DSGVO law
Below you will find the official General Data Protection Regulation, including all subsequent changes up to and including 31 December 2024, broken down by article. Article 32 in particular is relevant for operators of websites and technical systems with regard to audit and documentation obligations: missing documentation cannot be provided retrospectively, and its absence can result in high fines. You can download the original version of the European Union regulation at the following link: PDF view.
Article 1: Subject-matter and objectives
- This Regulation contains provisions on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
- This Regulation protects the fundamental rights and freedoms of natural persons and, in particular, their right to the protection of personal data.
- The free movement of personal data within the Union shall not be restricted or prohibited on grounds relating to the protection of natural persons with regard to the processing of personal data.
Article 2: Material scope
- This Regulation shall apply to the processing of personal data wholly or partly by automated means and to the non-automated processing of personal data which are or are intended to be stored in a filing system.
- This Regulation shall not apply to the processing of personal data
- in the context of an activity that does not fall within the scope of Union law,
- by the Member States in the context of activities falling within the scope of Chapter 2 of Title V of the TEU,
- by natural persons for the exercise of exclusively personal or family activities,
- by the competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
- Regulation (EC) No 45/2001 shall apply to the processing of personal data by the Union institutions, bodies, offices and agencies. Regulation (EC) No 45/2001 and other Union legal acts governing such processing of personal data shall be adapted to the principles and rules laid down in this Regulation in accordance with Article 98.
- This Regulation shall be without prejudice to the application of Directive 2000/31/EC and in particular to the provisions of Articles 12 to 15 of that Directive concerning the liability of intermediaries.
Article 3: Territorial scope
- This Regulation shall apply to the processing of personal data carried out in the context of the activities of an establishment of a controller or processor in the Union, regardless of whether the processing takes place in the Union.
- This Regulation shall apply to the processing of personal data of data subjects located in the Union by a controller or processor not established in the Union where the data processing is related to
- the offering of goods or services to data subjects in the Union, irrespective of whether a payment is to be made by those data subjects;
- the monitoring of the behaviour of data subjects insofar as their behaviour takes place in the Union.
- This Regulation shall apply to the processing of personal data by a controller not established in the Union in a place governed by the law of a Member State on the basis of public international law.
Article 4: Definitions
For the purposes of this Regulation, the following definitions apply:
- "personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
- "Restriction of processing" means the marking of stored personal data with the aim of restricting its future processing;
- "Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
- "Pseudonymisation" means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
- "filing system" means any structured set of personal data which is accessible according to specific criteria, regardless of whether that set is managed centrally, decentrally or dispersed on a functional or geographical basis;
- "controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
- "Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
- "recipient" means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular enquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
- "third party" means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
- "Consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
- "personal data breach" means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, whether accidental or unlawful;
- 'genetic data' means personal data relating to the inherited or acquired genetic characteristics of a natural person, which provide unique information about the physiology or health of that natural person and which have been obtained in particular from the analysis of a biological sample from the natural person concerned;
- 'biometric data' means personal data relating to the physical, physiological or behavioural characteristics of a natural person, obtained using specific technical procedures, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
- "health data" means personal data relating to the physical or mental health of a natural person, including the provision of healthcare services, and from which information about their health status is derived;
- "main establishment" means
- in the case of a controller with establishments in more than one Member State, the place of its head office in the Union, unless the decisions as to the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and that establishment is authorised to have those decisions implemented, in which case the establishment taking such decisions shall be considered to be the main establishment;
- in the case of a processor with establishments in more than one Member State, the place of its head office in the Union or, where the processor has no head office in the Union, the place of establishment of the processor in the Union where the processing activities in the context of the activities of an establishment of a processor are principally carried out, insofar as the processor is subject to specific obligations under this Regulation;
- 'representative' means a natural or legal person established in the Union who has been appointed in writing by the controller or processor in accordance with Article 27 and who represents the controller or processor in relation to their respective obligations under this Regulation;
- "company" means a natural or legal person that carries out an economic activity, regardless of its legal form, including partnerships or associations that regularly carry out an economic activity;
- "group of companies" means a group consisting of a controlling company and the companies dependent on it;
- 'binding corporate rules' means measures for the protection of personal data with which a controller or processor established in the territory of a Member State undertakes to comply in respect of transfers or a set of transfers of personal data to a controller or processor within the same group of undertakings or the same group of undertakings engaged in a joint economic activity in one or more third countries;
- 'supervisory authority' means an independent public authority established by a Member State in accordance with Article 51;
- "supervisory authority concerned" means a supervisory authority that is concerned by the processing of personal data because
- the controller or processor is established in the territory of the Member State of that supervisory authority,
- this processing has or may have a significant impact on data subjects residing in the Member State of that supervisory authority, or
- a complaint has been submitted to this supervisory authority;
- "cross-border processing" means either
- processing of personal data carried out in the context of the activities of establishments of a controller or processor in the Union in more than one Member State, where the controller or processor is established in more than one Member State, or
- processing of personal data carried out in the context of the activities of a single establishment of a controller or processor in the Union, but which produces or is likely to produce significant effects on data subjects in more than one Member State;
- 'relevant and reasoned objection' means an objection to a draft decision as to whether there is an infringement of this Regulation or whether intended action against the controller or processor is in compliance with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data in the Union;
- 'information society service' means a service as defined in point (1)(b) of Article 1 of Directive (EU) 2015/1535 of the European Parliament and of the Council;
- 'international organisation' means an international organisation and its subordinate bodies or any other body established by, or on the basis of, an agreement concluded between two or more countries.
Article 5: Principles relating to processing of personal data
- Personal data must
- be processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency");
- be collected for specified, explicit and legitimate purposes and shall not be further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes in accordance with Article 89(1) ("purpose limitation");
- be adequate, relevant and limited to what is necessary for the purposes of the processing ("data minimisation");
- be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ("accuracy");
- be stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data are processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to the implementation of appropriate technical and organisational measures required by this Regulation to safeguard the rights and freedoms of the data subject ('storage limitation');
- be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures ("integrity and confidentiality").
- The controller is responsible for compliance with paragraph 1 and must be able to demonstrate compliance ("accountability").
Article 6: Lawfulness of processing
- Processing is only lawful if at least one of the following conditions is met:
- The data subject has given their consent to the processing of their personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
- Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1 by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing, including for other specific processing situations referred to in Chapter IX.
- The legal basis for the processing operations referred to in paragraph 1(c) and (e) shall be laid down by
- Union law or
- the law of the Member States to which the controller is subject.
The purpose of the processing shall be specified in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions adapting the application of the rules of this Regulation, including provisions on the general conditions governing the lawfulness of processing by the controller, the types of data processed, the data subjects concerned, the entities to which the personal data may be disclosed and the purposes for which they may be disclosed, the purpose limitation, the storage period and the processing operations and procedures that may be applied, including measures to ensure lawful and fair processing, such as those for other specific processing situations referred to in Chapter IX. Union or Member State law must pursue a public interest objective and be proportionate to the legitimate aim pursued.
- Where processing for a purpose other than that for which the personal data were collected is not based on the data subject's consent or on Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to determine whether processing for another purpose is compatible with that for which the personal data were originally collected, take into account, inter alia
- any link between the purposes for which the personal data were collected and the purposes of the intended further processing,
- the context in which the personal data were collected, in particular with regard to the relationship between the data subjects and the controller,
- the nature of the personal data, in particular whether special categories of personal data are processed pursuant to Article 9 or whether personal data relating to criminal convictions and offences are processed pursuant to Article 10,
- the possible consequences of the intended further processing for the data subjects,
- the existence of suitable guarantees, which may include encryption or pseudonymisation.
Article 7: Conditions for consent
- If the processing is based on consent, the controller must be able to prove that the data subject has consented to the processing of their personal data.
- Where the data subject's consent is given by means of a written declaration which also concerns other matters, the request for consent must be made in an intelligible and easily accessible form, using clear and plain language, in such a way that it can be clearly distinguished from the other matters. Parts of the declaration shall not be binding if they constitute a breach of this Regulation.
- The data subject has the right to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. The data subject will be informed of this before consent is given. The withdrawal of consent must be as simple as the granting of consent.
- When assessing whether consent has been given voluntarily, the greatest possible account must be taken of whether, among other things, the fulfilment of a contract, including the provision of a service, is dependent on consent to the processing of personal data that is not necessary for the fulfilment of the contract.
Article 8: Conditions applicable to child's consent in relation to information society services
- Where point (a) of Article 6(1) applies to an offer of information society services made directly to a child, the processing of the child's personal data shall be lawful if the child has reached the age of sixteen. Where the child has not yet reached the age of sixteen, such processing shall be lawful only if and to the extent that such consent is given by or with the agreement of the holder of parental responsibility over the child. Member States may provide by law for a lower age limit for these purposes, but not below the age of thirteen.
- The controller shall make reasonable efforts, taking into account available technology, to verify in such cases that consent has been given by or with the consent of the holder of parental responsibility for the child.
- Paragraph 1 is without prejudice to the general contract law of the Member States, such as the rules on the validity, formation or legal consequences of a contract in relation to a child.
Article 9: Processing of special categories of personal data
- The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation is prohibited.
- Paragraph 1 does not apply in the following cases:
- The data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law does not allow the prohibition referred to in paragraph 1 to be lifted by the data subject's consent,
- the processing is necessary for the controller or the data subject to exercise the rights and fulfil the obligations arising from labour law and social security and social protection law to the extent permitted by Union or Member State law or a collective agreement under Member State law providing for appropriate safeguards for the fundamental rights and interests of the data subject,
- the processing is necessary to protect the vital interests of the data subject or of another natural person and the data subject is physically or legally incapable of giving consent,
- the processing is carried out on the basis of appropriate safeguards by a foundation, association or other non-profit organisation with a political, philosophical, religious or trade union aim in the course of its legitimate activities and on condition that the processing relates solely to members or former members of the organisation or to persons who have regular contact with it in connection with its purpose and that the personal data are not disclosed externally without the consent of the data subjects,
- the processing relates to personal data which the data subject has manifestly made public,
- processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity,
- processing is necessary for reasons of substantial public interest on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject,
- the processing is necessary for the purposes of preventive or occupational medicine, the assessment of an employee's fitness for work, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3,
- processing is necessary for reasons of public interest in the area of public health, such as the protection against serious cross-border threats to health or to ensure high standards of quality and safety of health care and of medicinal products and medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy, or
- processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
- The personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 where those data are processed by or under the responsibility of specialised staff and those specialised staff are bound by professional secrecy in accordance with Union or Member State law or the rules of national competent authorities, or where the processing is carried out by another person who is also bound by professional secrecy in accordance with Union or Member State law or the rules of national competent authorities.
- Member States may introduce or maintain additional conditions, including restrictions, as far as the processing of genetic, biometric or health data is concerned.
Article 10: Processing of personal data relating to criminal convictions and offences
- The processing of personal data relating to criminal convictions and offences or related security measures pursuant to Article 6(1) shall be carried out only under the control of public authorities or when authorised by Union or Member State law providing for suitable safeguards for the rights and freedoms of data subjects. A comprehensive register of criminal convictions may only be kept under the supervision of public authorities.
Article 11: Processing which does not require identification
- Where the purposes for which a controller processes personal data do not require or no longer require the identification of the data subject by the controller, the controller shall not be obliged to store, obtain or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.
- In cases referred to in paragraph 1 of this Article, where the controller demonstrates that it is not in a position to identify the data subject, it shall inform the data subject accordingly, where possible. In such cases, Articles 15 to 20 shall not apply, unless the data subject provides additional information enabling his or her identification in order to exercise his or her rights under those Articles.
Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject
- The controller shall take appropriate measures to communicate any information referred to in Articles 13 and 14 and any communication referred to in Articles 15 to 22 and Article 34 relating to the processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for information specifically addressed to children. The information shall be provided in writing or in another form, including electronically if necessary. If requested by the data subject, the information may be provided verbally, provided that the identity of the data subject has been proven in another form.
- The controller shall facilitate the exercise of the data subject's rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller may refuse to act on the data subject's request to exercise his or her rights under Articles 15 to 22 only if the controller credibly demonstrates that it is not in a position to identify the data subject.
- The controller shall provide the data subject with information on the action taken on the request in accordance with Articles 15 to 22 without undue delay and in any event within one month of receipt of the request. This period may be extended by a further two months if this is necessary in view of the complexity and number of applications. The controller shall inform the data subject of any extension of the deadline within one month of receipt of the request, together with the reasons for the delay. If the data subject submits the application electronically, he or she shall be informed electronically wherever possible, unless he or she specifies otherwise.
- If the controller does not act on the data subject's request, the controller shall inform the data subject without delay, but at the latest within one month of receipt of the request, of the reasons for this and of the possibility of lodging a complaint with a supervisory authority or seeking a judicial remedy.
