Page 1

Nr. 90

June 27, 2018

LAW
on privacy and the processing of personal information.

F Orser In SLANDS
announces: Althingi has approved this law and I confirm it with my consent:

CHAPTER I
Objectives, definitions and scope.
Article 1
Objectives.
The purpose of this Act is to promote the consistent handling of personal information
with the basic principles and rules of privacy and privacy and to ensure
the reliability and quality of such information and its free movement in the internal market of European
of the economic area.
A special body, the Data Protection Authority, oversees the implementation of the Regulation of the European Parliament.
ins and Council (EU) 2016/679, this Act and rules that will be set according to it, cf.
further provisions VII. section of this Act. European Supervisory Authority according to VII. section of the
inside is the European Privacy Council.
Article 2
Legislation.
The provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on
protection of individuals in connection with the processing of personal data and on the free dissemination of such data
information and repeal of Directive 95/46 / EC (General Data Protection Regulation) as
and it is incorporated into the Agreement on the European Economic Area shall have legal force here
with the adaptations resulting from the Decision of the EEA Joint Committee
ing on XI. (Electronic Communications, Audiovisual Media and the Information Society) and
Protocol 37 (containing the list provided for in Article 101) to the EEA Agreement.
The Regulation is published as an annex to this Act.
Article 3
Glossary.
The meaning of words in this Act is as follows:
1. Regulation: Regulation (EU) 2016/679 of 27 April 2016
on the protection of individuals with regard to the processing of personal data and on the free dissemination
such information and repealing Directive 95/46 / EC.
2. Personal information: Information about personally identifiable or personally identifiable
individual ("registered person"); an individual is considered personally identifiable if possible

Page 2

Nr. 90

June 27, 2018

identify him, directly or indirectly, such as by reference to an identifier such as a name,
ID number, location data, online ID or one or more of its features
in physical, physiological, genetic, spiritual, material, cultural or
socially.
3. Sensitive personal information:
a. Information about race, ethnic origin, political views, religion,
life examination or membership in a trade union.
b. Health information, ie. personal information relating to physical or mental health
the individual's status, including the health care he or she has received, and information
on the use of drugs, alcohol and drugs.
c. Information about human sex and sexual orientation.
d. Genetic information, ie. personal information relating to hereditary or acquired
the genetic characteristics of an individual that provide unique information on physiology or
the health of the individual and are obtained mainly through the analysis of biological samples from
incoming person.
e. Biometric information, ie. personal information obtained through special technical processing
and are related to the physical, physiological or behavioral characteristics of
individual and enable the identification or verification of the identity of a person with unequivocal
such as portraits or fingerprint data, provided that information is processed
in order to uniquely identify an individual.
4. Processing: The action or series of actions in which personal data are processed, whether
the processing is automatic or not, such as collection, registration, classification, system binding,
party, adaptation or modification, collection, inspection, use, transmission by forwarding, distribution
or other means of making the information available, interconnection or synchronization,
gait restriction, destruction or devastation.
5. File: An organized collection of personal information that is accessible according to specific
labels, whether centralized, distributed or split according to use or location
ingu.
6. Controller: natural or legal person, authority or other body which alone or
in collaboration with other purposes and methods of processing personal information.
7. Processor: An individual or legal entity, authority or other person working with a
zone information on behalf of the responsible party.
8. Consent: Unforced, specific, informed and unequivocal declaration of intent by the data subject that he
consent, by declaration or unequivocal confirmation, of the processing of personal data about
himself.
9. Electronic monitoring: Monitoring that is continuous or repeated on a regular basis and involves monitoring
with individuals with remote controlled or automatic equipment and takes place in public
or in an area normally visited by a limited group of people. The term includes:
a. monitoring that leads to, should lead to or may lead to the processing of personal data and
b. TV surveillance using TV cameras, webcams or
other equivalent equipment, without the collection of footage or other
acts equivalent to the processing of personal data.
10. Type profile: Automatic processing of personal data which involves the use of personal data
information to assess certain aspects of an individual's well-being, in particular to identify or
predict factors related to his job performance, financial status, health, taste,
hobby, reliability, behavior, location or mobility.

Page 3

Nr. 90

June 27, 2018

11. Lack of security in the processing of personal data: Lack of security leading to unintentional
or the unlawful deletion of personal information or the loss, alteration, disclosure or disclosure of such information
or access to them will be granted without permission.
Article 4
Material scope.
This Act and the Regulation apply to the processing of personal data which is partly automatic or
as a whole and for the processing by means other than automatic of personal information that is
or should become part of a file.
This Act and the Regulation do not apply to the processing of personal data by an individual who
concern only his private or family life or are intended solely for personal
legra nota.
This Act applies to the processing of personal data of deceased persons as far as possible
have for five years from their death or longer in the case of personal information as reasonable
and it is normal to consider it a secret.
This Act and the Regulation do not apply to the processing of personal data that takes place immediately
courts exercise their jurisdiction.
This Act and the Regulation do not apply to the processing of personal data that takes place in connection with
on the work of the Althingi and its institutions and investigative committees.
This Act and the Regulation do not apply to the processing of personal data by the state
in connection with the prevention, investigation, prosecution or prosecution of criminal offenses
offenses or comply with criminal sanctions, including protecting against and preventing threats to
human security.
The provisions of this Act and the Regulation apply regardless of whether an issue falls under
scope of the EEA Agreement, with the exception of Annex VII. chapter of the regulation.
Article 5
Relationship with other laws.
Special provisions of other laws on the processing of personal data set within the framework of
of the Act take precedence over the provisions of this Act.
This Act does not limit the right of access to data laid down in the
ingalar and administrative law.
The provisions of the Regulation take precedence over the provisions of this Act.
Article 6
Relationship to freedom of expression.
To the extent necessary to harmonize views on the right to privacy of another
on the one hand and freedom of expression, on the other hand, may deviate from the provisions of this Act and the Regulation
for the benefit of the media, the arts or literature.
When personal information is processed solely for the purpose of journalism or literary
only the provisions of paragraph 1 (a) and (d) shall apply to artistic or artistic activities. Articles 5, 24, 26, 28,
29., 32., 40. – 43. and Article 82. of the Regulation and Articles 48 and 51. of this Act.
Article 7
Geographical scope.
This Act and the Regulation apply to the processing of personal information in connection with activities
responsible party or processing party established in this country, regardless of whether the processing takes place itself
in the European Economic Area or not.

Page 4

Nr. 90

June 27, 2018

This Act and the Regulation apply to the processing of personal data of registered individuals who
are in this country which is carried out in the activities of a guarantor or processor, which has not
established in the European Economic Area, or when the processing activity is related to:
1. offer these registered persons in the European Economic Area a product or service, free of charge
whether it is done for a fee; or
2. monitor their behavior to the extent that their behavior takes place within
of that area.
When the circumstances referred to in the second paragraph apply. the guarantor or processor shall nominate a
within the European Economic Area or in the Member State of the Treaty establishing the Free Trade
European Union, with the exceptions provided for in Article 27. of the Regulation.
The provisions of this Act regarding the responsible party or processor apply to that representative
according to further instructions in Article 27. of the Regulation.
II. CHAPTER
General rules for processing.
Article 8
Principles for the processing of personal information.
In the processing of personal information, all of the following factors shall be observed as further described
in Article 5 of the Regulation:
1. that they are processed in a lawful, fair and transparent manner towards the others
registered;
2. that they are obtained for clearly stated, legitimate and objective purposes and not
processed further for other and incompatible purposes; further processing in historical,
for statistical or scientific purposes is not considered incompatible provided that:
appropriate security is maintained;
3. that they are adequate, appropriate and not in excess of what is necessary
the process of processing;
4. that they are reliable and updated as needed; personal information that is
unreliable or imperfect, given the purpose of their processing, should be deleted or corrected
without delay;
5. that they are preserved in such a way that it is not possible to identify registered persons
longer than necessary for the purpose of processing; personal information may be stored
longer provided that their processing serves only archiving in the public interest
interests, research in the field of science or history or for statistical purposes and that
appropriate security is maintained;
6. that they are processed in such a way as to ensure the appropriate security of the personal information.
The responsible party is responsible for ensuring that the processing of personal data always complies with the provisions of 1.
mgr. and shall be able to demonstrate it.
Article 9
General rules on authorizations for the processing of personal information.
The processing of personal information is only permitted if any of the following factors are present
as further described in Article 6. of the Regulation:
1. the data subject has given his consent for the processing of his personal data for the benefit of
one or more specific objectives;
The processing is necessary to fulfill a contract to which the data subject is a party or to conclude
measures at the request of the data subject before concluding a contract;

Page 5

Nr. 90

June 27, 2018

3. the processing is necessary to fulfill the legal obligation incumbent on the guarantor;
4. processing is necessary to protect the vital interests of the data subject or other
lings;
5. the processing is necessary for work carried out in the public interest or for the
exercise of official authority by the responsible party;
6. the processing is necessary due to legitimate interests as a guarantor or third party
may protect the interests or fundamental rights and freedoms of the data subject which require protection
personal information is more important, especially when the data subject is a child.
Article 10
Conditions for approval.
When processing is based on consent, the controller must be able to demonstrate that the registered
an individual has agreed to the processing of his personal information in accordance with further conditions 7. and
Article 8 of the Regulation.
If the data subject gives his consent by a written statement, which also applies to others
issues, the request for approval shall be presented in such a way that it is distinguishable from the others
issues, in an understandable and accessible form and in a clear and simple language.
A registered person has the right to withdraw his consent at any time. Revocation
approval shall not affect the lawfulness of the processing on the basis of the approval until the
the vocation.
When assessing whether consent is given voluntarily, the utmost consideration must be given
as to whether it is a condition for the performance of a contract that consent be given for processing
personal information that is not necessary for the contract.
When a child is offered services in the information society directly and the processing of
zone information is based on its consent, the processing is therefore only considered legitimate if the child has obtained it
13 years of age. If the child is under 13 years of age, the processing is considered lawful only to the extent that the
its provider authorizes approval. The guarantor shall do what can be considered reasonable to do
verify in such cases that the consent is given or authorized by the custodian of the child
ins, taking into account the technology available.
Article 11
Special conditions for the processing of sensitive personal information.
Processing of sensitive personal information according to 3. tölul. Article 3 of this Act is not permitted except
if one of the conditions of Article 9 is met. of this Act and furthermore any of the following
conditions in accordance with further instructions in Article 9. of the Regulation:
1. the data subject has given his unequivocal consent for the processing in favor of one or more
specific goals;
2. the processing is necessary for the guarantor or the data subject to be able to meet the
their obligations and exercise certain rights under labor and international law.
social security and social protection and is carried out on the basis of laws
owner and specific measures to protect the fundamental rights and interests of the other
registered;
The processing is necessary to protect the urgent interests of the data subject or another person
who is not himself able to give his consent;
The processing takes place as part of the lawful activities of an institution, association or other party
which is non-profit and has political, philosophical, religious or
trade union goals, provided that the processing only reaches members or former members

Page 6

Nr. 90

June 27, 2018

the person concerned or individuals who are in regular contact with him in connection with
its purpose, personal information is not obtained by third parties without consent
of the data subject and appropriate safeguards are in place;
5. the processing only covers information which the data subject has obviously disclosed himself.
berar;
6. the processing is necessary for the creation, maintenance or defense of legal claims;
7. the processing is necessary, for reasons of significant public interest, and takes place
on the basis of legislation providing for appropriate and specific measures to protect
field rights and interests of the data subject;
8. processing is necessary in order to prevent diseases or due to occupational diseases
forensics, to assess an employee's work ability, diagnose illnesses and provide care
or treatment in the field of health or social services and for which there is a special legal authority,
provided that it is performed by an employee of such a service that is bound by confidentiality;
9. the processing is necessary for reasons of public interest in the field of public health, such as
to defend against cross-border serious health threats or to ensure quality and
safety of health services and medicines or medical devices, and is carried out on the basis of law
providing for appropriate and specific measures to protect fundamental rights; and
the interests of the data subject;
10. the processing is necessary for statistical, historical or scientific research, provided that the
zone protection guaranteed by specific measures as appropriate in accordance with this Act
and is carried out on the basis of a law providing for appropriate and specific measures to:
protect the fundamental rights and interests of the data subject;
11. the processing is necessary for the purpose of archiving in the public interest and is requested
on the basis of a law providing for appropriate and specific measures to protect
field rights and the interests of the data subject, in particular the duty of confidentiality.
Privacy resolves disputes over whether personal information should be considered sensitive
or not.
Article 12
Processing of information on criminal conduct.
The government may not process information about criminal conduct unless it is necessaryvisible for the benefit of their statutory tasks.
Information according to Paragraph 1 may not be shared unless:
1. the data subject has given his unequivocal consent to the transmission;
The dissemination is necessary in the interests of the legitimate interests of the public or private sector which
obviously outweighs the vested interests of the information, there
including the interests of the data subject;
The dissemination is necessary for the purpose of the statutory tasks of the relevant authority or to
it is possible to make a government decision; or
The dissemination is necessary for a public-sector project that has been private
hidden in a lawful manner.
Private parties may not process information about criminal conduct unless the data subject
has given its unequivocal consent or the processing is necessary for the benefit of the legitimate
interests that obviously outweigh the fundamental rights and freedoms of the data subject.
Information according to Paragraph 3 may not be disseminated unless the data subject unconditionally consents to it.
its thickness. However, information may be disseminated without consent if it is necessary in the interests of legitimate

