processing of personal data by
courts and other judicial authorities. In order to preserve the independence of the judiciary in the
performance of its functions, including decision making, the competence of the supervisory authorities
should not cover the processing of personal data when the courts act in the exercise of their judicial
function. The control of these data processing operations must be entrusted to specific bodies established
within the judicial system of the Member State, which must, in particular, ensure compliance with the rules
of this Regulation, raise awareness among the members of the judiciary about their obligations under
it and address claims in relation to such data processing operations.

(21) This Regulation should be without prejudice to the application of Directive 2000/31/EC of the European
Parliament and of the Council ( 2 ), in particular the rules on liability of providers of
intermediary services established in its Articles 12 to 15. The objective of that directive is to contribute
to the proper functioning of the internal market by guaranteeing the free movement of information society
services between Member States.

(22) Any processing of personal data in the context of the activities of an establishment of a controller or
a processor in the Union must be carried out in accordance with this Regulation,
regardless of whether the processing takes place in the Union. An establishment involves the
effective and real exercise of an activity through stable modalities. The legal form of such
modalities, whether a branch or a subsidiary with legal personality, is not the determining factor in this
regard.

( 1 ) Directive (EU) 2016/680 of the European Parliament and of the Council of April 27, 2016, on the protection
of natural persons with regard to the processing of personal data by the competent authorities for the
purposes of prevention, investigation, detection or prosecution of criminal offences or enforcement of
criminal penalties, and the free circulation of such data, and repealing Council Framework Decision
2008/977/JHA (see page 89 of this Official Journal).
( 2 ) Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects
of information society services, in particular electronic commerce in the internal market (Directive on
electronic commerce) (OJ L 178, 17.7.2000, p. 1).


(23) In order to ensure that natural persons are not deprived of the protection to which they are entitled
under this Regulation, the processing of personal data of interested parties residing in the Union by a
controller or a processor not established in the Union must be governed by this Regulation if the
processing activities relate to the offer of goods or services to said interested parties, regardless of
whether payment is involved. To determine whether said controller or processor offers goods or services to
interested parties residing in the Union, it must be determined whether it is clear that the controller or
processor plans to offer services to interested parties in one or more of the Member States of the Union.
While the mere accessibility of the website of the controller or processor or of an intermediary in the
Union, of an email address or other contact information, or the use of a language generally used in the
third country where the controller resides, is not enough to determine this intention, there are factors,
such as the use of a language or a currency generally used in one or several Member States with the
possibility of ordering goods and services in that other language, or the mention of clients or users
residing in the Union, that may reveal that the controller plans to offer goods or services to interested
parties in the Union.

(24) The processing of personal data of interested parties residing in the Union by a controller or processor
not established in the Union must also be subject to this Regulation when it is related to the
observation of the behavior of said interested parties to the extent that this behavior takes place in
the Union. To determine whether a processing activity can be considered to monitor the behavior of
interested parties, it should be assessed whether natural persons are tracked on the Internet, including
the potential subsequent use of personal data processing techniques that consist of the elaboration of a
profile of a natural person in order, in particular, to make decisions about him or to analyze or predict
his personal preferences, behaviors and attitudes.


(25) Where the law of the Member States is applicable by virtue of public international law,
this Regulation should also apply to any controller not established in the Union,
such as in a diplomatic mission or consular office of a Member State.

(26) The principles of data protection should apply to all information relating to an identified or
identifiable natural person. Pseudonymised personal data, which could be attributed to a natural person
through the use of additional information, should be considered information about an identifiable natural
person. To determine if a natural person is identifiable, all means, such as
singling out, which the controller or any other person can reasonably use to
directly or indirectly identify the natural person must be taken into account. To determine if there is a
reasonable probability that means will be used to identify a natural person, all objective factors must be
taken into account, such as the costs and time required for identification, taking into account both the
technology available at the time of processing and technological advances. Therefore the principles of
data protection should not be applied to anonymous information, that is, information that is not related
to an identified or identifiable natural person, nor to data rendered anonymous so that the interested
party is not identifiable, or is no longer identifiable. Consequently, this Regulation does not affect the
processing of such anonymous information, including for statistical or research purposes.

(27) This Regulation does not apply to the protection of personal data of deceased persons. Member
States are competent to establish rules regarding the processing of the personal data of deceased persons.

(28) The application of pseudonymisation to personal data can reduce the risks for the interested parties
affected and help controllers and processors fulfill their data protection
obligations. Thus, the explicit introduction of "pseudonymisation" in this Regulation is not intended
to exclude any other measure related to data protection.

(29) To encourage the application of pseudonymisation in the processing of personal data, it must be possible
to establish pseudonymisation measures, while allowing a general analysis, within the same
controller, when that controller has adopted the necessary technical and organizational measures to
ensure that this Regulation is applied to the corresponding processing and that the additional
information for the attribution of personal data to a specific person is kept separately. The controller
that processes the personal data should indicate which are its authorized persons.


(30) Natural persons may be associated with online identifiers provided by their devices, applications,
tools and protocols, such as internet protocol addresses, session identifiers in the form of
"cookies" or other identifiers, such as radio frequency identification tags. This can leave traces
which, in particular when combined with unique identifiers and other data received by the servers, can
be used to prepare profiles of natural persons and identify them.

(31) The public authorities to whom personal data are communicated under a legal obligation for the
exercise of their official mission, such as tax and customs authorities, financial investigation units,
independent administrative authorities or financial market oversight bodies
in charge of the regulation and supervision of the stock markets, should not be considered recipients of
data if they receive personal data that are necessary to carry out a specific investigation of general
interest, in accordance with the law of the Union or of the Member States. Requests for communication
from public authorities must always be submitted in writing, be reasoned and occasional, and
should not refer to the entirety of a file or lead to the interconnection of several files. The processing
of personal data by said public authorities must comply with the regulations on data protection
that are applicable depending on the purpose of the processing.


(32) Consent must be given through a clear affirmative act that reflects a free, specific, informed and
unequivocal manifestation of the will of the interested party to accept the processing of personal data
concerning him, such as a written statement, including by electronic means, or a verbal statement. This
could include ticking a box on a website on the internet, choosing technical parameters for the use of
information society services, or any other statement or conduct that clearly indicates in
this context that the interested party accepts the proposal for the processing of his personal data.
Therefore, silence, boxes already ticked or inaction should not constitute consent. Consent must be given
for all processing activities carried out for the same purpose or purposes. When the processing has
several purposes, consent must be given for all of them. If the consent of the interested party is to be
given as a result of a request by electronic means, the request must be clear, concise and not
unnecessarily disturb the use of the service for which it is provided.

(33) It is often not possible to fully determine the purpose of the processing of personal data for purposes
of scientific research at the time of collection. Therefore, interested parties should be allowed to give
their consent for certain fields of scientific research that respect recognized ethical standards
for scientific research. Interested parties should have the opportunity to give their consent
only for certain areas of research or parts of research projects, to the extent
allowed by the purpose pursued.

(34) Genetic data should be understood as personal data related to the inherited or acquired genetic
characteristics of a natural person, resulting from the analysis of a biological sample of the natural
person in question, in particular through a chromosomal analysis, an analysis of deoxyribonucleic acid
(DNA) or ribonucleic acid (RNA), or the analysis of any other element that allows equivalent information
to be obtained.

(35) Personal data related to health should include all data related to the health status of the
interested party that give information about his or her past, present or future physical or mental health.
This includes information about the natural person collected on the occasion of his or her registration for
health care purposes, or on the occasion of the provision of such care, in accordance with Directive
2011/24/EU of the European Parliament and of the Council ( 1 ); any number, symbol or data assigned to a
natural person that uniquely identifies that person for health purposes; information obtained from tests or
examinations of a body part or bodily substance, including from genetic data and biological samples; and
any information relating, for example, to a disease, a disability, the risk of disease, medical history,
clinical treatment or the physiological or biomedical status of the interested party, regardless of its
source, for example a doctor or other healthcare professional, a hospital, a medical device, or an in vitro
diagnostic test.

(36) The main establishment of a controller in the Union should be the place of its central administration
in the Union, unless decisions regarding the purposes and means of processing personal data
are taken in another establishment of the controller in the Union, in which case that other establishment
must

( 1 ) Directive 2011/24 / EU of the European Parliament and of the Council of March 9, 2011, concerning the application of the rights of
patients in cross-border healthcare (OJ L 88, 4.4.2011, p. 45).


be considered the main establishment. The main establishment of a controller in the Union must
be determined based on objective criteria and must involve the effective and real exercise of management
activities that determine the main decisions regarding the purposes and means of processing through stable
modalities. This criterion should not depend on whether the processing of personal data is carried out in
that place. The presence and use of technical means and technologies for the processing of personal data
or processing activities do not, in themselves, constitute a main establishment and are not, therefore,
determining criteria of a main establishment. The main establishment of the processor should be the
place of its central administration in the Union or, if it has no central administration in the Union, the
place in which the main processing activities in the Union are carried out. In cases that involve both the
controller and the processor, the competent principal control authority must remain the control authority
of the Member State in which the controller has its main establishment, but the control authority of the
processor should be considered a control authority concerned and participate in the cooperation procedure
established in this Regulation. In any case, the control authorities of the Member State or Member States
where the processor has one or more establishments must not be
considered control authorities concerned when the draft decision affects only the controller.
When the processing is carried out by a business group, the main establishment of the company that
exercises control should be considered the main establishment of the business group, except when the
purposes and means of the processing are determined by another company.

(37) A business group must consist of a company that exercises control and the companies it controls;
the company that exercises control must be the one that can exert a dominant influence on the other
companies by reason, for example, of ownership, financial participation, the rules by which it is governed, or the power
to have personal data protection rules enforced. A company that controls the processing of
personal data in companies affiliated with it should be considered, together with those companies, a «business
group».

(38) Children deserve specific protection of their personal data, as they may be less aware of
the risks, consequences, guarantees and rights concerning the processing of personal data. Such
specific protection should apply in particular to the use of personal data of children for the purpose of
marketing or development of personality or user profiles, and obtaining personal data
relating to children when services offered directly to a child are used. The consent of the holder of the
parental rights or guardianship should not be necessary in the context of preventive or advisory services
offered directly to children.

(39) All processing of personal data must be lawful and fair. It must be entirely clear to natural persons
that personal data concerning them are being collected, used, consulted or otherwise processed,
as well as the extent to which those data are or will be processed. The principle of transparency requires that all
information and communication regarding the processing of such data be easily accessible and easy to understand, and
that simple and clear language be used. This principle refers in particular to the information given to
interested parties on the identity of the controller and the purposes of the processing, and to the additional information
needed to ensure fair and transparent processing with respect to the natural persons affected and their right to
obtain confirmation and communication of the personal data concerning them that are being processed.
Natural persons must be made aware of the risks, rules, safeguards and rights
relating to the processing of personal data, as well as how to exercise their rights in relation to the
processing. In particular, the specific purposes for which personal data are processed must be explicit and
legitimate, and must be determined at the time of collection. Personal data must be adequate,
relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular,
ensuring that the period for which they are kept is limited to a strict minimum. Personal data should only be processed
if the purpose of the processing could not reasonably be achieved by other means. To ensure that personal
data are not kept longer than necessary, the controller has to set deadlines for
their deletion or periodic review. All reasonable measures should be taken to ensure that inaccurate
personal data are rectified or deleted. Personal data must be processed in a way that
guarantees adequate security and confidentiality of the personal data, including to prevent unauthorized access to or
use of such data and of the equipment used in the processing.

(40) For the processing to be lawful, personal data must be processed with the consent of the interested party or
on some other legitimate basis established by law, either in this Regulation or in
other law of the Union or of the Member States referred to in this Regulation, including the
need to comply with the legal obligation applicable to the controller or the need to perform a
contract to which the interested party is a party or in order to take steps at the request of the interested party
prior to the conclusion of a contract.

(41) When this Regulation refers to a legal basis or a legislative measure, this does not necessarily
require a legislative act adopted by a parliament, without prejudice to the requirements
of the constitutional order of the Member State concerned. However, said legal basis or legislative
measure must be clear and precise and its application foreseeable to those subject to it, in accordance with the
jurisprudence of the Court of Justice of the European Union (hereinafter 'Court of Justice') and of the European
Court of Human Rights.

(42) When the processing is carried out with the consent of the interested party, the controller must
be able to demonstrate that the interested party has given consent to the processing operation. In particular, in the
context of a written statement made on another matter, there must be guarantees that the interested party is
aware of the fact that he gives his consent and of the extent to which he does so. In accordance with
Council Directive 93/13/EEC ( 1 ), a model declaration of consent must be provided
in advance by the controller in an intelligible and easily accessible form that uses
clear and simple language and that does not contain abusive clauses. For consent to be informed, the
interested party should know at least the identity of the controller and the purposes of the processing for
which the personal data are intended. Consent should not be considered freely given
when the interested party does not enjoy a genuine or free choice or cannot refuse or withdraw consent without
suffering any harm.

(43) To ensure that consent has been freely given, consent should not constitute a valid legal basis
for the processing of personal data in a specific case in which there is a clear imbalance
between the interested party and the controller, particularly when the controller is a
public authority and it is therefore unlikely that consent has been freely given in all the
circumstances of that particular situation. Consent is presumed not to have been given freely when
it is not possible to authorize separately the different personal data processing operations despite this being
appropriate in the specific case, or when the performance of a contract, including the provision of a service,
is dependent on consent, even if consent is not necessary for such performance.

(44) The treatment must be lawful when necessary in the context of a contract or the intention to conclude a
contract.

(45) When the processing is carried out in compliance with a legal obligation applicable to the controller, or if it is
necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers,
the processing must be based on the law of the Union or of the Member States. This Regulation
does not require that each individual processing operation be governed by a specific rule. One rule may be enough
as the basis for several data processing operations based on a legal obligation applicable to the
controller, or if the processing is necessary for the fulfillment of a mission carried out in the
public interest or in the exercise of public powers. The purpose of the processing should also be determined
under the law of the Union or of the Member States. In addition, that rule could specify the
general conditions of this Regulation governing the lawfulness of the processing of personal data, and
establish specifications for determining the controller, the type of personal data
subject to processing, the interested parties affected, the entities to which personal data can be communicated,
the purpose limitations, the data retention period and other measures to guarantee
lawful and fair processing. It must also be determined under the law of the Union or of the Member
States whether the controller that performs a mission in the public interest or in the exercise of public
powers must be a public authority or other natural or legal person under public law, or, when this is in the
public interest, including for health purposes such as public health, social protection and the management of health
services, a person under private law, such as a professional association.

(46) The processing of personal data should also be considered lawful when necessary to protect an interest
essential for the life of the interested party or that of another natural person. In principle, personal data should only
be processed on the basis of the vital interest of another natural person when the processing manifestly cannot
be based on a different legal basis. Certain types of processing may serve both important reasons
of public interest and the vital interests of the interested party, such as when the
processing is necessary for humanitarian purposes, including the control of epidemics and their spread, or in
humanitarian emergency situations, especially in the case of natural disasters or disasters of human origin.

( 1 ) Council Directive 93/13/EEC of 5 April 1993 on abusive clauses in contracts concluded with consumers
(OJ L 95, 21.4.1993, p. 29).

(47) The legitimate interest of a controller, including that of a controller to whom the personal
data may be communicated, or of a third party, may constitute a legal basis for the processing, provided that
the interests or rights and freedoms of the interested party do not prevail, taking into account the reasonable expectations
of interested parties based on their relationship with the controller. Such a legitimate interest could exist, for example,
when there is a relevant and appropriate relationship between the interested party and the controller, as in situations where
the interested party is a customer or is in the service of the controller. In any case, the existence of a legitimate
interest would require a meticulous evaluation, including of whether an interested party can reasonably foresee, at the
time and in the context of the collection of personal data, that processing may occur for that purpose. In
particular, the interests and fundamental rights of the interested party may prevail over the interests of the
controller when personal data are processed in circumstances in which
the interested party does not reasonably expect further processing. Since it is for the legislator to
establish by law the legal basis for the processing of personal data by public authorities,
this legal basis should not apply to processing carried out by public authorities in the exercise of their
functions. The processing of personal data strictly necessary for fraud prevention
also constitutes a legitimate interest of the controller in question. The processing of personal
data for direct marketing purposes may be considered to be carried out for a legitimate interest.

(48) Controllers that are part of a business group or of entities affiliated with a central body
may have a legitimate interest in transmitting personal data within the business group for internal
administrative purposes, including the processing of personal data of customers or employees. The general principles
applicable to the transmission of personal data, within a business group, to a company located in a
third country are not affected.

(49) The processing of personal data to the extent strictly necessary and proportionate to guarantee
the security of the network and information, that is to say, the ability of a network or information
system to resist, at a given level of confidence, accidental events or illicit or malicious actions
that compromise the availability, authenticity, integrity and confidentiality of personal data stored
or transmitted, and the security of the related services offered by, or accessible through, these
systems and networks, when carried out by public authorities, computer emergency response teams (CERT),
computer security incident response teams (CSIRT), providers of electronic communications networks and
services and providers of security technologies and services, constitutes a legitimate interest of the
controller concerned. This could include, for example, preventing unauthorized access to
electronic communications networks and the distribution of malicious code, and stopping
"denial of service" attacks and damage to computer systems and electronic communications systems.

(50) The processing of personal data for purposes other than those for which they were initially collected
should only be allowed when it is compatible with the purposes of their initial collection. In such a case, no
separate legal basis is required other than the one that allowed the collection of the personal data. If the processing is
necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers
conferred on the controller, the tasks and the purposes for which further processing should be considered compatible
and lawful can be determined and specified in accordance with the law of the Union or of the
Member States. Subsequent processing operations for archival purposes in the public interest, scientific
and historical research purposes or statistical purposes should be considered compatible lawful processing
operations. The legal basis established in the law of the Union or of the Member States for the
processing of personal data can also serve as a legal basis for further processing. In order to
determine whether the purpose of further processing is compatible with the purpose of the initial collection of personal data,
the controller, after having fulfilled all the requirements for the lawfulness of the original processing,
must take into account, among other things, any relationship between those purposes and the purposes of the intended
further processing, the context in which the data were collected, in particular the reasonable expectations of the interested party
based on their relationship with the controller as to their subsequent use, the nature of the personal data, the
consequences for interested parties of the intended further processing and the existence of adequate guarantees both in
the original processing operation and in the intended further processing operation.

If the interested party gave his consent or the processing is based on law of the Union or of the Member
States that constitutes a necessary and proportionate measure in a democratic society to safeguard,
in particular, important objectives of general public interest, the controller must be empowered to carry out
further processing of the personal data, regardless of the compatibility of the purposes. In any case,
the application of the principles established by this Regulation must be ensured and, in particular, the
information of the interested party on those other purposes and on their rights, including the right to object. The
indication of possible criminal acts or threats to public safety by the controller
and the transmission to the competent authority of the data regarding individual cases or several
cases related to the same criminal act or threat to public safety should be considered to be
in the legitimate interest of the controller. However, such transmission in the legitimate interest of the controller,
or the subsequent processing of personal data, must be prohibited if the processing is not compatible with a legal,
professional or other binding obligation of secrecy.

(51) Personal data that, by their nature, are particularly sensitive in
relation to fundamental rights and freedoms deserve special protection, since the context of their processing could entail
important risks for fundamental rights and freedoms. Such personal data must include
personal data that reveal racial or ethnic origin, it being understood that the use of the term "racial
origin" in this Regulation does not imply acceptance by the Union of theories that seek to
determine the existence of separate human races. The processing of photographs should not systematically be considered
processing of special categories of personal data, since photographs are only included
in the definition of biometric data when the fact of being processed with specific technical means allows the
unique identification or authentication of a natural person. Such personal data should not be processed
unless processing is allowed in specific situations referred to in this Regulation, taking into
account that Member States may establish specific provisions on data protection
in order to adapt the application of the rules of this Regulation to the fulfillment of a legal obligation or
of a mission carried out in the public interest or in the exercise of public powers conferred on the
controller. In addition to the specific requirements for that processing, the
general principles and other rules of this Regulation must apply, especially as regards the conditions for
the lawfulness of the processing. Exceptions to the general prohibition on processing
those special categories of personal data must be explicitly established, among other things when the interested party gives
his explicit consent or in the case of specific needs, in particular when the processing is carried out within the framework of
legitimate activities by certain associations or foundations whose objective is to allow the exercise of
fundamental liberties.

(52) Exceptions to the prohibition on processing special categories of personal data should also be authorized
when established by the law of the Union or of the Member States and provided that appropriate guarantees
are given, in order to protect personal data and other fundamental rights, when this is in the public interest, in
particular the processing of personal data in the field of labor legislation and social protection
legislation, including pensions, and for health security, supervision and alert purposes, and the prevention or control of
communicable diseases and other serious threats to health. Such an exception is possible for purposes in the
field of health, including public health and the management of health care services, especially
in order to guarantee the quality and cost-effectiveness of the procedures used to resolve claims for
benefits and services in the health insurance scheme, or for archival purposes in the public
interest, scientific and historical research purposes or statistical purposes. The processing of such personal data
must also be authorized on an exceptional basis when necessary for the formulation, exercise or
defense of claims, whether in a judicial procedure or in an administrative or extrajudicial procedure.

(53) Special categories of personal data that deserve greater protection should only be processed for health-related
purposes when necessary to achieve those purposes for the benefit of natural persons and
society as a whole, particularly in the context of the management of health or social protection services and
systems, including the processing of such data by health management authorities and
central national health authorities for the purposes of quality control, management information and
general national and local supervision of the health or social protection system, and of guaranteeing the continuity of
health care or social protection and cross-border health care, or for health security, supervision
and alert purposes, or for archival purposes in the public interest, scientific or historical research purposes or statistical
purposes, based on law of the Union or of the Member State that has to fulfill an objective of public
interest, as well as for studies conducted in the public interest in the field of public health. Therefore,
this Regulation should establish harmonized conditions for the processing of special categories of
personal data related to health, in relation to specific needs, in particular if the processing of
these data is carried out, for health-related purposes, by persons subject to a legal obligation of professional
secrecy. The law of the Union or of the Member States must establish specific and appropriate measures
to protect the fundamental rights and personal data of natural persons. Member States
must be empowered to maintain or introduce other conditions, including limitations, with respect to the
processing of genetic data, biometric data or health-related data. However, this must not be
an obstacle to the free movement of personal data within the Union when such conditions
apply to the cross-border processing of these data.

(54) The processing of special categories of personal data, without the consent of the interested party, may be
necessary for reasons of public interest in the field of public health. That processing must be subject to
adequate and specific measures to protect the rights and freedoms of natural persons. In that
context, "public health" should be interpreted as defined in Regulation (EC) No 1338/2008 of the European
Parliament and of the Council ( 1 ), that is, all health-related elements, specifically the state of
health, including morbidity and disability, the determinants that influence this state of health,
health care needs, resources allocated to health care, the provision of
health care and universal access to it, as well as the expenses and financing of health care, and
causes of mortality. This processing of health-related data for reasons of public interest should not result in
third parties, such as business owners, insurance companies or banks, processing personal data
for other purposes.

(55) The processing of personal data by public authorities is also carried out for reasons of public interest
in order to achieve the objectives, established in constitutional law or in international law
public, of officially recognized religious associations.

(56) If, in the framework of electoral activities, the functioning of the democratic system requires in a Member State
that political parties collect personal data about people's political opinions, the
processing of these data may be authorized for reasons of public interest, provided that adequate guarantees
are offered.

(57) If the personal data processed by a controller do not allow it to identify a natural person, the controller
should not be required to obtain additional information to identify the interested party for the sole purpose of
complying with any provision of this Regulation. However, the controller must not
refuse to receive additional information provided by the interested party in order to support the exercise of his
rights. The identification must include the digital identification of an interested party, for example by means of an
authentication mechanism, such as the same credentials used by the interested party to log in to
the online service offered by the controller.

(58) The principle of transparency requires that all information addressed to the public or the interested party be concise,
easily accessible and easy to understand, and that clear and simple language be used and, where appropriate,
visualization. This information could be provided electronically, for example, when it is addressed to the public,
through a website. This is especially relevant in situations where the proliferation of agents and the
technological complexity of the practice make it difficult for the interested party to know and understand whether
personal data concerning them are being collected, by whom and for what purpose, as is the case with
online advertising. Since children deserve specific protection, any information and
communication, where processing affects them, should be provided in clear and simple language that is easy to understand.

(59) Formulas should be used to facilitate the interested party's exercise of their rights under this
Regulation, including mechanisms to request and, where appropriate, obtain free of charge, in particular,
access to personal data and their rectification or deletion, as well as the exercise of the right to object. The
controller must also provide means for requests to be submitted
electronically, in particular when personal data are processed electronically. The
controller must be obliged to respond to the requests of the interested party without undue delay and at the latest
within a month, and to explain its reasons if it does not intend to comply with them.

( 1 ) Regulation (EC) No 1338/2008 of the European Parliament and of the Council, of December 16, 2008, on Community statistics on
public health and health and safety at work (OJ L 354, 31.12.2008, p. 70).

(60) The principles of fair and transparent processing require that the interested party be informed of the existence of the
processing operation and its purposes. The controller must provide the interested party with whatever
additional information is necessary to ensure fair and transparent processing, taking into account
the specific circumstances and context in which personal data are processed. The interested party must also be
informed of the existence of profiling and of the consequences of such profiling. If the personal
data are obtained from interested parties, they must also be informed whether they are obliged to provide them and of
the consequences if they do not. This information can be transmitted in combination with
standardized icons that offer, in an easily visible, intelligible and clearly legible way, an adequate
overview of the planned processing. Icons presented in electronic format must be
machine-readable.

(61) Information on the processing of their personal data must be provided to interested parties at the time the data
are obtained from them or, if obtained from another source, within a reasonable period of time, depending on the
circumstances of the case. If personal data can be legitimately communicated to another recipient, the
interested party must be informed at the moment they are communicated to the recipient for the first time. A
controller that plans to process the data for a purpose other than that for which they were collected should
provide the interested party, before such further processing, with information about that other purpose and other necessary
information. When the origin of the personal data cannot be provided to the interested party because several
sources have been used, general information should be provided.

(62) However, it is not necessary to impose the obligation to provide information when the interested party already has
the information, when the registration or communication of personal data is expressly established by
law, or when providing information to the interested party is impossible or requires a disproportionate effort.
This could be particularly the case when the processing is done for archival purposes in the public interest, for purposes
of scientific or historical research or statistical purposes. In this regard, the
number of interested parties, the age of the data and the appropriate guarantees adopted should be taken into consideration.

(63) Interested parties should have the right to access the personal data collected that concern them and to exercise
that right with ease and at reasonable intervals, in order to know and verify the lawfulness of the processing.
This includes the right of interested parties to access health-related data, for example the data in their
medical records containing information such as diagnoses, test results, evaluations by
doctors and any treatments or interventions carried out. Every interested party should therefore have the
right to know and to be informed of, in particular, the purposes for which personal data are processed,
the period for which they are processed, their recipients, the logic implicit in all automatic processing of personal data
and, at least when it is based on profiling, the consequences of such processing. If
possible, the controller should be empowered to provide remote access to a secure system that
offers the interested party direct access to their personal data. This right should not adversely affect the
rights and freedoms of third parties, including trade secrets or intellectual property and, in particular,
intellectual property rights that protect computer programs. However, these considerations must
not result in a refusal to provide all the information to the interested party. If the controller processes a large quantity of
information regarding the interested party, the controller must be authorized to request that, before
the information is provided, the interested party specify the information or processing activities to which the
request refers.

(64) The controller must use all reasonable measures to verify the identity of the
interested parties requesting access, particularly in the context of online services and online
identifiers. The controller should not keep personal data for the sole purpose of being able to respond to possible
requests.

(65) Interested parties should have the right to have their personal data rectified and a "right to be
forgotten" if the retention of such data violates this Regulation or the law of the Union or of the Member
States applicable to the controller. In particular, interested parties should have the right to have their
personal data deleted and no longer processed if they are no longer necessary for the purposes for which they were
collected or otherwise processed, if the interested parties have withdrawn their consent to the processing or
object to the processing of personal data concerning them, or if the processing of their personal data
otherwise violates this Regulation. This right is relevant in particular if the interested party gave his
consent as a child, not being fully aware of the risks involved in the processing, and
later wants to delete such personal data, especially on the internet. The interested party should be able to exercise this
right even if he is no longer a child. However, the subsequent retention of personal data must be lawful
when necessary for the exercise of freedom of expression and information, for the fulfillment of a
legal obligation, for the fulfillment of a mission carried out in the public interest or in the exercise of public
powers conferred on the controller, for reasons of public interest in the field of public
health, for archival purposes in the public interest, scientific or historical research purposes or statistical purposes, or
for the formulation, exercise or defense of claims.

(66) In order to strengthen the "right to be forgotten" in the online environment, the right of deletion should be extended in such
a way that a controller that has made personal data public is obliged to inform the
controllers that are processing such personal data that they should delete any link to them, or any
copies or replicas of such data. In doing so, said controller must take reasonable measures, taking into account
the technology and the means at its disposal, including technical measures, to inform the controllers
processing the personal data of the request from the interested party.