- Information pursuant to Articles 13 and 14 and all communications and measures pursuant to Articles 15 to 22 and Article 34 shall be provided free of charge. In the case of manifestly unfounded or, in particular in the case of frequent repetition, excessive requests by a data subject, the controller may either
- charge a reasonable fee that takes into account the administrative costs of providing the information or notification or implementing the requested measure, or
- refuse to act on the application.
The controller must demonstrate the manifestly unfounded or excessive nature of the request.
- Without prejudice to Article 11, where the controller has reasonable doubts as to the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request additional information necessary to confirm the identity of the data subject.
- The information to be provided to data subjects in accordance with Articles 13 and 14 may be provided in combination with standardised icons to provide a meaningful overview of the intended processing in an easily perceivable, comprehensible and clearly understandable form. If the icons are displayed in electronic form, they must be machine-readable.
- The Commission shall be empowered to adopt delegated acts in accordance with Article 92 concerning the determination of the information to be represented by icons and the procedures for the provision of standardised icons.
Article 13: Information to be provided where personal data are collected from the data subject
- If personal data is collected from the data subject, the controller shall inform the data subject of the following at the time the data is collected:
- the name and contact details of the controller and, if applicable, their representative;
- the contact details of the data protection officer, if applicable;
- the purposes for which the personal data are to be processed and the legal basis for the processing;
- if the processing is based on Article 6(1)(f), the legitimate interests pursued by the controller or by a third party;
- where applicable, the recipients or categories of recipients of the personal data; and
- where applicable, the intention of the controller to transfer the personal data to a third country or an international organisation and the existence or absence of an adequacy decision by the Commission or, in the case of transfers pursuant to Article 46 or Article 47 or the second subparagraph of Article 49(1), a reference to the appropriate or suitable safeguards and how to obtain a copy of them or where they are available.
- In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following further information necessary to ensure fair and transparent processing at the time of collection of the data:
- the duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration;
- the existence of the right to request from the controller access to and rectification or erasure of the personal data concerned, or restriction of processing, or to object to processing, as well as the right to data portability;
- if the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- the existence of the right to lodge a complaint with a supervisory authority;
- whether the provision of the personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data, and
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
- Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject with information on that other purpose and any other relevant information in accordance with paragraph 2 prior to that further processing.
- Paragraphs 1, 2 and 3 shall not apply if and insofar as the data subject already has the information.
- If personal data is not collected from the data subject, the controller shall inform the data subject of the following:
- the name and contact details of the controller and, where applicable, of the controller's representative;
- where applicable, the contact details of the data protection officer;
- the purposes for which the personal data are to be processed and the legal basis for the processing;
- the categories of personal data that are processed;
- where applicable, the recipients or categories of recipients of the personal data;
- where applicable, the controller's intention to transfer the personal data to a recipient in a third country or an international organisation and the existence or absence of an adequacy decision by the Commission or, in the case of transfers pursuant to Article 46 or Article 47 or the second subparagraph of Article 49(1), a reference to the appropriate or suitable safeguards and the possibility of obtaining a copy of them or where they are available.
- In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in relation to the data subject:
- the duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration;
- if the processing is based on Article 6(1)(f), the legitimate interests pursued by the controller or by a third party;
- the existence of the right to request from the controller access to the personal data concerned and rectification or erasure or restriction of processing and a right to object to processing and the right to data portability;
- if the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- the existence of a right of appeal to a supervisory authority;
- the source of the personal data and, if applicable, whether it originates from publicly accessible sources;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
- The controller shall provide the information referred to in paragraphs 1 and 2
- taking into account the specific circumstances of the processing of the personal data, within a reasonable period after obtaining the personal data, but at the latest within one month,
- if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to the data subject, or,
- if disclosure to another recipient is intended, at the latest at the time of the first disclosure.
- Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject with information on that other purpose and any other relevant information in accordance with paragraph 2 prior to that further processing.
- Paragraphs 1 to 4 shall not apply if and to the extent that
- the data subject already has the information,
- the provision of such information proves impossible or would involve disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1), or where the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases, the controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, including by making the information publicly available,
- the obtaining or disclosure is expressly authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's legitimate interests, or
- the personal data is subject to professional secrecy under Union or Member State law, including a statutory duty of confidentiality, and must therefore be treated confidentially.
- The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
- the purposes of processing;
- the categories of personal data that are processed;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the existence of a right of appeal to a supervisory authority;
- if the personal data are not collected from the data subject, all available information about the origin of the data;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
- Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
- The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. If the data subject makes the request electronically, the information shall be provided in a commonly used electronic format, unless the data subject indicates otherwise.
- The right to receive a copy pursuant to paragraph 3 shall not adversely affect the rights and freedoms of others.
- The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
- The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
- The data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing.
- The data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2).
- The personal data was processed unlawfully.
- The deletion of personal data is necessary to fulfil a legal obligation under Union law or the law of the Member States to which the controller is subject.
- The personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
- Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
- Paragraphs 1 and 2 do not apply if the processing is necessary
- to exercise the right to freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) and Article 9(3);
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), insofar as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
- for the assertion, exercise or defence of legal claims.
- The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data,
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims, or
- the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
- Where processing has been restricted pursuant to paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
- A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.
- The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject of these recipients if the data subject so requests.
- The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where
- the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) or on a contract pursuant to Article 6(1)(b), and
- the processing is carried out using automated procedures.
- In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
- The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. This right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of other persons.
- The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
- Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
- If the data subject objects to processing for direct marketing purposes, the personal data will no longer be processed for these purposes.
- The data subject must be expressly informed of the right referred to in paragraphs 1 and 2 at the latest at the time of the first communication with him or her; this information must be provided in a comprehensible form that is separate from other information.
- In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
- The data subject shall have the right to object, on grounds relating to his or her particular situation, to processing of personal data concerning him or her for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), unless the processing is necessary for the performance of a task carried out for reasons of public interest.
- The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
- Paragraph 1 does not apply if the decision
- is necessary for the conclusion or fulfilment of a contract between the data subject and the controller,
- is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, or
- is taken with the express consent of the data subject.
- In the cases referred to in paragraph 2(a) and (c), the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
- Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.
- Union or Member State law to which the controller or processor is subject may restrict, by means of legislative measures, the obligations and rights referred to in Articles 12 to 22 and Article 34, as well as Article 5 insofar as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, provided that such a restriction respects the essence of the fundamental rights and freedoms and constitutes a necessary and proportionate measure in a democratic society to safeguard:
- national security;
- national defence;
- public safety;
- the prevention, investigation, detection or prosecution of criminal offences or the execution of sentences, including the protection against and the prevention of threats to public security;
- the protection of other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, such as monetary, budgetary, fiscal, public health and social security matters;
- the protection of the independence of the judiciary and the protection of court proceedings;
- the prevention, detection, investigation and prosecution of violations of the professional rules of regulated professions;
- control, monitoring and regulatory functions which are permanently or temporarily connected with the exercise of official authority for the purposes referred to in points (a) to (e) and (g);
- the protection of the data subject or the rights and freedoms of others;
- the enforcement of civil law claims.
- Any legislative measure referred to in paragraph 1 shall in particular contain, where appropriate, specific provisions at least as regards
- the purposes of the processing or the categories of processing,
- the categories of personal data,
- the scope of the restrictions imposed,
- the safeguards against misuse or unlawful access or transmission;
- the details of the controller or categories of controllers,
- the respective retention periods and the applicable safeguards, taking into account the nature, scope and purposes of the processing or the categories of processing,
- the risks to the rights and freedoms of data subjects, and
- the right of data subjects to be informed about the restriction, unless this is detrimental to the purpose of the restriction.
- Taking into account the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is carried out in accordance with this Regulation. These measures shall be reviewed and updated as necessary.
- Provided that this is proportionate to the processing activities, the measures referred to in paragraph 1 shall include the application of appropriate data protection safeguards by the controller.
- Compliance with the approved codes of conduct referred to in Article 40 or an approved certification mechanism referred to in Article 42 may be used as a factor to demonstrate the fulfilment of the controller's obligations.
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the controller shall implement appropriate technical and organisational measures, such as pseudonymisation, both at the time of the determination of the means for processing and at the time of the processing itself, which are designed to implement data protection principles, such as data minimisation, effectively and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and to protect the rights of data subjects.
- The controller shall implement appropriate technical and organisational measures to ensure that, by default, only personal data whose processing is necessary for each specific processing purpose is processed. This obligation applies to the amount of personal data collected, the scope of their processing, their retention period and their accessibility. In particular, such measures must ensure that personal data is not made accessible by default to an indefinite number of natural persons without the individual's intervention.
- An approved certification procedure referred to in Article 42 may be used as a factor to demonstrate compliance with the requirements referred to in paragraphs 1 and 2 of this Article.
- Where two or more controllers jointly determine the purposes and means of the processing, they shall be joint controllers. They shall specify in a transparent manner in an agreement which of them fulfils which obligation under this Regulation, in particular as regards the exercise of the rights of the data subject, and which fulfils which information obligations under Articles 13 and 14, unless and insofar as the respective tasks of the controllers are laid down by Union or Member State law to which the controllers are subject. The agreement may specify a contact point for data subjects.
- The agreement referred to in paragraph 1 shall duly reflect the respective actual functions and relationships of the joint controllers vis-à-vis data subjects. The substance of the agreement shall be made available to the data subject.
- Notwithstanding the details of the agreement referred to in paragraph 1, the data subject may assert his or her rights under this Regulation with and against each of the controllers.
- In the cases referred to in Article 3(2), the controller or processor shall designate in writing a representative in the Union.
- The obligation referred to in paragraph 1 of this Article shall not apply to
- processing which is occasional and does not involve large-scale processing of special categories of data referred to in Article 9(1) or large-scale processing of personal data relating to criminal convictions and offences referred to in Article 10 and is not likely to result in a risk to the rights and freedoms of natural persons taking into account the nature, context, scope and purposes of the processing; or
- authorities or public bodies.
- The representative must be established in one of the Member States in which the data subjects whose personal data are processed in connection with the goods or services offered to them or whose behaviour is monitored are located.
- The representative shall be appointed by the controller or processor to act as a contact point in addition to or in place of the controller or processor, in particular for supervisory authorities and data subjects, in all matters relating to processing to ensure compliance with this Regulation.
- The appointment of a representative by the controller or processor is without prejudice to any legal action against the controller or processor itself.
- Where processing is carried out on behalf of a controller, the controller shall only work with processors that provide sufficient guarantees that appropriate technical and organisational measures are implemented in such a way that the processing is carried out in accordance with the requirements of this Regulation and ensures the protection of the rights of the data subject.
- The processor shall not engage any other processor without the prior separate or general written authorisation of the controller. In the case of a general written authorisation, the processor shall always inform the controller of any intended change with regard to the involvement or replacement of other processors, giving the controller the opportunity to object to such changes.
- Processing by a processor is based on a contract or other legal instrument under Union or Member State law which binds the processor in relation to the controller and which sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the obligations and rights of the controller. This contract or other legal instrument provides in particular that the processor shall
- processes the personal data only on documented instructions from the controller, including in relation to the transfer of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall communicate those legal requirements to the controller before processing, unless the law in question prohibits such communication on grounds of important public interest;
- ensures that the persons authorised to process the personal data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality;
- takes all necessary measures in accordance with Article 32;
- complies with the conditions set out in paragraphs 2 and 4 for the use of the services of another processor;
- in view of the nature of the processing, assists the controller, where possible, with appropriate technical and organisational measures to comply with its obligation to respond to requests to exercise the data subject's rights referred to in Chapter III;
- taking into account the nature of the processing and the information available to it, assists the controller in complying with the obligations referred to in Articles 32 to 36;
- after completion of the provision of the processing services, either deletes or returns all personal data at the controller's discretion and deletes the existing copies, unless there is an obligation to store the personal data under Union law or the law of the Member States;
- provides the controller with all information necessary to demonstrate compliance with the obligations laid down in this Article and facilitates and contributes to audits, including inspections, carried out by the controller or another auditor authorised by the controller.
With regard to point (h) of the first subparagraph, the processor shall inform the controller without undue delay if it considers that an instruction infringes this Regulation or other Union or Member State data protection provisions.
- Where the processor uses the services of another processor to carry out certain processing activities on behalf of the controller, the same data protection obligations shall be imposed on that other processor by means of a contract or other legal instrument under Union or Member State law as those laid down in the contract or other legal instrument between the controller and the processor referred to in paragraph 3, in particular by providing sufficient guarantees that the appropriate technical and organisational measures will be implemented in such a way that the processing will meet the requirements of this Regulation. If the other processor does not fulfil its data protection obligations, the first processor shall be liable to the controller for compliance with the obligations of that other processor.