Page 7

Nr. 90

June 27, 2018

remember the public or private sector that outweighs the interests of secrecy
the information, including the interests of the data subject.
Processing under this Article shall always be based on one of the sources in Article 9. fix
of these, cf. Paragraph 1 Article 6 of the Regulation.
Article 13
Use of ID number.
The use of an ID number is permitted if it has a legitimate purpose and is necessary to
ensure secure identification. Privacy may prohibit or prescribe the use of
number.
Article 14
Electronic monitoring.
Electronic monitoring is always subject to the condition that it is carried out for objective purposes. Electronic
Monitoring of an area where a limited group of people usually roams is also subject to the
should it be of special need due to the nature of the activities carried out there.
The processing of personal data that takes place in connection with electronic monitoring shall be fulfilled
the provisions of this Act.
In connection with the implementation of electronic monitoring, material that may be created may be collected
monitoring, such as audio and video, with sensitive personal information and information
on criminal conduct if the following conditions are met:
1. the monitoring is necessary and is carried out for security or asset protection purposes;
2. the material generated during the monitoring will not be handed over to others or processed further except
with the consent of the person being recorded by or on the basis of authorizations in rules pursuant to Art. Paragraph 5;
however, material containing information on accidents or criminal offenses may be handed over to the police.
that but then care shall be taken to destroy all other copies of the material;
3. the material accumulated during the monitoring will be deleted when there is no longer a valid reason for it
to preserve it.
When electronic monitoring takes place in the workplace or in public, a signal or other means shall be provided
prominently make clear the monitoring and who is responsible.
Privacy sets rules and gives instructions on electronic monitoring and processing of material that
is created during the monitoring, such as audio and video material, including its safety, the rights of the other
recorded to watch or listen to recordings, retention time and deletion, retention method,
the disposal of the material and its use.
Article 15
Processing of information on financial matters and creditworthiness.
Operation of a financial information office and processing of information relating to financial matters and
creditworthiness of individuals and legal entities, including default registration and credit rating, for this purpose
to disseminate them to others, shall be subject to the permission of the Data Protection Authority. In the case of a legal entity
only the following provisions of this Act shall apply: Article 17 on the data subject's right to information, 20.
gr. on the right to correction and deletion of data, Article 25. on the processing of information by processors
ingum, Article 31. on licensed processing, Article 32 on the preconditions for granting a license, Article 33 for divorce
cases, points 5 and 6. Paragraph 1 Article 41 on the Data Protection Authority's access to information, etc., point 6.
Article 42 on the suspension of production, etc., Article 45 on daily fines, Article 48 on penalties and Article 51 on benefits.
The Minister shall issue a regulation which further lays down the conditions for processing pursuant to Art.
Paragraph 1

Page 8

Nr. 90

June 27, 2018

Article 16
Dissemination of personal information from a country or to international organizations.
Commission decisions on the dissemination of information to third countries or international
of an institution according to Article 45 of the Regulation shall apply in this country in accordance with the
the location of the EEA Committee. The Minister shall confirm such decisions and publish an advertisement thereon
in the Government Gazette.
III. CHAPTER
The rights of the data subject and restrictions on them.
Article 17
Principles of information transparency, data subjects' right to information and access
and exceptions to the data subject's rights.
The responsible party shall take appropriate measures to ensure the transparency of information and
presentations to a registered individual in accordance with the instructions of Article 12. of the Regulation so that he
can exercise its right to information and the right of access.
The data subject has the right to information about processing, regardless of whether personal information is obtained from
himself or not, as well as the right to access personal information about himself according to
instructions 13. – 15. gr. of the Regulation with the exceptions specified in para.
Provisions 1–3 mgr. Articles 13, 1-4 mgr. Article 14 and Article 15. of the Regulation on the Rights of the Other
listed does not apply if the vital interests of individuals related to the information, including the other
registered self, weigh heavier.
The right granted by law may be limited by Articles 13–15. gr. of the Regulation
such restriction respects the nature of fundamental rights and freedoms and is considered necessary and reasonable
a measure in a democratic society to ensure:
1. national security;
2. land defense;
3. public safety;
4. to prevent, investigate, prosecute or prosecute criminal offenses or
comply with criminal sanctions, including protecting against and preventing threats to public
security;
5. other important objectives that serve the public interest, in particular economic or
financial, including foreign exchange, budgetary and fiscal matters, public health and
human insurance;
6. protection of the data subject, the overriding public interest or the fundamental rights of others;
7. compliance with private law requirements;
8. legal provisions on confidentiality.
The provisions of the fourth paragraph may be applied. on personal information in the working documents used
in the preparation of decisions by the responsible party, and has not been distributed to others
to the extent necessary to ensure the preparation of the proceedings.
Information in cases pending before the government may be exempted from the right to
access according to Paragraph 1 Article 15 of the Regulation to the same extent as applies to exceptions to
the right to information under the Information Act and the Administrative Procedure Act.
The provisions of Article 34 of the Regulation on the obligation to notify the data subject of a security breach
does not apply if the provisions of points 1 and 4 Paragraph 4 apply.

Page 9

Nr. 90

June 27, 2018

Article 18
Safeguard measures and exemptions for research processing,
statistics or archiving in the public interest.
Processing for research in the field of science or history, for statistical purposes or for
archiving in the public interest shall be subject to appropriate measures, including:
technical and organizational, to protect the rights and freedoms of registered persons accordingly
to Article 89 of the Regulation, in particular to ensure compliance with the principle of
data marking.
The provisions of Articles 15, 16, 18 and 21 of the Regulation on the rights of the data subject do not already apply
the processing of personal data is carried out only for the benefit of science or history or for statistical purposes
purpose to the extent that these rights are deemed impossible or restrictive
significantly that it is possible to achieve the relevant goals.
The provisions of Articles 15, 16, 18, 19, 20 and 21 of the Regulation on the rights of the data subject apply
not when the processing of personal data takes place solely for the purpose of archiving in the public interest
interests to the extent that these rights can be considered impossible or hinder
significantly that it is possible to achieve the relevant goals. However, the data subject has the right to submit
a description for the storage of data containing personal information about him.
Information covered by this Act may be submitted to the public archives in accordance with
compliance with the provisions of the Act on Public Archives.
Article 19
Exemption from the obligation to provide information due to processing
personal information with the government.
The duty to provide information according to Paragraph 3 Article 13 and the 4th paragraph. Article 14 of the Regulation does not apply to
The public authority transfers personal information to another public authority for the purpose of a statutory role
in the implementation of laws and information is disseminated only to the extent necessary
to fulfill the legal obligation of the government.
Article 20
Right to correction, deletion, transfer of own data, etc.
The data subject has the right to have unreliable personal information about himself corrected as well as correctly
for the controller to delete personal information about him without undue delay (right to
to be forgotten) and the right for the responsible party to limit processing according to further conditions
16. – 19. gr. of the Regulation.
A registered person shall have the right to receive personal information about himself that he has
provide the guarantor himself, in an orderly, common, computer-readable format and at the same time
send this information to another responsible party in accordance with the further conditions of Article 20. regular
of the act.
Article 21
On the right to object of the registered and the prohibition register of the National Register of Iceland.
The data subject may object to the processing of personal data about him / herself based on eor paragraph 1 (f). Article 6 of the Regulation, including the creation of a personal profile. The guarantor shall not
process the personal information further unless it can prove important legitimate reasons
for the processing that takes precedence over the interests, rights and freedoms of the data subject, or it is
necessary to establish, maintain or defend legal claims in accordance with further instructions 21.

Page 10

Nr. 90

June 27, 2018

gr. of the Regulation. If the objection is justified, the guarantor is not permitted to further process the
discussed information.
The National Register of Iceland shall keep a register of those who object to their names being used in
settlement activities. The Minister shall, in consultation with the Data Protection Authority, set further rules on the preparation and
the use of such a file and the information contained therein. Guarantors who work
in direct marketing and those who use files with names, addresses, e-mail addresses, telephone
numbers and the like or communicate them to third parties in connection with such activities shall,
before such a register is used for such purposes, compare it with the register of the National Register of Iceland to
prevent the sending of targeted e-mails or calls to individuals who have
recommended such. Privacy may authorize an exemption from this obligation in special cases.
All use of the ban file according to Paragraph 2 is not permitted for purposes other than those described therein.
It is obligatory for the name of the responsible party to appear in a prominent place on the sent target mail and where
those who oppose receiving such targeted emails and targeted calls can turn around. Recipient target
mail has the right to be informed of where the information coming from the call or
broadcast as a basis. This does not apply to the guarantor's marketing of its own product
and services that use their own customer registers, provided that the broadcast material carries with it from where it is
comes. If targeted mail is sent electronically, it must be stated in an unambiguous manner
as soon as he is received that such an email is in question. In other respects it is a matter of shipment
such targeted mail according to the Electronic Communications Act.
The guarantor may deliver company, employee, student or customer
files for use in connection with marketing activities. However, this only applies if:
1. is not considered to be the delivery of sensitive personal information;
2. the data subject has, before delivery, been given an opportunity to object;
each in turn, that information about the person in question appears on the submitted file;
3. this does not contravene the rules of procedure or articles of association in force in the person in question
guarantor;
The 4th responsible party examines whether any of the registered persons have submitted objections
The National Registry of Iceland, cf. Paragraph 2, and deletes information about the person in question before he leaves
the file if it turns out to be so.
The provisions of para. does not apply if the delivery of the company, employee or customer register
for use in the distribution of targeted mail is based on the consent of the data subject, cf. 1. tölul. Article 9 its lawyears.
Provisions 2–5 mgr. apply, as appropriate, also to marketing, consumption and inspection
surveys.
Article 22
Rights related to individual decisions that
based on automatic data processing.
A registered person shall have the right not to make a decision solely on the basis of
automated data processing, including the creation of a personal profile, which has legal effect
itself or to a similar extent to a significant extent according to further
we recommend Article 22. of the Regulation, with the exceptions mentioned therein.

Page 11

Nr. 90

June 27, 2018

IV. CHAPTER
General rules on the obligations of the guarantor and
processor and the security of personal information.
Article 23
Responsibility of the guarantor.
The responsible party shall take appropriate technical and organizational measures taking into account
of the nature, scope, context and purpose of the processing and the risk to the rights and freedoms of data subjects
individuals to ensure and demonstrate that the processing of personal data meets the requirements of
of the Act in accordance with further instructions in Articles 24 and 25. of the Regulation. When two or
more are joint guarantors, their obligations under Article 26 apply. of the Regulation.
Article 24
Built-in and default privacy.
The responsible party shall, both when the methods of processing are determined and when the processing itself
take appropriate technical and organizational measures, designed to
enforce privacy principles, and incorporate the necessary safeguards
processing to comply with the requirements of the Regulation and to protect the rights of
according to further instructions in the first paragraph. Article 25 of the Regulation.
The responsible party shall take appropriate technical and organizational measures to ensure
that it is a matter of course that only the personal information that is necessary for processing is processed
the purpose of the processing in each case according to further instructions in the second paragraph. Article 25 regulatory
inside.
Article 25
General rules for processors.
Where others are entrusted with the processing of personal data on behalf of the responsible party, the
only seek out processors who provide adequate assurance that they will
the owner of technical and organizational measures to ensure that the processing meets the requirements of
and the rights of registered persons are guaranteed.
A processor shall not hire another processor unless there is a specific or general one for this purpose
written permission of the guarantor. In the case of a general written authorization, the processing
the party shall notify the responsible party of any proposed changes that involve improvement
with processors or they are replaced, thus giving the responsible party the opportunity to object
such changes.
Processing by the processor shall be based on a contract or other legal procedure according to
a law that obliges the processor to the controller and specifies the subject matter
and the duration of the processing, its nature and purpose, type of personal information, categories of registered
individuals and the obligations and rights of the responsible party in accordance with further instructions in Article 28. regulatory
of the fireplace.
Article 26
Records of processing activities.
Each controller and processor and, where applicable, their representative shall keep a record of
its processing activities. For information that a list of processing activities must contain, form
files, accessibility, etc. the provisions of Article 30 shall apply. of the Regulation.
Obligations according to Paragraph 1 do not apply to a company or institution with less than 250 employees
unless the processing carried out there is likely to give rise to a risk to rights

Page 12

Nr. 90

June 27, 2018

and the freedom of registered persons, the processing is not incidental or involves sensitive personal data
descriptions according to Paragraph 1 Article 11 of this Act or personal information concerning convictions in criminal
cases and criminal conduct as referred to in Article 12. of this Act.
Article 27
Security of personal information and notifications of security breaches.
The responsible party and the processor shall take appropriate technical and organizational measures.
to ensure adequate security of personal information in the light of the latest technology,

implementation, nature, scope, context and purpose of the processing and risks, less likely
and more serious, for the rights and freedoms of individuals according to further instructions in Article 32.
of the Regulation.
In the event of a security breach in the processing of personal data, the responsible party shall, without
obedient delay and, if possible, no later than 72 hours. after he became the failure was,
report it to the Data Protection Authority unless it is considered unlikely that the failure will lead to a risk
rights and freedoms of individuals. If the Data Protection Authority is not notified of the failure within 72 hours. skulu
reasons for the delay are attached to the notification. The processing party shall notify the responsible party
without undue delay in the event of a security breach in the processing of personal data.
inga. The provisions of Article 33 apply to the content of a notification to the Data Protection Authority. of the Regulation.
If a breach of security in the processing of personal data is likely to lead to a high risk
for the rights and freedoms of individuals, the responsible party shall notify the registered individual of the
in without undue delay. On the content of such notification and exemptions from the notification
the provisions of Article 34 shall apply. of the Regulation.
Article 28
Cooperation with the Data Protection Authority.
The guarantor and processor and, as the case may be, their representatives shall, upon request
Privacy, co-operate with the Agency in the implementation of its tasks.
CHAPTER V
Assessment of the impact on privacy, licensing, etc.
Article 29
Impact assessment of privacy.
If a particular type of processing is likely to involve a high risk for rights
and the freedom of individuals, in particular where new technologies are used and in view of their nature, scope,
context and purpose of the processing, the responsible party shall have an impact assessment carried out
other processing measures on the protection of personal data before the processing begins according to further
the instructions of Article 35 of the Regulation. One and the same assessment can include several similar ones
processing operations that may involve similar risk factors.
The Data Protection Authority publishes a list of the types of processing operations that require an impact assessment.
on privacy protection according to Paragraph 1
Privacy may also decide to publish a list of the types of processing operations where
an impact assessment on privacy is not required.
Article 30
Advance consultation.
If an assessment of the impact on privacy indicates that processing would pose a significant risk
unless the responsible party takes measures to reduce it, he shall consult