(67) Methods to limit the processing of personal data could include temporarily transferring
the selected data to another treatment system, preventing users from accessing the selected
personal data, or temporarily withdrawing published data from an internet site. In automated
files, the limitation of treatment should be carried out, in principle, by technical means, so that
the personal data is not subject to further processing operations and cannot be modified. The fact that the
treatment of personal data is limited must be clearly indicated in the system.

(68) To further strengthen control over their own data, when the processing of personal data takes place
by automated means, interested parties should also be allowed to receive the personal data
concerning them that they have provided to a controller in a structured, commonly used,
machine-readable and interoperable format, and to transmit them to another controller. Controllers should be
encouraged to create interoperable formats that allow data portability. That right must apply
when the interested party has provided the personal data giving his consent or when the treatment is
necessary for the execution of a contract. It should not be applied when the treatment has a legal basis
other than consent or contract. By its very nature, said right should not be exercised against
controllers processing personal data in the exercise of their public functions. Therefore, it should not be applied
when the processing of personal data is necessary to fulfill a legal obligation applicable to the
controller or for the fulfillment of a mission carried out in the public interest or in the exercise of public
powers conferred on the controller. The right of the interested party to transmit or receive personal data
concerning them should not oblige the controller to adopt or maintain treatment systems that are technically
compatible. When a particular set of personal data concerns more than one interested party, the right
to receive such data should be understood without prejudice to the rights and freedoms of other interested parties
in accordance with this Regulation. On the other hand, that right should not undermine the right of the
interested party to obtain the deletion of personal data and the limitations of that right contained in
this Regulation, and in particular should not imply the deletion of personal data concerning the
interested party that the latter has provided for the execution of a contract, to the extent and during the time in which the
personal data are necessary for the execution of said contract. The interested party must have the right to
have the personal data transmitted directly from one controller to another, when technically
possible.

(69) In cases where personal data can be treated lawfully because the processing is necessary for
the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the
controller, or for reasons of legitimate interests of the controller or of a third party, the interested party
must, however, have the right to object to the processing of any personal data relating to their particular
situation. It must be the controller who demonstrates that its compelling legitimate interests prevail over the
interests or fundamental rights and freedoms of the interested party.

(70) If personal data is processed for direct marketing purposes, the interested party must have the right to
oppose such treatment, including profiling insofar as it is related to
said direct marketing, whether with respect to an initial or subsequent treatment, at any time
and at no cost. Said right must be explicitly communicated to the interested party and presented clearly and
separately from any other information.

(71) The interested party must have the right not to be the subject of a decision, which may include a measure, that evaluates
personal aspects related to them, is based solely on automated processing and produces legal
effects on them or significantly affects them in a similar way, such as the automatic denial of an
online credit application or online recruitment services where there is no human intervention. This type
of processing includes profiling, consisting of any form of personal data
processing that evaluates personal aspects related to a natural person, in particular to analyze or predict
aspects related to work performance, economic status, health, preferences or
personal interests, reliability or behavior, situation or movements of the interested party, to the
extent that it produces legal effects on them or significantly affects them in a similar way. However,
decisions based on such treatment, including profiling, must be allowed if expressly authorized
by the law of the Union or of the Member States applicable to the controller, including
for the purpose of control and prevention of fraud and tax evasion, carried out in accordance with the
regulations, standards and recommendations of the Union institutions or national supervisory bodies,
and to guarantee the safety and reliability of a service provided by the controller, or if
necessary for the conclusion or execution of a contract between the interested party and a controller, or
in cases in which the interested party has given explicit consent. In any case, said treatment
must be subject to the appropriate guarantees, which must include specific information to the interested party and
the right to obtain human intervention, to express their point of view, to receive an explanation of the decision
taken after such evaluation and to challenge the decision. Such a measure should not affect a minor.

In order to guarantee a fair and transparent treatment with respect to the interested party, taking into account the specific
circumstances and context in which personal data are processed, the data controller must
use appropriate mathematical or statistical procedures for profiling, and apply appropriate
technical and organizational measures to ensure, in particular, that the factors that introduce
inaccuracies in personal data are corrected and the risk of error is minimized, securing personal data in
such a way that the possible risks to the interests and rights of the interested party are taken into account and,
among other things, discriminatory effects on individuals based on race or ethnic origin, political
opinions, religion or beliefs, union affiliation, genetic condition or state of health or sexual orientation, or
measures that produce such an effect, are prevented. Automated decisions and profiling on the
basis of particular categories of personal data should only be allowed under specific conditions.

(72) Profiling is subject to the rules of this Regulation governing the processing of personal
data, such as the legal basis of the treatment or the principles of data protection. The European
Data Protection Committee established by this Regulation (hereafter referred to as the "Committee") must have the
possibility of formulating guidelines in this context.

(73) The law of the Union or of the Member States may impose restrictions on certain principles and on the
rights of information, access, rectification or deletion of personal data, the right to data
portability, the right to object, decisions based on profiling, as well as the communication
of a violation of the security of personal data to an interested party and certain related obligations
of controllers, to the extent necessary and proportionate in a democratic
society to safeguard public safety, including the protection of human life, especially in
response to natural or man-made disasters, the prevention, investigation and prosecution of
criminal offenses or the execution of criminal penalties, including protection against threats to
public safety or violations of deontological norms in regulated professions, and their prevention, other
important objectives of general public interest of the Union or of a Member State, in particular an
important economic or financial interest of the Union or of a Member State, the keeping of public records
for reasons of general public interest, the further processing of archived personal data to offer
specific information related to political behavior during the regimes of former totalitarian
states, or the protection of the interested party or of the rights and freedoms of others, including social protection,
public health and humanitarian purposes. These restrictions must comply with the provisions of the Charter and the
European Convention for the Protection of Human Rights and Fundamental Freedoms.

(74) The responsibility of the data controller must be established for any processing of personal
data carried out by the controller or on its behalf. In particular, the controller must be obliged to apply
timely and effective measures and must be able to demonstrate the conformity of the treatment activities with
this Regulation, including the effectiveness of the measures. Such measures must take into account the nature,
scope, context and purposes of the treatment as well as the risk to the rights and freedoms of natural
persons.

(75) The risks to the rights and freedoms of natural persons, of varying severity and probability, may
be due to the processing of data that could cause physical, material or immaterial damages and losses, in
particular in cases where the treatment may lead to discrimination problems, identity
theft or fraud, financial losses, damage to reputation, loss of confidentiality of data subject to
professional secrecy, unauthorized reversal of pseudonymisation or any other significant economic or social
damage; in cases where interested parties are deprived of their rights and freedoms or are prevented from exercising
control over their personal data; in cases where the personal data processed reveal ethnic or racial
origin, political opinions, religion or philosophical beliefs, or union membership, and the
treatment of genetic data, health-related data or data on sexual life, or convictions and
criminal offenses or related security measures; in cases where personal aspects are evaluated, in
particular the analysis or prediction of aspects related to work performance, economic situation,
health, preferences or personal interests, reliability or behavior, situation or movements, in order to
create or use personal profiles; in cases where personal data of vulnerable people is processed, in
particular children; or in cases where the processing involves a large amount of personal data and affects
a large number of interested parties.

(76) The probability and severity of the risk to the rights and freedoms of the interested party must be determined with
reference to the nature, scope, context and purposes of data processing. The risk must be weighted
on the basis of an objective evaluation by which it is determined whether the data processing operations
pose a risk or a high risk.

(77) Guidelines could be provided for the application of appropriate measures and to demonstrate compliance
by the controller or the processor, especially with regard to the identification of the
risk related to the treatment, to its evaluation in terms of origin, nature, probability and severity,
and to the identification of good practices to mitigate risk, which in particular take the form of approved
codes of conduct, approved certifications, guidelines given by the Committee or indications provided
by a data protection delegate. The Committee may also issue guidelines on treatment
operations deemed unlikely to pose a high risk to the rights and freedoms of natural
persons, and indicate what measures may be sufficient in such cases to address the risk in question.

(78) The protection of the rights and freedoms of natural persons with respect to the processing of personal data
requires the adoption of appropriate technical and organizational measures in order to ensure compliance with the
requirements of this Regulation. In order to demonstrate compliance with this Regulation, the
controller must adopt internal policies and apply measures that comply in particular with
the principles of data protection by design and by default. Such measures could consist, among others, of
minimizing the processing of personal data, pseudonymizing personal data as soon as possible, giving
transparency to the functions and the processing of personal data, allowing interested parties to monitor the
data processing, and allowing the data controller to create and improve security elements. When developing,
designing, selecting and using applications, services and products that are based on the processing of personal
data or that process personal data to fulfill their function, the producers of the
products, services and applications should be encouraged to take into account the right to data protection when developing
and designing these products, services and applications, and to ensure, with due attention to the state of the
art, that controllers and processors are able to fulfill their
obligations regarding data protection. The principles of data protection by design and by
default must also be taken into account in the context of public contracts.

(79) The protection of the rights and freedoms of the interested parties, as well as the responsibility of controllers and
processors, also with regard to supervision by the supervisory authorities and
to the measures taken by them, require a clear attribution of responsibilities under this
Regulation, including cases in which a controller determines the purposes and means of treatment
jointly with other controllers, or in which the treatment is carried out on behalf of a controller.

(80) A controller or processor not established in the Union that is processing personal data of
interested parties residing in the Union, and whose treatment activities are related to the supply of goods
or services to those interested parties in the Union, regardless of whether payment by them is required, or
to the monitoring of their behavior insofar as it takes place in the Union, must designate a
representative, unless the treatment is occasional, does not include large-scale treatment of special
categories of personal data or the processing of personal data relating to convictions and criminal offenses, and
is unlikely to entail a risk to the rights and freedoms of natural persons, given the nature,
context, scope and purposes of the treatment, or if the controller is a public authority or
body. The representative must act on behalf of the controller or the processor and can be contacted by
any control authority. The representative must be expressly appointed by written mandate of the
controller or the processor to act on its behalf with respect to the obligations incumbent on it
under this Regulation. The appointment of said representative does not affect the responsibility of the
controller or the processor under this Regulation. Said representative must perform their
functions in accordance with the mandate received from the controller or the processor, including cooperation with
the competent control authorities in relation to any action taken to ensure
compliance with this Regulation. The designated representative must be subject to coercive measures in
case of non-compliance by the controller or the processor.

(81) To ensure compliance with the provisions of this Regulation regarding the treatment carried out by
the processor on behalf of the controller, the controller, when entrusting treatment activities to a processor,
should only resort to processors who offer sufficient guarantees, in particular as regards
specialized knowledge, reliability and resources, in view of the application of technical and organizational measures
that meet the requirements of this Regulation, including the security of the treatment. The adherence of the
processor to an approved code of conduct or an approved certification mechanism can serve as an
element to demonstrate compliance with the obligations of the controller. The treatment by a
processor must be governed by a contract or other legal act in accordance with the law of the Union or of the Member
States, linking the processor with the controller and setting the object and the duration of the treatment, the
nature and purposes of the treatment, the type of personal data and the categories of interested parties, taking into account the
specific roles and responsibilities of the processor in the context of the treatment to be carried out and
the risk to the rights and freedoms of the interested party. The controller and the processor can choose to rely
on an individual contract or on standard contractual clauses that the Commission directly adopts or that are first
adopted by a supervisory authority in accordance with the coherence mechanism and subsequently by the Commission.
Once the treatment on behalf of the controller is finished, the processor must, at the controller's election, return or
delete the personal data, unless the law of the Union or of the Member States applicable to the processor
requires the data to be kept.

(82) To demonstrate compliance with this Regulation, the controller or the processor must
keep records of the treatment activities under its responsibility. All controllers and processors
are obliged to cooperate with the supervisory authority and make such records available to it upon request,
so that they can be used to monitor treatment operations.

(83) In order to maintain security and prevent the treatment from violating the provisions of this Regulation, the
controller or the processor must evaluate the risks inherent in the treatment and apply measures to mitigate them,
such as encryption. These measures must ensure an adequate level of security, including confidentiality,
taking into account the state of the art and the cost of their application with respect to the risks and the nature of
the personal data that must be protected. When assessing risk in relation to data security, account should be
taken of the risks that arise from the processing of personal data, such as the accidental or unlawful destruction,
loss or alteration of personal data transmitted, preserved or otherwise treated, or the
unauthorized communication of or access to such data, which are particularly susceptible to causing physical,
material or immaterial damages.

(84) In order to improve compliance with this Regulation in those cases in which it is likely that the
treatment operations involve a high risk for the rights and freedoms of natural persons, it must
be incumbent upon the controller to carry out an impact assessment related to the protection of
data, assessing, in particular, the origin, nature, particularity and severity of said risk. The
result of the evaluation must be taken into account when deciding on the appropriate measures to be taken
in order to demonstrate that the processing of personal data is in accordance with this Regulation. If
an impact assessment related to data protection shows that processing operations involve
a high risk that the controller cannot mitigate with appropriate measures in terms of available technology
and application costs, the control authority should be consulted before treatment.

(85) If adequate measures are not taken in time, violations of the security of personal data may
entail physical, material or immaterial damages for natural persons, such as loss of control
over their personal data or restriction of their rights, discrimination, identity theft, financial
losses, unauthorized reversal of pseudonymisation, damage to reputation, loss of confidentiality
of data subject to professional secrecy, or any other significant economic or social damage to the natural
person in question. Therefore, as soon as the controller is aware that
there has been a violation of the security of personal data, the controller must, without undue delay
and, if possible, no later than 72 hours after becoming aware of it, notify the violation of the
security of personal data to the competent control authority, unless the controller can
demonstrate, according to the principle of proactive responsibility, that the violation of the
security of personal data is unlikely to involve a risk to the rights and freedoms of natural persons. If
such notification is not possible within 72 hours, it must be accompanied by an indication of the reasons for
the delay, and information may be provided in phases without further undue delay.

(86) The controller must notify the interested party without undue delay of the violation of the security of
personal data in case it may involve a high risk for their rights and freedoms, and allow them to
take the necessary precautions. The communication must describe the nature of the violation of the security of
personal data and recommendations for the affected individual to mitigate the potential adverse
effects of the violation. Such communications to interested parties should be made as soon as
is reasonably possible and in close cooperation with the supervisory authority, following its guidance or
that of other competent authorities, such as police authorities. Thus, for example, the need to mitigate
a risk of immediate damages would justify rapid communication with the interested parties, while
the need to apply appropriate measures to prevent continuing or similar violations of the security of
personal data may justify the communication taking more time.

(87) It should be verified whether all appropriate technological protection has been applied and timely organizational
measures have been taken to determine immediately if there has been a violation of the security of personal
data and to inform the control authority and the interested party without delay. It must be verified that the
notification has been made without undue delay taking into account, in particular, the nature and severity of the
violation of the security of personal data and its consequences and adverse effects for the interested party. Such
notification may result in an intervention by the supervisory authority in accordance with the functions and
powers established by this Regulation.

(88) When establishing implementing provisions on the format and procedures applicable to the notification of
violations of the security of personal data, due account must be taken of the circumstances of such
violation, including whether the personal data had been protected by adequate technical protection
measures, effectively limiting the likelihood of identity theft or other forms of misuse.
Also, these rules and procedures must take into account the legitimate interests of the police
authorities in cases where premature communication could unnecessarily impede the investigation of
the circumstances of a violation of the security of personal data.

(89) Directive 95/46/EC established the general obligation to notify the processing of personal data to the
control authorities. Despite involving administrative and financial burdens, this obligation did not
contribute in all cases to improving the protection of personal data. Therefore, these indiscriminate
general notification obligations must be eliminated and replaced by effective procedures and mechanisms
that focus instead on the types of treatment operations that, by their nature, scope, context and
purposes, probably entail a high risk for the rights and freedoms of natural persons. These types of
treatment operations may be, in particular, those that involve the use of new technologies, or are of a
new class for which the controller has not previously carried out an impact assessment related to
data protection, or for which such an assessment becomes necessary given the time elapsed since the initial treatment.

(90) In such cases, the person responsible must carry out, before treatment, an impact assessment related to the
data protection in order to assess the particular severity and probability of high risk, taking into account
the nature, scope, context and purposes of the treatment and the origins of the risk. This impact assessment
it must include, in particular, the measures, guarantees and mechanisms provided to mitigate the risk, guarantee the
protection of personal data and demonstrate compliance with this Regulation.

(91) The foregoing should apply, in particular, to large-scale treatment operations that seek to treat a
considerable amount of personal data at regional, national or supranational level and that could affect a
large number of interested parties and probably carry a high risk, for example, due to their sensitivity,
when, depending on the level of technical knowledge achieved, a new technology has been used on a large
scale, and to other treatment operations that pose a high risk to the rights and freedoms of
interested parties, particularly when these operations make it more difficult for interested parties to exercise their
rights. The impact assessment related to data protection must also be carried out in cases where
personal data is processed to make decisions regarding specific natural persons following a
systematic and exhaustive evaluation of personal aspects of natural persons, based on profiling
of said data, or following the treatment of special categories of personal data, biometric data
or data on convictions and criminal offenses or related security measures. An
impact assessment related to data protection is also needed for the large-scale monitoring of publicly accessible areas,
in particular when optoelectronic devices are used, or for any other type of operation when the
competent supervisory authority considers that the treatment probably involves a high risk for the
rights and freedoms of the interested parties, in particular because it prevents the interested parties from exercising a right or
using a service or executing a contract, or because it is done systematically on a large scale. The treatment of
personal data should not be considered large-scale if it is carried out, regarding personal data of patients or
clients, by a single doctor, another health professional or lawyer. In these cases, the impact assessment related to
data protection should not be mandatory.

(92) There are circumstances in which it may be reasonable and economical for an impact assessment related to
data protection to cover more than a single project, for example, in the event that public authorities or
bodies plan to create a common application or treatment platform, or if several controllers
plan to introduce a common application or treatment environment in a business sector or segment or
for a horizontal activity of generalized use.

(93) The Member States, when adopting the Law on which the performance of the functions of the authority is based
public or public body and that regulates the operation or set of treatment operations in
question, they may consider it necessary to carry out such evaluation prior to the activities of
treatment.

(94) The supervisory authority should be consulted before initiating treatment activities if an impact
assessment related to data protection shows that, in the absence of guarantees, security measures and
mechanisms aimed at mitigating risks, treatment would entail a high risk for the rights and
freedoms of natural persons, and the controller considers that the risk cannot be mitigated by
reasonable means in terms of available technology and application costs. Such a high
risk is likely to be due to certain types of treatment and to the scope and frequency of the treatment, which can also
cause damages or an interference in the rights and freedoms of the natural person. The supervisory
authority must respond to the request for consultation within a specified period. However, the absence of
a response from the supervisory authority within that period must not prevent any intervention of said
authority based on the functions and powers attributed to it by this Regulation, including the power to prohibit
treatment operations. As part of this consultation process, the result of an impact assessment related to
data protection carried out in relation to the treatment in question can be submitted to the supervisory
authority, in particular the measures planned to mitigate the risks to rights and freedoms
of natural persons.

(95) The processor must assist the controller when necessary and at its request, in order to ensure
compliance with the obligations arising from the performance of the impact assessments related to
data protection and from prior consultation with the supervisory authority.

(96) Consultations should also take place with the supervisory authority in the course of preparing a legislative
or regulatory measure that establishes the processing of personal data, in order to ensure that the intended
treatment complies with this Regulation and, in particular, to mitigate the risk that the
treatment involves for the interested party.

(97) When supervising internal compliance with this Regulation, the controller or the processor must
have the help of a person with specialized knowledge of law and practice in matters of
data protection if the processing is carried out by a public authority, except for the courts or other
independent judicial authorities in the exercise of their judicial function, if in the private sector the treatment
is carried out by a controller whose main activities consist of large-scale treatment operations that
require regular and systematic monitoring of interested parties, or if the main activities of the controller
or the processor consist of the large-scale treatment of special categories of personal data and data
relating to convictions and criminal offenses. In the private sector, the main activities of a controller
are related to its primary activities and are not related to the processing of personal data
as auxiliary activities. The level of expertise required must be determined, in particular,
depending on the data processing operations carried out and the protection required for the
personal data processed by the controller or the processor. Such data protection delegates, whether or not
they are employees of the controller, must be able to perform their functions and duties
independently.

(98) Associations or other bodies representing categories of controllers or processors should be encouraged to
develop codes of conduct, within the limits set by this Regulation, in order to facilitate
its effective application, taking into account the specific characteristics of the processing carried out in
certain sectors and the specific needs of microenterprises and small and medium enterprises.
These codes of conduct could in particular establish the obligations of controllers and processors,
taking into account the probable risk to the rights and freedoms of natural persons arising from the
processing.

(99) When developing a code of conduct, or when modifying or extending such a code, associations and other bodies
representing categories of controllers or processors should consult the relevant stakeholders, including
the interested parties when possible, and take into account the submissions received and opinions expressed
in response to such consultations.

(100) In order to increase transparency and compliance with this Regulation, the establishment of
certification mechanisms and data protection seals and marks should be encouraged, allowing interested
parties to evaluate more quickly the level of data protection of the corresponding products and services.

(101) Cross-border flows of personal data to and from countries outside the Union and international
organizations are necessary for the expansion of international trade and cooperation. The increase in
these flows raises new challenges and concerns regarding the protection of personal
data. However, if personal data is transferred from the Union to controllers, processors or other
recipients in third countries or international organizations, this should not undermine the level of
protection of natural persons guaranteed in the Union by this Regulation, not even in onward
transfers of personal data from the third country or international organization to controllers and
processors in the same or another third country or international organization. In any case, transfers to
third countries and international organizations can only be carried out in full compliance with this
Regulation. A transfer could only take place if, subject to the other provisions of this
Regulation, the controller or processor complies with the provisions of this Regulation regarding the
transfer of personal data to third countries or international organizations.

(102) This Regulation is without prejudice to the international agreements concluded between the Union and
third countries that regulate the transfer of personal data, including the appropriate guarantees for
interested parties. Member States may conclude international agreements that involve the transfer of
personal data to third countries or international organizations provided that such agreements do not affect
this Regulation or any other provision of Union law and include an adequate level of
protection of the fundamental rights of the interested parties.

(103) The Commission may decide, with effect for the whole Union, that a third country, a territory or a specific sector
of a third country, or an international organization offers an adequate level of data protection, thereby
providing legal certainty and uniformity throughout the Union as regards the third country or
international organization considered to offer such a level of protection. In these cases, transfers of
personal data to these countries may be carried out without requiring any other type of authorization. The
Commission may also decide to revoke that decision, after giving notice and a complete reasoned statement
to the third country or international organization.

(104) In line with the fundamental values on which the Union is based, in particular the protection of
human rights, the Commission, in its evaluation of the third country, or of a specific territory or sector of a
third country, must take into account how that third country respects the rule of law,
access to justice and international human rights norms and standards, and its general and sectoral
law, including legislation related to public safety, defense and national security, as well
as public order and criminal law. The adoption of an adequacy decision with respect to a
territory or a specific sector of a third country must take into account clear and objective criteria, such as
specific processing activities and the scope of the applicable legal norms and the legislation in force in the
third country. The third country must offer guarantees that ensure an adequate level of protection
essentially equivalent to that offered in the Union, in particular when personal data is processed in one or
several specific sectors. In particular, the third country must ensure that there is truly independent
data protection supervision and establish cooperation mechanisms with the data protection
authorities of the Member States, as well as granting interested parties effective and enforceable rights
and effective administrative and judicial remedies.

(105) Apart from the international commitments acquired by the third country or international organization, the
Commission must take into account the obligations resulting from the participation of the third country or
international organization in multilateral or regional systems, in particular in relation to the protection of
personal data, and the fulfillment of those obligations. In particular, account should be taken of the third
country's accession to the Council of Europe Convention of January 28, 1981, for the protection of persons
with respect to automated processing of personal data and its Additional Protocol. The Commission should
consult the Committee when assessing the level of protection existing in third countries or international
organizations.

(106) The Commission should monitor the implementation of decisions on the level of protection in a third country, a
territory or a specific sector of a third country, or an international organization, and the application of
decisions taken on the basis of article 25, paragraph 6, or article 26, paragraph 4, of
Directive 95/46/EC. In its adequacy decisions, the Commission must establish a mechanism for the periodic
review of their application. Such periodic review must be carried out in collaboration with the third country or
international organization in question and take into account all relevant developments in
said third country or international organization. For the purposes of monitoring and of conducting the periodic
reviews, the Commission must take into account the opinions and conclusions of the European Parliament and the
Council, as well as other relevant bodies and sources. The Commission must evaluate, within a reasonable period of time,
the application of said decisions and report any pertinent conclusion to the Committee, within the meaning of
Regulation (EU) No 182/2011 of the European Parliament and of the Council ( 1 ), established under this Regulation,
to the European Parliament and to the Council.

(107) The Commission may recognize that a third country, a specific territory or sector in a third country, or an
international organization no longer guarantees an adequate level of data protection. Consequently, the
transfer of personal data to said third country or international organization must be prohibited, unless
the requirements of this Regulation regarding transfers based on adequate guarantees,
including binding corporate standards, and exceptions applied to specific situations are met. In that case,
consultations between the Commission and those third countries or international organizations should be
established. The Commission must inform the third country or international organization in a timely manner of the
reasons and start consultations in order to remedy the situation.

(108) In the absence of a decision confirming the adequacy of data protection, the controller or
the processor must take measures to compensate for the lack of data protection in a third country
through adequate guarantees for the interested party. Such adequate guarantees may consist of recourse to
binding corporate standards, to standard data protection clauses adopted by the Commission or by a
supervisory authority, or to contractual clauses authorized by a supervisory authority. Those guarantees must
ensure compliance with data protection requirements and with the rights of interested parties appropriate to
processing within the Union, including the availability to interested parties of enforceable rights and of
effective legal remedies, including the right to obtain effective administrative or judicial redress and
to claim compensation, in the Union or in a third country. In particular, they must refer to compliance with
the general principles related to the processing of personal data and the principles of data protection
by design and by default. Transfers can also be made by public authorities or bodies with
public authorities or bodies of third countries or with international organizations with corresponding powers or
functions, also on the basis of provisions incorporated into administrative agreements,
such as a memorandum of understanding, that recognize enforceable and effective rights for the interested parties. If the
guarantees are contained in administrative agreements that are not legally binding, the
authorization of the competent supervisory authority must be obtained.

(109) The possibility that the controller or the processor may resort to standard data protection
clauses adopted by the Commission or a supervisory authority must not prevent controllers or processors
from including the standard data protection clauses in a broader contract, such as a contract between two
processors, or from adding other clauses or additional guarantees, provided they do not contradict, directly or
indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority, or undermine
the fundamental rights or freedoms of the interested parties. Controllers and processors should be
encouraged to offer additional guarantees through contractual commitments that complement the standard
data protection clauses.

( 1 ) Regulation (EU) No 182/2011 of the European Parliament and of the Council, of February 16, 2011, which establishes the rules and
the general principles concerning the modalities of control by the Member States of the exercise of the powers of
execution by the Commission (OJ L 55, 28.2.2011, p. 13).

(110) Every business group or union of companies engaged in a joint economic activity must have the
possibility of invoking authorized binding corporate standards for international transfers from the
Union to organizations within the same business group or union of companies engaged in a joint
economic activity, provided that such corporate standards incorporate all the essential principles and
applicable rights in order to offer adequate guarantees for transfers or categories of transfers
of personal data.

(111) Provision should be made for the possibility of making transfers in certain circumstances where the
interested party has given explicit consent, if the transfer is occasional and necessary in relation to a contract or a
claim, regardless of whether it is a judicial proceeding or an administrative or
extrajudicial proceeding, including procedures before regulatory bodies. Provision should also be made for the
possibility of making transfers when required by important reasons of public interest established by the
law of the Union or of the Member States, or when the transfer is made from a register
established by law and intended for consultation by the public or by persons who have a legitimate interest. In
the latter case, the transfer should not affect all of the personal data or entire categories of data
included in the register and, when the register is intended for consultation by persons who have a legitimate
interest, the transfer should only be made at the request of said persons or, if they are going to be the recipients,
taking full account of the interests and fundamental rights of the interested party.

(112) These exceptions should apply in particular to transfers of data required and necessary for important
reasons of public interest, for example in case of international data exchanges between competition
authorities, tax or customs administrations, between financial supervisory authorities,
between services competent in the field of social security or public health, for example in the case of
contacts intended to trace contagious diseases or to reduce and/or eliminate doping in sports. The
transfer of personal data should also be considered lawful if it is necessary to protect an
interest essential for the vital interests of the interested party or of another person, including physical integrity
or life, if the interested party is not in a position to give consent. In the absence of an adequacy decision,
Union or Member State law may expressly limit, for important reasons of public
interest, the transfer of specific categories of data to a third country or to an international organization.
Member States must notify these provisions to the Commission. Any transfer to an international
humanitarian organization of personal data of an interested party who does not have the physical or legal
capacity to give consent, in order to perform a task based on the Geneva Conventions or to
comply with the international humanitarian law applicable in armed conflicts, may be considered necessary
for an important reason of public interest or because it is in the vital interest of the interested party.