- A processor's compliance with an approved code of conduct pursuant to Article 40 or an approved certification mechanism pursuant to Article 42 may be used as a factor to demonstrate sufficient guarantees within the meaning of paragraphs 1 and 4 of this Article.
- Without prejudice to an individual contract between the controller and the processor, the contract or other legal instrument referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on the standard contractual clauses referred to in paragraphs 7 and 8 of this Article, including where they form part of a certification granted to the controller or processor pursuant to Articles 42 and 43.
- The Commission may, in accordance with the examination procedure referred to in Article 93(2), adopt standard contractual clauses to address the issues referred to in paragraphs 3 and 4 of this Article.
- A supervisory authority may, in accordance with the consistency mechanism referred to in Article 63, adopt standard contractual clauses to address the issues referred to in paragraphs 3 and 4 of this Article.
- The contract or other legal instrument within the meaning of paragraphs 3 and 4 must be drawn up in writing, which may also be in an electronic format.
- Without prejudice to Articles 82, 83 and 84, a processor who determines the purposes and means of processing in breach of this Regulation shall be considered to be a controller in respect of that processing.
- The processor and any person subordinate to the controller or the processor who has access to personal data may only process these data on the instructions of the controller, unless they are obliged to do so under Union law or the law of the Member States.
- Each controller and, where applicable, their representative shall keep a record of all processing activities for which they are responsible. This record contains all of the following information:
- the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and any data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of the third country or international organisation concerned and, for the transfers referred to in the second subparagraph of Article 49(1), the documentation of appropriate safeguards;
- if possible, the envisaged time limits for erasure of the various categories of data;
- where possible, a general description of the technical and organisational measures referred to in Article 32(1).
- Each processor and, where applicable, its representative shall keep a record of all categories of processing activities carried out on behalf of a controller, which shall include the following:
- the name and contact details of the processor or processors and of any controller on whose behalf the processor is acting and, where applicable, of the representative of the controller or processor and of any data protection officer;
- the categories of processing carried out on behalf of each controller;
- where applicable, transfers of personal data to a third country or an international organisation, including the identification of the third country or international organisation concerned and, for the transfers referred to in the second subparagraph of Article 49(1), the documentation of appropriate safeguards;
- where possible, a general description of the technical and organisational measures referred to in Article 32(1).
- The list referred to in paragraphs 1 and 2 must be kept in writing, which may also be in an electronic format.
- The controller or processor and, where applicable, the representative of the controller or processor shall make the list available to the supervisory authority upon request.
- The obligations referred to in paragraphs 1 and 2 shall not apply to undertakings or entities with fewer than 250 employees, unless the processing they carry out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional or involves the processing of special categories of data referred to in Article 9(1) or the processing of personal data relating to criminal convictions and offences referred to in Article 10.
- The controller and the processor and, if applicable, their representatives shall cooperate with the supervisory authority in the fulfilment of their tasks upon request.
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of protection appropriate to the risk. These measures include, but are not limited to, the following, as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the confidentiality, integrity, availability and resilience of the systems and services related to the processing in the long term;
- the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident;
- a process for regularly reviewing, assessing and evaluating the effectiveness of technical and organisational measures to ensure the security of processing.
- When assessing the appropriate level of protection, particular account shall be taken of the risks associated with the processing, in particular from the destruction, loss, alteration or unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, whether accidental or unlawful.
- Compliance with approved codes of conduct referred to in Article 40 or an approved certification process referred to in Article 42 may be used as a factor to demonstrate compliance with the requirements referred to in paragraph 1 of this Article.
- The controller and the processor shall take steps to ensure that natural persons under their authority who have access to personal data process them only on instructions from the controller, unless they are required to do so by Union or Member State law.
- In the event of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent pursuant to Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
- If the processor becomes aware of a personal data breach, it shall report this to the controller without delay.
- The notification referred to in paragraph 1 shall contain at least the following information:
- a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned, the categories concerned and the approximate number of personal data records concerned;
- the name and contact details of the data protection officer or other contact point for further information;
- a description of the likely consequences of the personal data breach;
- a description of the measures taken or proposed to be taken by the controller to address the personal data breach and, where appropriate, measures to mitigate its possible adverse effects.
- If and to the extent that the information cannot be provided at the same time, the controller may provide this information in stages without undue further delay.
- The controller shall document personal data breaches, including all facts relating to the personal data breach, its effects and the remedial measures taken. This documentation shall enable the supervisory authority to verify compliance with the provisions of this Article.
- If the personal data breach is likely to result in a high risk to the personal rights and freedoms of natural persons, the controller shall notify the data subject of the personal data breach without undue delay.
- The communication to the data subject referred to in paragraph 1 shall describe in clear and plain language the nature of the personal data breach and shall contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).
- The notification of the data subject in accordance with paragraph 1 is not required if one of the following conditions is met:
- the controller has implemented appropriate technical and organisational security measures and those measures have been applied to the personal data affected by the breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
- the controller has taken subsequent measures to ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
- the notification would involve a disproportionate effort. In this case, a public announcement or similar measure must be made instead, through which the persons concerned are informed in a comparably effective manner.
- If the controller has not already notified the data subject of the personal data breach, the supervisory authority may, taking into account the likelihood that the personal data breach will result in a high risk, require the controller to do so or may issue a decision finding that certain of the conditions referred to in paragraph 3 are met.
- Where a form of processing, in particular when using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons due to the nature, scope, context and purposes of the processing, the controller shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data beforehand. A single assessment may be carried out to analyse several similar processing operations with similarly high risks.
- When carrying out a data protection impact assessment, the controller shall seek the advice of the data protection officer, if one has been appointed.
- A data protection impact assessment in accordance with paragraph 1 is required in the following cases in particular:
- systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and which in turn serves as the basis for decisions that produce legal effects concerning natural persons or similarly significantly affect them;
- extensive processing of special categories of personal data referred to in Article 9(1) or of personal data relating to criminal convictions and offences referred to in Article 10; or
- systematic, comprehensive monitoring of publicly accessible areas.
- The supervisory authority shall draw up and make public a list of the processing operations for which a data protection impact assessment is to be carried out in accordance with paragraph 1. The supervisory authority shall communicate those lists to the committee referred to in Article 68.
- The supervisory authority may also draw up and publish a list of the types of processing operations for which no data protection impact assessment is required. The supervisory authority shall communicate these lists to the Board.
- Before establishing the lists referred to in paragraphs 4 and 5, the competent supervisory authority shall apply the consistency mechanism referred to in Article 63 where such lists include processing activities which are related to the offering of goods or services to data subjects or to the monitoring of the behaviour of such data subjects in several Member States or which could significantly affect the free flow of personal data within the Union.
- The impact assessment contains at least the following:
- a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interests pursued by the controller;
- an assessment of the necessity and proportionality of the processing operations in relation to the purpose;
- an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
- the measures envisaged to address the risks, including safeguards, security measures and procedures to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.
- Compliance with authorised codes of conduct referred to in Article 40 by the relevant controllers or processors shall be duly taken into account when assessing the impact of the processing operations carried out by them, in particular for the purposes of a data protection impact assessment.
- The controller shall, where appropriate, seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.
- Where the processing referred to in point (c) or (e) of Article 6(1) has a legal basis in Union law or in the law of the Member State to which the controller is subject, and where that law governs the specific processing operation or operations and a data protection impact assessment has already been carried out in the context of the general impact assessment related to the adoption of that legal basis, paragraphs 1 to 7 shall apply only if Member States deem it necessary to carry out such an impact assessment prior to the processing activities concerned.
- If necessary, the controller shall carry out a review to assess whether the processing is carried out in accordance with the data protection impact assessment, at least if there have been changes in the risk associated with the processing operations.
- The controller shall consult the supervisory authority prior to processing if a data protection impact assessment pursuant to Article 35 indicates that the processing would result in a high risk, unless the controller takes measures to mitigate the risk.
- If the supervisory authority is of the opinion that the intended processing referred to in paragraph 1 would not be in compliance with this Regulation, in particular because the controller has not sufficiently identified or mitigated the risk, it shall, within a period of up to eight weeks from receipt of the request for consultation, make written recommendations to the controller and, where applicable, to the processor and may exercise its powers referred to in Article 58. This period may be extended by six weeks, taking into account the complexity of the intended processing. The supervisory authority shall inform the controller or, where applicable, the processor of any such extension within one month of receipt of the request for consultation, together with the reasons for the delay. These time limits may be suspended until the supervisory authority has received the information requested for the purposes of the consultation.
- The controller shall provide the supervisory authority with the following information during a consultation pursuant to paragraph 1:
- where applicable, information on the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular in the case of processing within a group of companies;
- the purposes and means of the intended processing;
- the measures and safeguards provided for the protection of the rights and freedoms of data subjects under this Regulation;
- the contact details of the data protection officer, if applicable;
- the data protection impact assessment pursuant to Article 35 and
- any other information requested by the supervisory authority.
- Member States shall consult the supervisory authority when drawing up a proposal for legislative measures to be adopted by a national parliament or regulatory measures based on such legislative measures relating to processing.
- Notwithstanding paragraph 1, controllers may be required by Member State law to consult and obtain prior authorisation from the supervisory authority when processing for the performance of a task carried out in the public interest, including processing for social security and public health purposes.
- The controller and the processor shall in any case appoint a data protection officer if
- the processing is carried out by a public authority or body, with the exception of courts acting in their judicial capacity,
- the core activity of the controller or processor consists of carrying out processing operations which, by virtue of their nature, their scope and/or their purposes, require extensive regular and systematic monitoring of data subjects, or
- the core activity of the controller or processor is the processing on a large scale of special categories of data referred to in Article 9 or of personal data relating to criminal convictions and offences referred to in Article 10.
- A group of companies may appoint a joint data protection officer, provided that the data protection officer can be easily reached from each branch office.
- If the controller or processor is an authority or public body, a joint data protection officer may be appointed for several such authorities or bodies, taking into account their organisational structure and size.
- In cases other than those referred to in paragraph 1, the controller or processor or associations and other organisations representing categories of controllers or processors may designate a data protection officer and, where required by Union or Member State law, shall designate one. The data protection officer may act on behalf of such associations and other organisations representing controllers or processors.
- The Data Protection Officer shall be appointed on the basis of his or her professional qualifications and, in particular, his or her expertise in the field of data protection law and practice and his or her ability to fulfil the tasks referred to in Article 39.
- The data protection officer may be an employee of the controller or the processor or fulfil their tasks on the basis of a service contract.
- The controller or processor shall publish the contact details of the data protection officer and communicate these details to the supervisory authority.
- The controller and the processor shall ensure that the data protection officer is properly involved in all matters relating to the protection of personal data at an early stage.
- The controller and the processor shall assist the data protection officer in the performance of the tasks referred to in Article 39 by providing the resources and access to personal data and processing operations necessary for the performance of those tasks and by providing the resources necessary to maintain the data protection officer's expertise.
- The controller and the processor shall ensure that the data protection officer does not receive any instructions regarding the fulfilment of these tasks. The data protection officer may not be dismissed or penalised by the controller or processor for the performance of his or her tasks. The data protection officer shall report directly to the highest management level of the controller or processor.
- Data subjects may consult the Data Protection Officer on all matters relating to the processing of their personal data and the exercise of their rights under this Regulation.
- The Data Protection Officer shall be bound by Union or Member State law to observe secrecy or confidentiality in the performance of his or her duties.
- The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that such tasks and duties do not lead to a conflict of interest.
- The data protection officer is responsible for at least the following tasks:
- informing and advising the controller or processor and employees carrying out processing operations of their obligations under this Regulation and other Union or Member State data protection legislation;
- monitoring compliance with this Regulation, other Union or Member State data protection legislation and the policies of the controller or processor for the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations and related audits;
- advice, on request, in connection with the data protection impact assessment and monitoring of its implementation in accordance with Article 35;
- co-operation with the supervisory authority;
- acting as a contact point for the supervisory authority on issues related to processing, including prior consultation in accordance with Article 36, and advising on any other issues as appropriate.
- The Data Protection Officer shall take due account of the risk associated with the processing operations in the fulfilment of his/her tasks, taking into account the nature, scope, context and purposes of the processing.
- The Member States, the supervisory authorities, the Committee and the Commission shall encourage the development of codes of conduct to contribute to the proper application of this Regulation, taking into account the specificities of each processing sector and the particular needs of micro, small and medium-sized enterprises.