Page 13

Nr. 90

June 27, 2018

with the Data Protection Authority before the processing begins according to further instructions in Article 36. regulatory
inside.
If the Data Protection Authority considers that the planned processing referred to in the first paragraph would be in breach of
the Regulation, in particular if the guarantor has not identified or reduced the
adequately, the Agency shall, within eight weeks of receiving the request for consultation,
provide the guarantor and, as appropriate, the processor with written advice and may use to do so
all the powers referred to in Articles 41 to 43 gr. of this Act. The deadline can be extended by six
weeks depending on the complexity of the proposed processing. Privacy shall be notified
the guarantor and, as the case may be, the processor of such extensions within one month of the
take a request for consultation, together with the reasons for the delay. This period may be extended until the
zone protection has received the information it requests for the consultation.
Article 31
Licensed processing.
In the case of the processing of personal data for a project in the public interest which
may involve a particular risk of infringing on the rights and freedoms of registered persons.
The Data Protection Authority may decide that the processing may not begin until it has been
considered by the Agency and approved by issuing a special authorization. Privacy may
decided that such a licensing obligation be waived once general rules and safety
standards to be followed in such processing.
The Data Protection Authority sets rules on the obligation to obtain a license according to Art. Paragraph 1
Article 32
Prerequisites for licensing, etc.
The guarantor may only grant a permit in accordance with Art. Article 31 of this Act if it is probable that he can
fulfilled its obligations under the Regulation and this Act or the instructions of the
protects.
When processing permits according to Article 31 of this Act relating to the processing of sensitive personal
of information, the Data Protection Authority shall assess whether the processing can cause such a disadvantage to the data subject
that it will not be remedied in a justifiable manner with conditions set according to Art. Article 33
of this Act. If such inconvenience may occur, the Data Protection Authority shall assess whether the interests
recommend the processing outweighs the interests of the data subject.
Article 33
Terms of the Data Protection Authority regarding the processing of personal information.
When the guarantor is granted a license according to Art. Article 31 of this Act, the Data Protection Authority shall bind it
the conditions it deems necessary at any given time to reduce or prevent
possible disadvantages of the data subject from the processing.
When assessing the conditions to be set for processing, the Data Protection Authority shall, among other things, consider:
1. whether it is ensured that the data subject can exercise his rights under this Act, including
to revoke consent and, where appropriate, have registered personal information deleted, as well as
to be educated about their rights and their exercise;
2. whether personal data will be sufficiently secure, reliable and up-to-date
compliance with the purpose of the processing;
3. whether the personal information will be treated with the same care as the rules on confidentiality
and the purpose of the processing requires;

Page 14

Nr. 90

June 27, 2018

4. whether it has been planned how the data subject will be provided with information and guidance
within the limits that are reasonable to expect based on the scope of the processing
and other safety precautions taken;
5. whether safety measures have been taken which are reasonable in view of the purpose of the
unnar;
6. whether an impact assessment on privacy is carried out before processing begins.
Article 34
Permit for scientific research in the field of health.
Licenses for scientific research in the field of health are governed by the Act on Scientific
health research.
VI. CHAPTER
Privacy Officers and Certifiers.
Article 35
Privacy Officers.
The responsible party and the processing party shall appoint a privacy officer in each case where
sem:
1. processing is in the hands of the government;
2. the principal activity of the guarantor or processor is the processing operations required;
due to their nature, scope or purpose, extensive, regular and systematic
supervision of registered persons, or
3. The main activity of the responsible party or processor is the extensive processing of sensitive
personal information or information relating to criminal convictions and criminal offenses.
A group of companies may appoint one privacy officer provided that
every establishment has easy access to it. More than one authority is also permitted
to appoint a joint privacy officer, taking into account their organizational structure and
size.
In other respects, the qualifications of the data protection officer, his / her position and tasks apply
37. – 39. gr. of the Regulation.
Article 36
Confidentiality of the privacy officer.
The Privacy Officer is not permitted to disclose anything he has witnessed.
ask about in their work and secret to go.
The duty of confidentiality does not apply even if the data subject has given his or her consent to the secrecy being lifted,
as well as when necessary for the performance of the privacy officer's duties.
Article 37
Certification and certifiers.
The Accreditation Division of the Icelandic Patent Office, after receiving the opinion of the Data Protection Authority, is authorized
to accredit a certification body that issues a certification according to Art. Article 42 of the Regulation.
The conditions for accreditation of the certification body, the arrangements and content of the certification apply in other respects
the provisions of Articles 42 and 43 of the Regulation.

Page 15

Nr. 90

June 27, 2018

VII. CHAPTER
Surveillance and sanctions.
Article 38
Organization of Data Protection and Administration.
Privacy is an independent organization with a special board. She does not accept instructions from
government or other parties. The decisions of the Data Protection Authority according to this Act
will not be appealed to other authorities, but the parties to the case may submit their dispute
before the courts in the usual manner.
The Minister appoints five members to the Board of the Data Protection Authority and an equal number of alternates for a term of five years
senn. Board members may not be appointed for more than three consecutive terms. Chairman and
the Deputy Chairman of the Board appoints the Minister without nomination and they shall be lawyers and
meet the qualifications of a district court judge. The Minister in charge of network security and telecommunications
nominates one board member and the minister in charge of health services to
mentions one board member. The Icelandic Reporting Technology Association also nominates one board member and shall
he is an expert in the field of computer and technology. Board members and their deputies shall have
knowledge of issues related to privacy and education useful in that field. Minister
determines the remuneration of directors.
The role of the board is to formulate emphases in the work in consultation with the CEO and monitor the work.
semi and operation of the Data Protection Authority. Then the board takes a major material or strategic approach
decisions in cases pending before the Agency, including the imposition of daily fines
and administrative fines. The Board of the Data Protection Authority sets further rules on the division of tasks between
the board and office of the agency and their implementation.
A member of the Board of Directors will only be removed from office due to serious insults or if he
no longer meets the conditions required for his work.
When the board members do not agree, the majority decides the outcome of the case. If there are votes
equal votes of the chairman.
The Minister appoints the Director General of the Data Protection Authority for a term of five years at a time, upon receipt of a proposal from the Board.
The CEO shall have an education at university level and have knowledge and experience in matters
related privacy.
The CEO attends board meetings with freedom of speech and the right to make proposals.
The Director General of the Data Protection Authority is responsible for and handles the day-to-day management of operations, finances
and the operation of the agency and hires its employees.
Article 39
The task of the Data Protection Authority.
Privacy is a supervisory authority according to Art. VI. chapter of the regulation and supervises
its implementation, this Act, special provisions in laws dealing with the processing of personal dataand other rules on the subject.
Every registered person or his representative has the right to lodge a complaint with
Privacy if he considers that the processing of personal information about him in this country or according to
special rules of Article 7 of this Act violates the Regulation or the provisions of this Act. Then can
institution, organization or association according to Article 80 of the Regulation submitted a complaint to the Data Protection Authority
if they have reason to believe that the rights of a registered person have been violated. Privacy
a ruling on whether a violation has taken place.
Privacy can deal with individual cases and make a decision on their own initiative
or according to the message of the person who believes that personal information about himself has not been processed
in accordance with this Act and rules issued in accordance with it or individual instructions.

Page 16

Nr. 90

June 27, 2018

Other tasks of the Data Protection Authority include:
1. Raise public awareness and understanding of risks, rules, safeguards and rights
in connection with the processing of personal information, as well as the awareness of the responsible party and the processing party
about their duties;
2. provide advice to the Althingi, the government and other parties in the field of legislation and
a county related to the protection of individuals with regard to the processing of personal data;
3. provide, upon request, to a registered person information on how he can
exercised their rights under this Act and the Regulation and, if applicable, work with
supervisory authorities of other Member States for this purpose;
4. cooperate with the supervisory authorities of other Member States, including by exchange
they have information, and provide mutual assistance with a view to ensuring
diligence in the application and implementation of this Act and the Regulation;
5. monitor developments in the field of personal data protection, in particular the development of
lighting and telecommunications technology and business practices;
6. adopt fixed contractual provisions as referred to in paragraph 8. Article 28 and paragraph 2 (d). 46.
gr. of the Regulation;
7. prepare and maintain a list of the types of processing operations for which an impact assessment is required;
on privacy protection according to Paragraph 4 Article 35 of the Regulation;
8. provide advice on processing operations as referred to in paragraph 2. Article 36 of the Regulation;
9. encourage the drafting of rules of conduct pursuant to Art. Paragraph 1 Article 40 of the Regulation and
give an opinion on and approve rules of conduct that ensure adequate protection measures according to Art.
Paragraph 5 Article 40 her;
10. approve the criteria for certification according to Art. Paragraph 5 Article 42 of the Regulation and as appropriate
have a regular review of the certificates issued in accordance with 7.
mgr. Article 42 her;
11. prepare and publish draft criteria for the accreditation of persons supervising the
according to the rules of conduct according to Article 41 of the Regulation and certification bodies according to Art. Article 43 her
and handles the accreditation of the same party;
12. adopt provisions, including in agreements, as referred to in paragraph 3. Article 46 regular
of the act;
13. approve binding company rules according to Article 47 of the Regulation;
14. participate in the activities of the European Privacy Council;
15. document violations of the Regulation and measures taken in accordance with paragraph 2; 58.
gr. her;
16. publish an annual report on its activities;
17. perform other duties related to the protection of personal data.
Article 40
Fees.
The Minister may set a tariff that prescribes a fee to be paid by the responsible party
Privacy for the cost of monitoring compliance
of this Act and rules issued in accordance with it or individual instructions. With a fee
the register may also stipulate that the responsible party pays the cost of the audit of activities
in preparation for the issuance of a production license and other processing.

Page 17

Nr. 90

June 27, 2018

Article 41
Powers of the Data Protection Authority in supervisory work.
Privacy protects authority according to Paragraph 1 Article 58 of the Regulation in supervisory work
including:
1. to order the guarantor and processor and, as the case may be, their representative
what information it needs for the implementation of this Act and the
of the act;
2. to carry out audits of the processing of personal data;
3. to have a review of the certificates issued pursuant to Art. Paragraph 7 Article 42 regular
of the act;
4. to notify the responsible party or processor of the alleged breach of the Regulation;
5. to obtain access to all such data from the guarantor and processor
personal information necessary for the implementation of this Act;
6. for access to premises where the processing of personal data takes place or data are storedprovided, including any data processing equipment; Privacy can be performed by anyone
a test or control measure that it deems necessary and requires the necessary assistance
personnel in such a field to perform testing or monitoring.
The Data Protection Authority may request the assistance of the police if anyone seeks to prevent them from
their work.
If it is found that the processing of personal data is in violation of the provisions of the
of the Act, this Act or rules set in accordance with which the Data Protection Authority may hide
the chief of police to temporarily stop the person's activities and seal his office
immediately.
The right of the Data Protection Authority to demand information or access to establishments and equipment
equipment will not be restricted by reference to confidentiality rules.
Article 42
Instructions from the Data Protection Authority on corrective measures.
The Data Protection Authority may prescribe corrective measures in accordance with the provisions of the second paragraph.
Article 58 of the Regulation, including:
1. issued a warning to the guarantor or processor that the proposed processing
actions violate the provisions of the Regulation;
2. reprimand the guarantor or processor if the processing operations have violated
the regulation;
3. instructed the controller or processor to comply with the data subject's requests
may exercise their rights under the Regulation;
4. instructed that the guarantor or processor complies with the processing operations
to the provisions of the Regulation, as appropriate, in a specific manner and within a specific
time;
5. instructed the responsible party to notify the data subject of a security breach during processing
personal information;
6. restrict or prohibit processing temporarily or permanently;
7. give instructions for the correction or deletion of personal information or restriction of processing
of them according to Articles 16, 17 and 18 of the Regulation and that such measures be notified to
recipients who have received the personal information according to Paragraph 2 Article 17 and 19.
gr. her;

Page 18

Nr. 90

June 27, 2018

Revoked certification or ordered a certification body to revoke a certification issued pursuant to Art.
Articles 42 and 43 of the Regulation;
9. instructed to temporarily suspend the flow of data to a recipient in a third country or to
international organization.
Article 43
Licensing and advice of the Data Protection Authority.
Privacy has the following authorizations related to licensing and consulting:
1. to provide advice to the responsible party in accordance with the pre-consultation process referred to
in Article 36 of the Regulation;
2. to submit, on its own initiative or upon request, opinions to Althingi or
the government or other parties on any matter relating to the protection of personal data;
3. to permit processing where prior authorization is required by law;
4. to give an opinion and approve draft rules of conduct pursuant to Art. Paragraph 5 Article 40 regulatory
innar;
5. to provide comments on the accreditation of certification service providers according to Art. Article 43 of the Regulation and
adopt criteria for certification in accordance with paragraph 5. Article 42 her;
6. to adopt standard provisions on personal data protection as referred to in paragraph 8. Article 28 and
paragraph 2 (d) Article 46 of the Regulation;
7. to permit the contractual provisions referred to in paragraph 3 (a). Article 46 of the Regulation;
8. to authorize administrative measures referred to in paragraph 3 (b). Article 46 of the Regulation;
9. to approve binding company rules according to Art. Article 47 of the Regulation.
Article 44
Confidentiality.
Board members and employees of the Data Protection Authority, as well as others who work on projects
on behalf of the Agency, it is not permitted to disclose anything of which they have become aware
his work and secret to go.
Provisions on confidentiality do not prevent the Data Protection Authority from granting foreign
information protection agencies when this is necessary in order for it or the foreign
a protection agency may decide or implement measures to ensure privacy.
When making terms according to Article 33 of this Act, the Data Protection Authority may decide on a responsible party
and the processor, as well as employees on their behalf, shall sign a declaration that they
agrees to the confidentiality of personal information which they become aware of during processing
their. The responsible party or his representative must certify the employee's correct signature and date
such a statement and submit it to the Data Protection Authority within the prescribed time limit.
Duty of confidentiality according to Paragraphs 1 and 3 preferably even if he resigns.
Article 45
Daily fines.
If the instructions of the Data Protection Authority according to Art. Points 6, 7 and 9 Article 42 of this Act
it may, before deciding on an administrative fine pursuant to Art. Article 46 of this Act, imposed daily fines on the
which the instructions focus on until it has been improved in its opinion. Fines can amount to anything
to ISK 200,000 for each day that passes or begins to pass without following the instructions.
If the Data Protection Authority's decision on daily fines is appealed to the courts, daily fines do not begin
fall on until the verdict is final. Daily fines accrue to the Treasury and may be imposed without a prior judgment
enforce them.