(113) Transfers that can be classified as non-repetitive and that only concern a limited number of interested parties
must also be possible if they serve the compelling legitimate interests of the controller, if
the interests or rights and freedoms of the interested party do not prevail over them and the controller has evaluated
all the circumstances surrounding the data transfer. The controller must pay special attention to
the nature of the personal data, the purpose and duration of the proposed processing operation or
operations, as well as the situation in the country of origin, the third country and the country of final destination,
and offer appropriate guarantees to protect the fundamental rights and freedoms of natural persons with respect to
the processing of their personal data. Such transfers should only be possible in isolated cases, when
none of the other grounds for transfer is applicable. For scientific or historical research purposes or
statistical purposes, the legitimate expectations of society regarding an increase in knowledge should be
taken into account. The controller must report the transfer to the supervisory authority and the interested party.

(114) In any case, when the Commission has not taken any decision on the adequate level of
data protection in a third country, the controller or the processor must adopt solutions that
guarantee interested parties enforceable and effective rights with respect to the processing of their data in the Union
once these are transferred, so that they continue to benefit from fundamental rights and guarantees.

(115) Some third countries adopt laws, regulations and other legal acts that purport to regulate
directly the processing activities of natural and legal persons under the jurisdiction of the Member
States. This may include judgments of courts or decisions of administrative authorities
of third countries that require a controller or processor to transfer or communicate personal
data, and that are not based on an international agreement, such as a mutual legal assistance treaty, in force
between the requesting third country and the Union or a Member State. The extraterritorial application of these laws,
regulations and other legal acts may be contrary to international law and prevent the protection of
natural persons guaranteed in the Union under this Regulation. Transfers should only
be authorized when the conditions of this Regulation regarding transfers to third
countries are met. Such may be the case, among others, when communication is necessary for an important reason of
public interest recognized by the law of the Union or of the Member States applicable to the
controller.

(116) When personal data moves across borders outside the Union, the ability of natural persons to
exercise data protection rights, in particular in order to protect themselves against the illegal use or
communication of such information, may be put at greater risk. At the same time, the supervisory
authorities may be unable to process claims or conduct investigations
related to activities carried out outside their borders. Their efforts to collaborate in the cross-border
context can also be hampered by insufficient preventive or corrective powers,
inconsistent legal regimes and practical obstacles, such as a shortage of resources. It is therefore
necessary to foster closer cooperation between the supervisory authorities responsible for
data protection to help them exchange information and conduct investigations with their international
counterparts. In order to develop international cooperation mechanisms that facilitate and provide
international assistance in the implementation of legislation on the protection of personal data, the Commission and
the supervisory authorities must exchange information and cooperate in activities related to the exercise of their
competencies with the competent authorities of third countries, on the basis of reciprocity and
in accordance with this Regulation.

(117) The establishment in the Member States of supervisory authorities empowered to perform their functions
and exercise their powers with full independence constitutes an essential element of the protection of
natural persons with respect to the processing of personal data. Member States must have the
possibility of establishing more than one supervisory authority, in order to reflect their constitutional,
organizational and administrative structure.

(118) The independence of the supervisory authorities should not mean that such authorities may be exempted
from control or supervision mechanisms in relation to their financial expenses, or from judicial control.

(119) If a Member State establishes several supervisory authorities, it must provide by law mechanisms to ensure
the effective participation of these supervisory authorities in the coherence mechanism. Such Member State
must, in particular, designate the supervisory authority that will act as the single point of contact for the
effective participation of these authorities in the aforementioned mechanism, thus guaranteeing rapid and
fluid cooperation with other supervisory authorities, the Committee and the Commission.

(120) All supervisory authorities should be provided with the financial and human resources, premises and
infrastructure necessary for the effective performance of their functions, particularly those related to
mutual assistance and cooperation with other supervisory authorities of the Union. Each supervisory authority
must have its own annual public budget, which may be part of the general budget of the
State or of another national level.

(121) The general conditions applicable to the member or members of the supervisory authority should be established
by law in each Member State and provide, in particular, that said members must be appointed, by a
transparent procedure, by Parliament, the Government or the head of State of the Member State, on a proposal
from the Government, from a member of the Government or from Parliament or one of its chambers, or by an independent
body responsible for the appointment under the law of the Member States. In order to guarantee the
independence of the supervisory authority, its members must act with integrity, refrain from any
action that is incompatible with their functions and not participate, during their mandate, in any
incompatible professional activity, whether or not paid. The supervisory authority must have its own staff,
selected by it or by an independent body established by the law of the Member States,
which is subordinate exclusively to the member or members of the supervisory authority.

(122) Each supervisory authority must be competent, in the territory of its Member State, to exercise the powers and
perform the functions entrusted to it in accordance with this Regulation. The above must
cover, in particular, processing in the context of the activities of an establishment of the controller or of the
processor in the territory of its Member State, the processing of personal data carried out by public
authorities or by private organizations acting in the public interest, processing that affects interested parties in its
territory, or processing carried out by a controller or a processor who is not established in the Union
when its recipients are interested parties residing in its territory. It must include the examination of claims
submitted by an interested party, the conduct of investigations on the application of this Regulation and the
promotion of public awareness of risks, standards, guarantees and rights in
relation to the processing of personal data.

(123) In order to protect natural persons with respect to the processing of their personal data and to facilitate the free
circulation of personal data in the internal market, supervisory authorities must supervise the
application of the provisions adopted in accordance with this Regulation and contribute to its consistent
application throughout the Union. For this purpose, the supervisory authorities must cooperate with each other and
with the Commission, without the need for any agreement between Member States on the provision of mutual
assistance or on such cooperation.

(124) If the processing of personal data is carried out in the context of the activities of an establishment of a
controller or a processor in the Union and the controller or the processor is established in more than one Member
State, or if processing in the context of the activities of a single establishment of a controller or
a processor in the Union substantially affects or is likely to substantially affect interested parties in more than
one Member State, the supervisory authority of the main establishment or the sole establishment of the controller
or of the processor must act as the main supervisory authority. That authority must cooperate with the other
authorities concerned, either because the controller or the processor has an establishment in the territory of
their Member State, because the processing substantially affects interested parties residing in their territory, or
because a claim has been submitted to them. Likewise, when an interested party not residing in that Member State has
filed a claim, the supervisory authority before which it has been filed must also be
a supervisory authority concerned. Within the framework of its functions of formulating guidelines on any
issue related to the application of this Regulation, the Committee should be empowered to formulate
guidelines, in particular on the criteria to be taken into account to determine whether the processing in
question substantially affects interested parties from more than one Member State and on what constitutes a
relevant and reasoned objection.

(125) The main supervisory authority should be competent to take binding decisions concerning measures
applying the powers conferred on it pursuant to this Regulation. In its capacity as main authority, the
supervisory authority should closely involve and coordinate the supervisory authorities concerned in the
decision-making process. In cases where the decision consists in rejecting all or part of the
claim of the interested party, that decision must be taken by the supervisory authority before which
the claim was filed.

(126) The decision must be agreed jointly by the main supervisory authority and the supervisory authorities
concerned and should be addressed to the main or sole establishment of the controller or the processor and
be binding on both. The controller or the processor must take the necessary measures to guarantee
compliance with this Regulation and the application of the decision notified by the main supervisory
authority to the main establishment of the controller or of the processor as regards processing
activities in the Union.

(127) Each supervisory authority that does not act as the main supervisory authority must be competent to deal with
local matters in which, although the controller or the processor is established in more than one Member State,
the subject matter of the specific processing relates exclusively to processing carried out in a single Member
State and affects only interested parties in that single Member State, for example when the processing
concerns personal data of employees in the specific employment context of a Member State. In
such cases, the supervisory authority must inform the main supervisory authority without delay.
Once informed, the main supervisory authority must decide whether to deal with the matter in accordance with the provision
applicable to cooperation between the main supervisory authority and other supervisory authorities concerned
("one-stop mechanism"), or whether the supervisory authority that informed it should deal with the matter locally.
When deciding whether to deal with the matter, the main supervisory authority should consider whether there is an
establishment of the controller or of the processor in the Member State of the supervisory authority that informed it,
in order to guarantee the effective execution of the decision with regard to the controller or the processor. If the
main supervisory authority decides to deal with the matter, the supervisory authority that informed it must be offered the
possibility of presenting a draft decision, which the main supervisory authority must take into account
as much as possible when preparing its draft decision under the one-stop mechanism.

(128) The rules on the main supervisory authority and the one-stop mechanism should not apply when
the processing is carried out by public authorities or private organizations in the public interest. In such cases, the
sole supervisory authority competent to exercise the powers conferred pursuant to this Regulation
must be the supervisory authority of the Member State in which the public authority or the
private body is established.

(129) To ensure consistent supervision and enforcement of this Regulation throughout the Union, the supervisory
authorities must have the same effective functions and powers in all Member States, including
investigative powers, corrective and sanctioning powers, and authorization and advisory powers,
especially in cases of claims by natural persons, and without prejudice to the powers of the
authorities responsible for prosecuting crimes under the law of the Member States, to
inform the judicial authorities of violations of this Regulation and to take legal
action. Such powers must also include the power to impose a temporary or definitive limitation on
processing, including its prohibition. Member States may specify other functions related to
the protection of personal data in accordance with this Regulation. The powers of the supervisory authorities
must be exercised in accordance with adequate procedural guarantees established in the law of the Union and
of the Member States, impartially, fairly and within a reasonable time. In particular, any measure must be
adequate, necessary and proportionate with a view to ensuring compliance with this Regulation,
taking into account the circumstances of each specific case, respect the right of all persons to be heard before
any measure is taken that negatively affects them, and avoid superfluous costs and excessive inconvenience to
the affected persons. Investigative powers regarding access to premises must be exercised
in accordance with the specific requirements of the procedural law of the Member States, such as the requirement of
prior judicial authorization. Any legally binding measure of the supervisory authority must be in
writing, be clear and unambiguous, indicate the supervisory authority that issued the measure and the date on which it was issued,
bear the signature of the director or of a member of the supervisory authority authorized by the director, specify the
reasons for the measure and mention the right to effective judicial protection. This should not prevent
additional requirements from being imposed under the procedural law of the Member States. The adoption of a
legally binding decision implies that it may be subject to judicial review in the Member State of the supervisory
authority that adopted the decision.

(130) When the supervisory authority with which the claim has been filed is not the main supervisory
authority, the latter must cooperate closely with the former in accordance with the provisions on
cooperation and coherence established in this Regulation. In such cases, the main supervisory authority,
when taking measures designed to produce legal effects, including the imposition of administrative fines,
must take into account to the greatest extent possible the opinion of the supervisory authority with which
the claim was filed, which must remain competent to conduct any investigation in the
territory of its own Member State in liaison with the competent supervisory authority.

(131) In cases where another supervisory authority should act as the principal supervisory authority for the
treatment activities of the person responsible or the person in charge, but the specific object of a claim or the
possible infraction affects only the treatment activities of the person responsible or the person in charge in the
Member State in which the claim has been filed or the possible infraction detected, and the matter does not
substantially affect or is not likely to substantially affect interested parties from other Member States, the
supervisory authority that receives a claim or that detects situations that lead to possible violations of this
Regulation, or otherwise receives information about them, should try to reach a friendly settlement with the
person responsible for the treatment and, if this does not succeed, exercise all its powers. The above must include the
specific treatment carried out in the territory of the Member State of the supervisory authority or with respect to
interested parties in the territory of that Member State; the treatment carried out in the context of an offer of
goods or services specifically intended for interested parties in the territory of the Member State of the supervisory
authority; or the treatment to be evaluated taking into account the relevant legal obligations under the
law of the Member States.

(132) Public awareness activities by control authorities should include
specific measures aimed at those responsible and those in charge of treatment, including microenterprises and
small and medium enterprises, as well as natural persons, particularly in the educational context.


(133) Control authorities should assist each other in the performance of their duties and provide mutual
assistance, in order to ensure the consistent application and execution of this Regulation in the internal
market. A supervisory authority requesting mutual assistance may take a provisional measure if it does not
receive a response to its request for assistance within one month of receipt by the other supervisory
authority.

(134) Each supervisory authority should participate, where appropriate, in joint operations with other authorities of
control. The supervisory authority to which assistance is requested must have the obligation to respond to the request in
a certain period of time.

(135) In order to ensure the consistent application of this Regulation throughout the Union, a
coherence mechanism for cooperation between control authorities should be established. This mechanism should be applied in
particular when a supervisory authority plans to adopt a measure aimed at producing legal effects as
regards treatment operations that substantially affect a significant number of interested parties
in several Member States. It should also be applied when any control authority concerned or the
Commission requests that such a matter be addressed under the coherence mechanism. Said mechanism must be
understood without prejudice to any measures that the Commission may take in the exercise of its powers
under the Treaties.

(136) In application of the coherence mechanism, the Committee must, within a certain period of time, issue an opinion, if so
decided by a majority of its members or if requested by any interested control authority or the
Commission. The Committee must also be empowered to take legally binding decisions in case of
differences between control authorities. To this end, it must issue, in principle by a majority of two thirds of its
members, legally binding decisions in clearly specified cases in which there is a conflict of
opinions between the supervisory authorities, in particular in the mechanism of cooperation between the main
control authority and the control authorities concerned on the merits of the matter, especially as to whether there is a
violation of this Regulation.

(137) The urgent need to act may be due to the need to protect the rights and freedoms of
interested parties, particularly when there is a risk that the recognition of any of their rights may be
significantly impeded. Therefore, a supervisory authority must be able to adopt in its territory
provisional measures, duly justified, with a determined period of validity not exceeding three months.

(138) The application of such a mechanism should be a condition for the legality of a measure of a supervisory authority
intended to produce legal effects, in those cases in which its application is mandatory. In other cases
of cross-border relevance, the main control authority and the control authorities concerned should
apply the cooperation mechanism between them, and the control authorities concerned can provide mutual
assistance and carry out joint operations with each other, on a bilateral or multilateral basis, without having to apply it.

(139) In order to promote the consistent application of this Regulation, the Committee should be established as an
independent body of the Union. To meet its objectives, the Committee must have legal personality. Its president
must represent it. The Committee must replace the Group for the Protection of Persons as regards
the processing of personal data created by Directive 95/46/EC. It must be composed of the
director of a supervisory authority of each Member State and the European Data Protection Supervisor, or
their respective representatives. The Commission must participate in the activities of the Committee without the right to vote,
and specific voting rights must be recognized to the European Data Protection Supervisor. The Committee must
contribute to the consistent application of this Regulation throughout the Union, inter alia by advising the
Commission, in particular on the level of protection in third countries or international organizations, and
promoting the cooperation of control authorities throughout the Union. The Committee must act independently
in the fulfillment of its functions.

(140) The Committee must have a secretariat, under the responsibility of the European Data Protection Supervisor. The staff of
the European Data Protection Supervisor who participate in the performance of the functions conferred on the Committee
by this Regulation must perform their duties exclusively following the instructions of the
Chairman of the Committee and answer to him.

(141) Any interested party must have the right to file a claim with a single supervisory authority, in
particular in the Member State of their habitual residence, and the right to effective judicial protection in accordance
with Article 47 of the Charter if they consider that their rights under this Regulation are violated or in
the event that the supervisory authority does not respond to a claim, rejects or dismisses all or part of a
claim or does not act when necessary to protect the rights of the interested party. The investigation following
a claim must be carried out, under judicial control, if appropriate in the specific case. The supervisory
authority must inform the interested party of the evolution and the result of the claim within a reasonable time. If the
matter requires further investigation or coordination with another supervisory authority, intermediate
information should be provided to the interested party. To facilitate the submission of claims, each supervisory authority
must adopt measures such as the supply of a claim form, which can also be completed
by electronic means, without excluding other means of communication.

(142) The interested party who considers that the rights recognized by this Regulation are violated must have the right to
confer a mandate on a non-profit entity, organization or association that is constituted pursuant to the
law of a Member State, has statutory objectives that are of public interest and acts in the field of
the protection of personal data, so that it files a claim with the supervisory
authority, exercises the right to judicial protection on behalf of the interested parties or, if so established by the law of
the Member State, exercises the right to receive compensation on their behalf. A Member State can
recognize the right of such entity, organization or association to file a claim in that Member State independently
of the mandate of an interested party, and the right to effective judicial protection, when there are grounds to believe
that the rights of an interested party have been violated as a result of a processing of personal data
that is contrary to this Regulation. That entity, organization or association cannot be authorized to
claim compensation on behalf of an interested party regardless of the latter's mandate.


(143) Every natural or legal person has the right to bring an action for annulment before the Court of Justice
against Committee decisions, under the conditions established in Article 263 of the TFEU. As recipients of said
decisions, interested control authorities who want to challenge them have to appeal
within two months from the moment they were notified, in accordance with Article 263
of the TFEU. In the event that the decisions of the Committee directly and individually affect a person responsible, a
person in charge or the claimant, these can file an appeal for annulment of said decisions within two
months after their publication on the Committee's website, in accordance with Article 263 TFEU. Without
prejudice to the provisions of Article 263 of the TFEU, any natural or legal person must have the right to effective
judicial protection before the competent national court against the decisions of a supervisory authority that
produce legal effects that affect it. Such decisions relate in particular to the exercise of the powers of
investigation, correction and authorization by the supervisory authority or the dismissal or rejection of
claims. However, the right to effective judicial protection does not include measures taken by the
control authorities that are not legally binding, such as published opinions or advice
provided by them. Actions against a supervisory authority must be brought before the courts of the Member
State in which it is established and processed in accordance with the procedural law of that Member State.
These courts must have full jurisdiction, including the competence to examine all the elements of
fact and of law relating to the case before them.

If a supervisory authority rejects or dismisses a claim, the claimant can take action before
the courts of the same Member State. In the context of legal actions related to the application
of this Regulation, the national courts that deem a decision in this regard necessary in order to be able to
issue their judgment may, or in the case established in Article 267 of the TFEU must, request the Court of Justice
to give a preliminary ruling on the interpretation of Union law, including this
Regulation. In addition, if a decision of a supervisory authority by which a decision of the Committee is executed
is challenged before a national court and the validity of the decision of the Committee is questioned, said national court
is not competent to declare the decision of the Committee invalid but, if it considers it invalid, it must
refer the question of validity to the Court of Justice in accordance with Article 267 TFEU, as
interpreted by the latter. However, a national court may not refer the question of the validity of the decision
of the Committee at the request of a natural or legal person who, having had the opportunity to bring an action
for annulment of said decision, in particular if said decision affected it directly and individually, did not do so within
the period established in Article 263 of the TFEU.

(144) If a court before which actions were taken against a decision of a supervisory authority has grounds
to believe that actions were taken before a competent court of another Member State relating to the same
treatment, such as having the same matter with respect to a treatment by the same person responsible or person in charge,
or the same cause of action, it should contact that court to confirm the existence of such
related actions. If such related actions are pending before a court in another Member State,
any court other than the one before which the action was first brought may suspend the
procedure or, at the request of one of the parties, decline jurisdiction in favor of the court before which the action was
first brought, if the latter is competent to hear it and its consolidation is in accordance with the law.
Actions are considered related when they are linked by such a close relationship that they should be processed and
resolved together to avoid resolutions that could be incompatible if they were tried as
separate causes.

(145) With regard to actions against persons responsible or in charge of processing, the claimant must have
the option of exercising them before the courts of the Member States in which the person responsible or the person in charge
has an establishment or in which the interested party resides, unless the person responsible is a public authority of a
Member State that acts in the exercise of public powers.

(146) The person responsible or the person in charge of the treatment must indemnify any damages that may be suffered
by a person as a result of a treatment in violation of this Regulation. The person responsible or the
person in charge should be exempt from liability if it is demonstrated that they are in no way responsible for the
damages. The concept of damages must be interpreted broadly in the light of the jurisprudence
of the Court of Justice, so that the objectives of this Regulation are fully respected. The
above is without prejudice to any claim for damages arising from the violation of
other rules of the law of the Union or of the Member States. A treatment in violation of this
Regulation also includes treatment that infringes delegated and implementing acts adopted
in accordance with this Regulation and the law of the Member States that specifies the rules of
this Regulation. Interested parties should receive full and effective compensation for the damages
suffered. If persons responsible or in charge participate in the same treatment, each person responsible or in charge
must be held liable for all damages. However, if they are joined in the
same cause in accordance with the law of the Member States, compensation can be prorated according
to the responsibility of each person responsible or in charge for the damages caused by the
treatment, provided that the total and effective compensation of the interested party who suffered the damages is
guaranteed. Any person responsible or in charge who has paid the entire compensation may
subsequently file an appeal against other persons responsible or in charge who have participated in the same treatment.

(147) In cases where this Regulation contains specific rules on judicial jurisdiction, in particular
as regards actions that seek to obtain satisfaction through the judicial process, including compensation,
against a person responsible or in charge of the treatment, the general rules of judicial competence such as those
established in Regulation (EU) No 1215/2012 of the European Parliament and of the Council ( 1 ) must be understood without
prejudice to the application of said specific rules.

(148) In order to reinforce the application of the rules of this Regulation, any violation of this Regulation must be
punished with penalties, including administrative fines, in addition to appropriate measures imposed
by the supervisory authority under this Regulation. In case of a minor
infringement, or if the fine that was likely to be imposed constituted a disproportionate burden on a natural
person, a warning can be imposed instead of a fine. Special attention must nevertheless be
paid to the nature, severity and duration of the infraction, its intentional nature, the measures
taken to alleviate the damages suffered, the degree of responsibility or any relevant previous
infraction, the way in which the supervisory authority became aware of the infringement, compliance
with measures ordered against the person responsible or in charge, adherence to codes of conduct and any other
aggravating or mitigating circumstance. The imposition of sanctions, including administrative fines, must be
subject to sufficient procedural safeguards in accordance with the general principles of Union law and the
Charter, including the right to effective judicial protection and a process with all guarantees.

(149) Member States should have the possibility of establishing rules on criminal penalties for
breaches of this Regulation, including breaches of national rules adopted pursuant to it
and within its limits. Such criminal penalties may also authorize the deprivation of benefits
obtained in violation of this Regulation. However, the imposition of criminal penalties for
violations of these national rules and of administrative sanctions should not entail the violation of the
principle of ne bis in idem, according to the interpretation of the Court of Justice.

(150) In order to strengthen and harmonize administrative sanctions for breach of this Regulation, each
supervisory authority must be empowered to impose administrative fines. This Regulation should

( 1 ) Regulation (EU) No 1215/2012 of the European Parliament and of the Council, of December 12, 2012, regarding judicial jurisdiction, the
recognition and enforcement of judicial decisions in civil and commercial matters (OJ L 351, 20.12.2012, p. 1).


indicate the infractions as well as the maximum limit and the criteria to fix the corresponding administrative
fines, which the competent control authority must determine in each individual case taking into account
all the concurrent circumstances in it, paying particular attention to the nature, severity and duration of the
violation and its consequences and the measures taken to ensure compliance with the obligations
imposed by this Regulation and prevent or mitigate the consequences of the infringement. If administrative
fines are imposed on a company, a company must for that purpose be understood in accordance with Articles 101
and 102 of the TFEU. If administrative fines are imposed on persons who are not a company, the supervisory
authority should take into account, when assessing the appropriate amount of the fine, the general level of income prevailing
in the Member State as well as the economic situation of the person. The coherence mechanism can also
be used to promote a consistent application of administrative fines. It must be for
Member States to determine whether and to what extent administrative fines should be imposed on public
authorities. The imposition of an administrative fine or a warning does not affect the exercise of other

powers of the supervisory authorities or the application of other sanctions under this
Regulation.

(151) The legal systems of Denmark and Estonia do not allow administrative fines as provided
in this Regulation. The rules on administrative fines can be applied in Denmark in such
a way that the fine is imposed by the competent national courts as a criminal sanction, and in
Estonia in such a way that the fine is imposed by the supervisory authority in the context of a fault trial,
provided that such application of the rules in those Member States has an effect equivalent to administrative
fines imposed by the control authorities. Therefore the competent national courts
must take into account the recommendation of the supervisory authority that initiates the fine. In any case, the fines
imposed must be effective, proportionate and dissuasive.

(152) In cases where this Regulation does not harmonize administrative sanctions, or in other cases where
required, for example in cases of serious breaches of this Regulation, Member States must
apply a system that establishes effective, proportionate and dissuasive sanctions. The nature of said
sanctions, whether criminal or administrative, must be determined by the law of the Member States.

(153) The law of the Member States must reconcile the rules governing freedom of expression and information,
including journalistic, academic, artistic or literary expression, with the right to the protection of personal
data under this Regulation. The processing of personal data for exclusively
journalistic purposes or for the purpose of academic, artistic or literary expression must be subject to exceptions or exemptions
from certain provisions of this Regulation if required to reconcile the right to protection
of personal data with the right to freedom of expression and information enshrined in Article 11
of the Charter. This should apply in particular to the processing of personal data in the audiovisual field and in
news archives and newspaper archives. Therefore, Member States must adopt legislative measures that
establish the exemptions and exceptions necessary to balance these fundamental rights. Member
States must adopt such exemptions and exceptions in relation to general principles, the rights of the
interested party, the person responsible and the person in charge of the treatment, the transfer of personal data to third countries or
international organizations, independent control authorities, cooperation and coherence, and
specific situations of data processing. If such exemptions or exceptions differ from one Member
State to another, the law of the Member State that is applicable to the controller must govern. Finally,
in order to take into account the importance of the right to freedom of expression in every democratic society,
notions relating to such freedom, such as journalism, need to be interpreted broadly.

(154) This Regulation allows the principle of public access to official documents to be taken into account when
it is applied. Public access to official documents can be considered of public interest. The
personal data in documents that are held by a public authority or a public body
must be able to be publicly communicated by said authority or body if so established by the law of the
Union or of the Member States applicable to that authority or body. Both bodies of law must reconcile
public access to official documents and the reuse of public sector information with the right to
the protection of personal data and, therefore, can establish the necessary reconciliation with the right to
protection of personal data in accordance with this Regulation. The reference to public authorities and
bodies should include, in this context, all authorities or other bodies to which
the law of the Member States on public access to documents applies. Directive 2003/98/EC of the
European Parliament and of the Council ( 1 ) does not alter or affect in any way the level of protection of natural
persons with respect to the processing of personal data in accordance with the provisions of the law of the Union and
of the Member States and, in particular, does not alter the obligations or rights set forth in this
Regulation. In particular, that Directive should not apply to documents that cannot be accessed or
whose access is limited by virtue of access regimes for reasons of personal data protection, or to
parts of documents accessible under such regimes containing personal data whose reuse
has been established by law as incompatible with the law concerning the protection of natural
persons with respect to the processing of personal data.

( 1 ) Directive 2003/98/EC of the European Parliament and of the Council of 17 November 2003 on the reuse of
public sector information (OJ L 345, 31.12.2003, p. 90).

(155) The law of the Member States or collective agreements, including 'business agreements', may
establish specific rules regarding the processing of personal data of workers in the workplace,
in particular in relation to the conditions in which personal data in the work context can be
object of treatment based on the worker's consent, the purposes of hiring, execution
of the employment contract, including compliance with the obligations established by law or by collective agreement,
work management, planning and organization, equality and safety in the workplace, health and
job security, as well as for the purposes of the exercise and enjoyment, whether individual or collective, of rights and
benefits related to employment and for the purpose of termination of the employment relationship.

(156) The processing of personal data for purposes of archiving in the public interest, scientific or historical
research purposes or statistical purposes must be subject to adequate guarantees for the rights and freedoms of the
interested parties in accordance with this Regulation. These guarantees must ensure that technical and
organizational measures are applied to observe, in particular, the principle of data minimization. The
further processing of personal data for the purpose of archiving in the public interest, scientific or historical
research purposes or statistical purposes must be carried out when the person responsible for the treatment has evaluated the
viability of fulfilling those purposes through data processing that does not allow the interested parties to be identified, or
no longer allows it, provided there are adequate guarantees (such as pseudonymization of data).
Member States must establish adequate guarantees for the processing of personal data for the purpose of
archiving in the public interest, scientific or historical research purposes or statistical purposes. Member States
must be authorized to establish, under specific conditions and subject to adequate guarantees for
interested parties, specifications and exceptions regarding the information requirements and the rights of
rectification, deletion, oblivion, limitation of processing, data portability and opposition,
when personal data is processed for archival purposes in the public interest, scientific or historical research
purposes or statistical purposes. The conditions and guarantees in question may involve specific procedures
so that the interested parties exercise said rights if it is appropriate in the light of the purposes pursued by the
specific treatment, together with technical and organizational measures aimed at minimizing the treatment of
personal data according to the principles of proportionality and need. The processing of personal data
for scientific purposes must also observe other relevant standards, such as those related to clinical trials.

(157) By combining information from records, researchers can gain new knowledge of
great value about widespread medical conditions, such as cardiovascular disease, cancer and
depression. Starting from records, the results of investigations can be stronger, since they are based on
a larger population. Within the social sciences, record-based research allows researchers to
obtain essential knowledge about the long-term correlation of various social conditions, such as
unemployment and education, with other living conditions. The results of research obtained
from records provide solid and high quality knowledge that can serve as the basis for the conception and
execution of knowledge-based policies, improve the quality of life of many people and improve the
efficiency of social services. To facilitate scientific research, personal data can be processed
for scientific purposes, subject to appropriate conditions and guarantees established in the law of the Union or
of the Member States.