- Associations and other organisations representing categories of controllers or processors may draw up, amend or extend codes of conduct clarifying the application of this Regulation, for example on the following:
- fair and transparent processing;
- the legitimate interests of the controller in certain contexts;
- collection of personal data;
- pseudonymisation of personal data;
- informing the public and the persons concerned;
- exercising the rights of data subjects;
- information and protection of children and how to obtain the consent of the holder of parental responsibility for the child;
- the measures and procedures referred to in Articles 24 and 25 and the measures concerning security of processing referred to in Article 32;
- reporting personal data breaches to supervisory authorities and notifying the data subject of such personal data breaches;
- the transfer of personal data to third countries or international organisations, or
- out-of-court procedures and other dispute resolution procedures for the settlement of disputes between controllers and data subjects in relation to processing, without prejudice to the rights of data subjects under Articles 77 and 79.
- In addition to compliance by controllers or processors covered by this Regulation, codes of conduct approved pursuant to paragraph 5 of this Article and having general application pursuant to paragraph 9 of this Article may also be complied with by controllers or processors not covered by this Regulation pursuant to Article 3 in order to provide appropriate safeguards in the context of transfers of personal data to third countries or international organisations in accordance with point (e) of Article 46(2). Such controllers or processors shall, by means of contractual or other legally binding instruments, enter into a binding and enforceable obligation to apply the appropriate safeguards, including with regard to the rights of data subjects.
- The codes of conduct referred to in paragraph 2 of this Article shall provide for procedures enabling the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by controllers or processors who undertake to apply the code of conduct, without prejudice to the tasks and powers of the supervisory authority competent pursuant to Article 55 or 56.
- Associations and other organisations referred to in paragraph 2 of this Article which intend to draw up codes of conduct or to amend or extend existing codes of conduct shall submit the draft code of conduct or the draft amendment or extension thereof to the supervisory authority competent under Article 55. The supervisory authority shall issue an opinion on whether the draft code of conduct, or the draft amendment or extension thereof, is compatible with this Regulation and shall approve the draft code of conduct, or the draft amendment or extension thereof, if it considers that it provides sufficient appropriate safeguards.
- If the opinion referred to in paragraph 5 approves the draft code of conduct or the draft amendment or extension thereof and the code of conduct does not cover processing activities in more than one Member State, the supervisory authority shall include the code of conduct in a register and make it public.
- Where the draft code of conduct covers processing activities in several Member States, the supervisory authority competent pursuant to Article 55 shall, before approving the draft code of conduct or the draft amendment or extension thereof, submit it in accordance with the procedure referred to in Article 63 to the Board, which shall issue an opinion on whether the draft code of conduct or the draft amendment or extension thereof complies with this Regulation or, in the case referred to in paragraph 3 of this Article, provides for appropriate safeguards.
- If the opinion referred to in paragraph 7 confirms that the draft code of conduct or the draft amendment or extension thereof is compatible with this Regulation or, in the case referred to in paragraph 3, provides for appropriate safeguards, the Committee shall forward its opinion to the Commission.
- The Commission may, by means of implementing acts, decide that the approved codes of conduct submitted to it in accordance with paragraph 8, or their approved amendment or extension, shall have general application in the Union. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).
- The Commission shall ensure that the approved codes of conduct which have been recognised as having general validity in accordance with paragraph 9 are published in an appropriate manner.
- The Committee shall record all approved rules of conduct or their approved amendments or extensions in a register and publish them in an appropriate manner.
- Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, the monitoring of compliance with rules of conduct referred to in Article 40 may be carried out by a body which has the appropriate expertise in the subject matter of the rules of conduct and which has been accredited for that purpose by the competent supervisory authority.
- A body referred to in paragraph 1 may be accredited for the purpose of monitoring compliance with codes of conduct if it
- has demonstrated its independence and expertise with regard to the subject matter of the code of conduct to the satisfaction of the competent supervisory authority;
- has established procedures that enable it to assess whether controllers and processors can apply the code of conduct, to monitor compliance with the code of conduct by controllers and processors and to regularly review the application of the code of conduct;
- has established procedures and structures by which it investigates complaints about breaches of the code of conduct or the manner in which the code of conduct is, or has been, applied by the controller or processor, and makes those procedures and structures transparent to data subjects and the public; and
- has demonstrated to the satisfaction of the competent supervisory authority that its tasks and duties do not give rise to a conflict of interest.
- The competent supervisory authority shall submit the draft requirements for the accreditation of a body referred to in paragraph 1 to the Committee in accordance with the consistency mechanism referred to in Article 63.
- Without prejudice to the tasks and powers of the competent supervisory authority and the provisions of Chapter VIII, a body referred to in paragraph 1 shall, subject to appropriate safeguards, take appropriate measures in the event of a breach of the code of conduct by a controller or processor, including a temporary or permanent exclusion of the controller or processor from the code of conduct. It shall inform the competent supervisory authority of such measures and the reasons for them.
- The competent supervisory authority shall revoke the accreditation of a body in accordance with paragraph 1 if the requirements for its accreditation are not or are no longer met or if the body takes measures that are incompatible with this Regulation.
- This Article shall not apply to processing by public authorities or bodies.
- The Member States, the supervisory authorities, the Board and the Commission shall promote, in particular at Union level, the introduction of data protection certification mechanisms and of data protection seals and marks to demonstrate compliance with this Regulation by controllers or processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.
- In addition to compliance by controllers or processors covered by this Regulation, data protection certification mechanisms, seals or marks approved in accordance with paragraph 5 of this Article may also be provided for to demonstrate that controllers or processors not covered by this Regulation pursuant to Article 3 provide appropriate safeguards in the context of transfers of personal data to third countries or international organisations in accordance with point (f) of Article 46(2). Those controllers or processors shall enter into a binding and enforceable commitment, by means of contractual or other legally binding instruments, to apply those appropriate safeguards, including with regard to the rights of data subjects.
- Certification must be voluntary and accessible via a transparent procedure.
- Certification pursuant to this Article shall not diminish the responsibility of the controller or processor to comply with this Regulation and shall not affect the tasks and powers of the supervisory authorities which are competent pursuant to Article 55 or 56.
- Certification under this Article shall be granted by the certification bodies referred to in Article 43 or by the competent supervisory authority on the basis of criteria approved by that competent supervisory authority in accordance with Article 58(3) or by the Board in accordance with Article 63. If the criteria are approved by the Board, this may lead to a common certification, the European Data Protection Seal.
- The controller or processor subjecting the processing it carries out to the certification mechanism shall provide the certification body referred to in Article 43 or, where applicable, the competent supervisory authority with all the information necessary for the performance of the certification mechanism and shall grant it the necessary access to its processing activities in this context.
- The certification shall be granted to a controller or processor for a maximum period of three years and may be renewed under the same conditions, provided that the relevant criteria continue to be met. The certification shall be revoked, where appropriate, by the certification bodies referred to in Article 43 or by the competent supervisory authority if the criteria for certification are not or are no longer met.
- The Committee shall record all certification procedures and data protection seals and certification marks in a register and publish them in an appropriate manner.
- Without prejudice to the tasks and powers of the competent supervisory authority pursuant to Articles 57 and 58, certification bodies which have the appropriate data protection expertise shall grant or renew the certification after informing the supervisory authority so that it can, if necessary, make use of its powers pursuant to Article 58(2)(h). Member States shall ensure that those certification bodies are accredited by one or both of the following bodies:
- the competent supervisory authority pursuant to Article 55 or 56;
- the national accreditation body designated in accordance with Regulation (EC) No 765/2008 of the European Parliament and of the Council, in accordance with EN-ISO/IEC 17065/2012 and with the additional requirements laid down by the competent supervisory authority in accordance with Article 55 or 56.
- Certification bodies referred to in paragraph 1 may only be accredited in accordance with that paragraph if they
- have demonstrated their independence and expertise in the subject matter of the certification to the satisfaction of the competent supervisory authority;
- have undertaken to comply with the criteria referred to in Article 42(5) and approved by the competent supervisory authority in accordance with Article 55 or 56 or by the Board in accordance with Article 63;
- have established procedures for the issuance, periodic review and revocation of data protection certification and data protection seals and marks;
- have established procedures and structures to investigate complaints about breaches of certification or the manner in which certification is, or has been, implemented by the controller or processor, and to make those procedures and structures transparent to data subjects and the public; and
- have demonstrated to the satisfaction of the competent supervisory authority that their tasks and duties do not give rise to a conflict of interest.
- The accreditation of certification bodies referred to in paragraphs 1 and 2 shall be based on the requirements approved by the competent supervisory authority in accordance with Article 55 or 56 or by the Committee in accordance with Article 63. In the case of accreditation under point (b) of paragraph 1 of this Article, those requirements shall be complementary to those provided for in Regulation (EC) No 765/2008 and in the technical rules describing the methods and procedures of certification bodies.
- The certification bodies referred to in paragraph 1 shall be responsible for the appropriate assessment underlying the certification or the withdrawal of a certification, without prejudice to the responsibility of the controller or processor for compliance with this Regulation. The accreditation shall be granted for a maximum period of five years and may be renewed under the same conditions, provided that the certification body fulfils the requirements of this Article.
- The certification bodies referred to in paragraph 1 shall inform the competent supervisory authorities of the reasons for granting or revoking the requested certification.
- The requirements referred to in paragraph 3 of this Article and the criteria referred to in Article 42(5) shall be published by the supervisory authority in an easily accessible form. The supervisory authorities shall also communicate those requirements and criteria to the Board.
- Without prejudice to Chapter VIII, the competent supervisory authority or the national accreditation body shall withdraw the accreditation of a certification body referred to in paragraph 1 if the conditions for accreditation are not, or are no longer, fulfilled or if a certification body takes measures that are incompatible with this Regulation.
- The Commission shall be empowered to adopt delegated acts in accordance with Article 92 to specify the requirements to be taken into account for the data protection certification mechanisms referred to in Article 42(1).
- The Commission may adopt implementing acts laying down technical standards for certification mechanisms and data protection seals and marks and mechanisms for the promotion and recognition of those certification mechanisms and data protection seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).
- Any transfer of personal data which are already being processed or are intended to be processed after their transfer to a third country or an international organisation shall be permitted only if the controller and the processor comply with the conditions laid down in this Chapter and with the other provisions of this Regulation, including any onward transfer of personal data from the third country or international organisation concerned to another third country or international organisation. All provisions of this Chapter shall be applied in order to ensure that the level of protection of natural persons ensured by this Regulation is not undermined.
- A transfer of personal data to a third country or an international organisation may take place if the Commission has decided that the third country, a territory or one or more specific sectors within that third country or the international organisation in question offers an adequate level of protection. Such a data transfer does not require any special authorisation.
- When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:
- the rule of law, respect for human rights and fundamental freedoms, the relevant legislation in force in the country or international organisation concerned, both general and sectoral, including in relation to public security, defence, national security and criminal law and access to personal data by public authorities, as well as the application of such legislation, data protection rules, professional rules and security rules, including rules on onward transfers of personal data to another third country or international organisation, jurisdiction, and effective and enforceable data subject rights and effective administrative and judicial redress for data subjects whose personal data are transferred;
- the existence and effective functioning of one or more independent supervisory authorities in the third country concerned or under the authority of an international organisation, responsible for compliance with and enforcement of data protection rules, including appropriate enforcement powers, for assisting and advising data subjects in the exercise of their rights and for cooperating with the supervisory authorities of the Member States; and
- the international commitments entered into by the third country or international organisation concerned or other obligations arising from legally binding agreements or instruments and from the third country's or international organisation's participation in multilateral or regional systems, in particular with regard to the protection of personal data.
- Following the assessment of the adequacy of the level of protection, the Commission may decide by means of an implementing act that a third country, a territory or one or more specific sectors in a third country or an international organisation offer an adequate level of protection within the meaning of paragraph 2 of this Article. The implementing act shall provide for a regular review mechanism, at least every four years, taking into account any relevant developments in the third country or international organisation. The implementing act shall specify the territorial and sectoral scope and, where applicable, the supervisory authority or authorities referred to in point (b) of paragraph 2 of this Article. The implementing act shall be adopted in accordance with the examination procedure referred to in Article 93(2).
- The Commission shall continuously monitor developments in third countries and international organisations which may affect the operation of the decisions adopted pursuant to paragraph 3 of this Article and the findings made pursuant to Article 25(6) of Directive 95/46/EC.
- The Commission shall, by means of implementing acts, revoke, amend or suspend the decisions referred to in paragraph 3 of this Article, where necessary and without retroactive effect, on the basis of information, in particular following the review referred to in paragraph 3 of this Article, that a third country, a territory or one or more specific sectors within a third country or an international organisation no longer ensures an adequate level of protection within the meaning of paragraph 2 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2) and, on duly justified imperative grounds of urgency, the Commission shall adopt immediately applicable implementing acts in accordance with the procedure referred to in Article 93(3).
- The Commission shall enter into consultations with the third country or international organisation concerned with a view to remedying the situation which led to the decision adopted pursuant to paragraph 5.
- Transfers of personal data to the third country, the territory or one or more specified sectors within that third country or to the international organisation concerned in accordance with Articles 46 to 49 shall not be affected by a decision pursuant to paragraph 5 of this Article.