Page 19

Nr. 90

June 27, 2018

Article 46
Administrative fines.
The Data Protection Authority may impose administrative fines on each responsible party or processor in accordance with Art.
Paragraph 4 which violates any of the provisions of the Regulation and this Act that are considered
are up to the 2nd and 3rd paragraphs.
Government fines can range from 100 thous. kr. to 1.2 billion ISK. or in the case of
companies up to 2% of the company's total annual global turnover in the last financial year,
whichever is higher, when the following provisions have been violated:
1. on the obligations of guarantors and processors according to Art. Articles 8, 25 to 39, 42 and 43 regulatory
fireplace;
2. on the obligations of certification bodies according to Art. Articles 42 and 43 of the Regulation;
3. on the obligations of supervisory bodies according to Art. Paragraph 4 Article 41 of the Regulation.
Government fines can range from 100 thous. kr. to ISK 2.4 billion. or in the case of
companies up to 4% of the company's annual total global turnover in the last financial year,
whichever is higher, when the following provisions have been violated:
1. on basic principles for processing, including conditions for approval, cf. Articles 5, 6, 7 and 9
of the Regulation;
2. on the rights of registered individuals according to Art. 12. – 22. gr. of the Regulation;
3. on the dissemination of personal information to a recipient in a third country or an international organization according to Art.
44. – 49. gr. of the Regulation;
4. if the obligation to provide the Data Protection Authority with access to all data and premises is not complied with
according to Points 5 and 6 Paragraph 1 Article 41 of this Act;
5. if the instructions of the Data Protection Authority regarding restrictions or prohibitions on the processing of personal data are not complied with.
zone information, on correction or deletion thereof or on suspension of data flow according to Art.
Points 6, 7 and 9 Article 42 of this Act.
Fines may be imposed on individuals and legal entities, including governments and institutions
which fall within the scope of the Administrative Procedure Act.
Administrative fines will be imposed regardless of whether the offenses are committed intentionally or negligently.
Decisions on administrative fines shall be made by the Board of the Data Protection Authority and shall be enforceable.
qualified. Fines accrue to the Treasury less the cost of collection. Are administrative fines
not paid within one month of the decision of the Data Protection Authority shall pay penalty interest on the amount
sectarian. The determination and calculation of penalty interest is subject to the Act on Interest and Indexation.
The authority of the Data Protection Authority to impose administrative fines under this Act falls
down when five years have elapsed since the end of the conduct. The limitation period expires when the Personal
protection notifies the party of the commencement of an investigation into an alleged violation. Breach of the time limit has the legal effect of
hardly anyone who has committed a crime.
Article 47
Factors affecting the decision on administrative fines.
When deciding whether to impose a government fine and the amount of the fine is determined in
In each case, due account shall be taken of the following:
1. of what nature, how serious and how long-lasting the violation is, in terms of nature,
the catch or purpose of the processing in question and the number of registered persons who
suffered and how serious the damage was;
2. whether the offense was committed intentionally or through negligence;
3. actions taken by the controller or processor in order to reduce
damage to registered persons;

Page 20

Nr. 90

June 27, 2018

4. how much responsibility the guarantor or processor has with regard to technical and
organizational measures that they have implemented according to Art. Articles 25 and 32 regular
of the act;
5. previous offenses of the responsible party or processor, if any;
6th scope of cooperation with the Data Protection Authority in order to remedy violations and reduce possible ones
its harmful effects;
7. what categories of personal information were violated;
8. the manner in which the infringing authority was notified of the infringement, in particular whether, and then
to what extent, the guarantor or processor reported the breach;
9. compliance with the instructions of the Data Protection Authority on corrective measures pursuant to Art. Article 42 of this Act
instructions for such measures have previously been addressed to the responsible party concerned
or a processor in respect of the same substance;
10. compliance with recognized rules of conduct according to Art. Article 40 of the Regulation or recognized
certification arrangement according to Article 42 her;
11. other burdensome or mitigating factors relating to the circumstances of the case, such as
other gain or loss that was avoided, directly or indirectly, due to
the offense.
If the guarantor or processor violates, intentionally or negligently, more than one
the provisions of the Regulation and this Act in the same or related processing operations, the total
the amount of the fine shall not exceed the amount specified for the most serious offense.
Article 48
Penalties.
If a person's offense is serious, it can result in imprisonment for up to three years. Violation counts
large-scale when committed intentionally and for profit with special penalty prices
manner and personal information of a large number of registered individuals who are to be kept secret
by law or the nature of the case fall into the hands of third parties or appear in public.
If a representative of a legal entity, his employee or another person on his behalf has committed an offense pursuant to Art.
Paragraph 1 in the activities of the legal entity, he may be punished, in addition to the administrative fine imposed by the legal entity.
anum is made according to Article 46 of this Act.
Violation of an individual's duty of confidentiality according to Art. Articles 36 and 44 of this Act concerns fines or imprisonment
elsi up to one year. If he has committed the offense in order to obtain unfair earnings for himself or others
imprisonment may be imposed for up to three years.
The confiscation of the proceeds of the offense and the parts used to commit the offense shall be subject to the provisions of
um VII. Chapter A of the General Penal Code.
Article 49
Complaint to the police.
The Data Protection Authority assesses whether an alleged violation of an individual according to Art. Article 48 of this Act shall be appealed
the police or whether the agency is requesting an investigation that ends with a government
decision. A complaint from the Data Protection Authority shall be accompanied by copies of the documents suspected of an infringement
supported by. Provisions IV. – VII. Chapter I of the Administrative Procedure Act does not apply to the decision of the Data Protection Authority
to report a case to the police.
The Data Protection Authority may provide the police and the prosecuting authority with information and documents that
the institution has acquired and related to violations according to Article 48 of this Act. Privacy is permitted
to take part in police actions relating to the investigation of those offenses.

Page 21

Nr. 90

June 27, 2018

The police and the prosecuting authority may provide the Data Protection Authority with information and data that they provide
have acquired and are related to violations according to Article 48 of this Act. Police are also allowed to participate
in the actions of the Data Protection Authority concerning the investigation of the offenses specified in Article 46. fix
of these.
If the prosecutor considers that there are no grounds for legal action for alleged criminal conduct which
in addition to administrative sanctions, he may refer the matter to the Data Protection Authority
treatment and decision.
Article 50
The right of individuals not to incur guilt.
In a case that is directed at an individual and can end with the imposition of administrative fines or a complaint
to the police according to Article 49 of this Act has a person who has a reasonable suspicion that it has happened
guilty of violating the law the right to refuse to answer questions or hand over documents or items
unless it can be ruled out that it may be relevant to a decision on his offense. Privacy
shall instruct the suspect on this right.
Article 51
Compensation.
If the responsible party or processor has processed personal information in contravention of the provisions
of the Regulation, this Act or rules established on the basis thereof or instructions of the
protection, he shall compensate the data subject for the financial loss which the latter has suffered
for which reason. However, the guarantor or processor will not be made to compensate for damage that
he proves that neither fault nor negligence will be traced by him.
However, the processor shall only be liable for damage resulting from processing if he has not complied
obligations under the Regulation and this Act that are specifically aimed at processors
or if he has not complied with or violated the lawful instructions of the guarantor.
VIII. CHAPTER
Entry into force, etc.
Article 52
Regulations based on the law.
A regulation may prescribe the processing of personal data and security measures in
taken up activities or with individual professions.
Article 53
Entry into force.
This Act shall enter into force on 15 July 2018. At the same time, the Act on Personal Data Protection and Treatment shall be repealed.
journey of personal information, no. 77/2000, with subsequent amendments.
Article 54
Amendment to other laws.
Upon the entry into force of this Act, the following amendments will be made to other Acts:
1. Act on Mortgages to Consumers, no. 118/2016, with subsequent amendments:
a. Instead of the words "1. and point 2. Paragraph 1 Article 8 Act on Privacy and Treatment of
zone information "in the 2nd sentence. Paragraph 1 Article 24 of the Act comes: points 1 and 2. Paragraph 1 9.
gr. Act on Personal Data Protection and Processing of Personal Data.
b. For the word "treatment" in the final sentence of the first paragraph. Article 28 of the law comes: processing.

Page 22

Nr. 90

June 27, 2018

2. Act on Financial Undertakings, no. 161/2002, as amended: For the word "withtrip "for the second time in the third paragraph. Article 60 a of the law comes: processing.
3. Act on Insurance Mediation, no. 32/2005, with subsequent amendments: For the words "withjourney of personal information, no. 77/2000 "in the third paragraph. Article 27 and the third paragraph. Article 48 of the law comes:
processing of personal information.
4. Act on Official Supervision of Financial Activities, no. 87/1998, with subsequent amendments: In
the word "treatment" is replaced the second time in the final sentence of paragraph 2. Article 13 a law comes:
processing.
5. Act on Social Security, no. 100/2007, with subsequent amendments: Instead of the words
"Privacy and treatment" twice in the third paragraph. Article 46 of the Act comes: privacy and
processing.
6. Act on Vocational Rehabilitation and the Activities of Vocational Rehabilitation Funds, no.
60/2012, with subsequent amendments: For the word "treatment" in the 4th paragraph. Article 12 of the law
ur: processing.
7. Act on the Debtors' Ombudsman, no. 100/2010, with subsequent amendments:
a. Instead of the words "8. and, as the case may be, Article 9. Act no. 77/2000, on personal data protection and
journey of personal information "in the 3rd sentence. Paragraph 3 Article 2 of the Act comes: the Act on Personal
protection and processing of personal information.
b. Instead of the words "13. gr. of the same Act "in the 4th sentence. Paragraph 3 Article 2 of the law comes: the same law.
c. 2nd sentence Paragraph 2 Article 3 of the Act is repealed.
8. Act on Payment Mitigation for Individuals, no. 101/2010, with subsequent amendments: 2nd sentence.
Paragraph 2 Article 5 of the Act is repealed.
9. Act on the Welfare Appellate Committee, no. 85/2015: For the word "treatment" in the first paragraph.
Article 4 of the law comes: processing.
10. Act on Services for the Disabled with Long-Term Support Needs, no. 38/2018: In place
the word "treatment" for the second time in Article 29. of the law comes: processing.
11. Medicinal Products Act, no. 93/1994, with subsequent amendments: For the word "treatment" in the 2nd and 4th paragraphs.
Article 24, paragraph 2 Article 25 and the 9th paragraph. Article 27 of the law comes: processing.
12. Legal Life Museums and Health Information Museums, No. 110/2000, with subsequent amendments:
a. Instead of the words "20. gr. of the Act on Personal Data Protection and Handling of Personal Data "in 3.
sentence Paragraph 1 Article 7 of the Act comes: the Act on Personal Data Protection and Processing of
inga.
b. For the word "treatment" in the third paragraph. Article 10 and the second time in point 6. Paragraph 9 Article 13
a of the law comes: processing.
c. Instead of the words "11. and Article 12. Act on Personal Data Protection and Handling of Personal Data "
in the first paragraph Article 12 of the Act comes: the Act on Personal Data Protection and Processing of Personal Data.
d. Instead of the words "4. mgr. Article 35, paragraphs 2 and 3 Article 37 and 38. – 43. gr. Act on Personal
protection and handling of personal data "in the second paragraph. Article 12 of the Act comes: Act on
privacy and processing of personal information.
13. Act on Healers, no. 34/2005, with subsequent amendments: For the words "and treatment" in 2.
sentence Article 6 of the law comes: and processing.
14. Act on the Medical Director of Health and Public Health, no. 41/2007, with subsequent amendments: Instead of the word
"Treatment" the second time in the 9th paragraph. Article 8 of the law comes: processing.
15. Act on Medical Records, no. 55/2009, with subsequent amendments: For the word "treatment" in
the first time in the third paragraph. Article 1, 2nd sentence Paragraph 2 Article 18, point 2 Paragraph 2 Article 20, paragraph 3 and
3rd sentence Paragraph 4 Article 22 and the 4th sentence. Paragraph 1 Article 24 of the law comes: processing.