(158) This Regulation should also apply to the processing of personal data made for archival purposes,
keeping in mind that it should not apply to deceased persons. Public authorities or public or private
bodies holding records of public interest must be services that are required, according to the
law of the Union or of the Member States, to acquire, maintain, evaluate, organize, describe, communicate,
promote and disseminate records of enduring value for the general public interest and facilitate access to them.
Member States must also be authorized to establish the further processing of personal data for
archival purposes, for example in order to offer specific information related to political behavior
under former regimes of totalitarian states, genocide, crimes against humanity, in particular the
Holocaust, or war crimes.


(159) This Regulation should also apply to the processing of personal data that is carried out for scientific
research purposes. The processing of personal data for scientific research purposes must be interpreted, for the
purposes of this Regulation, broadly, including, for example, technological development and
demonstration, fundamental research, applied research and research funded by the private
sector. In addition, it must take into account the objective of the Union established in Article 179 (1)
TFEU of achieving a European research area. The purposes of scientific research must also
include studies conducted in the public interest in the field of public health. To meet the specific
characteristics of the processing of personal data for scientific research purposes, specific conditions
should apply, in particular as regards the publication or other communication of personal
data in the context of scientific research purposes. If the result of scientific research, in
particular in the field of health, justifies other measures for the benefit of the interested party, the general rules of
this Regulation should be applied taking into account such measures.

(160) This Regulation should also apply to the processing of personal data that is carried out for the purpose of
historical research. This also includes historical research and research for genealogical purposes,
taking into account that this Regulation does not apply to deceased persons.

(161) In order to grant consent for participation in scientific research activities in clinical
trials, the relevant provisions of Regulation (EU) No 536/2014 of the European Parliament
and of the Council ( 1 ) should apply.

(162) This Regulation should apply to the processing of personal data for statistical purposes. The statistical
content, access control, specifications for the processing of personal data for statistical
purposes and appropriate measures to safeguard the rights and freedoms of interested parties and ensure
statistical confidentiality must be established, within the limits of this Regulation, by the
law of the Union or of the Member States. Statistical purposes means any operation of
collection and processing of personal data necessary for statistical surveys or for the production of
statistical results. These statistical results can also be used for different purposes, including purposes
of scientific research. The statistical purpose implies that the result of the treatment for statistical purposes is not
personal data, but aggregated data, and that this result or the personal data is not used to support
measures or decisions regarding specific natural persons.

(163) Confidential information that the Union and national statistical authorities collect for the preparation of
official European and national statistics must be protected. European statistics must be
developed, produced and disseminated in accordance with the statistical principles set forth in Article 338, paragraph 2,
TFEU, while national statistics must also comply with the law of the Member States.
Regulation (EC) No 223/2009 of the European Parliament and of the Council ( 2 ) provides additional specifications
on statistical confidentiality applied to European statistics.

(164) As regards the powers of the supervisory authorities to obtain from the person responsible or the person in charge of the
treatment access to personal data and to its premises, Member States may adopt by law, within
the limits set by this Regulation, specific rules with a view to safeguarding the duty of professional
secrecy or equivalent obligations, to the extent necessary to reconcile the right to protection of
personal data with the duty of professional secrecy. The foregoing is without prejudice to the existing
obligations for Member States to adopt rules on professional secrecy when required by
Union law.

(165) This Regulation respects and does not prejudge the status recognized in the Member States, pursuant to
constitutional law, to churches and religious associations or communities, as recognized in
Article 17 of the TFEU.

(166) In order to fulfill the objectives of this Regulation, namely to protect the fundamental rights and
freedoms of natural persons and, in particular, their right to the protection of personal data, and

( 1 ) Regulation (EU) No 536/2014 of the European Parliament and of the Council, of April 16, 2014, on clinical trials of
medicines for human use, and repealing Directive 2001/20/EC (OJ L 158, 27.5.2014, p. 1).
( 2 ) Regulation (EC) No 223/2009 of the European Parliament and of the Council, of March 11, 2009, concerning European statistics and
repealing Regulation (EC, Euratom) No 1101/2008 concerning the transmission to the Statistical Office of the European Communities
of the information protected by statistical secrecy, Regulation (EC) No 322/97 of the Council on Community statistics and
Council Decision 89/382/EEC, Euratom establishing a Statistical Program Committee of the European Communities
(OJ L 87, 31.3.2009, p. 164).

ensure the free movement of personal data in the Union, the power to
adopt acts in accordance with Article 290 TFEU should be delegated to the Commission. In particular, delegated acts must be adopted in
relation to the criteria and requirements for certification mechanisms, the information that must be presented
through standardized icons and the procedures to provide such icons. It is of particular
importance that the Commission carry out the appropriate consultations during the preparatory phase, in particular with
experts. In preparing and drafting delegated acts, the Commission must ensure the simultaneous,
timely and appropriate transmission of relevant documents to the European Parliament and the Council.

(167) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers must be
conferred on the Commission when established by this Regulation. These powers must be exercised
in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council. In this context, the
Commission should consider adopting specific measures for micro, small and medium-sized
enterprises.

(168) The examination procedure must be followed for the adoption of implementing acts on standard contractual
clauses between those responsible and those in charge of the treatment and between those in charge of the treatment; codes of conduct;
technical standards and certification mechanisms; the appropriate level of protection offered by a third country, a
territory or a specific sector in that third country, or an international organization; standard protection clauses;
formats and procedures for the exchange of information between those responsible, those in charge and the control
authorities on binding corporate rules; mutual assistance; and modalities of exchange of
information by electronic means between the control authorities, and between the control authorities and the
Committee.

(169) The Commission must adopt immediately applicable implementing acts when the available evidence shows
that a third country, a specific territory or sector in that third country, or an international organization does not
guarantee an adequate level of protection and urgent reasons so require.

(170) Since the objective of this Regulation, namely to guarantee an equivalent level of protection of
natural persons and the free movement of personal data in the European Union, cannot be sufficiently
achieved by the Member States but, due to the dimensions or effects of the action, can be better
achieved at Union level, the Union can take measures, in accordance with the principle of subsidiarity established
in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality
established in the same article, this Regulation does not exceed what is necessary to achieve that objective.

(171) Directive 95/46/EC should be repealed by this Regulation. All treatment already started on the date of
application of this Regulation must comply with this Regulation within two years of the
date of its entry into force. When the treatment is based on consent in accordance with
Directive 95/46/EC, it is not necessary for the interested party to give his consent again if the way in which the
consent was given conforms to the conditions of this Regulation, so that the person responsible can continue
such treatment after the date of application of this Regulation. The decisions of the Commission and the
authorizations of the control authorities based on Directive 95/46/EC remain in force until they are
modified, substituted or repealed.

(172) In accordance with Article 28 (2) of Regulation (EC) No 45/2001, the European Data Protection
Supervisor was consulted, and issued its opinion on March 7, 2012 ( 1 ).

(173) This Regulation should apply to all matters relating to the protection of fundamental rights and
freedoms in relation to the processing of personal data that are not subject to specific obligations
with the same objective set out in Directive 2002/58/EC of the European Parliament and of the
Council ( 2 ), including the obligations of the controller and the rights of natural persons. To
clarify the relationship between this Regulation and Directive 2002/58/EC, the latter must be amended
accordingly. Once this Regulation is adopted, Directive 2002/58/EC should be revised
in order to ensure consistency with this Regulation.

( 1 ) OJ C 192, 30.6.2012, p. 7.
( 2 ) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002, concerning the processing of personal data and the
protection of privacy in the electronic communications sector (Directive on privacy and electronic
communications) (OJ L 201, 31.7.2002, p. 37).

HAVE ADOPTED THIS REGULATION:

CHAPTER I

General provisions

Article 1

Object

1. This Regulation establishes the rules relating to the protection of natural persons with regard to the
processing of personal data and the rules regarding the free movement of such data.

2. This Regulation protects the fundamental rights and freedoms of natural persons and, in particular, their
right to protection of personal data.

3. The free movement of personal data in the Union may not be restricted or prohibited for reasons
related to the protection of natural persons with regard to the processing of personal data.

Article 2

Material scope

1. This Regulation applies to the wholly or partially automated processing of personal data, as well as to the
non-automated processing of personal data contained or intended to be included in a file.

2. This Regulation does not apply to the processing of personal data:

a) in the exercise of an activity not included in the scope of application of Union Law;

b) by the Member States when carrying out activities within the scope of
Chapter 2 of Title V of the TEU;

c) carried out by a natural person in the exercise of exclusively personal or domestic activities;

d) by the competent authorities for the purpose of prevention, investigation, detection or prosecution of
criminal offenses, or enforcement of criminal penalties, including protection against threats to public
security and their prevention.

3. Regulation (EC) No 45/2001 is applicable to the processing of personal data by the
institutions, bodies and agencies of the Union. Regulation (EC) No 45/2001 and other legal acts of the Union
applicable to such processing of personal data will be adapted to the principles and rules of this
Regulation in accordance with its article 98.

4. This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular its
rules relating to the liability of intermediary service providers established in its articles 12 to 15.

Article 3

Territorial scope

1. This Regulation applies to the processing of personal data in the context of the activities of an
establishment of the person responsible or of the person in charge in the Union, regardless of whether the treatment takes place in the
Union or not.

2. This Regulation applies to the processing of personal data of interested parties residing in the Union by
a person responsible or person in charge not established in the Union, when the treatment activities are
related to:

a) the offer of goods or services to such interested parties in the Union, regardless of whether payment is
required of them, or

b) the control of their behavior, insofar as this takes place in the Union.

3. This Regulation applies to the processing of personal data by a person responsible who is not
established in the Union but in a place where the law of the Member States is applicable under
public international law.

Article 4

Definitions

For the purposes of this Regulation, the following definitions shall apply:

1) "personal data" means any information about an identified or identifiable natural person ("the interested party");
any person whose identity can be determined, directly or indirectly, shall be considered an identifiable natural person,
in particular by means of an identifier, such as a name, an identification number, location
data, an online identifier or one or several elements of the physical, physiological, genetic,
psychic, economic, cultural or social identity of said person;

2) "treatment" means any operation or set of operations performed on personal data or sets of
personal data, whether by automated procedures or not, such as collection, registration, organization,
structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission,
dissemination or any other form of enabling access, collation or interconnection, limitation, deletion or
destruction;

3) "limitation of processing" means the marking of personal data kept in order to limit its
future treatment;

4) "profiling" means any form of automated processing of personal data consisting of using personal
data to evaluate certain personal aspects of a natural person, in particular to analyze or
predict aspects related to professional performance, economic situation, health, personal preferences, interests,
reliability, behavior, location or movements of said natural person;

5) "pseudonymisation" means the processing of personal data so that it can no longer be attributed to an interested party
without using additional information, provided that such additional information is kept separately and is subject to
technical and organizational measures aimed at ensuring that personal data is not attributed to an
identified or identifiable natural person;

6) "file" means any structured set of personal data, accessible according to certain criteria, either
centralized, decentralized or distributed in a functional or geographical way;

7) "responsible for the treatment" or "responsible" means the natural or legal person, public authority, service or other
body that, alone or together with others, determines the purposes and means of treatment; if the law of the Union or of the
Member States determines the purposes and means of treatment, the controller or the specific
criteria for its appointment may be established by the law of the Union or of the Member States;

8) "person in charge of treatment" or "person in charge" means the natural or legal person, public authority, service or other body
that treats personal data on behalf of the controller;

9) "recipient" means the natural or legal person, public authority, service or other body to which personal data is
communicated, whether or not it is a third party. However, the public authorities that
may receive personal data within the framework of a specific investigation in accordance with the law of the
Union or of the Member States shall not be considered recipients; the processing of such data by said public authorities will be in accordance with
the data protection regulations applicable to the purposes of the processing;

10) "third party" means a natural or legal person, public authority, service or body other than the interested party, the person responsible
for the treatment, the person in charge of the treatment and the persons authorized to process the personal data under the
direct authority of the person responsible or of the person in charge;

11) "consent of the interested party" means any manifestation of free, specific, informed and unambiguous will by which
the interested party accepts, either through a statement or a clear affirmative action, the processing of personal
data concerning him;

12) "violation of the security of personal data" means any breach of security that causes the accidental or unlawful
destruction, loss or alteration of personal data transmitted, retained or otherwise treated, or the
unauthorized communication of or access to said data;

13) "genetic data" means personal data concerning the genetic characteristics inherited or acquired by a natural
person that provide unique information about the physiology or health of that person, obtained in particular
from the analysis of a biological sample of such a person;

14) "biometric data" means personal data obtained from a specific technical treatment, related to the
physical, physiological or behavioral characteristics of a natural person that allow or confirm the unique identification of
said person, such as facial images or fingerprint data;

15) "health-related data" means personal data relating to the physical or mental health of a natural person, including the
provision of health care services, which disclose information about their health status;

16) "main establishment":

a) as regards a person responsible for treatment with establishments in more than one Member State, the
place of its central administration in the Union, unless decisions on the purposes and means of
treatment are taken in another establishment of the person responsible in the Union and this latter establishment has the
power to enforce such decisions, in which case the establishment that has taken such decisions will
be considered the main establishment;

b) as regards a person in charge of treatment with establishments in more than one Member State, the place
of its central administration in the Union or, if lacking this, the establishment of the person in charge in the Union in
which the main treatment activities are carried out in the context of the activities of an establishment
of the person in charge, to the extent that the person in charge is subject to specific obligations under
this Regulation;

17) "representative" means a natural or legal person established in the Union who, having been designated in writing by the
person responsible or the person in charge of the treatment according to article 27, represents the person responsible or the person in charge
as regards their respective obligations under this Regulation;

18) "company" means a natural or legal person engaged in an economic activity, regardless of its legal form,
including societies or associations that regularly carry out an economic activity;

19) "business group" means a group consisting of a company that exercises control and its controlled companies;

20) "binding corporate rules" means the personal data protection policies assumed by a person responsible or
person in charge of the treatment established in the territory of a Member State for transfers or a set of
transfers of personal data to a person responsible or person in charge in one or more third countries, within a business
group or a union of companies engaged in a joint economic activity;

21) "supervisory authority" means the independent public authority established by a Member State in accordance with
the provisions of article 51;

22) "interested control authority" means the control authority affected by the processing of personal data
because:

a) the person responsible or the person in charge of the treatment is established in the territory of the Member State of that
supervisory authority;

b) interested parties residing in the Member State of that supervisory authority are substantially affected or
are likely to be substantially affected by the treatment, or

c) a claim has been filed with that supervisory authority;

23) "cross-border treatment":

a) the processing of personal data carried out in the context of the activities of establishments in more than one
Member State of a person responsible or a person in charge of the treatment in the Union, if the person responsible or the person in charge
is established in more than one Member State, or

b) the processing of personal data carried out in the context of the activities of a single establishment of a
person responsible or person in charge of treatment in the Union, but which substantially affects or is likely to
substantially affect interested parties in more than one Member State;

24) "relevant and motivated objection" means the objection to a proposal for a decision on the existence or not of an infringement of
this Regulation, or on the conformity with this Regulation of planned actions in relation to the
person responsible or the person in charge of the treatment, that clearly demonstrates the importance of the risks posed by the
draft decision for the fundamental rights and freedoms of the interested parties and, where appropriate, for the free
circulation of personal data within the Union;

25) "information society service" means any service in accordance with the definition in Article 1, paragraph 1,
letter b), of Directive (EU) 2015/1535 of the European Parliament and of the Council ( 1 );

26) "international organization" means an international organization and its subordinate entities governed by public
international law or any other body created through an agreement between two or more countries or under such agreement.

CHAPTER II

Principles

Article 5

Principles related to treatment

1. The personal data will be:

a) treated in a lawful, loyal and transparent manner in relation to the interested party ("lawfulness, loyalty and transparency");

b) collected for specific, explicit and legitimate purposes, and will not be subsequently treated in a manner incompatible
with these purposes; in accordance with article 89, paragraph 1, the further processing of personal data for archival
purposes in the public interest, scientific and historical research purposes or statistical purposes will not be considered
incompatible with the initial purposes ("limitation of purpose");

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are treated ("minimization
of data");

d) accurate and, if necessary, updated; all reasonable measures will be taken to eliminate or
promptly rectify personal data that is inaccurate with respect to the purposes for which they are processed
("accuracy");

( 1 ) Directive (EU) 2015/1535 of the European Parliament and of the Council of September 9, 2015, establishing a procedure
of information regarding technical regulations and rules related to information society services (OJ L 241,
17.9.2015, p. 1).

e) maintained in a way that allows the identification of the interested parties for no longer than necessary for
the purposes of the processing of personal data; personal data may be kept for longer periods
provided they are treated exclusively for archival purposes in the public interest, scientific or historical research
purposes or statistical purposes, in accordance with article 89, paragraph 1, without prejudice to the application of the
appropriate technical and organizational measures imposed by this Regulation in order to protect the rights and
freedoms of the interested party ("limitation of the conservation period");

f) treated in such a way as to ensure adequate security of personal data, including protection against
unauthorized or unlawful treatment and against its loss, destruction or accidental damage, by applying
appropriate technical or organizational measures ("integrity and confidentiality").

2. The controller will be responsible for compliance with the provisions of section 1 and capable of
prove it ("proactive responsibility").

Article 6

Legality of the treatment

1. The treatment will only be lawful if at least one of the following conditions is met:

a) the interested party gave his consent for the processing of his personal data for one or several specific purposes;

b) the treatment is necessary for the execution of a contract in which the interested party is a party or for the application, at the
request of the interested party, of pre-contractual measures;

c) the treatment is necessary for the fulfillment of a legal obligation applicable to the person responsible for the treatment;

d) the treatment is necessary to protect vital interests of the interested party or of another natural person;

e) the treatment is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of
public powers conferred on the controller;

f) the treatment is necessary for the satisfaction of legitimate interests pursued by the controller or
by a third party, provided that said interests are not overridden by the interests or the fundamental rights and
freedoms of the interested party that require the protection of personal data, in particular when the interested party is a
child.

The provisions of letter f) of the first paragraph shall not apply to the treatment carried out by public authorities
in the exercise of their functions.

2. Member States may maintain or introduce more specific provisions in order to adapt the application of
the rules of this Regulation regarding the treatment in compliance with paragraph 1, letters c) and e), setting
more precisely specific treatment requirements and other measures that guarantee lawful and equitable
treatment, including other specific treatment situations under chapter IX.

3. The basis of the treatment indicated in section 1, letters c) and e), must be established by:

a) Union law, or

b) the law of the Member States that applies to the controller.

The purpose of the treatment must be determined in said legal basis or, in relation to the treatment to which
paragraph 1, letter e) refers, must be necessary for the fulfillment of a mission carried out in the public interest or in the
exercise of public powers conferred on the controller. This legal basis may contain specific
provisions to adapt the application of the rules of this Regulation, among others: the general conditions that
govern the legality of the treatment by the controller; the types of data processed; the interested parties
affected; the entities to which personal data can be communicated and the purposes of such communication; the limitation of
purpose; the data retention periods, as well as the operations and processing procedures,
including measures to ensure fair and equitable treatment, such as those related to other specific situations
of treatment according to chapter IX. The law of the Union or of the Member States shall fulfill an objective of
public interest and will be proportional to the legitimate purpose pursued.

4. When the processing for a purpose other than that for which the personal data was collected is not based
in the consent of the interested party or in the law of the Union or of the Member States that constitutes a measure
necessary and proportional in a democratic society to safeguard the objectives indicated in article 23,
section 1, the person responsible for the treatment, in order to determine if the treatment for another purpose is compatible with the
purpose for which the personal data was initially collected, will take into account, among other things:

a) any relationship between the purposes for which personal data has been collected and the purposes of the planned
further processing;

b) the context in which personal data has been collected, in particular as regards the relationship between the
interested parties and the person responsible for the treatment;

c) the nature of personal data, specifically when dealing with special categories of personal data, in
accordance with article 9, or personal data relating to convictions and criminal offenses, in accordance with
article 10;

d) the possible consequences for the interested parties of the planned further treatment;

e) the existence of adequate guarantees, which may include encryption or pseudonymization.

Article 7

Conditions for consent

1. When the treatment is based on the consent of the interested party, the person responsible must be able to demonstrate
that he consented to the processing of his personal data.

2. If the consent of the interested party is given in the context of a written statement that also refers to other
matters, the request for consent will be presented in such a way that it is clearly distinguished from the other matters, in an
intelligible and easily accessible form and using clear and simple language. No part of the
declaration that constitutes a violation of this Regulation shall be binding.

3. The interested party will have the right to withdraw their consent at any time. Withdrawal of consent will not
affect the legality of the treatment based on the consent prior to its withdrawal. Before giving consent, the
interested party will be informed of it. It will be as easy to withdraw consent as to give it.

4. In assessing whether consent has been freely given, the greatest possible account will be taken of
whether, among other things, the execution of a contract, including the provision of a service, is subject to consent to the
processing of personal data that is not necessary for the execution of said contract.

Article 8

Conditions applicable to the child's consent in relation to information society
services

1. When Article 6, paragraph 1, letter a) is applied, in relation to the direct offer to children of information
society services, the processing of a child's personal data will be considered lawful when the child is at
least 16 years old. If the child is under 16, such treatment will only be considered lawful if the consent
was given or authorized by the holder of parental rights or guardianship over the child, and only to the extent that it was given or authorized.

Member States may establish by law a lower age for such purposes, provided that it is not lower
than 13 years.

2. The controller will make reasonable efforts to verify in such cases that the consent was
given or authorized by the holder of parental rights or guardianship over the child, taking into account the available technology.

3. Paragraph 1 shall not affect the general provisions of the contractual law of the Member States, such as
rules regarding the validity, formation or effects of contracts in relation to a child.

Article 9

Treatment of special categories of personal data

1. The processing of personal data that reveals ethnic or racial origin, political opinions,
religious or philosophical convictions, or union membership, and the treatment of genetic data, biometric data
aimed at uniquely identifying a natural person, health related data or data relating to the sexual life
or the sexual orientation of a natural person, is prohibited.

2. Section 1 shall not apply when one of the following circumstances occurs:

a) the interested party gave explicit consent for the processing of said personal data for one or more of the
specified purposes, except when the law of the Union or of the Member States establishes that the prohibition
mentioned in section 1 cannot be lifted by the interested party;

b) the treatment is necessary for the fulfillment of obligations and the exercise of specific rights of the person responsible
for the treatment or the interested party in the field of labor law and social security and protection, to the extent
authorized by the law of the Union or of the Member States or a collective agreement under the
law of the Member States that establishes adequate guarantees of respect for the fundamental rights and
the interests of the interested party;

c) the treatment is necessary to protect vital interests of the interested party or of another natural person, in the event
that the interested party is not physically or legally able to give consent;

d) the treatment is carried out, within the scope of its legitimate activities and with due guarantees, by a foundation,
an association or any other non-profit organization whose purpose is political, philosophical, religious or
union-related, provided that the treatment refers exclusively to current or former members of such organizations
or to people who maintain regular contacts with them in relation to their purposes and provided that the personal
data are not communicated outside of them without the consent of the interested parties;

e) the processing refers to personal data that the interested party has made manifestly public;

f) the treatment is necessary for the formulation, exercise or defense of claims or when the courts
act in the exercise of their judicial function;

g) the treatment is necessary for reasons of essential public interest, based on the law of the Union or of the
Member States, which must be proportional to the objective pursued, essentially respect the right to
data protection and establish appropriate and specific measures to protect the fundamental interests and rights
of the interested party;

h) the treatment is necessary for preventive or occupational medicine purposes, evaluation of the work capacity of the
worker, medical diagnosis, provision of health or social assistance or treatment, or management of
health and social assistance systems and services, based on the law of the Union or of the Member States
or under a contract with a healthcare professional and without prejudice to the conditions and guarantees contemplated
in section 3;

i) the treatment is necessary for reasons of public interest in the field of public health, such as protection against
serious cross-border threats to health, or to ensure high levels of quality and safety of
health care and of medicines or health products, based on the law of the Union or of the
Member States that establishes appropriate and specific measures to protect the rights and freedoms of the
interested party, in particular professional secrecy;

j) the treatment is necessary for archival purposes in the public interest, scientific or historical research purposes or
statistical purposes, in accordance with Article 89, paragraph 1, on the basis of the law of the Union or of the Member
States, which must be proportional to the objective pursued, essentially respect the right to protection of
data and establish appropriate and specific measures to protect the fundamental interests and rights of the
interested party.

3. The personal data referred to in section 1 may be processed for the purposes mentioned in section 2, letter h),
when their processing is performed by a professional subject to the obligation of professional secrecy, or under his
responsibility, in accordance with the law of the Union or of the Member States or with the rules established by the
competent national bodies, or by any other person also subject to the obligation of secrecy in accordance
with the law of the Union or of the Member States or with the rules established by the competent national
bodies.

4. Member States may maintain or introduce additional conditions, including limitations, with respect
to the processing of genetic data, biometric data or data related to health.

Article 10

Processing of personal data related to convictions and criminal offenses

The processing of personal data related to convictions and criminal offenses or related security measures on the
basis of article 6, paragraph 1, may only be carried out under the supervision of public authorities or when
authorized by the law of the Union or of the Member States that establishes adequate guarantees for the rights and
freedoms of the interested parties. A complete record of criminal convictions may only be kept under the control of
public authorities.

Article 11

Treatment that does not require identification

1. If the purposes for which a controller processes personal data do not require or no longer require the identification
of an interested party by the controller, the controller will not be obliged to maintain, obtain or process additional
information with a view to identifying the interested party for the sole purpose of complying with this Regulation.

2. When, in the cases referred to in section 1 of this article, the controller is able to demonstrate that
it is not in a position to identify the interested party, it will inform the interested party accordingly, if possible.
In such cases, Articles 15 to 20 will not apply, except when the interested party, for the purpose of exercising their
rights under said articles, provides additional information that allows identification.

CHAPTER III

Rights of the interested party

Section 1

Transparency and modalities

Article 12

Transparency of information, communication and modalities of exercising the rights of the interested party

1. The controller will take the appropriate measures to provide the interested party with all the information indicated
in articles 13 and 14, as well as any communication under articles 15 to 22 and 34 concerning the
processing, in concise, transparent, intelligible and easily accessible form, with clear and simple language, in particular
any information specifically directed to a child. The information will be provided in writing or by other means,
including, if applicable, by electronic means. When requested by the interested party, the information may be provided
verbally, provided that the identity of the interested party is demonstrated by other means.

2. The controller shall facilitate the exercise by the interested party of their rights by virtue of articles 15 to 22.
In the cases referred to in article 11, paragraph 2, the controller will not refuse to act at the request of the interested
party in order to exercise their rights under articles 15 to 22, unless the controller can prove that it is not in a
position to identify the interested party.

3. The controller will provide the interested party with information regarding its actions based on a
request under articles 15 to 22, and, in any case, within one month of receipt of the
request. This period may be extended for another two months if necessary, taking into account the complexity and
number of requests. The controller will inform the interested party of any of said extensions within one month
of receipt of the request, indicating the reasons for the delay. When the interested party submits the request by
electronic means, the information will be provided electronically when possible, unless the interested party
requests that it be provided in another way.

4. If the controller does not act on the request of the interested party, it will inform the interested party without delay,
and at the latest one month after receiving the request, of the reasons for not acting and of the possibility of submitting
a claim before a supervisory authority and of bringing legal actions.

5. The information provided under articles 13 and 14, as well as any communication and any action
made under articles 15 to 22 and 34, will be free of charge. When the requests are manifestly
unfounded or excessive, especially due to their repetitive nature, the controller may:

a) charge a reasonable fee based on the administrative costs incurred to provide information or
communication or perform the requested action, or

b) refuse to act on the request.

The controller shall bear the burden of demonstrating the manifestly unfounded or excessive nature of the
request.

6. Without prejudice to the provisions of article 11, when the controller has reasonable doubts in
relation to the identity of the individual who is making the request referred to in articles 15 to 21, it may request
that the additional information necessary to confirm the identity of the interested party be provided.

7. Information to be provided to interested parties under articles 13 and 14 may be transmitted in
combination with standardized icons that provide, in an easily visible, intelligible and clearly
readable form, an adequate overview of the planned processing. The icons presented in electronic format
will be machine-readable.

8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 in order to specify the
information to be presented through icons and procedures to provide standardized icons.

Section 2

Information and access to personal data

Article 13

Information to be provided when personal data is obtained from the interested party

1. When personal data relating to an interested party is obtained from that party, the controller will,
at the time the data is obtained, provide the interested party with all the information indicated below:

a) the identity and contact details of the person in charge and, where appropriate, of his representative;

b) the contact data of the data protection delegate, if applicable;

c) the purposes of the processing for which the personal data is intended and the legal basis of the processing;

d) when the treatment is based on article 6, paragraph 1, letter f), the legitimate interests of the controller or of a
third party;

e) the recipients or categories of recipients of personal data, if applicable;

f) where appropriate, the intention of the person responsible for transferring personal data to a third country or international organization and
the existence or absence of a decision of adequacy of the Commission, or, in the case of transfers indicated in
Articles 46 or 47 or Article 49, paragraph 1, second paragraph, reference to adequate or appropriate guarantees
and the means to obtain a copy of these or the fact that they have been provided.