- The Commission shall publish in the Official Journal of the European Union and on its website a list of the third countries, territories and specified sectors within a third country and international organisations for which it has decided that an adequate level of protection is or is no longer ensured.
- Findings adopted by the Commission on the basis of Article 25(6) of Directive 95/46/EC shall remain in force until they are amended, replaced or repealed by a Commission decision adopted in accordance with the examination procedure referred to in paragraphs 3 or 5 of this Article.
- In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards and if enforceable rights and effective legal remedies are available to the data subjects.
- The appropriate safeguards referred to in paragraph 1 may, without the need for specific authorisation from a supervisory authority, consist of
- a legally binding and enforceable instrument between public authorities or bodies,
- binding corporate rules in accordance with Article 47,
- standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2),
- standard data protection clauses adopted by a supervisory authority and authorised by the Commission in accordance with the examination procedure referred to in Article 93(2),
- approved codes of conduct referred to in Article 40, together with legally binding and enforceable obligations of the controller or processor in the third country to apply the appropriate safeguards, including with regard to the rights of data subjects; or
- an approved certification mechanism pursuant to Article 42, together with legally binding and enforceable obligations on the controller or processor in the third country to apply the appropriate safeguards, including in relation to the rights of data subjects.
- Subject to authorisation by the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also consist in particular of
- contractual clauses agreed between the controller or processor and the controller, processor or recipient of the personal data in the third country or international organisation, or
- provisions to be included in administrative arrangements between public authorities or bodies, including enforceable and effective rights for data subjects.
- The supervisory authority shall apply the consistency mechanism referred to in Article 63 in the case referred to in paragraph 3 of this Article.
- Authorisations granted by a Member State or a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or revoked by that supervisory authority, if necessary. Findings adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or revoked, if necessary, by a Commission decision adopted in accordance with paragraph 2 of this Article.
- The competent supervisory authority shall authorise binding corporate rules in accordance with the consistency mechanism referred to in Article 63, provided that they
- are legally binding and apply to and are enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees,
- expressly confer enforceable rights on data subjects in relation to the processing of their personal data; and
- fulfil the requirements set out in paragraph 2.
- The binding corporate rules referred to in paragraph 1 shall specify at least the following information:
- the structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity, and of each of its members;
- the data transfers or series of data transfers concerned, including the types of personal data concerned, the nature and purpose of the data processing, the type of data subjects and the third country or third countries concerned;
- their legally binding nature, both internally and externally;
- the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, the legal basis for processing, the processing of special categories of personal data, measures to ensure data security and the requirements for onward transfers to bodies not bound by the binding corporate rules;
- the rights of data subjects in relation to processing and the means available to them to exercise those rights, including the right not to be subject to a decision based solely on automated processing, including profiling, in accordance with Article 22, and the right to lodge a complaint with the competent supervisory authority or to seek a judicial remedy before the competent courts of the Member States, as laid down in Article 79, and to obtain redress and, where appropriate, compensation in the event of a breach of the binding corporate rules on data protection;
- the liability assumed by the controller or processor established in a Member State for any breach of the binding corporate rules by a member of the group of undertakings not established in the Union; the controller or processor shall be exempt from such liability, in whole or in part, only if it proves that the event giving rise to the damage cannot be attributed to that member;
- the way in which data subjects are informed, in addition to the provisions of Articles 13 and 14, of the binding corporate rules on data protection and, in particular, of the aspects referred to in points (d), (e) and (f) of this paragraph;
- the tasks of any data protection officer designated in accordance with Article 37 or any other person or body responsible for monitoring compliance with binding corporate rules on data protection within the group of undertakings or group of companies engaged in a joint economic activity and for monitoring training and complaint handling;
- the complaints procedure;
- the procedures in place within the group of undertakings, or group of enterprises engaged in a joint economic activity, to verify compliance with the binding corporate rules. Such procedures shall include data protection audits and procedures to ensure corrective actions to protect the rights of the data subject. The results of such verification shall be communicated to the person or entity referred to in point (h) and to the board of the controlling undertaking of the group of undertakings, or of the group of enterprises engaged in a joint economic activity, and shall be made available to the competent supervisory authority on request;
- the procedures for reporting and recording changes to the regulations and reporting them to the supervisory authority;
- the procedures for cooperating with the supervisory authority to ensure compliance by all members of the group of undertakings or group of companies engaged in a joint economic activity, in particular by disclosing to the supervisory authority the results of reviews of the measures referred to in point (j);
- the notification procedures for informing the competent supervisory authority of any legal provisions applicable to a member of the group of undertakings or group of companies engaged in a joint economic activity in a third country which could adversely affect the safeguards provided by the binding corporate rules; and
- appropriate data protection training for staff with permanent or regular access to personal data.
- The Commission may specify the format and procedures for the exchange of information on binding corporate rules referred to in this Article between controllers, processors and supervisory authorities. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).
- Any judgment of a court or tribunal of a third country and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data shall, in any event, without prejudice to other grounds for transfer under this Chapter, be recognised or enforceable only if it is based on an international agreement in force, such as a mutual legal assistance treaty between the requesting third country and the Union or a Member State.
- In the absence of an adequacy decision pursuant to Article 45(3) or appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall be permitted only under one of the following conditions:
- the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards,
- the transfer is necessary for the fulfilment of a contract between the data subject and the controller or for the implementation of pre-contractual measures at the request of the data subject,
- the transfer is necessary for the conclusion or fulfilment of a contract concluded by the controller with another natural or legal person in the interest of the data subject,
- the transfer is necessary for important reasons of public interest,
- the transfer is necessary for the establishment, exercise or defence of legal claims,
- the transfer is necessary to protect the vital interests of the data subject or other persons if the data subject is physically or legally incapable of giving consent,
- the transfer is made from a register which, under Union or Member State law, is intended to provide information to the public and is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only in so far as the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.
If the transfer could not be based on a provision of Article 45 or 46, including the binding corporate rules, and none of the derogations for a specific case referred to in the first subparagraph apply, a transfer to a third country or an international organisation may only take place if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of the compelling legitimate interests pursued by the controller, except where such interests are overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances of the transfer and, on the basis of that assessment, has provided appropriate safeguards with regard to the protection of personal data. The controller shall inform the supervisory authority of the transfer. The controller shall inform the data subject of the transfer and of its overriding legitimate interests, in addition to the information provided to the data subject in accordance with Articles 13 and 14.
- Transfers referred to in point (g) of the first subparagraph of paragraph 1 shall not include the entirety or entire categories of personal data contained in the register. Where the register is intended for consultation by persons having a legitimate interest, the transfer may be made only at the request of those persons or only if those persons are the recipients of the transfer.
- Points (a), (b) and (c) of the first subparagraph of paragraph 1 and the second subparagraph of paragraph 1 shall not apply to activities carried out by public authorities in the exercise of their public powers.
- The public interest referred to in point (d) of the first subparagraph of paragraph 1 must be recognised in Union law or in the law of the Member State to which the controller is subject.
- In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly provide for restrictions on the transfer of certain categories of personal data to third countries or international organisations. Member States shall notify the Commission of such provisions.
- The controller or processor shall record the assessment it has made and the appropriate safeguards referred to in the second subparagraph of paragraph 1 of this Article in the documentation referred to in Article 30.
- In relation to third countries and international organisations, the Commission and the supervisory authorities shall take appropriate steps to
- develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data,
- provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms,
- engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal data,
- promote the exchange and documentation of personal data protection legislation and practice, including on jurisdictional conflicts with third countries.
- Each Member State shall provide that one or more independent authorities are responsible for monitoring the application of this Regulation in order to protect the fundamental rights and freedoms of natural persons with regard to processing and to facilitate the free flow of personal data within the Union ('supervisory authority').
- Each supervisory authority shall contribute to the harmonised application of this Regulation throughout the Union. To that end, the supervisory authorities shall cooperate with each other and with the Commission in accordance with Chapter VII.
- Where there is more than one supervisory authority in a Member State, that Member State shall designate the supervisory authority representing those authorities in the Board and shall establish a procedure to ensure that the other authorities comply with the consistency mechanism rules referred to in Article 63.
- Each Member State shall notify the Commission by 25 May 2018 at the latest of the provisions of national law which it adopts pursuant to this Chapter and shall notify it without delay of any subsequent amendment affecting them.
- Each supervisory authority shall act with complete independence in the fulfilment of its tasks and the exercise of its powers under this Regulation.
- The member or members of each supervisory authority shall not, in the performance of their duties and exercise of their powers under this Regulation, be subject to any direct or indirect external influence and shall neither seek nor take instructions.
- The member or members of the supervisory authority shall refrain from any action incompatible with the duties of their office and shall not, during their term of office, engage in any other paid or unpaid activity incompatible with their office.
- Each Member State shall ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary to effectively fulfil its tasks and exercise its powers, including in the context of mutual assistance, cooperation and participation in the Board.
- Each Member State shall ensure that each supervisory authority selects and has its own staff, which shall be subject exclusively to the direction of the member or members of the supervisory authority concerned.
- Each Member State shall ensure that each supervisory authority is subject to financial control that does not jeopardise its independence and that it has its own public annual budgets, which may form part of the overall state or national budget.
- Member States shall provide for each member of their supervisory authorities to be appointed by means of a transparent procedure by
- their parliament,
- their government,
- their head of state, or
- an independent body entrusted with the appointment under Member State law.
- Each member shall have the qualifications, experience and skills, in particular in the area of the protection of personal data, required to perform his or her duties and exercise his or her powers.
- The duties of a member shall end upon expiry of the term of office, resignation or compulsory retirement in accordance with the law of the Member State concerned.
- A member shall only be removed from office if he or she has committed serious misconduct or no longer fulfils the requirements for performing his or her duties.
- Each Member State shall provide by law for the following:
- the establishment of any supervisory authority;
- the necessary qualifications and other requirements for appointment as a member of each supervisory authority;
- the rules and procedures for the appointment of the member or members of each supervisory authority;
- the term of office of the member or members of each supervisory authority of at least four years; this does not apply to the first term of office after 24 May 2016, which may be shorter for some of the members if a staggered appointment is necessary to safeguard the independence of the supervisory authority;
- whether and, if so, for how many terms the member or members of each supervisory authority are eligible for reappointment;
- the conditions relating to the duties of the member or members and staff of each supervisory authority, the prohibitions on acts, professional activities and remuneration during and after the term of office which are incompatible with those duties, and the rules on termination of employment.
- The member or members and staff of each supervisory authority shall be bound, both during and after their term of office, by Union or Member State law, to observe professional secrecy with regard to any confidential information which has come to their knowledge in the course of the performance of their duties or the exercise of their powers. During their term of office or service, this duty of confidentiality shall apply in particular to breaches of this Regulation reported by natural persons.
- Each supervisory authority shall be competent to fulfil the tasks and exercise the powers conferred on it by this Regulation within the territory of its own Member State.
- If the processing is carried out by public authorities or private bodies on the basis of Article 6(1)(c) or (e), the supervisory authority of the Member State concerned shall be competent. In this case, Article 56 shall not apply.
- Supervisory authorities shall not be competent to supervise processing operations of courts acting in their judicial capacity.
- Without prejudice to Article 55, the supervisory authority of the main establishment or the single establishment of the controller or processor shall be the competent lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure referred to in Article 60.
- By way of derogation from paragraph 1, each supervisory authority shall be competent to deal with a complaint lodged with it or with a possible infringement of this Regulation where the subject matter relates only to an establishment in its Member State or significantly affects data subjects only in its Member State.
- In the cases referred to in paragraph 2 of this Article, the supervisory authority shall inform the lead supervisory authority about the matter without undue delay. Within three weeks of the notification, the lead supervisory authority shall decide whether or not to deal with the case in accordance with the procedure referred to in Article 60, taking into account whether or not the controller or processor has an establishment in the Member State whose supervisory authority has informed it.
- If the lead supervisory authority decides to deal with the case, the procedure laid down in Article 60 shall apply. The supervisory authority which has informed the lead supervisory authority may submit a draft decision to the lead supervisory authority. The lead supervisory authority shall take the utmost account of that draft when preparing the draft decision referred to in Article 60(3).
- Where the lead supervisory authority decides not to deal with the case itself, the supervisory authority which informed the lead supervisory authority shall deal with the case in accordance with Articles 61 and 62.
- The lead supervisory authority is the single point of contact for the controller or processor for issues relating to cross-border processing carried out by that controller or processor.