Page 23

Nr. 90

June 27, 2018

16. Act on Scientific Research in the Field of Health, no. 44/2014: For the word "treatment" in 1.
sentence Paragraph 3 Article 2, Article 8, 3rd sentence and the second time in the 5th sentence. Paragraph 2 Article 13, paragraph 3
Article 18, the final sentence of the fourth paragraph. Article 19 and the 2nd sentence. Article 26 of the law comes: processing.
17. Legal Health Insurance, No. 112/2008, with subsequent amendments: Instead of the words "and cotrip "in Article 50. of the law comes: and processing.
18. Act on the Hearing and Speech Disorders Center, no. 42/2007, with subsequent amendments: Instead of the word
"Treatment" in the 3rd sentence. 5. tölul. Article 2 of the law comes: processing.
19. Act on a service and knowledge center for the blind, visually impaired and individuals with
integrated visual and hearing impairment, no. 160/2008, with subsequent amendments: 2nd sentence. 1.
mgr. Article 6 of the Act reads as follows: The registration and processing of information is governed by
on the protection of personal data and the processing of personal data.
20. Act on the Protection of the Rights of Persons with Disabilities, no. 88/2011, with subsequent amendments: In place
the word "treatment" in the third paragraph. Article 12 and the second time in the 2nd sentence. 3. tölul. Paragraph 2 Article 14
of the law comes: processing.
21. Act on Food, no. 93/1995, with subsequent amendments: After the word "privacy" in
2nd sentence Paragraph 1 Article 27 d of the Act comes: and the processing of personal information.
22. Act on Electronic Signatures, no. 28/2001, with subsequent amendments: For the word "withtrip "for the second time in the second paragraph. Article 5 of the law comes: processing.
23. Legal restaurants, accommodation and entertainment, no. 85/2007, with subsequent amendments:
For the word "treatment" in the 4th paragraph. Article 9 of the law comes: processing.
24. Act on Kindergartens, no. 90/2008, with subsequent amendments: For the word "treatment" in 1.
sentence Paragraph 2 Article 16 of the law comes: processing.
25. Act on Compulsory Schools, no. 91/2008, with subsequent amendments: For the word "treatment" in 2.
sentence Paragraph 2 Article 18 and the second paragraph. Article 27 of the law comes: processing.
26. Act on Public Archives, no. 77/2014, with subsequent amendments:
a. Instead of the words "8. tölul. Article 2 Act on Personal Data Protection and Handling of Personal Data "
in the second paragraph. Article 26 of the Act comes: point 3. Article 3 Act on Personal Data Protection and Processing
zone information.
b. For the word "treatment" in paragraphs 1 and 6 Article 32 of the law comes: processing.
27. Copyright Act, no. 73/1972, with subsequent amendments: For the words "18. gr. law of perzone protection and processing of personal data "in the third paragraph. Article 22 a of the Act comes: Article 17. fix
on privacy and the processing of personal information.
28. Act on the recognition of professional education and qualifications for work in this country, no. 26/2010,
with subsequent amendments:
a. Instead of the words "29. gr. Act no. 77/2000, on personal protection and treatment of
information "in the second paragraph. Article 7 of the Act comes: Article 16. Act on Privacy and Processing

personal information.
b. Instead of the words "Act no. 77/2000, including on providing those individuals who
information is registered for education on the handling of the information, cf. Article 18 their
of the Act "in the 4th paragraph. Article 7 of the Act comes: the Act on Personal Data Protection and Processing
information, including providing the individuals to whom the information is recorded
on education on the processing of information, cf. Article 17 of the law.
c. Instead of the words "Act no. 77/2000, on personal protection and handling of personal information "
in the 5th paragraph. Article 9 of the Act comes: the Act on Personal Data Protection and Processing of Personal Data.
29. Act on the Genetic Register of the Police, no. 88/2001, with subsequent amendments: Instead of the word
"Treatment" in the second paragraph. Article 1 and the third paragraph. Article 9 of the law comes: processing.

Page 24

Nr. 90

June 27, 2018

30. Act on Coordinated Emergency Response, no. 40/2008, with subsequent amendments: Instead of the word
"Treatment" in the 2nd sentence. Article 6 of the law comes: processing.
31. Act on the Investigation of the Background and Causes of the Collapse of the Icelandic Banks 2008 and Related
events, no. 142/2008, with subsequent amendments:
a. Instead of the words "11. gr. of the Act on Personal Data Protection and Handling of Personal Data "in item c
Paragraph 4 Article 18 of the Act comes: the Act on Personal Data Protection and Processing of Personal Data.
b. For the word "treatment" in the 7th paragraph. Article 18 of the law comes: processing.
32. Act on Civil Protection, no. 82/2008, as amended: For the word "treatment"
in the third paragraph. Article 34 of the law comes: processing.
33. Act on the Enforcement of Sentences, no. 15/2016, with subsequent amendments: For the word "treatment"
for the second time in the 2nd sentence. Article 97 of the law comes: processing.
34. Act on Foreigners, no. 80/2016, with subsequent amendments: For the word "treatment" in 1.
and the 2nd sentence. Paragraph 1 and the 4th sentence. Paragraph 2 Article 17 and the 2nd sentence. Paragraph 2 Article 111 of the law
ur: processing.
35. Act on Investigative Committees, no. 68/2011, with subsequent amendments:
a. Instead of the words "18-21. gr. Act on Personal Data Protection and Handling of Personal Data "
in the first, second and third paragraphs. Article 15 of the Act reads: paragraphs 1 and 2. Article 17 Act on Privacy
and processing of personal information.
b. Instead of the words "18. and Article 21. Act on Personal Data Protection and Handling of Personal Data "
in the final sentence of the third paragraph. Article 15 of the Act comes: the Act on Personal Data Protection and Processing
zone information.
36. Act on the re-use of public information, no. 45/2018: For the word "treatment" in point 1.
Article 4 of the law comes: processing.
37. Act on Statistics Iceland and Official Statistics, no. 163/2007, with subsequent amendments
ingum:
a. Instead of the words "9. gr. Act on Personal Data Protection and Handling of Personal Data, no.
77/2000 "in the second paragraph. Article 13 of the Act comes: Article 11. Act on Privacy and Processing
personal information.
b. Instead of the words "11. – 13. gr. Act no. 77/2000, on personal protection and treatment of
information "in the fourth paragraph. Temporary Provision II of the Act reads: Article 27 laga um
privacy and processing of personal information.
38. Information Act, no. 140/2012, with subsequent amendments: For the word "treatment" in the second paragraph.
Article 33 of the law comes: processing.
39. Taxi Act, no. 134/2001, as amended: For the word "treatment"
for the second time in the final sentence of the first paragraph. Article 2 of the law comes: processing.
40. Act on the Maritime Watch Station, no. 41/2003, as amended: For the word "treatment"
in the second paragraph. Article 16 e of the law comes: processing.
41. Act on Electronic Communications, no. 81/2003, with subsequent amendments:
a. For the words "legislation on privacy" in the final sentence of paragraph 3 Article 38 of the law
ur: Act on Personal Data Protection and Processing of Personal Data.
b. For the word "treatment" in the 5th paragraph. Article 48 of the law comes: processing.
c. After the words "on privacy" in the 1st sentence. Article 51 of the law comes: and processing
personal information.
42. Legal merger of the National Registry and Real Estate Registry of Iceland, no.77 / 2010, with subsequent amendments: Instead of the word "treatment" in the 1st sentence. Article 2 of the law comes: processing.

Page 25

Nr. 90

June 27, 2018

Transitional provisions.
I.
The Minister appoints the Board of the Data Protection Authority in accordance with Article 38. of this Act when the
the time of the sitting board expires.
II.
Regulations, as well as rules, instructions and permits issued by the Data Protection Authority or the Minister
issued on the basis of Act no. 77/2000, shall remain in force, provided that they do not contravene this Act and
the regulation.
III.
Notwithstanding paragraph 6 Article 4 of this Act, the second paragraph of Art. Articles 1, 3, 1 to 5 and the 7th paragraph. Article 4, 5
gr., 1. mgr. Articles 7, 8-13 Art., 1st and 2nd paragraphs. Article 14, points 1 and 3. Paragraph 3 the same articles, Article 22,
Articles 23, 25, 27 to 33 gr., VI. chapters 38–45. gr., 48 gr. and 51. – 53. gr. of this Act on
processing of personal data relating to public security, national defense, state security and employment
of the State in the field of criminal justice, until Directive of the European Parliament and of the Council (EU) 2016/680
has been transposed into Icelandic law. For the above processing, and until the same time limit,
the instructions of the first paragraph shall also apply. Article 20 of this Act on the right of the data subject to obtain false, misleading
or incomplete personal information is corrected.
Done at Bessastaðir, 27 June 2018.
Guðni Th. Jóhannesson.
(LS)
Þórdís Kolbrún Reykfjörð Gylfadóttir .

Attachment.

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
from 27 April 2016
on the protection of individuals with regard to the processing of personal data and on the free dissemination of such data
information and repeal of Directive 95/46 / EC (General Privacy Regulation)

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16 thereof,
Having regard to the proposal from the European Commission,
after drafting legislation before the National Assembly,
Having regard to the opinion of the European Economic and Social Committee ( 1 ),
Having regard to the opinion of the Committee of the Regions ( 2 ),
in accordance with the general legislative procedure ( 3 ),
and taking into account the following:

( 1 ) OJ OJ C 229, 31.7.2012, p. 90.
( 2 ) OJ OJ C 391, 18.12.2012, p. 127.
( 3 ) The position of the European Parliament of 12 March 2014 (not yet published in the Official Journal) and the position of the Council after the first
discussion from April 8, 2016 (has not yet been published in the Government Gazette). Position of the European Parliament of 14 April 2016.

Page 26

Nr. 90

June 27, 2018

1)

The protection of individuals with regard to the processing of personal data is a fundamental right. In the first paragraph. 8.
gr. the Charter of Fundamental Rights of the European Union ("the Charter of Fundamental Rights") and in
Paragraph 1 Article 16 The Treaty on the Functioning of the European Union provides for each individual
has no right to personal data about him being protected.

2)

Principles and rules on the protection of individuals with regard to the processing of their personal data should be
respect the fundamental rights and freedoms of individuals irrespective of their nationality or residence, in particular their rights
their protection of personal information. This regulation is intended to promote the establishment of an area
freedom, security and justice and economic alliance, to economic and social development, to strengthening
and increased convergence of economic systems that form the internal market and the well-being of individuals.

3)

Directive 95/46 / EC of the European Parliament and of the Council ( 4 ) seeks to harmonize the protection of fundamental rights
and the freedom of individuals in connection with processing activities and ensure the free flow of personal information between them
Member States.

4)

The processing of personal data should be aimed at serving humanity. The right to protection
personal information is not indispensable, it needs to be considered in connection with its role in
the company and weigh and evaluate against other fundamental rights in accordance with the principle of proportionality.
In this Regulation, all fundamental rights and freedoms are respected and the principles that are followed are respected
recognized in the Charter of Fundamental Rights as enshrined in the Treaties, in particular
concerning privacy and the family, home and communication, protection of personal data, intellectual property,
freedom of conscience and religion, freedom of expression and information, freedom of enterprise, right to effective remedies
to seek justice and a fair trial in court and the diversity of cultures, religions and
languages.

5)

With the economic and social adjustment that accompanies the activities of the internal market, there is a flow
cross-border personal data increased significantly. Exchange of personal information between public bodies
and private individuals, including individuals, organizations and companies in the Union, have been growing. According to
According to EU law, the authorities of the Member States must cooperate and exchange personal data.
so that they can carry out their duties and carry out tasks on behalf of the authorities of another Member State.

6)

Rapid technological development and globalization have led to new challenges for the protection of personal data.
The scope of data collection and dissemination has increased significantly. Technology makes it equally
companies that allow public authorities to use personal information in their activities in the past
to an unknown extent. Individuals are increasingly making personal information accessible to all and on
internationally. Technology has changed both the economy and the social life of the people and should pay even more
for the free movement of personal data within the Union and its dissemination to third countries and international
institutions, as well as ensuring effective protection of the information.

7)

This development calls for the establishment of a strong and comprehensive framework for privacy in the
the band and follow it vigorously, given the importance of building trust that makes the other
digital economy enables the development of the entire internal market. Individuals should control their own
personal information. Legal certainty and predictability towards individuals and operators should be strengthened
and public authorities.

8)

Where this Regulation provides that explanatory notes or
restrictions on its rules, Member States may incorporate into their national law elements of this Regulation.
made to the extent necessary for compliance and to make the provisions of national law comprehensible
to those to whom they apply.

9)

The objectives and principles of Directive 95/46 / EC still stand, but have not been met
against the disparate implementation of privacy protection within the Union, legal uncertainty or the widespread
ideas among the public that there is a significant risk to the protection of individuals, in particular in
in connection with Internet use. The rights and freedoms of individuals, in particular the right to the protection of personal data

( 4 ) Directive 95/46 / EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to processing
personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31).

Page 27

Nr. 90

June 27, 2018
enjoy the same level of protection in the Member States in relation to the processing of personal data and may
it impedes the free flow of personal information about the Union. This difference can therefore become an obstacle in the way
various economic activities at Union level, distort competition and prevent
authorities perform their duties under Union law. This difference in protection can be attributed to
the difference between the implementation and application of Directive 95/46 / EC.