2. In addition to the information mentioned in section 1, the data controller shall provide the interested party, at
the time the personal data is obtained, with the following information necessary to guarantee fair
and transparent data processing:

a) the period during which personal data will be kept or, when not possible, the criteria used to
determine this term;

b) the existence of the right to request from the data controller access to the personal data relating to the
interested party, and its rectification or deletion, or the limitation of its processing, or to oppose the processing, as well as the
right to data portability;

c) when the treatment is based on article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), the
existence of the right to withdraw consent at any time, without affecting the legality of the
treatment based on consent prior to its withdrawal;

d) the right to file a claim with a supervisory authority;

e) whether the communication of personal data is a legal or contractual requirement, or a necessary requirement to sign a
contract, and whether the interested party is obliged to provide the personal data and is informed of the possible consequences
of not providing such data;

f) the existence of automated decisions, including profiling, referred to in article 22, paragraphs 1
and 4, and, at least in such cases, significant information on the logic applied, as well as the importance and
expected consequences of such treatment for the interested party.

3. When the data controller intends the subsequent processing of personal data for a purpose other than
the one for which they were collected, it will provide the interested party, prior to said further processing, with information
on that other purpose and any additional relevant information under paragraph 2.

4. The provisions of sections 1, 2 and 3 shall not apply when and to the extent that the interested party already
has the information.

Article 14

Information to be provided when personal data has not been obtained from the interested party

1. When the personal data has not been obtained from the interested party, the controller will provide the
interested party with the following information:

a) the identity and contact details of the person in charge and, where appropriate, of his representative;

b) the contact data of the data protection delegate, if applicable;

c) the purposes of the processing for which the personal data is intended, as well as the legal basis of the processing;

d) the categories of personal data in question;

e) the recipients or categories of recipients of personal data, if applicable;

f) where appropriate, the intention of the controller to transfer personal data to a recipient in a third country or
international organization and the existence or absence of a decision of adequacy of the Commission, or, in the case of
the transfers indicated in articles 46 or 47 or article 49, paragraph 1, second paragraph, reference to
adequate or appropriate guarantees and the means to obtain a copy of them or the fact that they have been
provided.

2. In addition to the information mentioned in section 1, the controller will provide the interested party with
the following information necessary to ensure fair and transparent data processing regarding the interested party:

a) the period during which personal data will be kept or, when that is not possible, the criteria used to
determine this term;

b) when the treatment is based on article 6, paragraph 1, letter f), the legitimate interests of the person responsible for
treatment or a third party;

c) the existence of the right to request from the data controller access to the personal data relating to the
interested party, and its rectification or deletion, or the limitation of its processing, and to oppose the processing, as well as the
right to data portability;

d) when the treatment is based on article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), the
existence of the right to withdraw consent at any time, without affecting the legality of the
treatment based on consent before its withdrawal;

e) the right to file a claim with a supervisory authority;

f) the source from which the personal data comes and, if applicable, if they come from sources of public access;

g) the existence of automated decisions, including profiling, referred to in article 22,
paragraphs 1 and 4, and, at least in such cases, significant information on the logic applied, as well as the
importance and the expected consequences of such treatment for the interested party.

3. The data controller shall provide the information indicated in sections 1 and 2:

a) within a reasonable period of time, once the personal data has been obtained, and at the latest within one month, taking
into account the specific circumstances in which such data is processed;

b) if personal data are to be used for communication with the interested party, at the latest at the time of
first communication to said interested party, or

c) if it is planned to communicate them to another recipient, at the latest when the personal data is
communicated for the first time.

4. When the controller intends the further processing of personal data for a purpose other than
that for which they were obtained, it will provide the interested party, before such further processing, with information on
that other purpose and any other relevant information indicated in section 2.

5. The provisions of paragraphs 1 to 4 shall not apply when and to the extent that:

a) the interested party already has the information;

b) the communication of such information is impossible or involves a disproportionate effort, in particular for
processing for archival purposes in the public interest, scientific or historical research purposes or statistical purposes,
subject to the conditions and guarantees indicated in article 89, paragraph 1, or to the extent that the obligation
mentioned in section 1 of this article may make impossible or seriously impede the achievement of the
objectives of such processing. In such cases, the controller shall take appropriate measures to protect the rights,
freedoms and legitimate interests of the interested party, including making the information public;

c) the obtaining or communication is expressly established by the law of the Union or of the Member States
that applies to the controller and that establishes appropriate measures to protect the legitimate
interests of the interested party, or

d) when personal data must remain confidential on the basis of an obligation of professional
secrecy regulated by the law of the Union or of the Member States, including an obligation of secrecy of
statutory nature.

Article 15

Right of access of the interested party

1. The interested party will have the right to obtain confirmation from the controller as to whether or not personal data
concerning them is being processed and, if so, the right of access to the personal data and the following information:

a) the purposes of the treatment;

b) the categories of personal data in question;

c) the recipients or categories of recipients to whom personal data was communicated or will be communicated,
in particular recipients in third parties or international organizations;

d) if possible, the expected period of retention of personal data or, if not possible, the criteria used
to determine this term;

e) the existence of the right to request from the controller the rectification or deletion of personal data or the limitation of
the processing of personal data related to the interested party, or to oppose said processing;

f) the right to file a claim with a supervisory authority;

g) when personal data has not been obtained from the interested party, any information available on its origin;

h) the existence of automated decisions, including profiling, referred to in article 22,
paragraphs 1 and 4, and, at least in such cases, significant information on the logic applied, as well as the
importance and the expected consequences of such treatment for the interested party.

2. When personal data is transferred to a third country or to an international organization, the interested party will have
the right to be informed of the appropriate guarantees under article 46 regarding the transfer.

3. The data controller will provide a copy of the personal data processed. The controller
may charge, for any other copy requested by the interested party, a reasonable fee based on administrative
costs. When the interested party submits the request electronically, and unless they request that it be provided
otherwise, the information will be provided in a common electronic format.

4. The right to obtain a copy mentioned in section 3 shall not adversely affect the rights and freedoms of
others.

Section 3

Rectification and suppression

Article 16

Right of rectification

The interested party will have the right to obtain from the data controller, without undue delay, the rectification of
inaccurate personal data concerning them. Taking into account the purposes of the processing, the interested party will have
the right to have incomplete personal data completed, including through an additional declaration.

Article 17

Right of suppression ("the right to be forgotten")

1. The interested party will have the right to obtain from the controller, without undue delay, the deletion of
personal data concerning them, and the controller will be obliged to delete personal data without undue delay when
one of the following circumstances occurs:

a) personal data is no longer necessary in relation to the purposes for which it was collected or otherwise
processed;

b) the interested party withdraws the consent on which the treatment is based in accordance with article 6, paragraph 1,
letter a), or article 9, paragraph 2, letter a), and the treatment is not based on another legal basis;

c) the interested party opposes the treatment in accordance with article 21, paragraph 1, and no other legitimate reasons
for the treatment prevail, or the interested party opposes the treatment in accordance with article 21, paragraph 2;

d) personal data have been processed unlawfully;

e) personal data must be deleted for compliance with a legal obligation established in Union or
Member State law that applies to the controller;

f) personal data has been obtained in relation to the offer of services of the information society
mentioned in article 8, paragraph 1.

2. When the controller has made personal data public and is required, under the provisions of section 1, to
delete said data, the controller, taking into account the available technology and the cost of its
application, will take reasonable measures, including technical measures, with a view to informing the controllers
that are processing the personal data of the interested party's request to delete any link to that personal data, or
any copy or replica of it.

3. Sections 1 and 2 shall not apply when the treatment is necessary:

a) to exercise the right to freedom of expression and information;

b) for the fulfillment of a legal obligation that requires the processing of data imposed by the law of the
Union or of the Member States that applies to the controller, or for the fulfillment of a
mission carried out in the public interest or in the exercise of public powers conferred on the controller;

c) for reasons of public interest in the field of public health in accordance with Article 9, paragraph 2,
letters h) and i), and section 3;

d) for archival purposes in the public interest, scientific or historical research purposes or statistical purposes,
in accordance with article 89, paragraph 1, to the extent that the right indicated in paragraph 1 could make
impossible or seriously hamper the achievement of the objectives of such treatment, or

e) for the formulation, exercise or defense of claims.

Article 18

Right to limitation of treatment

1. The interested party will have the right to obtain from the data controller the limitation of the data processing
when any of the following conditions is met:

a) the interested party challenges the accuracy of the personal data, during a period that allows the person responsible to verify the
accuracy thereof;

b) the processing is illicit and the interested party opposes the deletion of personal data and requests instead the
limitation of its use;

c) the controller no longer needs the personal data for the purposes of the treatment, but the interested party needs them for
the formulation, exercise or defense of claims;

d) the interested party has opposed the processing under article 21, paragraph 1, while it is verified whether the legitimate
reasons of the controller prevail over those of the interested party.

2. When the processing of personal data has been limited under paragraph 1, such data may only be
subject to treatment, with the exception of its conservation, with the consent of the interested party or for the formulation,
exercise or defense of claims, or with a view to protecting the rights of another natural or legal person or
for reasons of important public interest of the Union or of a particular Member State.

3. Any interested party that has obtained the limitation of treatment according to paragraph 1 will be informed by the
controller before this limitation is lifted.

Article 19

Obligation of notification regarding the rectification or deletion of personal data or limitation of the treatment

The data controller will communicate any rectification or deletion of personal data or limitation of the
treatment carried out in accordance with article 16, article 17, paragraph 1, and article 18 to each of the recipients
to whom personal data has been communicated, unless it is impossible or requires a disproportionate
effort. The controller will inform the interested party about said recipients, if requested.

Article 20

Right to data portability

1. The interested party will have the right to receive the personal data concerning them, which they have provided to a
controller, in a structured, commonly used and machine-readable format, and to transmit them to another
controller without being prevented by the controller to which they were provided, when:

a) the treatment is based on consent in accordance with article 6, paragraph 1, letter a), or article 9,
paragraph 2, letter a), or on a contract under article 6, paragraph 1, letter b), and

b) the treatment is carried out by automated means.

2. When exercising their right to data portability in accordance with paragraph 1, the interested party shall have the right to
have the personal data transmitted directly from controller to controller when technically possible.

3. The exercise of the right mentioned in section 1 of this article shall be without prejudice to
Article 17. Such right shall not apply to the treatment that is necessary for the fulfillment of a mission carried out in the
public interest or in the exercise of public powers conferred on the controller.

4. The right mentioned in section 1 will not adversely affect the rights and freedoms of others.

Section 4

Right of opposition and automated individual decisions

Article 21

Right of opposition

1. The interested party will have the right to object at any time, for reasons related to their particular
situation, to personal data concerning them being subject to processing based on the provisions of
Article 6, paragraph 1, letters e) or f), including the elaboration of profiles based on these provisions. The
controller will stop processing the personal data, unless it proves compelling legitimate reasons for the
processing that prevail over the interests, rights and freedoms of the interested party, or for the formulation,
exercise or defense of claims.

2. When the processing of personal data is aimed at direct marketing, the interested party will have the right
to object at all times to the processing of personal data concerning them, including the preparation of
profiles to the extent that it is related to the aforementioned marketing.

3. When the interested party opposes the processing for direct marketing purposes, the personal data will no longer
be processed for such purposes.

4. At the latest at the time of the first communication with the interested party, the right indicated in
sections 1 and 2 will be explicitly mentioned to the interested party and will be presented clearly and separately from any
other information.

5. In the context of the use of information society services, and notwithstanding the provisions of
Directive 2002/58/EC, the interested party may exercise their right to oppose by automated means that apply
technical specifications.

6. When personal data is processed for scientific or historical research purposes or statistical purposes
in accordance with article 89, paragraph 1, the interested party shall be entitled, for reasons related to their particular
situation, to oppose the processing of personal data concerning them, unless it is necessary for the
fulfillment of a mission carried out for reasons of public interest.

Article 22

Automated individual decisions, including profiling

1. Any interested party will have the right not to be the subject of a decision based solely on automated
processing, including profiling, that produces legal effects on them or significantly affects them in a
similar way.

2. Section 1 shall not apply if the decision:

a) is necessary for the conclusion or execution of a contract between the interested party and a controller;

b) is authorized by the law of the Union or of the Member States that applies to the controller
and that also establishes appropriate measures to safeguard the rights and freedoms and legitimate interests of the
interested party, or

c) is based on the explicit consent of the interested party.

3. In the cases referred to in paragraph 2, letters a) and c), the controller shall adopt the measures
adequate to safeguard the rights and freedoms and legitimate interests of the interested party, at least the right to
obtain human intervention from the controller, to express their point of view and to challenge the decision.

4. The decisions referred to in paragraph 2 shall not be based on the special categories of personal data
referred to in Article 9, paragraph 1, unless Article 9, paragraph 2, letter a) or g) is applied, and adequate measures
have been taken to safeguard the rights and freedoms and legitimate interests of the interested party.

Section 5

Limitations

Article 23

Limitations

1. The law of the Union or of the Member States that applies to the controller or processor
may limit, through legislative measures, the scope of the obligations and rights established in
Articles 12 to 22 and Article 34, as well as Article 5 to the extent that its provisions correspond to
the rights and obligations referred to in articles 12 to 22, when such limitation respects in essence the
fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to
safeguard:

a) State security;

b) the defense;

c) public safety;

d) the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties,
including protection against threats to public safety and its prevention;

e) other important objectives of general public interest of the Union or of a Member State, in particular an
important economic or financial interest of the Union or of a Member State, including in the tax,
budgetary and monetary fields, public health and social security;

f) protection of judicial independence and judicial proceedings;

g) prevention, investigation, detection and prosecution of breaches of deontological norms in the
regulated professions;

h) a supervision, inspection or regulation function linked, even occasionally, with the exercise of
public authority in the cases referred to in letters a) to e) and g);

i) the protection of the interested party or of the rights and freedoms of others;

j) the execution of civil lawsuits.

2. In particular, any legislative measure indicated in paragraph 1 shall contain at least, where appropriate,
specific provisions related to:

a) the purpose of the treatment or treatment categories;

b) the categories of personal data in question;

c) the scope of the established limitations;

d) guarantees to prevent illegal or abusive access or transfer;

e) the determination of the person responsible or categories of persons responsible;

f) the terms of conservation and the applicable guarantees given the nature, scope and objectives of the
treatment or treatment categories;

g) the risks to the rights and freedoms of the interested parties, and

h) the right of the interested parties to be informed about the limitation, except if it may be detrimental to its purposes.

CHAPTER IV

Person responsible for the treatment and person in charge of the treatment

Section 1

General Obligations

Article 24

Responsibility of the controller

1. Taking into account the nature, scope, context and purposes of the treatment as well as the risks of various
probability and seriousness for the rights and freedoms of natural persons, the person responsible for the treatment will apply
appropriate technical and organizational measures to ensure and be able to demonstrate that the treatment is in accordance with
this Regulation. These measures will be reviewed and updated when necessary.

2. Where proportionate in relation to treatment activities, the measures mentioned in
paragraph 1 will include the application, by the controller, of the appropriate data protection
policies.

3. Adherence to approved codes of conduct under article 40 or to an approved certification mechanism
under article 42 may be used as elements to demonstrate compliance with the obligations by
the person responsible for the treatment.

Article 25

Data protection by design and by default

1. Taking into account the state of the art, the cost of the application and the nature, scope, context and purpose of the
treatment, as well as the risks of varying probability and severity of treatment for rights and
freedoms of natural persons, the person responsible for the treatment will apply, both at the time of determining the means
of treatment as at the time of the treatment itself, appropriate technical and organizational measures, such as
pseudonymisation, designed to effectively apply the principles of data protection, such as minimization
of data, and integrate the necessary guarantees in the treatment, in order to meet the requirements of this Regulation and
protect the rights of interested parties.

2. The controller shall apply the appropriate technical and organizational measures with a view to ensuring that,
by default, only the personal data that are necessary for each of the specific purposes of the treatment are
processed. This obligation will apply to the amount of personal data collected, to the extent of their
treatment, their retention period and their accessibility. Such measures will ensure in particular that, by default,
personal data is not accessible, without the intervention of the person, to an undetermined number of natural
persons.

3. An approved certification mechanism may be used in accordance with Article 42 as an element that accredits the
compliance with the obligations established in sections 1 and 2 of this article.

Article 26

Co-responsible for the treatment

1. When two or more persons responsible jointly determine the objectives and means of treatment, they will be
considered co-responsible for the treatment. The co-responsible parties will determine, in a transparent way and by mutual
agreement, their respective responsibilities in fulfilling the obligations imposed by this Regulation,
in particular as regards the exercise of the rights of the interested party and their respective obligations to supply
the information referred to in articles 13 and 14, except, and to the extent that, their respective responsibilities
are governed by the law of the Union or of the Member States that applies to them. Said agreement may designate a
contact point for those interested.

2. The agreement indicated in paragraph 1 shall duly reflect the respective functions and relationships of the
co-responsible parties in relation to those interested. The essential aspects of the agreement will be made available to the interested party.

3. Regardless of the terms of the agreement referred to in paragraph 1, the interested parties may exercise the
rights recognized by this Regulation in respect of, and against, each of those responsible.

Article 27

Representatives of persons responsible or persons in charge of the treatment not established in the Union

1. When Article 3 (2) applies, the person responsible or the person in charge of the treatment shall designate
in writing a representative in the Union.

2. The obligation established in paragraph 1 of this article shall not apply:

a) to occasional treatment that does not include the large-scale handling of special categories of data indicated
in article 9, paragraph 1, or personal data relating to convictions and criminal offenses referred to in the
Article 10, and that it is unlikely to involve a risk to the rights and freedoms of natural persons,
taking into account the nature, context, scope and objectives of the treatment, or

b) to public authorities or bodies.

3. The representative shall be established in one of the Member States where the interested parties are located whose personal
data are treated in the context of an offer of goods or services, or whose behavior is being monitored.

4. The person responsible or the person in charge of the treatment will entrust the representative to attend, together with or
instead of the person responsible or the person in charge, to inquiries, in particular from control authorities and interested parties, on all
matters related to treatment, in order to ensure compliance with the provisions of this Regulation.

5. The appointment of a representative by the person responsible or the person in charge of the treatment will be understood without prejudice to
the actions that could be taken against the person responsible or the person in charge themselves.

Article 28

Person in charge of the treatment

1. When a treatment is to be carried out on behalf of a person responsible for the treatment, the latter will choose only a
person in charge who offers sufficient guarantees to apply appropriate technical and organizational measures, so that the
treatment is in accordance with the requirements of this Regulation and guarantees the protection of the rights of the
interested party.

2. The person in charge of the treatment will not resort to another person in charge without the prior written authorization, specific or
general, of the person responsible. In the latter case, the person in charge will inform the person responsible of any change foreseen in the
incorporation or replacement of other persons in charge, thus giving the person responsible the opportunity to oppose such changes.

3. The treatment by the person in charge will be governed by a contract or other legal act in accordance with Union law
or the law of the Member States, which binds the person in charge with respect to the person responsible and establishes the object, duration,
nature and purpose of the treatment, the type of personal data and categories of interested parties, and the obligations and
rights of the person responsible. Said contract or legal act shall stipulate, in particular, that the person in charge shall:

a) treat personal data only following documented instructions of the person responsible, including with respect
to transfers of personal data to a third country or an international organization, unless obliged to
do so under the law of the Union or of the Member States that applies to the person in charge; in that case,
the person in charge will inform the person responsible of that legal requirement prior to the treatment, unless such law prohibits it for
important reasons of public interest;

b) ensure that the persons authorized to process personal data have committed to respect
confidentiality or are subject to an obligation of confidentiality of a statutory nature;

c) take all necessary measures in accordance with article 32;

d) respect the conditions indicated in paragraphs 2 and 4 to resort to another person in charge of the treatment;

e) assist the person responsible, taking into account the nature of the treatment, through appropriate technical and organizational
measures, whenever possible, so that the latter can fulfill its obligation to respond to requests
whose purpose is the exercise of the rights of the interested parties established in chapter III;

f) help the person responsible to ensure compliance with the obligations set forth in articles 32 to 36,
taking into account the nature of the treatment and the information available to the person in charge;

g) at the election of the person responsible, delete or return all personal data once the provision of the
treatment services has ended, and delete existing copies unless retention of the personal data is required
under the law of the Union or of the Member States;

h) make available to the person responsible all the information necessary to demonstrate compliance with the
obligations established in this article, as well as allow and contribute to the performance of audits,
including inspections, by the person responsible or another auditor authorized by said person responsible.

In relation to the provisions of letter h) of the first paragraph, the person in charge shall immediately inform the person responsible if,
in its opinion, an instruction violates this Regulation or other provisions on data protection
of the Union or of the Member States.

4. When a person in charge of the treatment uses another person in charge to carry out certain treatment
activities on behalf of the person responsible, the same data protection obligations as those stipulated in the
contract or other legal act between the person responsible and the person in charge referred to in
paragraph 3 will be imposed on this other person in charge, by contract or other legal act
established under the law of the Union or of the Member States, in particular the provision of sufficient guarantees for the
application of appropriate technical and organizational measures so that the treatment is in accordance with the provisions of this Regulation. If that other
person in charge breaches its data protection obligations, the initial person in charge will remain fully responsible
before the person responsible for the treatment as regards the fulfillment of the obligations of the other person in charge.

5. The adhesion of the person in charge of the treatment to an approved code of conduct under article 40 or to a
certification mechanism approved under article 42 may be used as an element to demonstrate the
existence of sufficient guarantees referred to in sections 1 and 4 of this article.

6. Notwithstanding that the person responsible and the person in charge of the treatment conclude an individual contract, the contract or
other legal act referred to in paragraphs 3 and 4 of this article may be based, in whole or in part, on the
standard contractual clauses referred to in paragraphs 7 and 8 of this article, even when they are part of
a certification granted to the person responsible or the person in charge in accordance with articles 42 and 43.

7. The Commission may establish standard contractual clauses for the matters referred to in paragraphs 3 and 4 of
this article, in accordance with the examination procedure referred to in article 93, paragraph 2.

8. A supervisory authority may adopt standard contractual clauses for the matters referred to in
paragraphs 3 and 4 of this article, in accordance with the coherence mechanism referred to in Article 63.

9. The contract or other legal act referred to in paragraphs 3 and 4 shall be in writing, including in format
electronic.

10. Without prejudice to the provisions of articles 82, 83 and 84, if a person in charge of the processing infringes the present
Regulation when determining the purposes and means of treatment, will be held responsible for the treatment with respect
to said treatment.

Article 29

Treatment under the authority of the person responsible or in charge of the treatment

The person in charge of the treatment and any person who acts under the authority of the person responsible or of the person in charge and has
access to personal data may only process such data following the instructions of the person responsible, unless they are
obliged to do so under the law of the Union or of the Member States.

Article 30

Record of treatment activities

1. Each person responsible and, where appropriate, their representative will keep a record of the treatment activities carried out
under their responsibility. This record must contain all the information indicated below:

a) the name and contact details of the person responsible and, where appropriate, of the co-responsible party, of the representative of the
person responsible, and of the data protection delegate;

b) the purposes of the treatment;

c) a description of the categories of interested parties and the categories of personal data;

d) the categories of recipients to whom personal data were or will be communicated, including
recipients in third countries or international organizations;

e) where applicable, transfers of personal data to a third country or an international organization, including
identification of said third country or international organization and, in the case of transfers indicated in
Article 49, paragraph 1, second paragraph, the documentation of adequate guarantees;

f) when possible, the expected deadlines for deletion of the different categories of data;

g) whenever possible, a general description of the technical and organizational security measures referred to in the
Article 32, paragraph 1.

2. Each person in charge and, where appropriate, the representative of the person in charge, will keep a record of all categories of
treatment activities carried out on behalf of a person responsible, which contains:

a) the name and contact details of the person in charge or persons in charge and of each person responsible on whose behalf the
person in charge acts, and, where appropriate, of the representative of the person responsible or of the person in charge, and of the data protection delegate;

b) the categories of treatments carried out on behalf of each person responsible;

c) where applicable, transfers of personal data to a third country or international organization, including
identification of said third country or international organization and, in the case of transfers indicated in article 49,
paragraph 1, second paragraph, documentation of adequate guarantees;

d) whenever possible, a general description of the technical and organizational security measures referred to in the
Article 30, paragraph 1.

3. The records referred to in sections 1 and 2 shall be in writing, including in electronic format.

4. The person responsible or the person in charge of the treatment and, where appropriate, the representative of the person responsible or of the person in charge
will make the record available to the supervisory authority that requests it.

5. The obligations indicated in sections 1 and 2 shall not apply to any company or organization that employs
fewer than 250 people, unless the treatment it carries out may pose a risk to the rights and freedoms
of those interested, is not occasional, or includes special categories of personal data indicated in Article 9,
paragraph 1, or personal data relating to convictions and criminal offenses referred to in article 10.

Article 31

Cooperation with the supervisory authority

The person responsible and the person in charge of the treatment and, where appropriate, their representatives will cooperate with the supervisory authority
that requests it in the performance of its functions.

Section 2

Security of personal data

Article 32

Security of treatment

1. Taking into account the state of the art, the application costs, and the nature, scope, context and
purposes of treatment, as well as risks of variable probability and severity for the rights and freedoms of
natural persons, the person responsible and the person in charge of the treatment will apply appropriate technical and organizational measures to
guarantee a level of security appropriate to the risk, which may include, among others:

a) pseudonymisation and encryption of personal data;

b) the ability to guarantee the permanent confidentiality, integrity, availability and resilience of the systems and
treatment services;

c) the ability to restore availability and access to personal data quickly in the event of an incident
physical or technical;

d) a process of regular verification, evaluation and assessment of the effectiveness of technical and organizational measures
to ensure the safety of the treatment.

2. When assessing the adequacy of the security level, particular account shall be taken of the risks presented by the
data processing, in particular as a result of the accidental or unlawful destruction, loss or alteration of
personal data transmitted, preserved or otherwise processed, or unauthorized communication of or access to
such data.

3. Adherence to an approved code of conduct under article 40 or to a certification mechanism
approved under article 42 may serve as an element to demonstrate compliance with the requirements established
in section 1 of this article.

4. The person responsible and the person in charge of the treatment will take measures to ensure that any person acting
under the authority of the person responsible or of the person in charge and having access to personal data can only process said data
following the instructions of the person responsible, unless obliged to do so under the law of the Union or the
Member States.

Article 33

Notification of a violation of the security of personal data to the supervisory authority

1. In case of violation of the security of personal data, the data controller will notify the
competent supervisory authority in accordance with Article 55 without undue delay and, if possible, at the latest
72 hours after having become aware of it, unless it is unlikely that such a security breach
constitutes a risk for the rights and freedoms of natural persons. If notification to the supervisory authority
does not take place within 72 hours, it must be accompanied by an indication of the reasons for the delay.

2. The person in charge of the treatment shall notify the person responsible for the treatment without undue delay of the violations of the
security of personal data of which it has knowledge.

3. The notification referred to in paragraph 1 must, at a minimum:

a) describe the nature of the violation of the security of personal data, including, where possible, the
categories and the approximate number of interested parties affected, and the categories and the approximate number of records of
personal data affected;

b) communicate the name and contact details of the data protection delegate or other contact point in the
that more information can be obtained;

c) describe the possible consequences of the violation of the security of personal data;

d) describe the measures taken or proposed by the controller to remedy the violation of
the security of personal data, including, if appropriate, the measures taken to mitigate the possible negative
effects.

4. If it is not possible to provide the information simultaneously, and to the extent that it is not, the information will be
provided gradually without undue delay.

5. The data controller will document any breach of the security of personal data, including
the facts related to it, its effects and the corrective measures taken. Such documentation will allow the
supervisory authority to verify compliance with the provisions of this article.

Article 34

Communication of a violation of the security of personal data to the interested party

1. When the violation of the security of personal data is likely to pose a high risk to the
rights and freedoms of natural persons, the person responsible for the treatment will communicate it to the interested party without
undue delay.

2. The communication to the interested party referred to in section 1 of this article shall describe in clear and
simple language the nature of the violation of the security of personal data and will contain at least the information and
the measures referred to in article 33, paragraph 3, letters b), c) and d).

3. The communication to the interested party referred to in paragraph 1 will not be necessary if any of the
following conditions is met:

a) the person responsible for the treatment has adopted appropriate technical and organizational protection measures and these
measures have been applied to personal data affected by the violation of the security of personal data, in
particular those that make personal data unintelligible to anyone who is not authorized to
access them, such as encryption;

b) the person responsible for the treatment has taken further measures to ensure that there is no longer any likelihood that
the high risk for the rights and freedoms of the interested party referred to in paragraph 1 will materialize;

c) it would involve a disproportionate effort. In this case, a public communication or a
similar measure by which interested parties are informed equally effectively will be chosen instead.

4. When the person responsible has not yet communicated the violation of the security of personal data to the
interested party, the supervisory authority, once it has considered the probability that such violation involves a high risk,
may require the person responsible to do so or may decide that one of the conditions mentioned in section 3 is met.