- Without prejudice to other tasks set out in this Regulation, each supervisory authority in its territory shall
- monitor and enforce the application of this Regulation;
- promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing; activities addressed specifically to children shall receive specific attention;
- in accordance with the law of the Member State, advise the national parliament, the government and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to processing;
- promote the awareness of controllers and processors of their obligations under this Regulation;
- upon request, provide any data subject with information on the exercise of their rights under this Regulation and, where appropriate, cooperate with the supervisory authorities in other Member States for this purpose;
- deal with complaints lodged by a data subject or by a body, organisation or association in accordance with Article 80, investigate the subject matter of the complaint to an appropriate extent and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular where further investigation or coordination with another supervisory authority is necessary;
- cooperate with other supervisory authorities, including through the exchange of information, and provide them with administrative assistance to ensure the harmonised application and enforcement of this Regulation;
- conduct investigations into the application of this Regulation, including on the basis of information provided by another supervisory authority or another authority;
- monitor relevant developments insofar as they have an impact on the protection of personal data, in particular the development of information and communication technology and business practices;
- adopt standard contractual clauses referred to in Article 28(8) and in point (d) of Article 46(2);
- establish and maintain a list of the types of processing for which a data protection impact assessment is to be carried out pursuant to Article 35(4);
- provide advice in relation to the processing operations referred to in Article 36(2);
- encourage the drawing up of codes of conduct referred to in Article 40(1) and issue opinions on and approve such codes of conduct, which shall provide sufficient guarantees within the meaning of Article 40(5);
- encourage the establishment of data protection certification mechanisms and of data protection seals and marks in accordance with Article 42(1) and approve certification criteria in accordance with Article 42(5);
- periodically review the certifications granted in accordance with Article 42(7), as appropriate;
- draw up and publish the requirements for the accreditation of a body for monitoring compliance with the rules of conduct referred to in Article 41 and of a certification body referred to in Article 43;
- accredit a compliance monitoring body in accordance with Article 41 and a certification body in accordance with Article 43;
- authorise contractual clauses and provisions referred to in Article 46(3);
- approve binding corporate rules pursuant to Article 47;
- contribute to the activities of the Board;
- keep internal records of infringements of this Regulation and of measures taken in accordance with Article 58(2); and
- fulfil any other task in connection with the protection of personal data.
- Each supervisory authority shall facilitate the submission of complaints referred to in paragraph 1(f) by measures such as the provision of a complaint form which can also be filled in electronically, without excluding other means of communication.
- The performance of the tasks of each supervisory authority shall be free of charge for the data subject and, where applicable, for the data protection officer.
- Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the supervisory authority may charge a reasonable fee based on administrative costs, or refuse to act on the request. The supervisory authority shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
- Each supervisory authority shall have all of the following investigative powers:
- to order the controller and the processor, and, where applicable, the representative of the controller or the processor, to provide any information it requires for the performance of its tasks,
- to carry out investigations in the form of data protection audits,
- to carry out a review of certifications issued pursuant to Article 42(7),
- to notify the controller or the processor of an alleged infringement of this Regulation,
- to obtain from the controller and the processor access to all personal data and to all information necessary for the performance of its tasks,
- to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law.
- Each supervisory authority shall have all of the following corrective powers:
- to issue warnings to a controller or processor that intended processing operations are likely to infringe this Regulation,
- to issue reprimands to a controller or processor where processing operations have infringed this Regulation,
- to order the controller or processor to comply with the data subject's requests to exercise his or her rights under this Regulation,
- to order the controller or processor to bring processing operations into compliance with this Regulation, where appropriate, in a specified manner and within a specified period,
- to order the controller to communicate a personal data breach to the data subject,
- to impose a temporary or definitive limitation on processing, including a ban,
- to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19,
- to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met,
- to impose an administrative fine pursuant to Article 83, in addition to, or instead of, the measures referred to in this paragraph, depending on the circumstances of each individual case,
- to order the suspension of data flows to a recipient in a third country or to an international organisation.
- Each supervisory authority shall have all of the following authorisation powers and advisory powers that allow it to do so,
- in accordance with the prior consultation procedure referred to in Article 36,
- to address opinions on any matter relating to the protection of personal data, on his or her own initiative or on request, to the national parliament, the government of the Member State or, in accordance with the law of the Member State, to other institutions and bodies and to the public,
- to authorise the processing in accordance with Article 36(5) if such prior authorisation is required by the law of the Member State,
- issue an opinion and approve draft codes of conduct in accordance with Article 40(5),
- accredit certification bodies in accordance with Article 43,
- issue certifications and approve criteria for certification in accordance with Article 42(5),
- establish standard data protection clauses in accordance with Article 28(8) and Article 46(2)(d)
- to authorise contractual clauses in accordance with Article 46(3)(a),
- to authorise administrative arrangements in accordance with Article 46(3)(b)
- to approve binding internal rules in accordance with Article 47.
- The exercise of the powers conferred on the supervisory authority under this Article shall be subject to appropriate safeguards, including effective judicial remedies and due process, in accordance with Union and Member State law and in compliance with the Charter.
- Each Member State shall provide by law that its supervisory authority is authorised to bring infringements of this Regulation to the attention of the judicial authorities and, where appropriate, to initiate or participate in judicial proceedings to enforce the provisions of this Regulation.
- Each Member State may provide by law that its supervisory authority shall have powers in addition to those listed in paragraphs 1, 2 and 3. The exercise of those powers shall not jeopardise the effective implementation of Chapter VII.
- Each supervisory authority shall draw up an annual report on its activities, which may include a list of the types of infringements notified and the types of measures taken in accordance with Article 58(2). Those reports shall be transmitted to the national parliament, the government and other authorities designated under the law of the Member State. They shall be made available to the public, the Commission and the Board.
- The lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this Article and shall endeavour to reach a consensus. The lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other.
- The lead supervisory authority may at any time request mutual assistance pursuant to Article 61 from other supervisory authorities concerned and carry out joint operations pursuant to Article 62, in particular to conduct investigations or monitor the implementation of a measure in relation to a controller or processor established in another Member State.
- The lead supervisory authority shall immediately provide the other supervisory authorities concerned with the relevant information on the matter. It shall immediately submit a draft decision to the other supervisory authorities concerned for comments and take due account of their views.
- Where one of the other supervisory authorities concerned raises a relevant and reasoned objection to that draft decision within four weeks of being consulted in accordance with paragraph 3 of this Article and the lead supervisory authority does not agree with the relevant and reasoned objection or considers that the objection is not relevant or not reasoned, the lead supervisory authority shall initiate the consistency mechanism referred to in Article 63 for the matter.
- If the lead supervisory authority intends to endorse the relevant and reasoned objection, it shall submit a revised draft decision to the other supervisory authorities concerned for comment. The revised draft decision shall be subject to the procedure set out in paragraph 4 within two weeks.
- If none of the other supervisory authorities concerned objects to the draft decision submitted by the lead supervisory authority within the time limit set out in paragraphs 4 and 5, the lead supervisory authority and the supervisory authorities concerned shall be deemed to have agreed to the draft decision and shall be bound by it.
- The lead supervisory authority shall adopt the decision and communicate it to the main establishment or the single establishment of the controller or, where applicable, the processor and inform the other supervisory authorities concerned and the Board of the decision, including a summary of the relevant facts and grounds. The supervisory authority with which a complaint has been lodged shall inform the complainant of the decision.
- If a complaint is rejected or dismissed, the supervisory authority to which the complaint was submitted shall, by way of derogation from paragraph 7, issue the decision, notify the complainant and inform the controller.
- Where the lead supervisory authority and the supervisory authorities concerned agree to reject or dismiss parts of the complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts. The lead supervisory authority shall adopt the decision for the part concerning action on the controller, communicate it to the main establishment or single establishment of the controller or processor on the territory of its Member State and inform the complainant thereof, while the supervisory authority responsible for the complainant shall adopt the decision for the part concerning the rejection or dismissal of that complaint, communicate it to that complainant and inform the controller or processor thereof.
- After being informed of the decision of the lead supervisory authority pursuant to paragraphs 7 and 9, the controller or processor shall take the necessary measures to bring the processing activities of all its establishments in the Union into compliance with that decision. The controller or processor shall inform the lead supervisory authority of the measures taken to comply with the decision, which in turn shall inform the other supervisory authorities concerned.
- Where, in exceptional cases, a supervisory authority concerned has reason to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Article 66 shall apply.
- The lead supervisory authority and the other supervisory authorities concerned shall provide each other with the information required under this Article by electronic means using a standardised format.
- The supervisory authorities shall provide each other with relevant information and mutual assistance in order to implement and apply this Regulation in a harmonised manner and shall make arrangements for effective cooperation. Mutual assistance shall relate in particular to requests for information and supervisory measures, such as requests for prior authorisations and prior consultation, inspections and investigations.
- Each supervisory authority shall take all appropriate measures to comply with a request from another supervisory authority without undue delay and at the latest within one month of receipt of the request. This may include, in particular, the transmission of relevant information on the conduct of an investigation.
- Requests for assistance shall contain all necessary information, including the purpose of and reasons for the request. Information exchanged shall be used only for the purpose for which it was requested.
- The requested supervisory authority shall refuse the request only where
- it is not competent for the subject matter of the request or for the measures it is to carry out, or
- responding to the request would be contrary to this Regulation or to Union or Member State law to which the supervisory authority receiving the request is subject.
- The requested supervisory authority shall inform the requesting supervisory authority of the results or, where applicable, of the progress of the measures taken to fulfil the request. The requested supervisory authority shall explain the reasons for the refusal of the request in accordance with paragraph 4.
- The requested supervisory authorities shall generally transmit the information requested by another supervisory authority by electronic means using a standardised format.
- Requested supervisory authorities shall not charge any fees for measures taken on the basis of a request for assistance. The supervisory authorities may agree among themselves on rules to reimburse each other in exceptional cases for specific expenses incurred as a result of administrative assistance.
- Where a requested supervisory authority does not provide the information referred to in paragraph 5 within one month of receipt of the request from another supervisory authority, the requesting supervisory authority may take a provisional measure on the territory of its Member State in accordance with Article 55(1). In that case, the need for urgent action referred to in Article 66(1) shall be presumed and shall require a binding decision of the Board adopted under the urgency procedure in accordance with Article 66(2).
- The Commission may, by means of implementing acts, specify the form and procedure of mutual assistance under this Article and the organisation of the electronic exchange of information between the supervisory authorities and between the supervisory authorities and the Board, in particular the standardised format referred to in paragraph 6 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).
- The supervisory authorities shall, where appropriate, conduct joint operations, including joint investigations and joint enforcement actions, in which members or staff of the supervisory authorities of other Member States participate.
- Where the controller or processor has establishments in more than one Member State or where the processing operations are likely to have a significant impact on a substantial number of data subjects in more than one Member State, the supervisory authority of each of those Member States shall be authorised to participate in the joint operations. The supervisory authority competent pursuant to Article 56(1) or (4) shall invite the supervisory authority of each of those Member States to participate in the joint operations and shall respond without undue delay to the request of a supervisory authority to participate.
- A supervisory authority may, in accordance with the law of its Member State and with the authorisation of the seconding supervisory authority, confer powers, including investigative powers, on the members or staff of the seconding supervisory authority participating in the joint operations or, to the extent permitted by the law of the Member State of the host supervisory authority, allow the members or staff of the seconding supervisory authority to exercise their investigative powers in accordance with the law of the Member State of the seconding supervisory authority. Those investigative powers may be exercised only under the guidance and in the presence of members or staff of the host supervisory authority. The members or staff of the seconding supervisory authority shall be subject to the law of the Member State of the host supervisory authority.
- Where, in accordance with paragraph 1, staff of a seconding supervisory authority are deployed in another Member State, the Member State of the host supervisory authority shall assume responsibility for their actions, including liability for any damage caused by them during their deployment, in accordance with the law of the Member State in whose territory the deployment takes place.
- The Member State in whose territory the damage was caused shall make good such damage under the conditions applicable to damage caused by its own staff. The Member State of the seconding supervisory authority whose staff have caused damage to a person in the territory of another Member State shall reimburse that other Member State in full the compensation it has paid to the persons entitled.
- Without prejudice to the exercise of its rights vis-à-vis third parties and with the exception of paragraph 5, in the case referred to in paragraph 1, each Member State shall refrain from claiming from other Member States the amount of the damage suffered referred to in paragraph 4.
- Where a joint operation is intended and a supervisory authority does not, within one month, comply with the obligation laid down in the second sentence of paragraph 2 of this Article, the other supervisory authorities may adopt a provisional measure on the territory of their Member State in accordance with Article 55. In that case, the urgent need to act referred to in Article 66(1) shall be presumed and shall require an opinion or a binding decision of the Board adopted under the urgency procedure in accordance with Article 66(2).
- In order to contribute to the harmonised application of this Regulation throughout the Union, the supervisory authorities shall cooperate with each other and, where appropriate, with the Commission within the framework of the consistency mechanism described in this section.