(10) In order to ensure uniform and effective protection for individuals and to eliminate barriers to movement
personal data within the Union should protect the rights and freedoms of individuals in connection with processing
such information should be comparable in all Member States. Insurance should be provided throughout the Union
harmonized and homogeneous application of rules on the protection of fundamental rights and freedoms of individuals in relation
in the processing of personal information. In respect of the processing of personal data for the purpose of satisfaction
legal obligation, Member States should be allowed to carry out projects carried out on their behalf
in the public interest or in the exercise of official authority exercised by the responsible party, to maintain or implement
new provisions in national law to further specify how this Regulation shall be applied. In addition to general and
horizontal legislation on privacy, which implements Directive 95/46 / EC, Member States have
various sectoral legislation in areas where more specific provisions are needed. This Regulation provides for
States also have a certain amount of leeway to define their rules, including the processing of special categories
personal information ("sensitive information"). In this respect, this Regulation does not preclude
the laws of the Member States prescribe conditions which justify special processing, where e.g.
further define the conditions under which the processing of personal data is lawful.
(11) In order to ensure the effective protection of personal data throughout the Union, it is necessary to strengthen and promote it
in detail the rights of data subjects and the obligations of those who process personal data and
make decisions about their processing, as well as the corresponding powers to monitor and ensure that
comply with the rules on the protection of personal data, and set out similar penalties for violations in
Member States.
12) In the second paragraph. Article 16 of the Treaty on the Functioning of the European Union, the European Parliament and the Council are authorized
to prescribe rules concerning the protection of individuals with regard to the processing of personal data and about
rules concerning the free dissemination of such information.
(13) To ensure uniform protection of individuals throughout the Union and to prevent inconsistencies
inhibiting the free dissemination of personal data in the internal market requires a regulation that creates legal certainty
and transparency towards operators, including micro-enterprises, small and medium-sized enterprises, ensures
individuals in all Member States the same legally enforceable rights and obligations
responsible responsibility on the part of guarantors and processors, and ensures uniform control of processing
personal data and similar penalties in all Member States, as well as effective co-operation between
color authorities of individual Member States. The normal functioning of the internal market requires not to be set
restrictions or prohibits the free movement of personal data within the Union for reasons which
concern the protection of individuals with regard to the processing of personal data. In view of the special circumstances
on micro-enterprises, small and medium-sized enterprises, an exemption is set out in this Regulation regarding
record keeping of companies with less than 250 employees. Furthermore, the institutions and members of the Union and
Member States and their supervisory authorities are encouraged to take into account the specific needs of micro-enterprises, small and medium-sized enterprises.
medium-sized enterprises in the application of this Regulation. The concepts of micro-enterprise, small and medium-sized
companies should be based on Article 2. Annex to Commission Recommendation 2003/361 / EC ( 5 ).
(14) The protection afforded by this Regulation in relation to the processing of personal data should apply to
regardless of citizenship or residence. This Regulation does not cover the processing of personal data
concerning legal entities, in particular companies established as legal entities, including information on the names of legal entities,
its form of operation and contact information.
(15) In order to avoid a serious risk of circumvention, individuals should be protected
to be technically neutral and not dependent on the methods used. The protection of individuals should apply

( 5 ) Commission Recommendation of 6 May 2003 defining the definition of companies, small and medium-sized enterprises
companies (OJ L 124, 20.5.2003, p. 36).

Page 28

Nr. 90

June 27, 2018
applies to automatic as well as manual processing of personal information if the information is stored or
it is planned to keep them in a registration system. Documents or series of documents, as well as their front pages, which are not
organized according to certain criteria, should not fall within the scope of this Regulation.

(16) This Regulation does not apply to the protection of fundamental rights and freedoms or to the free movement of personal data.
in connection with activities that fall outside the scope of Union law, such as activities in question
national security. This Regulation does not apply to the processing of personal data by Member States for the purpose of
in the context of the Union's common foreign and security policy.
(17) Regulation (EC) No 882/2004 of the European Parliament and of the Council 45/2001 ( 6 ) applies to the processing of institutions, parties, offices
and the Union's specialized agencies on personal data. Regulation (EC) no. 45/2001 and others
the Union's legal acts applicable to such processing of personal data, in accordance with the principles and
rules established by this Regulation and applied in the light of this Regulation. In order to install
a strong and coherent framework for privacy in the Union should make the necessary adjustments to regulations
(EB) no. 45/2001 to follow the adoption of this Regulation so that they can be
executed at the same time as her.
(18) This Regulation does not apply to the processing of personal data by an individual if it is solely for his benefit
himself or his family and thus has no connection with employment or business activities. Processing,
which is solely for the benefit of the individual or his family, may, for example, include correspondence and keeping
records of addresses, use of social media and Internet use that takes place in connection with such
processing. However, this Regulation applies to guarantors or processors who set out ways to
to process personal information for the benefit of an individual or his family.
(19) The protection of individuals with regard to the processing of personal data by the competent authorities for that purpose
to prevent, investigate, prosecute or prosecute criminal offenses or to enforce criminal
sanctions, including protecting against and preventing threats to public security and the free movement of such
information, is the subject of a special case law of the Union. This Regulation should therefore not apply to
activities for this purpose. Personal data processed by public authorities under this
Regulation, should, however, be subject to more specific Union legislation when used
for this purpose, i.e. Directive of the European Parliament and of the Council (EU) 2016/680 ( 7 ). Member States may entrust
competent authorities within the meaning of Directive (EU) 2016/680 tasks which are not necessarily
for the purpose of preventing, investigating, prosecuting or prosecuting criminal offenses or
adequate sanctions, including protection against and prevention of threats to public security, so that
the processing of personal data for this other purpose falls, insofar as it falls under the law
Of the Union, within the scope of this Regulation.
With regard to the processing of personal data by these competent authorities for the purpose covered
within the scope of this Regulation, Member States should be allowed to maintain or implement
more specific provisions to adapt the application of the rules of this Regulation. Such provisions could be specified
further specific requirements for the processing of personal data by these competent authorities in these others
purposes, taking into account the constitution, constitution and administrative structure of the Member State concerned.
When the processing of personal data by private individuals falls within the scope of this Regulation, it should
to give Member States the option of restricting by law, in special circumstances, certain obligations and legal
when such a restriction is considered a necessary and moderate measure in a democratic society to safeguard
on certain important interests, including public security, and to prevent, investigate, bring about or
prosecute for criminal offenses or comply with criminal sanctions, including protecting against and preventing
threats to public security. This applies, for example, within the framework of the fight against money laundering or in business
forensic laboratory.
( 6 ) Regulation (EC) No 882/2004 of the European Parliament and of the Council 45/2001 of 18 December 2000 on the protection of individuals in connection with
the processing of personal data processed by Community institutions and parties and the free movement of such data;
(OJ L 8, 12.1.2001, p. 1).
( 7 ) Directive 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to processing
competent authorities on personal data in connection with the prevention, investigation, disclosure or prosecution of
criminal offenses or comply with criminal sanctions and the free dissemination of such information and on the repeal of a framework decision
Council 2008/977 / DIM (OJ L 119, 4.5.2016, p. 89).

Page 29

Nr. 90

June 27, 2018

(20) Although this Regulation applies, inter alia, to the activities of courts and other judicial authorities in law
The Union or the law of a Member State shall specify processing procedures and procedures for processing
courts and other judicial authorities on personal information. In order to safeguard the independence of the judiciary,
in carrying out its tasks in the field of justice, including decision-making, the powers of the supervisory
do not cause the courts to process personal data when exercising their jurisdiction. Possible
It should be appropriate to entrust the supervision of such data processing to specific parties within the judicial system of the Member State.
which should, in particular, ensure compliance with the rules of this Regulation, increase the awareness of judges
its obligations under it and handles complaints in connection with such data processing.
(21) This Regulation is without prejudice to Directive 2000/31 / EC of the European Parliament and of the Council ( 8 ),
in particular the rules in Articles 12-15. gr. on the liability of service providers who are intermediaries. With that
Directive seeks to promote the normal functioning of the internal market by ensuring freedom of movement
service activities between Member States in the field of the information society.
22) Any processing of personal data in connection with the activities of the responsible party's establishment or processing
members of the Union should be conducted in accordance with this Regulation, regardless of whether the processing
itself takes place in the Union. Confirmation refers to active and actual activities with a fixed
komulagi. Legally determined form of operation of such an arrangement, whether it is a branch or a subsidiary
with the legal status of a legal entity, does not determine the outcome in this regard.
(23) To ensure that individuals are not deprived of the protection to which they are entitled under this Convention
Regulation, the processing of a guarantor or a processor not established in the Union should perpersonal data of registered persons, who are in the Union, to be subject to this Regulation if
the processing activity is related to offering the registered goods or services, regardless of whether it is
against payment. To determine whether such a guarantor or processor invites registered individuals
in the Union products and services should check whether it is clear that the guarantor or
the processor intends to offer services to registered persons in one or more Member States
Union. Although the sole access to the website of the guarantor, processor or intermediary
in the Union, his e-mail address or other information on how to approach the person, or use
language commonly used in the third country of establishment of the controller is not sufficient
to confirm that such an intention exists, factors such as the use of language or currency, which
is commonly used in one or more Member States, and the possibility to order goods and services on it
language or to name customers or users in the Union, made clear that the guarantor has
intends to offer products or services to registered persons in the Union.
(24) Processing of personal data by a responsible party or a non-established processor
of registered persons in the Union should also be covered by this Regulation if related
to monitor the behavior of the data subjects, to the extent that such behavior occurs within the Union. To
determine whether processing activities can be considered as monitoring of the behavior of registered persons should be
check whether an individual's URL is traced on the Internet, including whether processing methods are used as a result
on personal information contained in the creation of a personal profile of an individual, in particular for the purpose of taking
decisions regarding the person or to analyze or predict his taste, behavior and attitudes.
(25) Where the laws of a Member State apply by virtue of international law, this Regulation should also apply to guarantors
which is not established in the Union, such as the embassy or consulate of a Member State.
(26) Privacy principles should apply to any personally identifiable information or
personally identifiable individual. Personal information that has been entered under a pseudo-identity, which
may be traceable to an individual through the use of additional information, shall be considered information
about a personally identifiable individual. To determine if an individual is personally identifiable
should take into account all the methods that there is reason to believe that either the guarantor or
another party may apply to identify the person directly or indirectly. To
to ascertain whether it is more likely that methods will be used to identify individual
( 8 ) Directive 2000/31 / EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of services, in particular electronic
trade, in the context of the information society in the internal market (Directive on electronic commerce) (OJ L 178,
17.7.2000, p. 1).

Page 30

Nr. 90

June 27, 2018
an individual should take into account all objective factors, such as the cost and the time it takes, to
taking into account the technology available at the time of processing and technological developments. Principles
on privacy should therefore not apply to anonymous information, ie. related information
non-personally identifiable or personally identifiable individual, or personal information that has been
disconnected from personal identifiers so that it is no longer possible to identify the data subject. These rules
therefore does not concern the processing of such anonymous information, such as for statistical or research purposes.
sókna.

(27) This Regulation does not apply to the personal data of deceased persons. Member States may:
provide for rules on the processing of personal data of deceased persons.
(28) The use of pseudo-identifiers for personal data may reduce the risk for the data subjects concerned
and make it easier for guarantors and processors to fulfill their privacy obligations. Special input
Guidance on the "use of pseudo-identifiers" in this Regulation is not intended to exclude other
measures.
(29) In order to create incentives for the use of pseudo-identifiers in the processing of personal data, measures
due to the use of pseudo-identifiers, which also allow general analysis, to be possible with the same
the guarantor when he has taken the necessary technical and organizational measures to
ensure, for the processing in question, that this Regulation is implemented and that additional
information that makes it possible to trace the personal information to a specific registered person
kept separate. The controller who processes the personal information should disclose which parties
in its activities have the required authorizations.
30) Devices and tools, applications and protocols used by individuals may associate an Internet ID with them, such as IP
Internet protocol addresses, cookie identifiers or other identifiers, such as
telecommunication frequency identification. This can leave traces that can be used to create personal profiles
about individuals and identify them, especially when adding footprints to unique identifiers and others
information received by servers.
(31) Public authorities which receive personal data on the basis of a legal obligation should not be considered
in connection with their public work, such as the tax and customs authorities, units conducting research in the field of
cases, independent administrative authorities or financial market authorities, responsible for regulation and
supervision of securities markets, which recipients, if they receive personal information that is
visible element in a particular inquiry in the public interest, in accordance with Union law or
the law of a Member State. Requests from public authorities for the provision of information should always be in writing,
reasoned and incidental and should not concern the registration system as a whole or lead to interconnection
between registration systems. The processing of personal data by these public authorities should be compatible
applicable privacy rules according to the purpose of the processing.
(32) Consent should be given by clear confirmation, such as a written statement, including by electronic means, or
oral statement, that there is an unenforceable, demarcated, informed and unequivocal declaration of intent of the other
registered that he consents to the processing of personal data concerning himself. This could include
check a box when accessing an Internet site, select technical settings for services in the
the lighting community or any other statement or act that clearly indicates in this context that
a registered individual agrees to the proposed processing of personal information about himself. Silence, squares that
when checked or inactive should not constitute consent. Approval should be obtained
for all processing activities carried out for the same purpose, one or more. When the processing is in various
for each purpose, consent should be given to each and every one of them. If the data subject is to give consent
In the case of an electronic request, the request must be clear and unambiguous and must not interfere with unnecessary use
of the service for which it is provided.
(33) Often, the purpose of processing personal data for the purpose of scientific research cannot be fully identified
when the information is collected. Therefore, registered persons should be able to give their consent to certain
in the field of scientific research when it complies with accepted, ethical standards
scientific research. Registered individuals should have the opportunity to give their consent only on

Page 31

Nr. 90

June 27, 2018
specific areas of research or for parts of research projects, to the extent that the proposed
operation allows.