Section 3

Impact assessment related to data protection and prior consultation

Article 35

Impact evaluation related to data protection

1. When it is likely that a type of treatment, particularly if it uses new technologies, by its nature,
scope, context or purposes, entails a high risk for the rights and freedoms of natural persons, the person responsible for
the treatment will carry out, before treatment, an evaluation of the impact of the treatment operations on
personal data protection. A single evaluation may address a series of similar treatment operations
that involve similar high risks.

2. The data controller will seek the advice of the data protection delegate, if one has been
named, when performing the impact assessment related to data protection.

3. The impact assessment related to the protection of the data referred to in paragraph 1 shall be required in
particular in case of:

a) systematic and exhaustive evaluation of personal aspects of natural persons based on automated
treatment, such as profiling, and on the basis of which decisions are made that produce legal
effects for natural persons or that significantly affect them in a similar way;

b) large-scale treatment of the special categories of data referred to in Article 9, paragraph 1, or of the personal
data related to convictions and criminal offenses referred to in article 10, or

c) large-scale systematic observation of a public access area.

4. The supervisory authority shall establish and publish a list of the types of treatment operations that require
an impact assessment related to data protection in accordance with paragraph 1. The supervisory authority
shall communicate these lists to the Committee referred to in article 68.

5. The supervisory authority may also establish and publish the list of types of treatment that do not require
impact assessments related to data protection. The supervisory authority shall communicate these lists to the Committee.

6. Before adopting the lists referred to in paragraphs 4 and 5, the competent supervisory authority shall apply the
coherence mechanism referred to in article 63 if those lists include treatment activities that are
related to the supply of goods or services to interested parties or to the observation of their behavior in several
Member States, or treatment activities that may substantially affect the free movement of personal
data in the Union.

7. The evaluation must include at least:

a) a systematic description of the planned treatment operations and the purposes of the treatment, including,
where appropriate, the legitimate interest pursued by the controller;

b) an assessment of the need and proportionality of treatment operations with respect to their purpose;

c) an assessment of the risks to the rights and freedoms of the interested parties referred to in paragraph 1, and

d) the measures envisaged to address the risks, including guarantees, security measures and mechanisms that
guarantee the protection of personal data, and to demonstrate compliance with this Regulation, taking into
account the legitimate rights and interests of the interested parties and other affected persons.

8. Compliance with the approved codes of conduct referred to in article 40 by the corresponding persons responsible or
persons in charge will be duly taken into account when assessing the impact of the treatment
operations carried out by those persons responsible or persons in charge, in particular for the purposes of the impact assessment related
to data protection.

9. When appropriate, the person responsible shall seek the opinion of the interested parties or their representatives in relation to the
planned treatment, without prejudice to the protection of public or commercial interests or the security of
treatment operations.

10. When the treatment in accordance with Article 6, paragraph 1, letters c) or e), has its legal basis in
Union law or in the law of the Member State that applies to the controller, such law
regulates the specific treatment operation or set of operations in question, and an
impact assessment related to data protection has already been carried out as part of a general impact assessment in the context
of the adoption of that legal basis, paragraphs 1 to 7 shall not apply unless Member States
consider it necessary to carry out this evaluation prior to the treatment activities.

11. If necessary, the person responsible will examine whether the treatment is in accordance with the impact assessment related to
data protection, at least when there is a change in the risk of processing operations.

Article 36

Prior consultation

1. The person responsible shall consult the supervisory authority before proceeding to the treatment when an evaluation of
impact on data protection under article 35 shows that the processing would entail a high
risk if the person responsible does not take measures to mitigate it.

2. When the supervisory authority considers that the intended treatment referred to in paragraph 1 could infringe
this Regulation, in particular when the person responsible has not sufficiently identified or mitigated the risk, the
supervisory authority shall, within eight weeks of requesting the consultation, advise in writing the person
responsible, and where appropriate the person in charge, and may use any of its powers mentioned in article 58. Said
term may be extended by six weeks, depending on the complexity of the planned treatment. The supervisory authority shall
inform the person responsible and, where appropriate, the person in charge of such extension within one month of receiving the
request for consultation, indicating the reasons for the delay. These deadlines may be suspended until the supervisory
authority has obtained the requested information for the purpose of the consultation.

3. When consulting the supervisory authority in accordance with paragraph 1, the controller shall provide the
following information:

a) where appropriate, the respective responsibilities of the person responsible, the co-responsible parties and the persons in charge involved in the
treatment, particularly in case of treatment within a business group;

b) the purposes and means of the planned treatment;

c) the measures and guarantees established to protect the rights and freedoms of the interested parties in accordance with the
this Regulation;

d) where appropriate, the contact data of the data protection delegate;

e) the impact assessment related to data protection established in Article 35, and

f) any other information requested by the supervisory authority.

4. Member States shall ensure that the supervisory authority is consulted during the preparation of any
proposal for a legislative measure to be adopted by a national Parliament, or of a regulatory measure based on
said legislative measure, which refers to the treatment.

5. Notwithstanding the provisions of paragraph 1, the law of the Member States may oblige those responsible
for the treatment to consult the supervisory authority and obtain its prior authorization in relation to the treatment
by a person responsible in the exercise of a mission carried out in the public interest, in particular the treatment in relation
to social protection and public health.

Section 4

Data Protection Delegate

Article 37

Designation of the data protection delegate

1. The person responsible and the person in charge of the treatment shall designate a data protection delegate whenever:

a) the treatment is carried out by a public authority or body, except the courts that act in the exercise of their
judicial function;

b) the main activities of the person responsible or of the person in charge consist of treatment operations that, because of
their nature, scope and / or purposes, require regular and systematic observation of interested parties on a large scale, or

c) the main activities of the person responsible or of the person in charge consist of the large-scale treatment of special
categories of personal data under article 9 and of data relating to convictions and criminal offenses to which
Article 10 refers.

2. A business group may appoint a single data protection delegate provided that the delegate is easily
accessible from each establishment.

3. When the person responsible or the person in charge of the treatment is a public authority or body, a single
data protection delegate may be designated for several of these authorities or bodies, taking into account their
organizational structure and size.

4. In cases other than those referred to in section 1, the person responsible or the person in charge of the treatment, or
associations and other organizations representing categories of persons responsible or in charge, may designate a data
protection delegate, or shall designate one if required by the law of the Union or of the Member States. The
data protection delegate may act on behalf of these associations and other organizations representing
persons responsible or in charge.

5. The data protection delegate will be appointed according to their professional qualities and, in particular, their
specialized knowledge of law and practice in data protection and their ability to
perform the functions indicated in article 39.

6. The data protection delegate may be part of the staff of the person responsible or the person in charge of the
treatment, or perform their functions within the framework of a service contract.

7. The person responsible or the person in charge of the treatment will publish the contact data of the data protection delegate
and communicate them to the supervisory authority.

Article 38

Position of the data protection delegate

1. The person responsible and the person in charge of the treatment will guarantee that the data protection delegate participates,
in an appropriate form and in a timely manner, in all matters relating to the protection of personal data.

2. The person responsible and the person in charge of the treatment will support the data protection delegate in the performance of
the functions mentioned in article 39, providing the resources necessary for the performance of said functions and
for access to personal data and processing operations, and for the maintenance of their specialized
knowledge.

3. The person responsible and the person in charge of the treatment will guarantee that the data protection delegate does not receive
any instruction regarding the performance of these functions. The delegate will not be dismissed or sanctioned by the
person responsible or the person in charge for performing their duties. The data protection delegate will report
directly to the highest hierarchical level of the person responsible or the person in charge.

4. Interested parties may contact the data protection delegate with regard to all
issues related to the processing of their personal data and the exercise of their rights under this
Regulation.

5. The data protection delegate will be obliged to maintain secrecy or confidentiality with regard to the
performance of their functions, in accordance with the law of the Union or of the Member States.

6. The data protection delegate may perform other functions and duties. The person responsible or in charge of
the treatment will ensure that these functions and tasks do not give rise to a conflict of interest.

Article 39

Functions of the data protection delegate

1. The data protection delegate will have at least the following functions:

a) inform and advise the person responsible or the person in charge of the treatment, and the employees who carry out the treatment,
of their obligations under this Regulation and other data protection provisions of
the Union or of the Member States;

b) supervise compliance with the provisions of this Regulation, with other data protection provisions
of the Union or of the Member States, and with the policies of the person responsible or of the person in charge of the treatment in matters
of protection of personal data, including the assignment of responsibilities, the awareness and training of
personnel involved in the processing operations, and the corresponding audits;

c) offer the advice requested on the impact assessment related to data protection and
monitor its application in accordance with article 35;

d) cooperate with the supervisory authority;

e) act as the contact point of the supervisory authority for issues related to treatment, including the
prior consultation referred to in article 36, and make inquiries, where appropriate, on any other matter.

2. The data protection delegate will perform their duties paying due attention to the risks associated
with treatment operations, taking into account the nature, scope, context and purposes of the treatment.

Section 5

Codes of conduct and certification

Article 40

Codes of conduct

1. Member States, control authorities, the Committee and the Commission shall promote the development of codes
of conduct intended to contribute to the correct application of this Regulation, taking into account the specific
characteristics of the different treatment sectors and the specific needs of microenterprises and
small and medium businesses.

2. Associations and other organizations representing categories of those responsible or in charge of treatment
may develop codes of conduct or modify or expand said codes in order to specify the application of
this Regulation, as regards:

a) fair and transparent treatment;

b) the legitimate interests pursued by those responsible for the treatment in specific contexts;

c) the collection of personal data;

d) pseudonymisation of personal data;

e) information provided to the public and interested parties;

f) the exercise of the rights of the interested parties;

g) the information provided to children and their protection, as well as how to obtain consent
of the holders of parental rights or guardianship over the child;

h) the measures and procedures referred to in articles 24 and 25 and the measures to ensure the safety of
treatment referred to in article 32;

i) notification of violations of the security of personal data to the control authorities and communication
of said violations to the interested parties;

j) the transfer of personal data to third countries or international organizations, or

k) extrajudicial procedures and other conflict resolution procedures that allow the resolution of
disputes between those responsible for the treatment and the interested parties in relation to the treatment, without prejudice to the
rights of interested parties under articles 77 and 79.

3. In addition to adherence by the persons responsible or in charge of the treatment to whom this
Regulation applies, persons responsible or in charge to whom this Regulation does not apply under Article 3 may
also adhere to codes of conduct approved in accordance with section 5 of this article and that
have general validity under section 9 of this article, in order to offer adequate guarantees within the framework of
transfers of personal data to third countries or international organizations under article 46,
section 2, letter e). Those persons responsible or in charge must assume binding and enforceable commitments, by
contractual means or through other legally binding instruments, to apply such appropriate guarantees, including
those related to the rights of the interested parties.

4. The code of conduct referred to in section 2 of this article shall contain mechanisms that allow the
body mentioned in article 41, paragraph 1, to carry out the mandatory control of compliance with its provisions
by those responsible or in charge of treatment who undertake to apply it, without prejudice to the functions
and the powers of the supervisory authorities that are competent under article 51 or 56.

5. The associations and other organizations mentioned in section 2 of this article that plan to develop a
code of conduct or modify or extend an existing code will present the draft code or the modification or
extension to the supervisory authority that is competent under article 55. The supervisory authority shall rule
on whether the draft code or the modification or extension is in accordance with this Regulation and will approve said
draft code, modification or extension if it considers the adequate guarantees offered sufficient.

6. If the draft code or the modification or extension is approved in accordance with section 5 and the
code of conduct in question does not refer to treatment activities in several Member States, the supervisory
authority will record and publish the code.

7. If a draft code of conduct is related to treatment activities in several Member States,
the supervisory authority that is competent under article 55 shall submit it, by the procedure mentioned in
Article 63, before its approval or modification or extension, to the Committee, which shall decide whether said
draft, modification or extension is in accordance with this Regulation or, in the situation indicated in
section 3 of this article, offers adequate guarantees.

8. If the opinion referred to in paragraph 7 confirms that the draft code or the modification or extension
complies with the provisions of this Regulation or, in the situation indicated in section 3, offers adequate guarantees,
the Committee shall submit its opinion to the Commission.

9. The Commission may, by means of implementing acts, decide that the code of conduct or the modification or extension
approved and submitted in accordance with paragraph 8 of this article have general validity within the Union.
Such implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93,
section 2.

10. The Commission will give adequate publicity to the approved codes whose general validity has been decided in
accordance with section 9.

11. The Committee shall file in a register all codes of conduct, modifications and extensions that are
approved, and will make them publicly available by any appropriate means.

Article 41

Supervision of approved codes of conduct

1. Without prejudice to the functions and powers of the competent supervisory authority under articles 57
and 58, compliance with a code of conduct under article 40 may be supervised by a body that has the
adequate level of expertise in relation to the object of the code and that has been accredited for that purpose by the
competent supervisory authority.

2. The body referred to in paragraph 1 may be accredited to monitor compliance with a code of
conduct if:

a) has demonstrated, to the satisfaction of the competent supervisory authority, its independence and expertise in relation to the
object of the code;

b) has established procedures that allow it to assess the suitability of the persons responsible and in charge
to apply the code, monitor compliance with its provisions and periodically examine its
application;

c) has established procedures and structures to deal with claims related to code violations or to the
way in which the code has been or is being applied by a person in charge or in charge of the treatment, and for
make such procedures and structures transparent to stakeholders and the public, and

d) has demonstrated, to the satisfaction of the competent supervisory authority, that its functions and tasks do not give rise to
conflict of interests.

3. The competent supervisory authority shall submit to the Committee, in accordance with the consistency mechanism referred to in
Article 63, the draft that establishes the accreditation criteria of a body referred to in section 1 of the
present article.

4. Without prejudice to the functions and powers of the competent supervisory authority and the provisions of
Chapter VIII, a body under paragraph 1 of this article shall, subject to adequate guarantees,
take appropriate measures in case of violation of the code by a person responsible or in charge of the treatment, including
the suspension or exclusion of the latter. It shall inform the competent supervisory authority of said measures and the
reasons for them.

5. The competent supervisory authority shall revoke the accreditation of a body under paragraph 1 if the
accreditation conditions are not met or have been disregarded, or if the action of said body violates
this Regulation.

6. This article will not apply to the treatment carried out by authorities and public bodies.

Article 42

Certification

1. Member States, control authorities, the Committee and the Commission shall promote, in particular at the level of the
Union, the creation of certification mechanisms for data protection and of data protection seals and marks
in order to demonstrate compliance with the provisions of this Regulation in the treatment
operations of those responsible and those in charge. The specific needs of microenterprises
and small and medium enterprises will be taken into account.

2. In addition to adherence by persons responsible or in charge of the treatment subject to this Regulation,
certification mechanisms, seals or data protection marks approved in accordance with
section 5 may be established in order to demonstrate the existence of adequate guarantees offered by persons responsible or in charge not
subject to this Regulation in accordance with Article 3, in the framework of transfers of personal data to third
countries or international organizations under article 46, paragraph 2, letter f). Those persons responsible or in charge
must assume binding and enforceable commitments, by contractual means or through other legally binding
instruments, to apply such appropriate guarantees, including those related to the rights of the interested parties.

3. The certification will be voluntary and will be available through a transparent process.

4. The certification referred to in this article shall not limit the responsibility of the person responsible or in charge of
treatment regarding compliance with this Regulation and shall be without prejudice to the functions and
powers of the supervisory authorities that are competent under article 55 or 56.

5. The certification under this article shall be issued by the certification bodies referred to in
Article 43 or by the competent supervisory authority, on the basis of the criteria approved by that authority in
accordance with article 58, paragraph 3, or by the Committee in accordance with article 63. When the criteria
are approved by the Committee, this may result in a common certification: the European Data Protection Seal.

6. The persons responsible or in charge who submit their treatment to the certification mechanism will give the certification
body mentioned in article 43, or where appropriate the competent control authority, all the information and
access to their treatment activities that it needs to carry out the certification procedure.

7. The certification will be issued to a person responsible or in charge of treatment for a maximum period of three years and
may be renewed under the same conditions, as long as the relevant requirements continue to be met. The
certification shall be withdrawn, where appropriate, by the certification bodies referred to in article 43 or, as the
case may be, by the competent supervisory authority, when the requirements for the
certification

8. The Committee shall file in a register all certification mechanisms and data protection seals and marks
and make them publicly available by any appropriate means.

Article 43

Certification body

1. Without prejudice to the functions and powers of the competent supervisory authority under Articles 57 and 58,
certification bodies that have an adequate level of data protection expertise shall issue and
renew the certifications once the supervisory authority is informed, so that it can exercise, if required,
its powers under article 58, paragraph 2, letter h). Member States shall ensure that such certification
bodies are accredited by the authority or body indicated below, or by both:

a) the supervisory authority that is competent under article 55 or 56;

b) the national accreditation body designated in accordance with Regulation (EC) No 765/2008 of the
European Parliament and of the Council ( 1 ) in accordance with EN ISO / IEC 17065/2012 and additional requirements
established by the supervisory authority that is competent under article 55 or 56.

2. The certification bodies mentioned in section 1 will only be accredited in accordance with
said section if:

a) have demonstrated, to the satisfaction of the competent supervisory authority, their independence and expertise in relation to
the purpose of the certification;

( 1 ) Regulation (EC) No 765/2008 of the European Parliament and of the Council, of July 9, 2008, laying down the requirements for
accreditation and market surveillance related to the marketing of products and repealing Regulation (EEC)
No 339/93 (OJ L 218, 13.8.2008, p. 30).

b) have undertaken to respect the criteria mentioned in article 42, paragraph 5, and approved by the
supervisory authority that is competent under article 55 or 56, or by the Committee in accordance with
article 63;

c) have established procedures for the issuance, periodic review and withdrawal of certifications, seals and
data protection marks;

d) have established procedures and structures to deal with claims related to certification violations or
to the way in which the certification has been or is being applied by a person responsible or in charge of the treatment,
and to make such procedures and structures transparent to stakeholders and the public, and

e) have demonstrated, to the satisfaction of the competent supervisory authority, that their functions and tasks do not give rise to
conflict of interests.

3. The accreditation of the certification bodies referred to in sections 1 and 2 of this article shall be
carried out on the basis of the criteria approved by the supervisory authority that is competent under
Article 55 or 56, or by the Committee in accordance with Article 63. In the case of accreditation in accordance with
paragraph 1, letter b), of this article, these requirements shall complement those referred to in Regulation (EC)
No 765/2008 and the technical standards that describe the methods and procedures of the certification bodies.

4. The certification bodies referred to in paragraph 1 shall be responsible for the correct evaluation for the purposes of
certification or withdrawal of certification, without prejudice to the responsibility of the person responsible or the person in charge of
treatment regarding compliance with this Regulation. The accreditation will be issued for a maximum period of
five years and may be renewed under the same conditions, provided that the certification body complies with the
requirements established in this article.

5. The certification bodies referred to in paragraph 1 shall notify the competent supervisory authorities
of the reasons for issuing the requested certification or for its withdrawal.

6. The supervisory authority shall make public the requirements referred to in section 3 of this article and the
criteria referred to in article 42, paragraph 5, in an easily accessible way. The supervisory authorities
shall also communicate these requirements and criteria to the Committee. The Committee will file all certification
mechanisms and data protection seals in a register and will make them publicly available by any appropriate means.

7. Notwithstanding the provisions of Chapter VIII, the competent supervisory authority or the national accreditation
body will revoke the accreditation of a certification body under paragraph 1 of this article if the
accreditation conditions are not met or have been disregarded, or if the performance of said certification
body violates this Regulation.

8. The Commission shall be empowered to adopt delegated acts, in accordance with Article 92, in order to specify
the conditions that must be taken into account for the certification mechanisms regarding data protection
referred to in article 42, paragraph 1.

9. The Commission may adopt implementing acts that establish technical standards for certification mechanisms
and data protection seals and marks, and mechanisms to promote and recognize such certification
mechanisms, seals and marks. Such implementing acts shall be adopted in accordance with the examination procedure
referred to in article 93, paragraph 2.

CHAPTER V

Transfers of personal data to third countries or international organizations

Article 44

General principle of transfers

Transfers of personal data that are subject to processing or will be after their transfer
to a third country or international organization will be made only if, subject to the other provisions of this Regulation, the
person responsible and the person in charge of the treatment fulfill the conditions established in this chapter, including those
concerning subsequent transfers of personal data from the third country or international organization to another third
country or other international organization. All the provisions of this chapter shall apply to ensure that the
level of protection of natural persons guaranteed by this Regulation is not impaired.

Article 45

Transfers based on an adequacy decision

1. A transfer of personal data may be made to a third country or international organization when the
Commission has decided that the third country, a territory or one or more specific sectors of that third country, or the
international organization in question guarantees an adequate level of protection. Such transfer will not require
any specific authorization.

2. In assessing the adequacy of the level of protection, the Commission shall take into account, in particular, the following
elements:

a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation,
both general and sectoral, including that related to public safety, defense, national security and
criminal legislation, and access by public authorities to personal data, as well as the application of such
legislation, data protection standards, professional standards and security measures, including
rules on subsequent transfers of personal data to another third country or international organization observed
in that country or international organization, jurisprudence, as well as the recognition, for the interested parties whose personal
data are being transferred, of effective and enforceable rights and of effective administrative and judicial
remedies;

b) the existence and effective functioning of one or more independent control authorities in the third country or
to which an international organization is subject, with the responsibility of guaranteeing and enforcing the standards
in terms of data protection, including appropriate enforcement powers, to assist and advise interested parties in
the exercise of their rights, and to cooperate with the supervisory authorities of the Union and of the Member States, and

c) the international commitments assumed by the third country or international organization in question, or other
obligations arising from legally binding agreements or instruments, as well as their participation in
multilateral or regional systems, in particular in relation to the protection of personal data.

3. The Commission, after assessing the adequacy of the level of protection, may decide, by means of an implementing
act, that a third country, a territory or one or several specific sectors of a third country, or an international
organization guarantees an adequate level of protection in accordance with the provisions of section 2 of this article.
The implementing act will establish a mechanism for periodic review, at least every four years, that takes into account
all relevant events in the third country or in the international organization. The implementing act will specify
its territorial and sectoral scope of application and, where appropriate, determine the control authority or authorities
referred to in section 2, letter b), of this article. The implementing act shall be adopted in accordance with the examination
procedure referred to in article 93, paragraph 2.

4. The Commission will continuously monitor events in third countries and international organizations
that may affect the effective application of decisions taken pursuant to paragraph 3 of this
Article and decisions taken on the basis of Article 25 (6) of Directive 95/46 / EC.

5. When the information available, in particular after the review referred to in section 3 of this article,
shows that a third country, a specific territory or sector of that third country, or an international organization no
longer guarantees an adequate level of protection under paragraph 2 of this article, the Commission shall, by means of
implementing acts, repeal, modify or suspend, to the extent necessary and without retroactive effect, the decision
referred to in section 3 of this article. Such implementing acts shall be adopted in accordance with the examination
procedure referred to in article 93, paragraph 2.

For duly justified imperative reasons of urgency, the Commission shall adopt immediately applicable implementing acts
in accordance with the procedure referred to in article 93, paragraph 3.

6. The Commission shall consult with the third country or international organization with a view to remedying the
situation that gives rise to the decision taken in accordance with paragraph 5.

7. Any decision in accordance with section 5 of this article shall be without prejudice to the transfers
of personal data to the third country, to a territory or one or several specific sectors of that third country, or to the
international organization concerned under articles 46 to 49.

8. The Commission shall publish in the Official Journal of the European Union and on its website a list of third countries,
specific territories and sectors in a third country, and international organizations for which it has decided
that an adequate level of protection is guaranteed, or is no longer guaranteed.

9. The decisions taken by the Commission under Article 25 (6) of Directive 95/46 / EC
will remain in force until they are modified, replaced or repealed by a decision of the Commission adopted
in accordance with sections 3 or 5 of this article.

Article 46

Transfers through adequate guarantees

1. In the absence of a decision in accordance with Article 45 (3), the person responsible or the person in charge of the processing may only
transmit personal data to a third country or international organization if it has offered adequate guarantees and on
condition that the interested parties have enforceable rights and effective legal actions.

2. Appropriate guarantees under section 1 may be provided, without requiring any express authorization
from a supervisory authority, by:

a) a legally binding and enforceable instrument between public authorities or bodies;

b) binding corporate standards in accordance with article 47;

c) standard data protection clauses adopted by the Commission in accordance with the examination procedure
referred to in article 93, paragraph 2;

d) standard data protection clauses adopted by a supervisory authority and approved by the Commission in
accordance with the examination procedure referred to in Article 93, paragraph 2;

e) a code of conduct approved in accordance with article 40, together with binding and enforceable commitments of the
person responsible or in charge of the treatment in the third country to apply adequate guarantees, including those relating to
the rights of the interested parties, or

f) a certification mechanism approved in accordance with Article 42, together with binding and enforceable commitments
of the person responsible or the person in charge of the treatment in the third country to apply adequate guarantees, including those relating to
the rights of the interested parties.

3. Provided that there is authorization from the competent control authority, the appropriate guarantees contemplated in
section 1 may also be provided, in particular, by:

a) contractual clauses between the person responsible or the person in charge and the person responsible, person in charge or recipient of the
personal data in the third country or international organization, or

b) provisions that are incorporated into administrative agreements between public authorities or bodies that
include effective and enforceable rights for those interested.

4. The supervisory authority shall apply the consistency mechanism referred to in Article 63 in the cases indicated
in section 3 of this article.

5. Authorizations granted by a Member State or a supervisory authority in accordance with
Article 26 (2) of Directive 95/46 / EC shall remain valid until they have been modified, replaced or
repealed, if necessary, by said supervisory authority. The decisions taken by the Commission under
Article 26 (4) of Directive 95/46 / EC shall remain in force until they are modified, replaced or
repealed, if necessary, by a Commission decision adopted in accordance with paragraph 2 of this
Article.

Article 47

Binding Corporate Rules

1. The competent supervisory authority shall approve binding corporate standards in accordance with the mechanism
of coherence established in article 63, provided that you are:

a) are legally binding and are applied and enforced by all the corresponding members of the business group
or the union of companies engaged in a joint economic activity, including its employees;

b) expressly confer upon the interested parties enforceable rights in relation to the processing of their personal data, and

c) meet the requirements set out in section 2.

2. The binding corporate standards mentioned in section 1 shall specify, as a minimum, the following
elements:

a) the structure and contact details of the business group or the union of companies engaged in a joint
economic activity and of each of its members;

b) transfers or sets of data transfers, including categories of personal data, the type of
treatments and their purposes, the type of interested parties affected and the name of the third country or countries in question;

c) its legally binding nature, both internally and externally;

d) the application of general principles regarding data protection, in particular the limitation of the purpose,
data minimization, limited storage periods, data quality, data protection
by design and by default, the basis of the treatment, the treatment of special categories of personal
data, measures aimed at guaranteeing data security and requirements with respect to onward
transfers to bodies not bound by binding corporate standards;

e) the rights of the interested parties in relation to the treatment and the means to exercise them, in particular the right
not to be subject to decisions based exclusively on automated processing, including the development of
profiles in accordance with the provisions of article 22, the right to file a claim with the competent
control authority and before the competent courts of the Member States in accordance with
Article 79, and the right to obtain reparation and, where appropriate, compensation for violation of the
binding corporate standards;

f) the acceptance by the person responsible or the person in charge of the treatment established in the territory of a Member
State of the responsibility for any violation of the binding corporate standards by any
member concerned not established in the Union; the person responsible or the person in charge will only be exonerated, totally or
partially, of said responsibility if it shows that the act that caused the damages is not attributable to
said member;

g) the way in which information on binding corporate standards is provided to interested parties, in particular
as regards the provisions referred to in letters d), e) and f) of this section, in addition to
Articles 13 and 14;

h) the functions of any data protection delegate designated in accordance with article 37, or of any
other person or entity responsible for monitoring compliance with binding corporate standards within
the business group or the union of companies engaged in a joint economic activity, as well as for the
supervision of the training and processing of claims;

i) claim procedures;

j) the mechanisms established within the business group or the union of companies engaged in a joint
economic activity to ensure verification of compliance with binding corporate standards. Such
mechanisms will include data protection audits and methods to ensure corrective actions to protect
the rights of the interested party. The results of such verification should be communicated to the person or entity
referred to in letter h) and to the board of directors of the company that controls a business group, or of the union
of companies engaged in a joint economic activity, and made available to the competent supervisory
authority on request;

k) the mechanisms established to communicate and record the changes introduced in the standards and to
notify these modifications to the supervisory authority;

l) the mechanism of cooperation with the supervisory authority to ensure compliance by any
member of the business group or of the union of companies engaged in a joint economic activity, in
particular by making available to the supervisory authority the results of the verifications of the measures
referred to in letter j);

m) the mechanisms to inform the competent supervisory authority of any legal requirement applicable in
a third country to a member of the business group or the union of companies engaged in a joint economic
activity that is likely to have an adverse effect on the guarantees established in the binding corporate
standards, and

n) training in data protection relevant to personnel who have permanent or regular access to personal
data.