- The Board shall issue an opinion where a competent supervisory authority intends to adopt any of the measures listed below. To that end, the competent supervisory authority shall communicate the draft decision to the Board where it
- aims to adopt a list of the processing operations subject to the requirement for a data protection impact assessment pursuant to Article 35(4),
- concerns a matter pursuant to Article 40(7), namely whether a draft code of conduct or an amendment or extension to a code of conduct complies with this Regulation,
- aims to approve the requirements for accreditation of a body pursuant to Article 41(3), of a certification body pursuant to Article 43(3), or the criteria for certification referred to in Article 42(5),
- aims to adopt standard data protection clauses in accordance with Article 46(2)(d) and Article 28(8),
- aims to authorise contractual clauses in accordance with Article 46(3)(a), or
- aims to approve binding corporate rules within the meaning of Article 47.
- Any supervisory authority, the Chair of the Board or the Commission may request that a matter of general application or having an impact in more than one Member State be examined by the Board in order to obtain an opinion, in particular where a competent supervisory authority does not fulfil the obligations of mutual assistance under Article 61 or joint operations under Article 62.
- In the cases referred to in paragraphs 1 and 2, the Board shall issue an opinion on the matter submitted to it, unless it has already issued an opinion on the same matter. That opinion shall be adopted within eight weeks by a simple majority of the members of the Board. That period may be extended by a further six weeks, taking into account the complexity of the matter. As regards the draft decision referred to in paragraph 1, which is circulated to the members of the Board in accordance with paragraph 5, a member who has not objected within a reasonable period indicated by the Chair shall be deemed to be in agreement with the draft decision.
- The supervisory authorities and the Commission shall, without delay, provide the Board by electronic means, using a standardised format, with all relevant information, including, as the case may be, a brief presentation of the facts, the draft decision, the reasons why such action is necessary and the views of other supervisory authorities concerned.
- The Chair of the Board shall, without undue delay, inform by electronic means
- the members of the Board and the Commission, using a standardised format, of any relevant information which has been communicated to it. The secretariat of the Board shall, where necessary, provide translations of relevant information; and
- the supervisory authority referred to, as the case may be, in paragraphs 1 and 2, and the Commission of the opinion, and shall publish it.
- The competent supervisory authority referred to in paragraph 1 shall not adopt the draft decision referred to in paragraph 1 before the expiry of the period referred to in paragraph 3.
- The competent supervisory authority referred to in paragraph 1 shall take utmost account of the opinion of the Board and shall, within two weeks of receipt of the opinion, inform its Chair by electronic means, using a standardised format, whether it will maintain or amend the draft decision and, where appropriate, transmit the amended draft decision.
- Where the competent supervisory authority referred to in paragraph 1 notifies the Chair of the Board within the time limit set out in paragraph 7 of this Article, stating the relevant reasons, that it intends not to follow the opinion of the Board in whole or in part, Article 65(1) shall apply.
- In order to ensure the correct and consistent application of this Regulation in individual cases, the Board shall adopt a binding decision in the following cases:
- where, in a case referred to in Article 60(4), a supervisory authority concerned has raised a relevant and reasoned objection to a draft decision of the lead supervisory authority and the lead supervisory authority has not followed the objection or has rejected the objection as not relevant or not reasoned. The binding decision shall concern all matters that are the subject of the relevant and reasoned objection, in particular the question of whether there has been an infringement of this Regulation,
- where there are conflicting views on which of the supervisory authorities concerned is competent for the main establishment,
- where a competent supervisory authority does not request the opinion of the Board in the cases referred to in Article 64(1) or does not follow the opinion of the Board issued under Article 64. In that case, any supervisory authority concerned or the Commission may refer the matter to the Board.
- The decision referred to in paragraph 1 shall be adopted by a two-thirds majority of the members of the Board within one month of the matter being referred to it. That period may be extended by a further month on account of the complexity of the matter. The decision referred to in paragraph 1 shall be reasoned and communicated to the lead supervisory authority and all supervisory authorities concerned and shall be binding on them.
- Where the Board has been unable to adopt a decision within the periods referred to in paragraph 2, it shall adopt its decision within two weeks of the end of the second month referred to in paragraph 2 by a simple majority of the members of the Board. In the event of a tie between the members of the Board, the Chair shall have the casting vote.
- The supervisory authorities concerned shall not adopt a decision on the matter referred to the Board before the expiry of the periods referred to in paragraphs 2 and 3.
- The Chair of the Board shall, without undue delay, notify the supervisory authorities concerned of the decision referred to in paragraph 1. It shall inform the Commission thereof. The decision shall be published on the website of the Board without delay after the supervisory authority has notified the final decision referred to in paragraph 6.
- The lead supervisory authority or, where applicable, the supervisory authority with which the complaint has been lodged shall take the final decision on the basis of the decision referred to in paragraph 1 of this Article without undue delay and no later than one month after the European Data Protection Board has communicated its decision. The lead supervisory authority or, where applicable, the supervisory authority with which the complaint has been lodged shall inform the Board of the date on which its final decision is communicated to the controller or processor or the data subject. The final decision of the supervisory authorities concerned shall be adopted in accordance with Article 60(7), (8) and (9). The final decision shall refer to the decision referred to in paragraph 1 and shall specify that the decision referred to in paragraph 1 of this Article shall be published on the Board's website in accordance with paragraph 5. The final decision shall be accompanied by the decision referred to in paragraph 1 of this Article.
- In exceptional circumstances, a supervisory authority concerned may, by way of derogation from the consistency mechanism referred to in Articles 63, 64 and 65 or the procedure referred to in Article 60, immediately adopt provisional measures with a fixed duration of no more than three months, intended to produce legal effects on its territory, where it considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects. The supervisory authority shall inform the other supervisory authorities concerned, the Board and the Commission without undue delay of those measures and the reasons for their adoption.
- Where a supervisory authority has taken a measure in accordance with paragraph 1 and considers that definitive measures need to be adopted urgently, it may request an opinion or a binding decision of the Board under the urgency procedure, stating its reasons.
- Any supervisory authority may request an opinion or, where appropriate, a binding decision of the Board under the urgency procedure, stating reasons, including for the urgent need for action, if a competent supervisory authority has not taken appropriate measures to protect the rights and freedoms of data subjects despite the urgent need for action.
- By way of derogation from Article 64(3) and Article 65(2), an opinion or a binding decision under the urgency procedure referred to in paragraphs 2 and 3 of this Article shall be adopted within two weeks by a simple majority of the members of the Board.
- The Commission may adopt implementing acts of general scope to specify the arrangements for the exchange of information by electronic means between supervisory authorities and between supervisory authorities and the Board, in particular the standardised format referred to in Article 64. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).
- The European Data Protection Board (hereinafter referred to as "the Board") shall be established as a Union body with legal personality.
- The Board shall be represented by its Chair.
- The Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor, or their respective representatives.
- Where more than one supervisory authority in a Member State is responsible for supervising the application of the provisions adopted pursuant to this Regulation, a joint representative shall be appointed in accordance with the law of that Member State.
- The Commission shall have the right to participate in the activities and meetings of the Board without voting rights. The Commission shall designate a representative. The Chair of the Board shall inform the Commission of the activities of the Board.
- In the cases referred to in Article 65, the European Data Protection Supervisor shall have the right to vote only on decisions concerning principles and rules applicable to the Union institutions, bodies, offices and agencies which correspond in substance to the principles and rules laid down in this Regulation.
- The Board shall act independently in the performance of its tasks or in the exercise of its powers pursuant to Articles 70 and 71.
- Without prejudice to requests by the Commission referred to in Article 70(1) and (2), the Board shall, in the performance of its tasks or in the exercise of its powers, neither seek nor take instructions from anybody.
- The Board shall ensure the consistent application of this Regulation. To that end, the Board shall, on its own initiative or, where appropriate, at the request of the Commission, in particular:
- monitor and ensure the correct application of this Regulation in the cases referred to in Articles 64 and 65, without prejudice to the tasks of the national supervisory authorities;
- advise the Commission on any matter relating to the protection of personal data in the Union, including on any proposed amendment of this Regulation;
- advise the Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities in relation to binding corporate rules;
- issue guidelines, recommendations and best practices on procedures for the erasure, pursuant to Article 17(2), of links to, or copies or replications of, personal data from publicly available communication services;
- examine, on its own initiative, at the request of one of its members or at the request of the Commission, any question concerning the application of this Regulation and issue guidelines, recommendations and best practices in order to encourage consistent application of this Regulation;
- issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for further specifying the criteria and conditions for decisions based on profiling pursuant to Article 22(2);
- issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing personal data breaches and determining the undue delay referred to in Article 33(1) and (2), and on the particular circumstances in which a controller or processor is required to notify the personal data breach;
- issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph on the circumstances in which a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons as referred to in Article 34(1);
- issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for further specifying the criteria and requirements for transfers of personal data based on binding corporate rules adhered to by controllers or processors as referred to in Article 47, and the further necessary requirements to ensure the protection of personal data of the data subjects concerned therein;
- issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for further specifying the criteria and requirements for the transfers of personal data referred to in Article 49(1);
- draw up guidelines for supervisory authorities concerning the application of the measures referred to in Article 58(1), (2) and (3) and the setting of administrative fines pursuant to Article 83;
- review the practical application of the guidelines, recommendations and best practices;
- issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing common procedures for the reporting by natural persons of infringements of this Regulation pursuant to Article 54(2);
- encourage the drawing up of codes of conduct and the establishment of data protection certification mechanisms and data protection seals and marks pursuant to Articles 40 and 42;
- approve the criteria for certification referred to in Article 42(5) and maintain a public register of certification mechanisms and data protection seals and marks referred to in Article 42(8) and of certified controllers or processors established in third countries referred to in Article 42(7);
- approve the requirements referred to in Article 43(3) with a view to the accreditation of certification bodies in accordance with Article 43;
- provide the Commission with an opinion on the certification requirements referred to in Article 43(8);
- provide the Commission with an opinion on the figurative symbols referred to in Article 12(7);
- provide the Commission with an opinion on the adequacy of the level of protection in a third country or international organisation, including on whether the third country, a territory or one or more specified sectors within that third country, or the international organisation no longer ensures an adequate level of protection. To that end, the Commission shall provide the Board with all necessary documentation, including correspondence with the government of the third country, with regard to that third country, territory or specified sector, or with the international organisation;
- issue opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism referred to in Article 64(1), on matters submitted pursuant to Article 64(2), and adopt binding decisions pursuant to Article 65, including in the cases referred to in Article 66;
- promote cooperation and the effective bilateral and multilateral exchange of information and best practices between supervisory authorities;
- promote common training programmes and facilitate staff exchanges between supervisory authorities and, where appropriate, with supervisory authorities of third countries or with international organisations;
- promote the exchange of knowledge and documentation on data protection legislation and practice with data protection supervisory authorities worldwide;
- issue opinions on codes of conduct drawn up at Union level pursuant to Article 40(9); and
- maintain a publicly accessible electronic register of decisions taken by supervisory authorities and courts on issues handled under the consistency mechanism.
- Where the Commission requests advice from the Board, it may indicate a time limit, taking into account the urgency of the matter.
- The Board shall forward its opinions, guidelines, recommendations and best practices to the Commission and to the committee referred to in Article 93 and make them public.
- The Board shall, where appropriate, consult interested parties and give them the opportunity to comment within a reasonable period. Without prejudice to Article 76, the Board shall make the results of the consultation publicly available.
- The Board shall draw up an annual report on the protection of natural persons with regard to processing in the Union and, where applicable, in third countries and international organisations. The report shall be published and transmitted to the European Parliament, the Council and the Commission.
- The annual report shall include a review of the practical application of the guidelines, recommendations and best practices referred to in Article 70(1)(l) and the binding decisions referred to in Article 65.
- Unless otherwise provided for in this Regulation, the Board shall take decisions by a simple majority of its members.
- The Board shall adopt its own rules of procedure by a two-thirds majority of its members and determine its working methods.
- The Board shall elect a Chair and two deputy chairs from amongst its members by simple majority.
- The term of office of the Chair and of the deputy chairs shall be five years; it shall be renewable once.
- The Chair shall have the following tasks:
- to convene the meetings of the Board and prepare its agenda,
- to notify the decisions adopted by the Board pursuant to Article 65 to the lead supervisory authority and the supervisory authorities concerned,
- to ensure the timely performance of the tasks of the Board, in particular in relation to the consistency mechanism referred to in Article 63.
- The Board shall lay down the allocation of tasks between the Chair and the deputy chairs in its rules of procedure.
- The Board is supported by a secretariat provided by the European Data Protection Supervisor.
- The Secretariat shall carry out its tasks exclusively on the instructions of the Chair of the Committee.