(34) Genetic information should be defined as personal data relating to hereditary or acquired
the genetic characteristics of an individual, obtained by analyzing a biological sample from that individual,
in particular chromosomal analysis, analysis of deoxyribonucleic acid (DNA) or ribose nucleic acid (RNA), or
by analyzing other factors that make it possible to obtain equivalent information.
(35) Personal health data should cover all data related to the health of a registered individual
provide information about his physical or mental health in the past, present or future. There on
This includes information about the individual that is collected upon registration for health care
or in granting it, as referred to in Directive 2011/24 / EU of the European Parliament and of the Council ( 9 ); numis, a symbol or item assigned to a person to uniquely identify him or her in connection with
in health; information that can be traced to a test or examination of a body part or material, incl
genetic information and biological samples; and any information on, for example, illness, disability,
risk of disease, medical history, clinical or physiological or biomedical or medical
the condition of the data subject, regardless of their origin, such as whether they come from a doctor or other healthcare
an employee, a hospital, from a medical device or with a diagnostic test in a glass.
(36) The headquarters of the guarantor of the Union should be the place where he has his control in
Unless decisions are made about the purpose and methods of processing personal information
another office of the guarantor in the Union, but in that case the latter office should be considered to be
headquarters. The headquarters of the guarantor in the Union should be determined accordingly
objective criteria and there should be active and effective management with a fixed arrangement there
as the main decisions are made about the purpose and methods of processing. That criterion should not be overturned
on whether the processing of personal data takes place at that place. Existence and use of necessary technical
methods and techniques for the processing of personal data or processing activities are not equivalent to headquarters in
itself and is therefore not a decisive criterion for what is considered to be headquarters. Processing headquarters
a party should be the place where he has his control in the Union or, if he has no control,
board of the Union, the place where the main processing activities take place in the Union. In cases there
involving both the responsible party and the processing party, the leading competent supervisory authority should continue to do so
be the supervisory authority of the Member State in which the controller has its head office and the supervisory authority
the processor should be considered as the relevant supervisory authority and that supervisory authority should be
the co-operation process provided for in this Regulation. However, the supervisory authorities of a Member State or
Member States where a processor has one or more establishments shall never be considered as the
authorities if the draft decision concerns only the responsible party. If a group of companies handles the processing
the headquarters of the controlling company should be considered the headquarters of the group unless
procedures and methods for processing the personal information are in the hands of another company.
(37) A group of undertakings should include a controlling undertaking and its subsidiaries where the controlling
the instrument should be the company that has a controlling influence over the other companies, such as through ownership, financial
economic participation or the rules applicable to the company or the power to establish rules for the protection of
information for implementation. A company that controls the processing of personal information in existing companies
in ownership relations with it, should, together with those companies, be considered a group of companies.
(38) Children's personal data should be given special protection as they may be less aware
on the risks, consequences and the relevant protective measures and their rights in connection with the processing of personal data.
information. This special protection should apply in particular to the use of children's personal data in
for the purpose of installation or when creating personal or user profiles and collecting personal information
concern children when using services directly offered to children. The consent of the custodian should not be
necessary in the case of prevention or counseling services offered directly to the child.

( 9 ) Directive 2011/24 / EU of the European Parliament and of the Council of 9 March 2011 on the rights of patients with regard to healthcare
cross-border (OJ L 88, 4.4.2011, p. 45).

Page 32

Nr. 90

June 27, 2018

(39) Any processing of personal data should be lawful and fair. It should be individualclear when personal information about them is collected, used, viewed or otherwise processed,
and the extent to which personal information is or will be processed. The principle of transparency requires it
that any information and communication related to the processing of this personal information is easyeasily accessible and easy to understand and in clear and simple language. This principle applies in particular to
information to registered individuals about who the responsible party is and the purpose of the processing and further
information to ensure fair and transparent processing towards the relevant individuals and rights
to receive confirmation and notification of the processing of personal information about themselves. Individual
clear risks, rules, safeguards and rights in connection with the processing of personal data
and how they can exercise their rights in connection with such processing. In particular, the purpose of processing should
the personal information to be clear and legitimate and available when collecting it. Personal informationshould be adequate, relevant and limited to what is necessary for the purpose
with the processing. This requires in particular that the retention period of the personal information be limited to
absolutely low. Personal data should only be processed if the purpose can not be achieved
processing in another accessible way. To ensure that personal information is no longer stored
but if necessary, the guarantor should set deadlines for deletion or regular review
their. Moderate measures must be taken to ensure that unreliable personal information is
corrected or deleted. The processing of personal data should be done in a manner that provides adequate security and
confidentiality of the information is ensured, including the prevention of unauthorized access or use of perzone information and the equipment used in the processing.
(40) In order for the processing of personal data to be lawful, it should be carried out with the consent of the
a registered person or on any other lawful basis laid down by law,
either in this Regulation or in other Union law or the law of a Member State, as in
may in this regulation, e.g. á m. when it is necessary to comply with the provisions on legal obligation which
rests with the guarantor or for the performance of a contract to which the data subject is a party or
a view of the measures taken at his request before the contract is concluded.
(41) Where reference is made to a legal basis or a legislative measure referred to in this Regulation,
a requirement for the parliament to approve legislation, subject to the constitutional requirements of the
Member State. However, such a legal basis or legislative measure should be clear and precise and the application
foreseeable to those covered by it, as required by the case law of the European Court of Justice (
of the Chair ”) and the European Court of Human Rights.
(42) When processing is based on the consent of the data subject, the controller should be able to demonstrate that the
registered has approved the processing operation. Safeguards should be ensured, in particular in relation to
a statement on another matter, that the data subject is aware that consent has been given and that
to what extent. In accordance with Council Directive 93/13 / EC ( 10 ), the responsible party should
a description of consent in an understandable and accessible form and in a clear and simple language which should not be
include unfair terms. In order for a consent to be considered informed, the registered person should know his or her identity
at least the responsible party and be aware of the purpose of the processing of the personal information
intended to serve. Consent should not be deemed to have been given voluntarily if the person registered
has no real or free choice or can not refuse or withdraw consent without
be damaged.
(43) In order to ensure that consent is given voluntarily, it should not be considered a valid legal
basis for the processing of personal data in a specific case where there is a clear difference in circumstances between the other
registered and the guarantor, in particular when the guarantor is a public authority and therefore unlikely to
thickness has been granted voluntarily in all circumstances in that particular case. Consent is considered
not granted voluntarily if it is not possible to give specific consent for separate operationsfor the processing of personal data, even if applicable in that individual case, or if the implementation of a contract,
including the provision of services, is covered by the agreement, although the consent is not necessary due to
according to the agreement.
( 10 ) Council Directive 93/13 / EEC of 5 April 1993 on unfair terms in consumer contracts (OJ L 95, 21.4.1993,
p. 29).

Page 33

Nr. 90

June 27, 2018

(44) Processing should be considered lawful when it is necessary in the context of an agreement or scheme
make a deal.
(45) When processing is carried out in accordance with a legal obligation which rests on the controller or is necessary
for a project carried out in the public interest or in the exercise of official authority, the processing should
to be based on the law of the Union or the law of a Member State. It is not required by this Regulation to set
there will be special laws for each individual processing. It may be sufficient to have a law as a basis for it
various processing operations, based on the legal obligation of the controller, or when the processing
is necessary for a project carried out in the public interest or in the exercise of official authority.
The law of the Union or the law of a Member State should also determine the purpose of the processing. In that law could
further specify the general conditions of this Regulation on the lawful processing of personal data and
how to determine who the responsible party is, what type of personal information will be processed, then
list the individuals involved, which parties may receive the personal information, what restrictions
apply for the purpose, retention period and other measures to ensure that the processing takes place
in a lawful and equitable manner. It should also be provided for in Union or Member State law
whether the person responsible for the implementation of a project carried out in the public interest or with
exercise of public authority, should be a public authority or another person or legal entity that falls
under public law or, where this is in the public interest, including health issues such as public
health and social protection and in the management of health services, under exclusive rights, such as a professional association.
(46) The processing of personal data must also be considered lawful if it is necessary to protect interests
which are crucial for the life of a registered person or another person. Processing of personal information on
on the basis of the overriding interests of another person should, in principle, take place only when
it is clear that it cannot be based on any other legal basis. Some types of processing can both serve
important public interests and the urgent interests of a registered individual, for example when processing
necessary for humanitarian purposes, such as monitoring epidemics and their spread or due to emergency
a situation that calls for humanitarian aid, especially in the case of natural disasters or major shocks
man-made.
47) The legitimate interests of the guarantor, including the interests of the guarantors who receive the personal information in
hands, or third parties may be the legal basis for their processing, provided that the interests
or the fundamental rights and freedoms of the data subject do not prevail, taking into account reasonable expectations
registered persons on the basis of their relationship with the guarantor. Legitimate interests could include
be involved when there is an relevant relationship between the data subject and the controller, e.g.
cases where the data subject is a customer of the guarantor or in his service. Whatever
It would be necessary to carefully assess whether there are legitimate interests involved, including whether a registered individual
when the collection of personal data takes place and in connection with it, may have a valid reason
to assume that processing will take place for that purpose. The interests of the data subject and his fundamental rights
could, in particular, take precedence over the interests of the data controller when the processing of personal data takes place
in situations where registered individuals have no reason to believe that further processing will take place
case. Provided that it is in the hands of the legislature to provide for a legal basis for the processing of public
According to the competent authorities on personal data, this legal basis should not apply to the processing of public data
authorities when carrying out their tasks. Processing of personal information, which is absolutely necessary
for the purpose of preventing fraud, is also considered to be in the legitimate interests of the responsible party
data. The processing of personal data for direct marketing purposes can be considered to be in the interests of legitimate persons
interests.
(48) Guarantors who are part of a group of companies or bodies affiliated with a central body may
had a legitimate interest in disseminating personal information within the group of companies for the benefit of the internal
management, among other things for the processing of personal information about customers or employees. This has none
influence on general principles for the dissemination of personal information, within a group of companies, to a company
which is located in a third country.
(49) The processing of personal data, to the extent that it is strictly necessary and reasonable to ensure the
and information security, ie. the ability of a network or information system to withstand, at a given level of security, an event
who are involved in accidents or actions that are illegal or harmful and endanger accessibility,

Page 34

Nr. 90

June 27, 2018
verified origin, integrity and confidentiality of stored or transmitted personal information, and related security
services offered or available through these networks and systems, by the public authorities,
Computer Security Emergency Response Team (CERT), Emergency Response Team
computer security (CSIRT), those who operate electronic communications networks and services and those who provide security
technology and services, is considered to be in the legitimate interests of the data controller concerned. This could include, for example
prevents unauthorized access to electronic communications networks and the distribution of malicious software
and to stop denial of service attacks and computer damage
and electronic communications systems.

(50) The processing of personal data for purposes other than those for which it was originally intended should be permitted
their collection only if the processing is in accordance with the purpose that was the premise of the collection at the beginning.
In that case, no legal basis is required other than that which permitted the collection of the personal information.
If the processing is necessary for a project carried out in the public interest or in application
The official authority exercised by the responsible party may be determined by the law of the Union or the law of a Member State.
and indicate when further processing is considered compatible and legitimate with regard to specific projects and
access. Further processing for archiving in the public interest, research in the field of science or
history or for statistical purposes should be considered as compatible, lawful processing operations.
Legal basis under Union law or the law of a Member State for the processing of personal data
can also be the legal basis for further processing. To ascertain whether the purpose
with further processing in accordance with the purpose that was the premise of the collection at the beginning should be responsiblethe party, when it has complied with all the requirements of the lawfulness of the initial processing, to take into account
ma: any connection between this purpose and the purpose of the proposed further processing, its in
the context in which the personal information was collected, in particular the reasonable expectations of data subjects
their further use on the basis of their relationship with the controller, the nature of the personal information,
guidelines for their further processing for registered persons and whether the appropriate protection
measures have been or are being taken, both in the initial processing operations and the planned further ones
actions.
When a registered person has given his consent or the processing is based on Union law or
the law of a Member State, which constitutes a necessary and modest measure in a democratic society and which is
intended to safeguard important objectives that serve the public interest, should the guarantor
to be authorized to further process the personal data, regardless of whether the purpose is considered compatible
bearings. In any case, the application of the principles set out herein should be ensured
Regulation, in particular to inform the data subject of this additional purpose and his rights, including
the right to measure. If the responsible party points out possible criminal conduct or threats to public safety
and sends to the competent authority the relevant personal data in individual or more relevant cases
the same criminal act or threats to public safety, should be considered in the interests of legitimate interests
of the guarantor. However, such transmission should be prohibited in the interests or legitimate interests of the controller
further processing of personal data if the processing is not in accordance with legal, professional or other means
binding duty of confidentiality.
51) Personal data, which are inherently particularly sensitive with regard to fundamental rights and
human freedoms, should enjoy special protection as their processing could result in significant
risks to fundamental rights and freedoms. This personal information should include information
about race or ethnic origin, but the use of the term "race" in this should not be construed
Regulation in recognition of the Union's theories which seek to prove the existence of different
human factors. The processing of photographs should not be systematically considered as the processing of specific categories of
information as it falls solely under the definition of biometric information when processing it
is carried out using a special technical method that makes it possible to identify or confirm the identity of an individual
unequivocally. The processing of such personal information should not take place unless it is permitted in
individual cases, as set out in this Regulation, taking into account that in the law of
States may lay down specific provisions on privacy in order to adapt the application of rules
of this Regulation so that they comply with the legal obligation or for a project carried out for the benefit of
human interests or in the exercise of official authority exercised by the responsible party. General principles and
other rules of this Regulation should apply, in addition to the specific requirements for such processing, in particular:

Page 35

Nr. 90

June 27, 2018
as regards the conditions for the legality of the processing. Exemptions from the general
prohibits the processing of such special categories of personal data, for example when the data subject unequivocally provides
their consent or taking into account special needs, in particular when the processing takes place as part of
legitimate activities of certain organizations or institutions aimed at ensuring human freedom.