3. The Commission may specify the format and procedures for the exchange of information between
persons responsible, persons in charge and control authorities in relation to binding corporate standards in accordance with
the provisions of this article. Such implementing acts shall be adopted in accordance with the examination procedure
referred to in article 93, paragraph 2.

Article 48

Transfers or communications not authorized by Union law

Any judgment of a court or decision of an administrative authority of a third country that requires
a person responsible or person in charge of the treatment to transfer or communicate personal data will only be recognized or
enforceable in any way if it is based on an international agreement, such as a mutual legal assistance treaty,
between the requesting third country and the Union or a Member State, without prejudice to other reasons for the transfer
under this chapter.

Article 49

Exceptions for specific situations

1. In the absence of an adequacy decision in accordance with article 45, paragraph 3, or of appropriate
guarantees in accordance with article 46, including binding corporate standards, a transfer or a
set of transfers of personal data to a third country or international organization will only be made if
it meets any of the following conditions:

a) the interested party has explicitly consented to the proposed transfer, after being informed of
the possible risks for him of such transfers due to the absence of an adequacy decision and guarantees
adequate;

b) the transfer is necessary for the execution of a contract between the interested party and the controller or
for the execution of pre-contractual measures adopted at the request of the interested party;

c) the transfer is necessary for the conclusion or execution of a contract, in the interest of the interested party, between the
person responsible for the treatment and another natural or legal person;

d) the transfer is necessary for important reasons of public interest;

e) the transfer is necessary for the formulation, exercise or defense of claims;

f) the transfer is necessary to protect the vital interests of the interested party or of other persons, when the
interested party is physically or legally unable to give consent;

g) the transfer is made from a public registry that, in accordance with the law of the Union or of the Member
States, is intended to provide information to the public and is open to consultation by the general public or by
any person who can prove a legitimate interest, but only to the extent that, in each particular
case, the conditions established by the law of the Union or of the Member States for consultation are met.

When a transfer cannot be based on provisions of articles 45 or 46, including provisions on binding corporate
standards, and none of the exceptions for specific situations referred to in the first paragraph of this section
apply, it can only be carried out if it is not repetitive, it only affects a limited number
of interested parties, it is necessary for the purposes of compelling legitimate interests pursued by the person responsible for the
treatment over which the interests or rights and freedoms of the interested party do not prevail, and the person responsible for the
treatment evaluated all the concurrent circumstances in the data transfer and, based on this evaluation,
offered appropriate guarantees regarding the protection of personal data. The controller will inform
the control authority of the transfer. In addition to the information referred to in articles 13 and 14, the
person responsible for the treatment will inform the interested party of the transfer and the compelling legitimate interests
pursued.

2. A transfer made in accordance with paragraph 1, first paragraph, letter g), shall not cover all
of the personal data or entire categories of personal data contained in the registry. If the purpose of the registry is
consultation by people who have a legitimate interest, the transfer will only be made at the request of said
people or if these are to be the recipients.

3. Paragraph 1, first paragraph, letters a), b) and c), and the second paragraph shall not apply to activities
carried out by public authorities in the exercise of their public powers.

4. The public interest referred to in paragraph 1, first paragraph, letter d), shall be recognized by the law of the
Union or of the Member State that applies to the controller.

5. In the absence of a decision confirming the adequacy of data protection, the law of the
Union or of the Member States may, for important reasons of public interest, expressly set limits to
the transfer of specific categories of data to a third country or international organization. Member States
shall notify the Commission of these provisions.

6. The person responsible or the person in charge of the treatment shall document in the records indicated in article 30 the
evaluation and appropriate guarantees referred to in paragraph 1, second paragraph, of this article.

Article 50

International cooperation in the field of personal data protection

In relation to third countries and international organizations, the Commission and the supervisory authorities
shall take appropriate measures to:

a) create international cooperation mechanisms that facilitate the effective application of legislation related to
personal data protection;

b) provide mutual assistance at international level in the application of legislation on the protection of
personal data, in particular by notification, the submission of claims, assistance in investigations
and the exchange of information, subject to adequate guarantees for the protection of personal
data and other fundamental rights and freedoms;

c) associate stakeholders in the field with discussions and activities aimed at strengthening international cooperation
in the application of legislation relating to the protection of personal data;

d) promote the exchange and documentation of legislation and practices on the protection of personal
data, including in matters of jurisdictional conflicts with third countries.

CHAPTER VI

Independent Control Authorities

Section 1

Independence

Article 51

Control authority

1. Each Member State shall establish that it is the responsibility of one or more independent public authorities
(hereinafter "supervisory authority") to supervise the application of this Regulation, in order to protect the rights and
the fundamental freedoms of natural persons with regard to treatment and to facilitate the free movement of
personal data in the Union.

2. Each supervisory authority shall contribute to the consistent application of this Regulation throughout the Union. To that
end, the supervisory authorities shall cooperate with each other and with the Commission in accordance with the provisions of Chapter VII.

3. When there are several control authorities in a Member State, it shall designate the control authority that
represent those authorities in the Committee, and establish the mechanism that guarantees compliance by others
authorities of the rules related to the coherence mechanism referred to in article 63.

4. Each Member State shall notify the Commission of the legal provisions it adopts in accordance with this
chapter no later than May 25, 2018 and, without delay, any subsequent modification affecting such
provisions.

Article 52

Independence

1. Each supervisory authority shall act with complete independence in the performance of its functions and in the exercise of
its powers in accordance with this Regulation.

2. The member or members of each supervisory authority shall remain free, in the performance of their duties and in the
exercise of their powers in accordance with this Regulation, from all external influence, whether direct or indirect,
and shall not request or admit any instruction.

3. The member or members of each supervisory authority shall refrain from any action that is incompatible
with their functions and shall not participate, during their term of office, in any professional activity that is incompatible,
paid or not.

4. Each Member State shall ensure that each supervisory authority has at all times the human,
technical and financial resources, as well as the premises and infrastructure, necessary for the effective fulfillment
of its functions and the exercise of its powers, including those to be exercised in the framework of mutual assistance,
cooperation and participation in the Committee.

5. Each Member State shall ensure that each supervisory authority elects and has its own staff, which shall be
subject to the exclusive authority of the member or members of the control authority concerned.

6. Each Member State shall ensure that each supervisory authority is subject to financial control that does not affect
its independence and that it has an annual, public and independent budget, which may be part of the
general budget of the State or of another national scope.

Article 53

General conditions applicable to members of the supervisory authority

1. Member States shall provide that each member of their supervisory authorities be appointed by means of a
transparent procedure by:

- its Parliament,

- its Government,

- its Head of State, or

- an independent body responsible for appointment under the law of the Member States.

2. Each member shall possess the degree, experience and skills, in particular in the field of protection of
personal data, necessary for the fulfillment of its functions and the exercise of its powers.

3. The members will terminate their functions in case of termination of the mandate, resignation or retirement
mandatory, in accordance with the law of the Member State concerned.

4. A member will be dismissed only in case of serious irregular conduct or if he fails to meet the conditions
required in the performance of their duties.

Article 54

Rules concerning the establishment of the supervisory authority

1. Each Member State shall establish by law all the elements indicated below:

a) the establishment of each supervisory authority;

b) the qualifications and conditions of suitability necessary to be appointed a member of each supervisory authority;

c) the rules and procedures for the appointment of the member or members of each supervisory authority;

d) the term of office of the member or members of each supervisory authority, not less than four years, except
the first appointment after May 24, 2016, part of which may be shorter when necessary
to protect the independence of the supervisory authority through a staggered appointment
procedure;

e) the renewable or non-renewable nature of the mandate of the member or members of each supervisory authority and, where appropriate, the
number of times it can be renewed;

f) the conditions governing the obligations of the member or members and staff of each control
authority, prohibitions related to actions, occupations and benefits incompatible with the position during the
mandate and after it, and the rules governing the termination of employment.

2. The member or members and staff of each supervisory authority shall be subject, in accordance with the
law of the Union or of the Member States, to the duty of professional secrecy, both during their term and
after it, in relation to the confidential information of which they had knowledge in the
fulfillment of their functions or the exercise of their powers. During their term, said duty of professional secrecy shall
apply in particular to information received from natural persons in relation to violations of this Regulation.

Section 2

Competence, functions and powers

Article 55

Competence

1. Each supervisory authority shall be competent to perform the functions assigned to it and exercise the powers
conferred on it in accordance with this Regulation in the territory of its Member State.

2. When the treatment is carried out by public authorities or by private bodies acting in accordance
with Article 6, paragraph 1, letters c) or e), the supervisory authority of the Member State concerned shall be competent.
Article 56 shall not apply in such cases.

3. The control authorities shall not be competent to control the processing operations carried out by the
courts in the exercise of their judicial function.

Article 56

Competence of the main supervisory authority

1. Without prejudice to the provisions of Article 55, the supervisory authority of the main establishment or the sole
establishment of the person responsible or the person in charge of the treatment will be competent to act as the main
supervisory authority for the cross-border treatment carried out by said person responsible or person in charge according to
the procedure established in article 60.

2. Notwithstanding the provisions of paragraph 1, each supervisory authority shall be competent to handle a claim
that is presented to it or a possible violation of this Regulation, if it refers only to an
establishment located in its Member State or only substantially affects interested parties in its Member
State.

3. In the cases referred to in paragraph 2 of this article, the supervisory authority shall promptly inform the
main control authority in that regard. Within three weeks after being informed, the main
control authority will decide whether or not to treat the case in accordance with the procedure established in Article 60,
bearing in mind whether there is an establishment of the person responsible or person in charge of the treatment in the Member State of the
control authority that informed it.

4. In case the main control authority decides to deal with the case, the procedure established in
Article 60 shall apply. The supervisory authority that has informed the principal supervisory authority may submit a
draft decision. The main supervisory authority shall take such draft into account to the greatest extent possible when
preparing the draft decision referred to in article 60, paragraph 3.

5. In case the main control authority decides not to deal with the case, the control authority that has
informed it will treat the case according to articles 61 and 62.

6. The main supervisory authority shall be the sole interlocutor of the person responsible or of the person in charge of the
treatment for the cross-border treatment carried out by said person responsible or person in charge.

Article 57

Functions

1. Without prejudice to other functions under this Regulation, it is incumbent upon each supervisory authority, in its
territory:

a) monitor the application of this Regulation and enforce it;

b) promote public awareness and understanding of the risks, standards, guarantees and rights in relation to
the treatment. Activities aimed specifically at children should be given special attention;

c) advise, in accordance with the law of the Member States, the national Parliament, the Government and other institutions
and bodies on legislative and administrative measures related to the protection of the rights and freedoms of
natural persons with respect to treatment;

d) promote the sensitization of those responsible and in charge of the treatment about their
obligations under this Regulation;

e) upon request, provide information to any interested party in relation to the exercise of their rights under
this Regulation and, where appropriate, cooperate to that end with the supervisory authorities of other Member States;

f) handle claims submitted by an interested party or by a body, organization or association in
accordance with article 80, and investigate, as appropriate, the reason for the claim and inform the
complainant about the course and the result of the investigation within a reasonable period of time, in particular if
new investigations or closer coordination with another supervisory authority are necessary;

g) cooperate, in particular by sharing information, with other control authorities and provide mutual assistance
in order to ensure consistency in the application and execution of this Regulation;

h) carry out investigations on the application of this Regulation, in particular based on information
received from another supervisory authority or other public authority;

i) track changes of interest, to the extent that they have an impact on the protection of
personal data, in particular the development of information and communication technologies and commercial
practices;

j) adopt the standard contractual clauses referred to in article 28, paragraph 8, and article 46, paragraph 2,
letter d);

k) develop and maintain a list related to the requirement of the impact assessment related to data protection,
under article 35, paragraph 4;

l) offer advice on the treatment operations referred to in Article 36, paragraph 2;

m) encourage the development of codes of conduct in accordance with article 40, paragraph 1, and rule on and approve
codes of conduct that provide sufficient guarantees under article 40, paragraph 5;

n) encourage the creation of data protection certification mechanisms and of data protection seals and
marks in accordance with article 42, paragraph 1, and approve the certification criteria in accordance with
Article 42, paragraph 5;

o) carry out, if appropriate, a periodic review of the certifications issued under article 42, paragraph 7;

p) develop and publish the criteria for the accreditation of supervisory bodies for codes of conduct
under article 41 and certification bodies under article 43;

q) carry out the accreditation of supervisory bodies for codes of conduct in accordance with article 41 and
certification bodies under article 43;

r) authorize the contractual clauses and provisions referred to in article 46, paragraph 3;

s) approve binding corporate standards in accordance with the provisions of article 47;

t) contribute to the activities of the Committee;

u) keep internal records of violations of this Regulation and of the measures taken in accordance with
Article 58, paragraph 2, and

v) perform any other function related to the protection of personal data.

2. Each supervisory authority shall facilitate the presentation of the claims referred to in paragraph 1, letter f),
through measures such as a complaint submission form that can also be completed by
electronic media, not excluding other media.

3. The performance of the functions of each supervisory authority will be free for the interested party and, where appropriate, for the
data protection delegate.

4. When the requests are manifestly unfounded or excessive, especially due to their repetitive nature,
the supervisory authority may establish a reasonable fee based on administrative costs or refuse to act
regarding the request. The burden of demonstrating the manifestly unfounded or excessive nature of the request will fall
on the supervisory authority.

Article 58

Powers

1. Each supervisory authority shall have all the investigative powers indicated below:

a) order the person responsible and the person in charge of the treatment and, where appropriate, the representative of the person responsible or the person in charge,
to provide any information that is required for the performance of its duties;

b) carry out investigations in the form of data protection audits;

c) carry out a review of the certifications issued under article 42, paragraph 7;

d) notify the person responsible or the person in charge of the treatment of the alleged violations of this Regulation;

e) obtain from the person responsible and the person in charge of the treatment access to all personal data and all
information necessary for the exercise of its functions;

f) obtain access to all the premises of the person responsible and the person in charge of the treatment, including any equipment and
means of data processing, in accordance with the procedural law of the Union or of the Member States.

2. Each supervisory authority shall have all the corrective powers indicated below:

a) sanction any person responsible or person in charge of the treatment with a warning when the planned
treatment operations may violate the provisions of this Regulation;

b) sanction any person responsible or person in charge of the treatment with a warning when the treatment operations
have violated the provisions of this Regulation;

c) order the person responsible or person in charge of the treatment to respond to the requests to exercise the rights of the
interested party under this Regulation;

d) order the person responsible or person in charge of the treatment to bring the treatment operations into compliance with the provisions
of this Regulation, where appropriate, in a certain way and within a specified period;

e) order the data controller to inform the interested party of breaches of the security of personal
data;

f) impose a temporary or definitive limitation of treatment, including its prohibition;

g) order the rectification or deletion of personal data or the limitation of processing in accordance with articles 16,
17 and 18 and the notification of said measures to the recipients to whom personal data has been communicated
in accordance with article 17, paragraph 2, and article 19;

h) withdraw a certification or order the certification body to withdraw a certification issued in accordance with
Articles 42 and 43, or order the certification body not to issue a certification if the requirements for
certification are not met or are no longer met;

i) impose an administrative fine in accordance with Article 83, in addition to or in lieu of the measures mentioned in
this section, according to the circumstances of each particular case;

j) order the suspension of data flows to a recipient located in a third country or to an international
organization.

3. Each supervisory authority shall have all the authorization and advisory powers indicated below:

a) advise the person responsible for the treatment in accordance with the prior consultation procedure referred to in article 36;

b) issue, on its own initiative or upon request, opinions addressed to the national Parliament, to the Government of the Member
State or, in accordance with the law of the Member States, to other institutions and bodies, as well as to the public,
on any matter related to the protection of personal data;

c) authorize the treatment referred to in Article 36 (5), if the law of the Member State requires such
prior authorization;

d) issue an opinion and approve draft codes of conduct in accordance with the provisions of article 40,
section 5;

e) accredit certification bodies in accordance with article 43;

f) issue certifications and approve certification criteria in accordance with article 42, paragraph 5;

g) adopt the standard data protection clauses referred to in article 28, paragraph 8, and article 46,
paragraph 2, letter d);

h) authorize the contractual clauses indicated in article 46, paragraph 3, letter a);

i) authorize the administrative agreements referred to in article 46, paragraph 3, letter b);

j) approve binding corporate standards in accordance with the provisions of article 47.

4. The exercise of powers conferred on the supervisory authority under this article shall be subject to
adequate guarantees, including effective judicial protection and respect for procedural guarantees, established in the law
of the Union and of the Member States in accordance with the Charter.

5. Each Member State shall provide by law that its supervisory authority is empowered to inform
the judicial authorities of infringements of this Regulation and, if appropriate, to initiate or otherwise exercise
legal actions, in order to enforce what is provided therein.

6. Each Member State may establish by law that its supervisory authority has other powers in addition to those
indicated in sections 1, 2 and 3. The exercise of said powers shall not be an obstacle to the effective application of
Chapter VII.

Article 59

Activity report

Each supervisory authority will prepare an annual report of its activities, which may include a list of types of
notified infringements and types of measures taken in accordance with article 58, paragraph 2. The reports shall be
transmitted to the national Parliament, the Government and the other authorities designated under the law of the
Member States. They will be made available to the public, the Commission and the Committee.

CHAPTER VII

Cooperation and coherence

Section 1

Cooperation and coherence

Article 60

Cooperation between the main control authority and the other control authorities concerned

1. The main control authority shall cooperate with the other control authorities concerned in accordance with
this article, striving to reach a consensus. The main control authority and the control authorities
concerned shall exchange all relevant information.

2. The main supervisory authority may at any time request the other control authorities concerned
to provide mutual assistance under article 61, and may carry out joint operations in accordance with
Article 62, in particular to conduct investigations or supervise the application of a measure concerning a person responsible
or a person in charge of the treatment established in another Member State.

3. The main supervisory authority shall notify the other control authorities concerned without delay of the
relevant information in this regard. It shall forward without delay a draft decision to the other control
authorities concerned to obtain their opinion in this regard and will take due account of their views.

4. In the event that any of the control authorities concerned formulates a relevant and motivated objection
to the draft decision within four weeks of the consultation pursuant to paragraph 3 of
this article, the main supervisory authority will submit the matter, if it does not follow the relevant and
motivated objection or considers that such objection is not relevant or not motivated, to the coherence mechanism
referred to in article 63.

5. In the event that the main supervisory authority intends to follow the relevant and motivated objection
received, it shall submit a revised draft decision to the other control authorities concerned for their opinion.
That revised draft decision will be subject to the procedure indicated in section 4 within two weeks.

6. In the event that no other control authority concerned has objected to the draft decision
transmitted by the main supervisory authority within the period indicated in paragraphs 4 and 5, the
principal control authority and the control authorities concerned agree with that draft decision
and will be bound by it.

7. The main supervisory authority shall adopt and notify the decision to the main establishment or sole
establishment of the person responsible or the person in charge of the treatment, as appropriate, and will inform the
control authorities concerned and the Committee, including a summary of the relevant facts and motivation. The
control authority before which a claim has been submitted will inform the claimant of the decision.

8. Notwithstanding the provisions of paragraph 7, when a claim is dismissed or rejected, the supervisory authority
before which it has been presented will adopt the decision, notify the claimant and inform the person responsible for the
treatment.

9. In case the main control authority and the control authorities concerned agree to dismiss or
reject certain parts of a claim and deal with other parts of it, a separate decision will be taken for
each of those parts of the matter. The main supervisory authority shall adopt the decision regarding the part concerning
actions in relation to the controller, will notify it to the main establishment or the sole establishment
of the person responsible or the person in charge in the territory of its Member State, and shall inform the complainant thereof,
while the claimant's supervisory authority will take the decision regarding the part concerning the dismissal
or rejection of said claim, notify it to said claimant and inform the person responsible or the person in charge thereof.

10. After receiving notification of the decision of the main supervisory authority in accordance with paragraphs 7 and 9,
the person responsible or the person in charge of the treatment will take the necessary measures to guarantee compliance with the
decision regarding treatment activities in the context of all its establishments in the Union.
The person responsible or the person in charge shall notify the measures taken to comply with said decision to the
main control authority, which in turn will inform the control authorities concerned.


11. In exceptional circumstances, when a control authority concerned has reason to consider that
it is urgent to intervene to protect the interests of the interested parties, the urgent procedure referred to in
Article 66 shall apply.

12. The principal control authority and the other control authorities concerned shall provide each other with the
information required under this article by electronic means, using a standardized form.

Article 61

Mutual assistance

1. The supervisory authorities shall provide each other with useful information and mutual assistance in order to apply this
Regulation in a consistent manner, and will take measures to ensure effective cooperation between them. Mutual
assistance will cover, in particular, requests for information and control measures, such as requests to
carry out prior authorizations and consultations, inspections and investigations.

2. Each supervisory authority shall take all appropriate measures required to respond to a request from another
supervisory authority without undue delay and at the latest within one month of the request. Such measures
may include, in particular, the transmission of relevant information on the development of an investigation.

3. Requests for assistance must contain all necessary information, including the
purpose of and reasons for the request. The information that is exchanged will be used only for the purpose for which
it has been requested.

4. The required supervisory authority may not refuse to respond to a request, unless:

a) is not competent in relation to the object of the request or to the measures whose execution is requested, or

b) responding to the request would violate this Regulation or the law of the Union or of the States
members that apply to the supervisory authority to which the request was directed.

5. The requested control authority shall inform the requesting control authority of the results obtained or, as
the case may be, of the progress made or the measures taken to respond to its request. The requested supervisory
authority will explain the reasons for any refusal to respond to a request under paragraph 4.

6. As a general rule, the required control authorities shall provide the information requested by other
control authorities by electronic means, using a standardized format.

7. The required control authorities will not charge any fee for the measures taken following a request for
mutual assistance. Control authorities may agree on reciprocal compensation rules for specific expenses
derived from the provision of mutual assistance in exceptional circumstances.

8. When a supervisory authority does not provide the information mentioned in section 5 of this article
within one month of receiving the request from another supervisory authority, the requesting supervisory
authority may adopt a provisional measure in the territory of its Member State in accordance with
Article 55, paragraph 1. In that case, the urgent need referred to in
Article 66, paragraph 1, shall be presumed, which requires an urgent and binding decision of the Committee under article 66, paragraph 2.

9. The Commission may, by means of implementing acts, specify the format and procedures for mutual assistance
referred to in this article, as well as the modalities for the exchange of information by electronic means
between the control authorities and between the control authorities and the Committee, especially the standardized format
mentioned in section 6 of this article. Such implementing acts shall be adopted in accordance with the examination
procedure referred to in article 93, paragraph 2.

Article 62

Joint operations of control authorities

1. The control authorities shall, where appropriate, carry out joint operations, including joint investigations and
joint enforcement measures, involving members or staff of the control authorities of other
Member States.


2. If the person responsible or the person in charge of the treatment has establishments in several Member States or if
a significant number of interested parties in more than one Member State are likely to be substantially affected
by the processing operations, a control authority of each of those Member States shall have the right to
participate in joint operations. The supervisory authority that is competent under Article 56, paragraphs 1
or 4, shall invite the supervisory authority of each of these Member States to participate in the joint
operations and will respond without delay to the request for participation submitted by a supervisory authority.

3. A supervisory authority may, in accordance with the law of its Member State and with the authorization of the
origin control authority, confer powers, including investigative powers, on members or staff of the
origin control authority participating in joint operations, or accept, to the extent permitted by the
law of the Member State of the host control authority, that the members or staff of the
origin control authority exercise their investigative powers in accordance with the law of the Member State of the
origin control authority. Such investigative powers may only be exercised under the guidance and in the presence
of members or staff of the host control authority. Members or staff of the origin control
authority will be subject to the law of the Member State of the host control authority.

4. When, in accordance with paragraph 1, personnel of the origin control authority participate in operations
in another Member State, the Member State of the host control authority shall assume responsibility,
in accordance with the law of the Member State in whose territory the operations are carried out, for damages
that said personnel have caused in the course of them.

5. The Member State in whose territory the damages were caused shall repair them under the conditions
applicable to damages caused by its own staff. The Member State of the origin control
authority whose personnel have caused damages to any person in the territory of another Member State
will fully refund the amounts that the latter has paid to the beneficiaries.

6. Without prejudice to the exercise of their rights vis-à-vis third parties and in view of the exception established in
paragraph 5, Member States shall waive, in the case referred to in paragraph 1, any request to another Member
State for reimbursement of the amount of damages mentioned in section 4.

7. When a joint operation is foreseen and a supervisory authority does not comply with the
obligation established in section 2, second sentence, of this article, the other control authorities may
adopt a provisional measure in the territory of their Member State in accordance with Article 55. In that case,
the existence of an urgent need shall be presumed pursuant to Article 66, paragraph 1, and an opinion or
urgent binding decision of the Committee under article 66, paragraph 2, shall be required.

Section 2

Coherence

Article 63

Coherence mechanism

In order to contribute to the consistent application of this Regulation throughout the Union, the supervisory authorities
shall cooperate with each other and, where appropriate, with the Commission, within the framework of the coherence mechanism established in this
section.

Article 64

Committee opinion

1. The Committee shall issue an opinion whenever a competent supervisory authority plans to adopt any of the
measures listed below. To this end, the competent control authority shall communicate the draft decision to the
Committee, when the decision:

a) is intended to adopt a list of treatment operations subject to the evaluation requirement of
impact on data protection in accordance with article 35, paragraph 4;

b) affects a matter in accordance with Article 40, paragraph 7, whose purpose is to determine whether a draft
code of conduct or a modification or extension of a code of conduct is in accordance with this
Regulation;


c) is intended to approve the criteria applicable to the accreditation of an agency in accordance with Article 41,
paragraph 3, or a certification body in accordance with article 43, paragraph 3;

d) is intended to determine the type of data protection clauses referred to in Article 46, paragraph 2,
letter d), and article 28, paragraph 8;

e) is intended to authorize the contractual clauses referred to in article 46, paragraph 3, letter a);

f) is aimed at the approval of binding corporate norms under article 47.

2. Any supervisory authority, the Chairman of the Committee or the Commission may request that any matter of
general application or having effect in more than one Member State be examined by the Committee for the purposes of an opinion,
in particular when a competent supervisory authority breaches the obligations regarding mutual assistance
under article 61 or joint operations under article 62.

3. In the cases referred to in paragraphs 1 and 2, the Committee shall issue an opinion on the matter that has been
submitted provided that it has not already issued an opinion on the same matter. This opinion shall be adopted
within eight weeks by simple majority of the members of the Committee. This period may be extended by a further six
weeks, considering the complexity of the matter. As regards the draft decision referred to in
paragraph 1 and distributed to the members of the Committee under paragraph 5, any member who has not submitted
objections within a reasonable period indicated by the president will be considered to agree with the draft
decision.

4. The supervisory authorities and the Commission shall notify the Committee without delay electronically, using a
standardized format, all useful information, in particular, where appropriate, a summary of the facts, the draft
decision, the reasons why such a measure is necessary, and the opinions of other control authorities concerned.

5. The Presidency of the Committee shall inform without undue delay by electronic means:

a) the members of the Committee and the Commission of any relevant information that has been communicated to it,
using a standardized format. The secretariat of the Committee shall provide, if necessary, translations of the
relevant information, and

b) the supervisory authority referred to, where appropriate, in paragraphs 1 and 2 and the Commission of the opinion, and
will publish it.

6. The competent supervisory authority shall not adopt its draft decision within the meaning of paragraph 1 within the period
mentioned in section 3.

7. The supervisory authority referred to in Article 1 shall take into account to the greatest extent possible the opinion of the
Committee and, within two weeks of receiving the opinion, will communicate electronically to the president
of the Committee if it will maintain or modify its draft decision and, if any, the modified draft decision,
using a standardized format.

8. When the control authority concerned informs the Chairman of the Committee, within the period mentioned in
paragraph 7 of this article, that it does not intend to follow the Committee's opinion, in whole or in part, stating the
corresponding reasons, Article 65, paragraph 1 shall apply.

Article 65

Resolution of conflicts by the Committee

1. In order to ensure a correct and consistent application of this Regulation in specific cases, the Committee
shall take a binding decision in the following cases:

a) when, in a case mentioned in Article 60, paragraph 4, an interested supervisory authority has stated
a pertinent and motivated objection to a draft decision of the principal authority, or the principal authority has rejected said
objection for not being relevant or not motivated. The binding decision will affect all matters to which
the relevant and motivated objection refers, in particular if there is a violation of this Regulation;


b) when there are conflicting views on which of the control authorities concerned is competent for the
main establishment;

c) when a competent supervisory authority does not request an opinion from the Committee in the cases referred to in
Article 64, paragraph 1, or does not follow the opinion of the Committee issued under article 64. In that case, any
interested supervisory authority, or the Commission, shall inform the Committee.

2. The decision referred to in paragraph 1 shall be taken within one month of the referral of the matter, by
majority of two thirds of the members of the Committee. This period may be extended for another month, taking into account the
complexity of the matter. The decision mentioned in paragraph 1 will be motivated and will be addressed to the principal
supervisory authority and all interested control authorities, and will be binding on them.

3. When the Committee has not been able to take a decision within the deadlines mentioned in paragraph 2, it shall adopt its
decision within two weeks after the expiration of the second month referred to in paragraph 2, by simple
majority of its members. In case of a tie, the president's vote will decide.