- The staff of the European Data Protection Supervisor involved in the performance of the tasks entrusted to the Board under this Regulation shall be subject to different reporting obligations from the staff involved in the performance of the tasks entrusted to the European Data Protection Supervisor.
- Where appropriate, the Board and the European Data Protection Supervisor shall draw up and make public an agreement on the application of this Article, setting out the terms of their cooperation, which shall apply to the staff of the European Data Protection Supervisor involved in the performance of the tasks entrusted to the Board under this Regulation.
- The Secretariat provides the Committee with analytical, administrative and logistical support.
- The secretariat is responsible in particular for
- the day-to-day business of the committee,
- communication between the members of the committee, its chair and the Commission,
- communication with other institutions and with the public,
- the use of electronic means for internal and external communication,
- the translation of relevant information,
- the preparation and follow-up of the committee meetings,
- the preparation, drafting and publication of opinions, decisions on the settlement of disputes between supervisory authorities and other documents adopted by the Committee.
- The Committee's deliberations are confidential in accordance with its rules of procedure if the Committee deems this necessary.
- Access to documents submitted to members of the Committee, experts and representatives of third parties is governed by Regulation (EC) No 1049/2001 of the European Parliament and of the Council.
- Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
- The supervisory authority with which the complaint has been lodged shall inform the complainant of the progress and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Article 78.
- Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
- Without prejudice to any other administrative or non-judicial remedy, every data subject shall have the right to an effective judicial remedy where the supervisory authority competent pursuant to Articles 55 and 56 does not deal with a complaint or does not inform the data subject within three months of the progress or outcome of the complaint lodged pursuant to Article 77.
- Proceedings against a supervisory authority shall be brought before the courts of the Member State in which the supervisory authority is established.
- Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.
- Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
- Actions against a controller or processor shall be brought before the courts of the Member State in which the controller or processor has an establishment. Alternatively, such actions may also be brought before the courts of the Member State in which the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.
- The data subject shall have the right to mandate a not-for-profit body, organisation or association, duly constituted in accordance with the law of a Member State, which has statutory objectives in the public interest and which is active in the field of the protection of the rights and freedoms of data subjects with regard to the protection of their personal data, to lodge a complaint on his or her behalf, to exercise on his or her behalf the rights referred to in Articles 77, 78 and 79 and to exercise the right to receive compensation in accordance with Article 82, where provided for by the law of the Member States.
- Member States may provide that any of the bodies, organisations or associations referred to in paragraph 1 of this Article shall have the right to lodge a complaint with the competent supervisory authority referred to in Article 77 and to exercise the rights referred to in Articles 78 and 79, independently of any mandate given by the data subject in that Member State, where they consider that the rights of a data subject under this Regulation have been infringed as a result of processing.
- Where a competent court of a Member State has information on proceedings concerning the same subject matter as regards processing by the same controller or processor that are pending before a court in another Member State, it shall contact that court in the other Member State to confirm the existence of such proceedings.
- Where proceedings concerning the same subject matter as regards processing by the same controller or processor are pending before a court in another Member State, any competent court other than the court first seised may suspend its proceedings.
- Where those proceedings are pending at first instance, any court other than the court first seised may also, on the application of one of the parties, decline jurisdiction if the court first seised has jurisdiction over the actions in question and its law permits the consolidation thereof.
- Any person who has suffered material or non-material damage as a result of a breach of this Regulation shall be entitled to compensation from the controller or processor.
- Each controller involved in a processing operation shall be liable for the damage caused by a processing operation which does not comply with this Regulation. A processor shall only be liable for damage caused by processing if it has failed to fulfil its obligations under this Regulation specifically imposed on processors or has acted in disregard of or contrary to the lawful instructions of the controller.
- The controller or processor shall be exempt from liability pursuant to paragraph 2 if it proves that it is in no way responsible for the event giving rise to the damage.
- Where more than one controller or more than one processor or both a controller and a processor are involved in the same processing and they are responsible for damage caused by the processing pursuant to paragraphs 2 and 3, each controller or processor shall be liable for the entire damage in order to ensure effective compensation for the data subject.
- Where a controller or processor has paid full compensation for the damage suffered pursuant to paragraph 4, that controller or processor shall be entitled to recover from the other controllers or processors involved in the same processing that part of the compensation which corresponds to their share of responsibility for the damage under the conditions laid down in paragraph 2.
- Proceedings relating to the exercise of the right to compensation shall be brought before the courts having jurisdiction under the law of the Member State referred to in Article 79(2).
- Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 is, in each individual case, effective, proportionate and dissuasive.
- Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, the measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and on its amount, due regard shall be given in each individual case to the following:
- the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned, the number of data subjects affected and the level of damage suffered by them;
- the intentional or negligent character of the infringement;
- any action taken by the controller or processor to mitigate the damage suffered by data subjects;
- the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to Articles 25 and 32;
- any relevant previous infringements by the controller or processor;
- the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects;
- the categories of personal data affected by the infringement;
- the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
- where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures;
- adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
- any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
- If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.
- Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines of up to EUR 10 000 000 or, in the case of an undertaking, up to 2 % of its total worldwide annual turnover of the preceding financial year, whichever is higher:
- the obligations of controllers and processors under Articles 8, 11, 25 to 39, 42 and 43;
- the obligations of the certification body under Articles 42 and 43;
- the obligations of the monitoring body referred to in Article 41(4).
- Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines of up to EUR 20 000 000 or, in the case of an undertaking, up to 4 % of its total worldwide annual turnover of the preceding financial year, whichever is higher:
- the principles for processing, including the conditions for consent, in accordance with Articles 5, 6, 7 and 9;
- the rights of the data subject in accordance with Articles 12 to 22;
- the transfer of personal data to a recipient in a third country or to an international organisation in accordance with Articles 44 to 49;
- any obligations pursuant to Member State law adopted under Chapter IX;
- non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2), or failure to provide access in violation of Article 58(1).
- Non-compliance with an order by the supervisory authority referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines of up to EUR 20 000 000 or, in the case of an undertaking, up to 4 % of its total worldwide annual turnover of the preceding financial year, whichever is higher.
- Without prejudice to the remedial powers of supervisory authorities under Article 58(2), each Member State may lay down rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.
- The exercise by a supervisory authority of its own powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and national law, including effective judicial remedies and due process.
- Where the legal system of a Member State does not provide for fines, this Article may be applied in such a way that the fine is initiated by the competent supervisory authority and imposed by the competent national courts, while ensuring that these remedies are effective and have the same effect as fines imposed by supervisory authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. By 25 May 2018, the Member States concerned shall notify to the Commission the provisions of national law which they adopt pursuant to this paragraph and, without delay, any subsequent amendments or modifications thereto.
- Member States shall lay down the rules on other penalties applicable to infringements of this Regulation, in particular to infringements not subject to a fine pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. Those penalties shall be effective, proportionate and dissuasive.
- Each Member State shall notify the Commission by 25 May 2018 of the provisions of national law which it adopts pursuant to paragraph 1 and, without delay, of any subsequent amendment affecting them.
- Member States shall reconcile by law the right to the protection of personal data under this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and for scientific, artistic or literary purposes.
- For processing carried out for journalistic, scientific, artistic or literary purposes, Member States shall provide for derogations or exemptions from Chapter II (Principles), Chapter III (Rights of the data subject), Chapter IV (Controller and processor), Chapter V (Transfer of personal data to third countries or international organisations), Chapter VI (Independent supervisory authorities), Chapter VII (Cooperation and consistency) and Chapter IX (Rules for specific processing situations) where necessary to reconcile the right to the protection of personal data with the freedom of expression and information.
- Each Member State shall notify to the Commission the provisions of national law which it adopts pursuant to paragraph 2 and, without delay, any subsequent amendments or modifications thereto.
- Personal data contained in official documents held by a public authority or body or by a private body for the performance of a task carried out in the public interest may be disclosed by the public authority or body in accordance with Union law or the law of the Member State to which the public authority or body is subject in order to reconcile public access to official documents with the right to the protection of personal data under this Regulation.
- Member States may further determine the specific conditions for the processing of a national identification number or any other identifier of general application. In that case the national identification number or any other identifier of general application shall be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation.
- Member States may, by law or by collective agreement, lay down more specific rules to ensure the protection of the rights and freedoms with regard to the processing of employees' personal data in the employment context, in particular for the purposes of recruitment, the performance of the employment contract, including the fulfilment of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity at work, health and safety at work, protection of employers' or clients' property, as well as for the purposes of exercising individual or collective rights and benefits related to employment and for the purposes of terminating the employment relationship.
- Those rules shall include appropriate and specific measures to safeguard human dignity, the legitimate interests and fundamental rights of the data subject, in particular with regard to the transparency of processing, the transfer of personal data within a group of undertakings or a group of undertakings engaged in a joint economic activity and the monitoring systems at the workplace.
- Each Member State shall notify the Commission by 25 May 2018 of the provisions of national law which it adopts pursuant to paragraph 1 and, without delay, of any subsequent amendment affecting them.
- Member States may regulate the powers of the supervisory authorities referred to in points (e) and (f) of Article 58(1) in respect of controllers or processors subject to an obligation of professional secrecy or an equivalent obligation of confidentiality under Union or Member State law or under an obligation imposed by the competent national authorities, to the extent necessary and proportionate to reconcile the right to the protection of personal data with the obligation of confidentiality. These provisions shall only apply to personal data obtained or collected by the controller or processor in the course of an activity subject to such an obligation of secrecy.
- By 25 May 2018, each Member State shall notify the Commission of the provisions adopted pursuant to paragraph 1 and shall notify it without delay of any subsequent amendment affecting them.
- Where a church or a religious organisation or community in a Member State applies comprehensive rules on the protection of natural persons with regard to processing on the date of entry into force of this Regulation, those rules may continue to apply provided that they are brought into conformity with this Regulation.
- Churches and religious associations or communities applying comprehensive data protection rules in accordance with paragraph 1 shall be subject to supervision by an independent supervisory authority, which may be of a specific nature, provided that it fulfils the conditions laid down in Chapter VI.
- The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.
- The power to adopt delegated acts referred to in Article 12(8) and Article 43(8) shall be conferred on the Commission for an indeterminate period of time from 24 May 2016.
- The delegation of power referred to in Article 12(8) and Article 43(8) may be revoked at any time by the European Parliament or by the Council. A decision of revocation shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication in the Official Journal of the European Union or at a later date specified in the decision on revocation. The validity of delegated acts already in force shall not be affected by the revocation decision.
- As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.
- A delegated act adopted pursuant to Article 12(8) and Article 43(8) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of three months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by three months at the initiative of the European Parliament or the Council.
- The Commission shall be assisted by a committee. This committee shall be a committee within the meaning of Regulation (EU) No 182/2011.
- Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.
- Where reference is made to this paragraph, Article 8 of Regulation (EU) No 182/2011 in conjunction with Article 5 thereof shall apply.
- Directive 95/46/EC is repealed with effect from 25 May 2018.
- References to the repealed Directive shall be construed as references to this Regulation. References to the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Article 29 of Directive 95/46/EC shall be construed as references to the European Data Protection Board established by this Regulation.
- This Regulation does not impose any additional obligations on natural or legal persons in relation to processing in connection with the provision of publicly available electronic communications services in public communications networks in the Union insofar as they are subject to specific obligations laid down in Directive 2002/58/EC which pursue the same objective.
- International agreements involving the transfer of personal data to third countries or international organisations which were concluded by Member States before 24 May 2016 and which are in accordance with Union law in force before that date shall remain in force until amended, replaced or terminated.
- By 25 May 2020 and every four years thereafter, the Commission shall submit a report to the European Parliament and the Council on the evaluation and review of this Regulation. The reports shall be made public.
- In the context of the evaluations and reviews referred to in paragraph 1, the Commission shall examine, in particular, the application and functioning of:
- Chapter V on the transfer of personal data to third countries or international organisations, with particular regard to decisions adopted pursuant to Article 45(3) of this Regulation and decisions adopted on the basis of Article 25(6) of Directive 95/46/EC;
- Chapter VII on cooperation and consistency.
- For the purpose referred to in paragraph 1, the Commission may request information from the Member States and the supervisory authorities.
- In the assessments and reviews referred to in paragraphs 1 and 2, the Commission shall take into account the views and findings of the European Parliament, the Council and other relevant bodies or sources.
- The Commission shall, if necessary, submit appropriate proposals to amend this Regulation, taking particular account of developments in information technology and advances in the information society.
- The Commission shall, where appropriate, submit legislative proposals to amend other Union acts on the protection of personal data in order to ensure a harmonised and consistent protection of natural persons with regard to processing. This concerns in particular the rules on the protection of natural persons with regard to the processing of such data by the Union institutions, bodies, offices and agencies and on the free movement of such data.
- This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
- It shall apply from 25 May 2018.