4. The control authorities concerned shall not take any decision on the matter presented to the Committee
under paragraph 1 during the time periods referred to in paragraphs 2 and 3.

5. The chairman of the Committee shall notify the decision referred to in paragraph 1 without undue delay to the control
authorities concerned. It will also inform the Commission thereof. The decision will be published on the Committee's website without
delay, once the supervisory authority has notified the final decision referred to in paragraph 6.

6. The main supervisory authority or, where appropriate, the supervisory authority with which the claim was filed
shall adopt its final decision on the basis of the decision referred to in paragraph 1 of this article, without
undue delay and at the latest one month after notification of the decision of the Committee. The main control authority
or, where appropriate, the supervisory authority with which the claim was filed will inform the Committee of the date of
notification of its final decision to the person responsible or to the person in charge of the treatment and to the interested party, respectively. The
final decision of the control authorities concerned shall be taken in the terms established in Article 60,
sections 7, 8 and 9. The final decision shall refer to the decision referred to in paragraph 1 of this article
and specify that the latter decision will be published on the Committee's website in accordance with paragraph 5 of this
article. The final decision shall include the decision referred to in section 1 of this article.

Article 66

Emergency procedure

1. In exceptional circumstances, when an interested control authority considers that it is urgent to intervene
to protect the rights and freedoms of interested parties, it may, as an exception to the coherence mechanism
referred to in articles 63, 64 and 65, or to the procedure mentioned in article 60, immediately adopt
provisional measures intended to produce legal effects in its own territory, with a specified period of
validity that may not exceed three months. The supervisory authority shall communicate such measures without delay,
together with the reasons for their adoption, to the other control authorities concerned, the Committee and the Commission.

2. When a supervisory authority has adopted a measure in accordance with paragraph 1, and considers that
definitive measures must be taken urgently, it may request an urgent opinion or an urgent binding
decision of the Committee, motivating said request for an opinion or decision.

3. Any supervisory authority may request, motivating its request, and, in particular, the urgency of the
intervention, an urgent opinion or an urgent binding decision, as the case may be, of the Committee, when a competent
control authority has not taken appropriate action in a situation where it is urgent to intervene in order to
protect the rights and freedoms of the interested parties.

4. Notwithstanding the provisions of article 64, paragraph 3, and article 65, paragraph 2, urgent opinions or
urgent binding decisions referred to in paragraphs 2 and 3 of this article shall be taken within the period of
two weeks by simple majority of the members of the Committee.


Article 67

Exchange of information

The Commission may adopt general implementing acts to specify the modalities for the exchange of
information by electronic means between the supervisory authorities, and between said authorities and the Committee, especially
the standardized format referred to in article 64.

Such implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93,
section 2.

Section 3

European data protection committee

Article 68

European Data Protection Committee

1. The European Data Protection Committee ('Committee') is established as a body of the Union, which will enjoy
legal personality.

2. The Committee will be represented by its president.

3. The Committee shall consist of the director of a supervisory authority of each Member State and the
European Data Protection Supervisor or their respective representatives.

4. When several control authorities are responsible in a Member State for monitoring the application of the
provisions of this Regulation, a common representative will be appointed in accordance with the law of
that Member State.

5. The Commission shall have the right to participate in the activities and meetings of the Committee, without the right to vote. The
Commission will appoint a representative. The Chairman of the Committee shall communicate to the Commission the activities of the Committee.

6. In the cases referred to in Article 65, the European Data Protection Supervisor shall only be entitled to
vote in decisions regarding the principles and norms applicable to the institutions, bodies and agencies of the
Union which correspond in substance to those contemplated in this Regulation.


Article 69

Independence

1. The Committee will act with complete independence in the performance of its functions or the exercise of its powers
in accordance with articles 70 and 71.

2. Without prejudice to the Commission's requests referred to in Article 70, paragraph 1, letter b), and paragraph 2, the
Committee will not request or admit instructions from anyone in the performance of its duties or the exercise of its
powers.

Article 70

Committee Functions

1. The Committee shall ensure the consistent application of this Regulation. To this end, the Committee, on its own initiative
or, where appropriate, at the request of the Commission, shall in particular:

a) supervise and guarantee the correct application of this Regulation in the cases referred to in the
Articles 64 and 65, without prejudice to the functions of national control authorities;


b) advise the Commission on any matter concerning the protection of personal data in the Union, in particular
on any proposal to amend this Regulation;

c) advise the Commission on the format and procedures for exchanging information between those responsible,
managers and control authorities in relation to binding corporate standards;

d) issue guidelines, recommendations and good practices regarding the procedures for removing links,
copies or replicas of personal data from publicly available communication services referred to in
article 17, paragraph 2;

e) examine, on its own initiative, at the request of one of its members or of the Commission, any matter relating to the
application of this Regulation, and will issue guidelines, recommendations and good practices in order to promote the
consistent application of this Regulation;

f) issue guidelines, recommendations and good practices in accordance with letter e) of this section in order to
further specify the criteria and requirements of profile-based decisions under article 22, paragraph 2;

g) issue guidelines, recommendations and good practices in accordance with letter e) of this section in order to
verify the violations of data security and determine the undue delay under article 33,
paragraphs 1 and 2, and with respect to the particular circumstances in which the person responsible or the person in charge of
treatment must notify the violation of the security of personal data;

h) issue guidelines, recommendations and good practices in accordance with letter e) of this section with respect to
the circumstances in which it is probable that the violation of the security of personal data entails a high
risk to the rights and freedoms of natural persons under article 34, paragraph 1;

i) issue guidelines, recommendations and good practices in accordance with letter e) of this section in order to
specify the criteria and requirements for the transfer of personal data based on binding corporate
standards to which those responsible for the treatment have adhered and on binding corporate standards
to which those in charge of the treatment have adhered, and on additional requirements necessary to
guarantee the protection of the personal data of the interested parties referred to in article 47;

j) issue guidelines, recommendations and good practices in accordance with letter e) of this section in order to
specify to a greater extent the criteria and requirements for transfers of personal data on the basis of
Article 49, paragraph 1;

k) formulate guidelines for the supervisory authorities, regarding the application of the measures referred to in
Article 58, paragraphs 1, 2 and 3, and the setting of administrative fines in accordance with Article 83;

l) examine the practical application of the guidelines, recommendations and good practices referred to in letters e)
and f);

m) issue guidelines, recommendations and good practices in accordance with letter e) of this section in order to
establish common procedures for information from natural persons about violations of this
Regulation under article 54, paragraph 2;

n) encourage the development of codes of conduct and the establishment of data protection certification
mechanisms and data protection seals and marks in accordance with articles 40 and 42;

o) carry out the accreditation of the certification bodies and their periodic review under article 43, and keep
a public register of accredited bodies under article 43, paragraph 6, and of the accredited persons responsible or
processors established in third countries under article 42, paragraph 7;

p) specify the requirements referred to in article 43, paragraph 3, with a view to the accreditation of the organizations
certification under article 42;

q) provide the Commission with an opinion on the certification requirements referred to in Article 43 (8);

r) provide the Commission with an opinion on the icons referred to in Article 12 (7);

s) provide the Commission with an opinion to assess the adequacy of the level of protection in a third country or
international organization, in particular to assess whether a third country, a territory or one or more sectors
specific to that third country, or an international organization, no longer guarantees an adequate level of protection.
To that end, the Commission shall provide the Committee with all necessary documentation, including correspondence with the
government of the third country, which refers to said third country, territory or specific sector, or to said
international organization;


t) issue opinions on the draft decisions of the supervisory authorities under the mechanism of
coherence mentioned in article 64, paragraph 1, on matters presented under article 64,
paragraph 2, and on the binding decisions under article 65, including the cases mentioned in the
article 66;

u) promote cooperation and effective bilateral and multilateral exchanges of information and good
practices between control authorities;

v) promote common training programs and facilitate exchanges of personnel between control authorities
and, where appropriate, with third-country control authorities or with international organizations;

w) promote the exchange of knowledge and documentation on legislation and protection practices
of data with the control authorities responsible for data protection worldwide;

x) issue opinions on codes of conduct developed at Union level in accordance with the
Article 40, paragraph 9, and

y) keep an electronic, publicly accessible record of the decisions taken by the control authorities and the
courts on matters dealt with in the framework of the coherence mechanism.

2. When the Commission requests advice from the Committee, it may indicate a period taking into account the urgency of the
matter.

3. The Committee shall transmit its opinions, guidelines, recommendations and good practices to the Commission and to the committee
referred to in article 93, and will make them public.

4. When appropriate, the Committee will consult interested parties and give them the opportunity to present their
comments within a reasonable time. Without prejudice to the provisions of article 76, the Committee shall publish the results of the
consultation procedure.

Article 71

Reports

1. The Committee will prepare an annual report on the protection of natural persons with regard to
treatment in the Union and, where appropriate, in third countries and international organizations. The report will be made public and
will be transmitted to the European Parliament, the Council and the Commission.

2. The annual report will include a review of the practical application of the guidelines, recommendations and good
practices indicated in article 70, paragraph 1, letter l), as well as the binding decisions indicated in
Article 65.

Article 72

Process

1. The Committee shall take its decisions by simple majority of its members, unless this Regulation provides
otherwise.

2. The Committee shall adopt its rules of procedure by a two-thirds majority of its members and organize its
operating provisions.

Article 73

Presidency

1. The Committee shall elect a president and two vice-presidents by simple majority.

2. The term of office of the president and vice-presidents shall be five years and may be renewed once.


Article 74

President's functions

1. The president will perform the following functions:

a) convene the meetings of the Committee and prepare its agenda;

b) notify the decisions taken by the Committee in accordance with Article 65 to the main supervisory authority and
interested control authorities;

c) ensure the timely exercise of the functions of the Committee, in particular in relation to the coherence mechanism
referred to in article 63.

2. The Committee will determine the distribution of functions between the president and vice-presidents in its rules of procedure.

Article 75

Secretariat

1. The Committee will have a secretariat, which will be provided by the European Data Protection Supervisor.

2. The secretariat shall exercise its functions exclusively following the instructions of the Chairman of the Committee.

3. The staff of the European Data Protection Supervisor who participates in the performance of the functions
conferred on the Committee by this Regulation will depend on a hierarchical superior other than the personnel that
perform the functions conferred on the European Data Protection Supervisor.

4. The Committee, in consultation with the European Data Protection Supervisor, will prepare and publish, if appropriate, a memorandum of understanding for the implementation of this article, which will determine the terms of its cooperation and which will be applicable to the staff of the European Data Protection Supervisor participating in the performance of the functions conferred on the Committee by this Regulation.

5. The secretariat will provide analytical, administrative and logistical support to the Committee.

6. The secretariat will be responsible, in particular, for:

a) the current affairs of the Committee;

b) communication between the members of the Committee, its chairman and the Commission;

c) communication with other institutions and with the public;

d) the use of electronic means for internal and external communication;

e) the translation of the relevant information;

f) the preparation and monitoring of Committee meetings;

g) the preparation, drafting and publication of opinions, decisions regarding dispute settlement between authorities
of control and other texts adopted by the Committee.

Article 76

Confidentiality

1. The debates of the Committee will be confidential when it considers it necessary, as established by its
Rules of Procedure.

2. Access to documents submitted to Committee members, experts and representatives of third parties shall be governed by Regulation (EC) No 1049/2001 of the European Parliament and of the Council ( 1 ).

CHAPTER VIII

Remedies, liability and sanctions

Article 77

Right to file a claim with a supervisory authority

1. Without prejudice to any other administrative remedy or legal action, any interested party shall have the right to present a claim before a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if he or she considers that the processing of personal data concerning him or her violates this Regulation.

2. The supervisory authority to which the claim has been submitted will inform the claimant about the course and the result of the claim, including the possibility of accessing judicial protection under article 78.

Article 78

Right to effective judicial protection against a supervisory authority

1. Without prejudice to any other administrative or extrajudicial appeal, any natural or legal person shall have the right
to effective judicial protection against a legally binding decision of a supervisory authority that concerns him.

2. Without prejudice to any other administrative or extrajudicial appeal, every interested party shall have the right to effective judicial protection if the supervisory authority that is competent under articles 55 and 56 does not handle a claim or does not inform the interested party within three months about the course or the result of the claim submitted under article 77.

3. Actions against a supervisory authority must be brought before the courts of the Member State in which the supervisory authority is established.

4. When actions are taken against a decision of a supervisory authority that has been preceded by an opinion or decision of the Committee within the framework of the coherence mechanism, the supervisory authority shall forward that opinion or decision to the court.

Article 79

Right to effective judicial protection against a person responsible or in charge of the treatment

1. Without prejudice to available administrative or extrajudicial remedies, including the right to file a claim before a supervisory authority under article 77, any interested party shall have the right to effective judicial protection when he or she considers that his or her rights under this Regulation have been violated as a result of a treatment of his or her personal data.

2. The actions against a person responsible or in charge of the treatment must be exercised before the courts of the Member State in which the person responsible or in charge has an establishment. Alternatively, such actions may be exercised before the courts of the Member State in which the interested party has his or her habitual residence, unless the person responsible or the person in charge is a public authority of a Member State acting in the exercise of its public powers.

( 1 ) Regulation (EC) No 1049/2001 of the European Parliament and of the Council, of May 30, 2001, regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43).

Article 80

Stakeholder Representation

1. The interested party will have the right to mandate a non-profit entity, organization or association that has been properly constituted under the law of a Member State, whose statutory objectives are of public interest and which acts in the field of protection of the rights and freedoms of interested parties with regard to the protection of their personal data, to submit the claim on his or her behalf, to exercise on his or her behalf the rights referred to in articles 77, 78 and 79, and to exercise the right to be compensated mentioned in article 82 if the law of the Member State so provides.

2. Any Member State may provide that any entity, organization or association mentioned in paragraph 1 of this article has, regardless of the mandate of the interested party, the right to present in that Member State a claim before the supervisory authority that is competent under article 77 and to exercise the rights referred to in articles 78 and 79, if it considers that the rights of the interested party under this Regulation have been violated as a result of a treatment.

Article 81

Suspension of proceedings

1. When a competent court of a Member State has information that a procedure related to the same matter in relation to the treatment by the same person responsible or in charge is pending before a court of another Member State, it will contact that court of the other Member State to confirm the existence of said procedure.

2. When a procedure related to the same matter in relation to the treatment by the same person responsible or in charge is pending before a court of another Member State, any competent court other than the one before which the action was first brought may suspend its procedure.

3. When said procedure is pending in the first instance, any court other than the one before which the action was first brought may also, at the request of one of the parties, decline jurisdiction if the first court is competent to hear the actions in question and their consolidation is in accordance with its law.

Article 82

Right to compensation and liability

1. Any person who has suffered material or immaterial damages as a result of an infraction
of this Regulation shall be entitled to receive compensation from the person responsible or the person in charge of the treatment for
the damages suffered.

2. Any person responsible that participates in the treatment operation will be liable for the damages caused in the event that said operation does not comply with the provisions of this Regulation. A person in charge of the treatment will only be liable for damages caused by the treatment when it has not fulfilled the obligations of this Regulation specifically aimed at those in charge, or has acted outside or against the lawful instructions of the person responsible.

3. The person responsible or in charge of the treatment will be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the fact that caused the damages.

4. When more than one person responsible or in charge of the treatment, or one person responsible and one person in charge, have participated in the same treatment operation and are, in accordance with paragraphs 2 and 3, responsible for any damage caused by said treatment, each person responsible or in charge will be held responsible for all of the damages, in order to guarantee the effective compensation of the interested party.

5. When, in accordance with paragraph 4, a person responsible or in charge of the treatment has paid full compensation for the damage caused, that person responsible or in charge will have the right to claim from the other persons responsible or in charge that participated in the same treatment operation the part of the compensation corresponding to their share of responsibility for the damages caused, in accordance with the conditions set out in paragraph 2.

6. The legal actions in exercise of the right to compensation will be presented before the competent courts according to the law of the Member State indicated in Article 79, paragraph 2.

Article 83

General conditions for the imposition of administrative fines

1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article for the infractions of the present Regulation indicated in paragraphs 4, 5 and 6 is in each individual case effective, proportionate and dissuasive.

2. Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or instead of the measures referred to in article 58, paragraph 2, letters a) to h) and j). When deciding on the imposition of an administrative fine and its amount in each individual case, due account shall be taken of:

a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the
treatment operation in question as well as the number of affected parties and the level of damage and
damages they have suffered;

b) intentionality or negligence in the infraction;

c) any measure taken by the person responsible or in charge of the treatment to mitigate the damages suffered by the interested parties;

d) the degree of responsibility of the person responsible or the person in charge of the treatment, taking into account the technical measures or
organizational measures that have been applied under articles 25 and 32;

e) any previous infraction committed by the person in charge or the person in charge of the treatment;

f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the
possible adverse effects of the infraction;

g) the categories of personal data affected by the infringement;

h) the way in which the supervisory authority became aware of the infringement, in particular whether the person responsible or in charge notified the infraction and, in that case, to what extent;

i) when the measures indicated in article 58, paragraph 2, have been previously ordered against the person responsible
or the person in charge in relation to the same matter, compliance with said measures;

j) adherence to codes of conduct under article 40 or to certification mechanisms approved pursuant to article 42, and

k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits
obtained or losses avoided, directly or indirectly, through the infringement.

3. If a person responsible or a person in charge of the treatment intentionally or negligently infringes, for the same treatment operations or related operations, various provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount provided for the most serious infractions.

4. Violations of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or, in the case of a company, of an amount equivalent to a maximum of 2% of the total worldwide annual business volume of the previous financial year, opting for the largest amount:

a) the obligations of the person responsible and the person in charge under articles 8, 11, 25 to 39, 42 and 43;

b) the obligations of certification bodies under articles 42 and 43;

c) the obligations of the supervisory authority under article 41, paragraph 4.

5. Violations of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, of an amount equivalent to a maximum of 4% of the total worldwide annual business volume of the previous financial year, opting for the largest amount:

a) the basic principles for treatment, including the conditions for consent under articles 5,
6, 7 and 9;

b) the rights of the interested parties under articles 12 to 22;

c) transfers of personal data to a recipient in a third country or an international organization in accordance with
Articles 44 to 49;

d) any obligation under the law of the Member States that is adopted pursuant to Chapter IX;

e) failure to comply with a resolution or a temporary or definitive limitation of the treatment or suspension of data flows by the supervisory authority under article 58, paragraph 2, or failure to provide access in breach of article 58, paragraph 1.

6. Failure to comply with the resolutions of the supervisory authority under article 58, paragraph 2, shall be sanctioned in accordance with paragraph 2 of this article with administrative fines of a maximum of EUR 20 000 000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total worldwide annual business volume of the previous financial year, opting for the highest amount.

7. Without prejudice to the corrective powers of the supervisory authorities under Article 58 (2), each
Member State may establish rules on whether, and to what extent, administrative fines may be imposed on
public authorities and bodies established in that Member State.

8. The exercise by a supervisory authority of its powers under this article shall be subject to appropriate procedural guarantees in accordance with the law of the Union and of the Member States, including effective judicial protection and respect for procedural guarantees.

9. When the legal system of a Member State does not establish administrative fines, this article may be applied in such a way that the fine is initiated by the competent supervisory authority and imposed by the competent national courts, while ensuring that these legal remedies are effective and have an effect equivalent to administrative fines imposed by supervisory authorities. In any case, the fines imposed will be effective, proportionate and dissuasive. The Member States concerned shall notify the Commission of the legislative provisions they adopt under this paragraph no later than May 25, 2018 and, without delay, any subsequent amending law or amendment that applies to them.

Article 84

Sanctions

1. Member States shall establish the rules for other sanctions applicable to infringements of this Regulation, in particular infringements that are not sanctioned with administrative fines in accordance with Article 83, and shall take all necessary measures to ensure their observance. These sanctions will be effective, proportionate and dissuasive.

2. Each Member State shall notify the Commission of the legislative provisions it adopts in accordance with paragraph 1 no later than May 25, 2018 and, without delay, any subsequent modification that is applicable to them.

CHAPTER IX

Provisions regarding specific treatment situations

Article 85

Treatment and freedom of expression and information

1. Member States shall reconcile by law the right to protection of personal data under this Regulation with the right to freedom of expression and information, including treatment for journalistic purposes and purposes of academic, artistic or literary expression.

2. For the treatment carried out for journalistic purposes or for academic, artistic or literary expression purposes, Member States shall establish exemptions or exceptions from the provisions of chapters II (principles), III (rights of the interested party), IV (responsible and in charge of processing), V (transfer of personal data to third countries or international organizations), VI (independent control authorities), VII (cooperation and coherence) and IX (provisions concerning specific situations of data processing), if necessary to reconcile the right to protection of personal data with freedom of expression and information.

3. Each Member State shall notify the Commission of the legislative provisions it adopts in accordance with paragraph 2 and, without delay, any subsequent legislative or other modification thereof.

Article 86

Treatment and public access to official documents

Personal data in official documents held by any public authority or public body or a private entity for the realization of a mission in the public interest may be communicated by said authority, body or entity in accordance with the law of the Union or of the Member States that applies to them in order to reconcile public access to official documents with the right to personal data protection under this Regulation.

Article 87

Treatment of the national identification number

Member States may additionally determine the specific conditions for the treatment of a national identification number or any other means of identification of a general nature. In that case, the national identification number or any other means of identification of a general nature will be used only with the guarantees suitable for the rights and freedoms of the interested party in accordance with this Regulation.

Article 88

Treatment in the workplace

1. Member States may, through legislative provisions or collective agreements, establish more specific rules to guarantee the protection of rights and freedoms in relation to the processing of workers' personal data in the workplace, in particular for the purpose of hiring staff, execution of the employment contract, including compliance with the obligations established by law or by collective agreement, work management, planning and organization, equality and diversity in the workplace, health and safety at work, protection of the assets of employees or customers, as well as for the purpose of exercise and enjoyment, individual or collective, of the rights and benefits related to employment and for the purpose of termination of the employment relationship.

2. These rules will include adequate and specific measures to preserve the human dignity of the interested parties as well as their legitimate interests and their fundamental rights, paying special attention to the transparency of the treatment, to the transfer of personal data within a business group or a business union dedicated to joint economic activity and to supervision systems in the workplace.

3. Each Member State shall notify the Commission of the legal provisions it adopts in accordance with the
section 1 no later than May 25, 2018 and, without delay, any subsequent modification thereof.

Article 89

Guarantees and exceptions applicable to processing for purposes of archiving in the public interest, purposes of
scientific or historical research or statistical purposes

1. Treatment for archival purposes in the public interest, scientific or historical research purposes or statistical purposes will be subject to adequate guarantees, in accordance with this Regulation, for the rights and freedoms of the interested parties. These guarantees will ensure that technical and organizational measures are in place, in particular to guarantee respect for the principle of minimization of personal data. Such measures may include pseudonymization, provided that in this way these ends can be achieved. Whenever these ends can be achieved through a subsequent treatment that does not allow or no longer allows the identification of the interested parties, those ends will be achieved in that way.

2. When personal data is processed for scientific or historical research purposes or statistical purposes, the law of the Union or of the Member States may establish exceptions to the rights referred to in Articles 15, 16, 18 and 21, subject to the conditions and guarantees indicated in paragraph 1 of this article, provided that it is probable that these rights make it impossible or seriously impede the achievement of scientific purposes and as long as those exceptions are necessary to achieve those ends.

3. When personal data is processed for the purpose of archiving in the public interest, the law of the Union or of the Member States may provide for exceptions to the rights referred to in articles 15, 16, 18, 19, 20 and 21, subject to the conditions and guarantees cited in paragraph 1 of this article, provided that those rights may make it impossible or severely hamper the achievement of scientific purposes and provided that such exceptions are necessary to achieve those ends.

4. In case the treatment referred to in paragraphs 2 and 3 also serves another purpose, the exceptions will only be applicable to the treatment for the purposes mentioned in those paragraphs.

Article 90

Obligations of secrecy

1. Member States may adopt specific rules to set the powers of the supervisory authorities established in article 58, paragraph 1, letters e) and f), in relation to persons responsible or in charge who are subject, in accordance with the law of the Union or of the Member States or the rules established by competent national bodies, to an obligation of professional secrecy or other equivalent secrecy obligations, when this is necessary and proportionate to reconcile the right to protection of personal data with the obligation of secrecy. These rules will only apply to personal data that the person responsible or the person in charge of the treatment has received as a result or on the occasion of an activity covered by the aforementioned obligation of secrecy.

2. Each Member State shall notify the Commission of the rules adopted in accordance with paragraph 1 no later than May 25, 2018 and, without delay, any subsequent modification thereof.

Article 91

Current rules on data protection of churches and religious associations

1. When in a Member State churches, associations or religious communities apply, at the time of entry into force of this Regulation, a set of rules relating to the protection of natural persons with regard to treatment, such rules may continue to apply, provided they comply with this Regulation.

2. Churches and religious associations that apply general norms in accordance with paragraph 1 of this article will be subject to the control of an independent control authority, which may be specific, provided that it meets the conditions established in chapter VI of this Regulation.

CHAPTER X

Delegated acts and implementing acts

Article 92

Exercise of the delegation

1. The powers to adopt delegated acts granted to the Commission shall be subject to the conditions established in this article.

2. The delegation of powers indicated in article 12, paragraph 8, and in article 43, paragraph 8, shall be granted to the Commission for an indefinite period as of May 24, 2016.

3. The delegation of powers mentioned in article 12, paragraph 8, and article 43, paragraph 8, may be revoked at any time by the European Parliament or by the Council. The revocation decision will terminate the delegation of powers specified therein. The decision will take effect the day after its publication in the Official Journal of the European Union or at a later date indicated therein. It will not affect the validity of the delegated acts that are already in force.

4. As soon as the Commission adopts a delegated act, it will simultaneously notify the European Parliament and the Council.

5. Delegated acts adopted pursuant to article 12, paragraph 8, and article 43, paragraph 8, shall enter into force only if, within three months of their notification to the European Parliament and the Council, neither the European Parliament nor the Council raises objections or if, before the expiration of that period, both inform the Commission that they will not raise any. The deadline will be extended by three months at the initiative of the European Parliament or the Council.

Article 93

Committee procedure

1. The Commission will be assisted by a committee. This committee will be a committee within the meaning of Regulation (EU) No 182/2011.

2. When reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

3. When reference is made to this paragraph, Article 8 of Regulation (EU) No 182/2011 shall apply, in conjunction with its Article 5.

CHAPTER XI

Final Provisions

Article 94

Repeal of Directive 95/46 / EC

1. Directive 95/46 / EC is repealed with effect from May 25, 2018.

2. Any reference to the repealed Directive shall be construed as a reference to this Regulation. Any reference to the Group for the protection of persons with regard to the processing of personal data established by article 29 of Directive 95/46 / EC shall be construed as a reference to the European Data Protection Committee established by this Regulation.

Article 95

Relationship with Directive 2002/58 / EC

This Regulation shall not impose additional obligations on natural or legal persons in matters of treatment within the framework of the provision of public electronic communications services in public communication networks of the Union in areas where they are subject to specific obligations with the same objective established in Directive 2002/58 / EC.

Article 96

Relationship with previously concluded agreements

International agreements that involve the transfer of personal data to third countries or international organizations that have been concluded by the Member States before May 24, 2016 and that comply with the provisions of the Union law applicable before that date will remain in force until they are modified, replaced or revoked.

Article 97

Commission Reports

1. At the latest on May 25, 2020 and subsequently every four years, the Commission shall present to the European Parliament and the Council a report on the evaluation and revision of this Regulation. The reports will be made public.

2. Within the framework of the evaluations and reviews referred to in paragraph 1, the Commission shall examine in particular the application and operation of:

a) Chapter V on the transfer of personal data to third countries or international organizations, in particular with regard to decisions taken pursuant to Article 45 (3) of this Regulation, and those adopted on the basis of Article 25 (6) of Directive 95/46 / EC;

b) Chapter VII on cooperation and coherence.

3. For the purposes of paragraph 1, the Commission may request information from the Member States and the authorities
of control.

4. In carrying out the evaluations and reviews indicated in paragraphs 1 and 2, the Commission shall take into account the positions and conclusions of the European Parliament, the Council and other relevant bodies or sources.

5. The Commission shall, if necessary, submit the appropriate proposals to amend this Regulation, in particular considering the evolution of information technologies and in view of the progress in the information society.

Article 98

Review of other legal acts of the Union regarding data protection

The Commission will present, if appropriate, legislative proposals to modify other legal acts of the Union in the matter of protection of personal data, in order to guarantee the uniform and coherent protection of natural persons in relation to treatment. In particular, it will deal with the rules regarding the protection of natural persons concerning the treatment by the institutions, bodies, offices and agencies of the Union and the free movement of such data.

Article 99

Entry into force and application

1. This Regulation shall enter into force twenty days after its publication in the Official Journal of the European Union .

2. It will be applicable as of May 25, 2018.

This Regulation shall be binding in its entirety and directly applicable in each Member State.

Done in Brussels, on April 27, 2016.

For the European Parliament
The President
M. SCHULZ

For the Council
The President
J.A. HENNIS-PLASSCHAERT