(52) An exemption from the ban on the processing of specific categories of personal data should also be allowed if provided for
is governed by the law of the Union or the law of a Member State and without prejudice to
measures to protect personal data and other fundamental rights, when serving
public interest, in particular the processing of personal data in the field of labor law, social legislation
protection, including pensions, and with regard to health security, monitoring and warnings, prevention and prevention
against infectious diseases and other serious health threats. Such an exemption may be granted from
health reasons and public health management, in particular to ensure quality and
cost-effectiveness of the procedures used to settle claims for benefits and services
of the health insurance system, or for archiving in the public interest, research in the field of science
or history or for statistical purposes. With an exemption, such should also be permitted
personal information when it is necessary to create, maintain or defend legal claims,
whether in court or in administrative or out-of-court proceedings.
(53) The processing of specific categories of personal data, which need to be protected, should only be processed
for health-related goals when necessary to achieve those goals in the interests of
individuals and society as a whole, in particular in relation to the management of health or social services and systems,
including the processing of such information by the administration and central national health
authorities for the benefit of quality control, data management of the administration and general supervision of health and
national and local social services and to ensure continuity in health and social services and health
cross-border healthcare or health security, for monitoring and alerting purposes, or for
placement in the public interest, research in the field of science or history or for statistical purposes,
on the basis of the law of the Union or the law of a Member State, which must serve the interests of the public, which
and for research conducted in the public interest in the field of public health. This Regulation should therefore
to provide for harmonized conditions for the processing of specific categories of personal data
issues, taking into account special needs, in particular when processing such information for the benefit of
certain health-related goals on the part of parties covered by the duty of confidentiality according to law. Law
The Union or the law of a Member State should provide for specific and appropriate measures to protect
fundamental rights and personal information of individuals. Member States should be allowed to maintain
or impose additional conditions, including restrictions on the processing of genetic information, biological
educational information or health information. However, this should not impede the free movement of
zone information within the Union when these conditions apply to the processing of such information over
border.
(54) The processing of specific categories of personal data may be necessary for the public interest in the field
public health without the consent of the data subject. Such processing should be subject to appropriate and specific requirements
measures to safeguard the rights and freedoms of individuals. In this context, the term should be interpreted
"Public health" as defined in Regulation (EC) No 882/2004 of the European Parliament and of the Council 1338/2008 ( 11 ), i.e.
as all health-related factors, more specifically health conditions, including disease cases and disabilities, decisive
factors affecting health, need for health care, funding for health care
services, provision and general access to health services and the costs and financing of health
services, as well as causes of death. Such processing of health information in the public interest should not be
lead to the processing of personal data for other purposes by third parties, such as employers or insurance
companies and banking institutions.
55) Processing of personal data by public authorities for the purpose of pursuing objectives
officially recognized religious organizations, as laid down in the Constitution or under
international law, is also made with reference to the public interest.

( 11 ) Regulation (EC) No 882/2004 of the European Parliament and of the Council Council Regulation (EC) No 1338/2008 of 16 December 2008 on Community statistics on
public health and health and safety at work (OJ L 354, 31.12.2008, p. 70).

Page 36

Nr. 90

June 27, 2018

(56) When necessary for the operation of a democratic system of government in a Member State, in connection with
that political parties collect personal information about people's political views may be permitted
processing of such information in the public interest, provided that appropriate protection is
measures.
57) If the personal data processed by the responsible party does not enable him to identify an individual
he should not be obliged to provide additional information to identify a registered person only
for the purpose of complying with any of the provisions of this Regulation. However, the guarantor should not refuse
to receive additional information provided by the data subject in order to assert his rights. In person
analysis should include digital identification of a registered person, including with the help of authentication
a method such as the same credentials that he uses to log in to a service provider
data on the Internet.
(58) The principle of transparency requires that any information intended for the public or
a registered person, are concise, accessible and easy to understand, that they are clear and simple
relevant and in addition to the application of visual methods, as appropriate. Such information could be provided at
in electronic form, for example on a website, when they are intended for the general public. This is especially true in cases where
it is difficult for a registered person to know and understand, due to the large number of parties involved and
the complex technology used, whether, by whom and for what purpose information is collected about it,
such as in the case of online advertising. Since children need special protection, each should
information and notifications, when processing is directed at the child, to be in a clear and simple language that
the child can easily understand.
(59) Further rules should be laid down to facilitate the exercise of the rights of a data subject by a data subject.
in accordance with this Regulation, including measures enabling it to request and, where appropriate,
it is provided free of charge that he is granted access to personal information, it is corrected
or destroyed them, as well as that he can exercise his right to object. The guarantor should also take care of this
that requests can be submitted electronically, especially when processing personal information
electronically. The guarantor should be obliged to respond to the requests of the registered person without
delay and within one month at most and present arguments if he does not intend to take such requests
to consider.
(60) The principles of fairness and transparency in processing require the notification of a data subject
that a processing operation is in progress and what its purpose is. The guarantor should provide the data subject
further information necessary to ensure fairness and transparency in processing
personal information with regard to the special circumstances and context that apply to its processing.
Furthermore, the data subject should be informed that a personal profile has been created and the consequences thereof. When
personal information obtained from a registered person should also inform him of whether he
is obliged to provide the personal information and the consequences of not providing it.
Standard icons can be included with this information to provide a clear overview
planned processing in a visible, comprehensible and legible manner. The icons should be on
computer-readable format when presented electronically.
(61) Information should be provided to a data subject in connection with the processing of personal data about him / her on it
time when the information is obtained from him or, when the personal information is obtained from others
sources, within a reasonable time, taking into account the circumstances of each case. If you can get others
the recipient of personal information lawfully should notify the data subject immediately
the recipient receives the personal information for the first time. If the responsible party intends to process personal information
purposes other than those behind their collection, he should provide the data subject with
descriptions of this new purpose before further processing, together with any other necessary information
ingum. If it is not possible to explain to the data subject the origin of the personal information because it
come from different sources should provide general information.
(62) However, it is not necessary to impose an obligation to provide information if the data subject has it
already in hand, if specifically prescribed for the registration or publication of personal information in
law, if it proves impossible to provide the data subject with information or it would result in disproportionate

Page 37

Nr. 90

June 27, 2018
effort. The latter could be particularly relevant when processing for archiving purposes
public interest, research in the field of science or history or for statistical purposes. In that regard
should take into account the number of registered persons, the age and relevance of the information
safeguard measures that have been taken.

(63) A registered person should have the right to access personal data that has been collected
him and to exercise these rights in an easy and reasonable manner so that he may do so
understands whether the processing is carried out in a lawful manner and verifies it. This includes the right
registered persons for access to information concerning their health, for example information in
medical records such as diagnosis, results of research, evaluation by treating physicians and each
any kind of treatment or intervention. Every registered person should therefore, in particular, have the right to be informed
and notification of the purpose of the processing of the personal information, the processing period of the information if possible
is, their recipients, what the reasons are for the automatic processing of personal information and the consequences
such processing, especially when it is based on the type of character. The guarantor should, if possible,
to be able to provide the data subject with remote access to a secure system that would give him direct access to
access to personal information about themselves. That right should not adversely affect the rights or freedoms of others.
including trade secrets or intellectual property rights, and in particular copyright protection of softwareinum. The conclusion of these matters should not, however, be that a registered person is denied all information.
descriptions. When the responsible person works with a large amount of information concerning a registered person should
he be able to request that the data subject specify in more detail what information or processing operations
the request is reversed, before the information is provided.
(64) The guarantor should take all reasonable steps to verify the identity of a registered person who:
requests access, in particular in connection with Internet services and online identification. The guarantor should not
to retain personal information for the sole purpose of responding to potential requests.
(65) A registered person should be entitled to a correction of personal data concerning him / herself and
"Right to be forgotten" if the storage of such information violates this Regulation, Union law
or the law of a Member State to which the controller is subject. In particular, a registered person should have the right to
to have personal information concerning him deleted and that processing with it is stopped if the information
are no longer necessary for the purpose of collecting or otherwise processing them
to the extent that he has withdrawn his consent or objects to the processing of personal data about him or if
the processing of personal data about him is not in accordance with this regulation in other respects. This right to private
applies when the data subject has given his or her consent as a child and is not fully aware of the risks
which the processing involves and later requests that the personal information be deleted, especially on the Internet.
A registered person should be able to exercise this right even though he is no longer a child. Although should
further storage of the personal data must be lawful, if necessary, in order to exercise the right to
freedom of information and information, in order to fulfill a legal obligation, for a project carried out in the public interest
interests or in the exercise of official authority exercised by the responsible party, in the public interest in the field;
public health, for archiving in the public interest, research in the field of science or history, or
for statistical purposes or for the purpose of establishing, maintaining or defending legal claims.
(66) In order to strengthen the right to be forgotten in the online environment, the right to destruction should also be extended accordingly.
that the guarantor who made the personal information public is obliged to inform the guarantor who
process such information that all links to this personal information or copies thereof shall be deleted or
their remakes. In this connection, the responsible party should take reasonable steps with regard to it
to the technology available and the methods available to it, including technical measures
to inform the persons responsible for processing the personal data of the data subject of his request.
(67) Methods for restricting the processing of personal data may include the entry of selected data
temporarily in another processing system, make selected personal information inaccessible to users or remove
publish information temporarily from a website. In automatic registration systems should generally be ensured
limitation of processing by technical means in such a way that no further processing perthe zone information and cannot be changed. The system should be clearly stated
that the processing of personal information is limited.

Page 38

Nr. 90

June 27, 2018

(68) To further strengthen a data subject's control over data relating to himself / herself when processing
personal information is provided by automatic means, he should also have the right to receive
information concerning himself, which he has provided to the guarantor, in a systematic, common, computerreadable and collaborative format and send them to other guarantors. The data controller should be encouraged
to develop collaborative formats that make it possible to transfer your own data. This right should apply immediately
the data subject provided the personal information on the basis of his own consent or if the processing is necessary
due to the implementation of the contract. It should not apply when processing is based on other legal
on the basis of consent or agreement. By its very nature, this right should not be exercised against
responsible persons who process personal information in the course of their public duties. It should therefore not apply
when the processing of personal data is necessary to fulfill the legal obligation incumbent on the responsible partyon or in connection with a project carried out in the public interest or in the exercise of official authority which
the guarantor goes with. The right of a registered person to send or receive personal information is
concern for itself should not imply that the guarantors are obliged to record or maintain
technologically compatible processing systems. If a certain amount of personal information concerns more than one
a registered person, their right to receive the personal information should be subject to rights
and the freedom of other registered persons in accordance with this Regulation. Furthermore, this right should not
to affect the right of a registered person to have personal information and restrictions on that right deleted
as set out in this Regulation, in particular it should not indicate that personal data
information concerning the data subject which he has given up in connection with the performance of the contract shall be deleted, that
to the extent and for as long as the personal information is necessary to fulfill the contract. If it is
technically feasible, a registered individual should have the right to have the personal information sent directly
from one guarantor to another.
(69) When the processing of personal data may be lawful because it is necessary for the purpose of the project,
which is carried out in the public interest or in the exercise of official authority exercised by the responsible party, or
due to the legitimate interests of the guarantor or a third party, the registered person should nevertheless
have the right to object to the processing of personal data relating to his specific circumstances. It should be
in the hands of the guarantor to demonstrate that his important legitimate interests take precedence over the interests
or the fundamental rights and freedoms of the data subject.
(70) When personal data is processed for the purpose of direct marketing, a registered individual should have
the right to object to such processing, including the creation of a personal profile, to the extent that it relates to such direct
marketing, whether initial or further processing or not, at any time and
free of charge. The data subject should be made specifically aware of this right in a clear manner and
reported other information.
(71) A registered person should have the right not to be subject to a decision which may involve a measure
whose personal aspects are assessed solely on the basis of automated data processing and have
effect on himself or a significant comparable effect, such as automatic rejection of a loan application
Internet or electronic recruitment process without human intervention. Such processing includes the "creation of a personal profile"
which includes any automated processing of personal information to assess personal matters
the individual's well-being, in particular to analyze or predict factors relating to his / her job performance, financial
position, health, taste, interests, reliability or behavior, location or mobility, when
has legal effect in itself or a significant comparable effect. Decision-making, based
such processing, including the creation of a personal profile, should be permitted by special law
Of the Union or the law of a Member State to which the controller is subject, inter alia for the purpose of monitoring
with and prevent fraud and tax evasion in accordance with the rules, standards and recommendations of the
ins or national regulators and to ensure the safety and reliability of services as a guarantor
provides or, where necessary, for the conclusion or performance of a contract between a registered person and
guarantor or when the data subject has given his unequivocal consent. In any case, it should apply
such processing to take appropriate protective measures, e.g. á m. to provide the data subject with clear
descriptions and the right to human intervention, to express their views, to receive explanations of the decision taken
is after such an assessment and challenge the decision. Such a measure should not concern a child. To ensure
that the processing is fair and transparent to the registered person, taking into account special circumstances
and in the context of the processing of personal data, the controller should use the appropriate mathematical

Page 39

Nr. 90

June 27, 2018
personal or statistical modeling methods, make appropriate technical and organizational
measures, in particular to ensure that factors which render personal data unreliable are corrected and
reducing the risk of errors, ensuring the security of personal data so as to take into account the
risks to the interests and rights of the data subject and, among other things, to prevent the existence of individuals
discriminated on the basis of race or ethnic origin, political opinion, religion or belief,
participation in a trade union, genetics or health or sexual orientation, or processing leading to
the letters that have a corresponding effect. Automatic decision-making and character creation, based on
special categories of personal information, should only be allowed under special conditions.

72) The creation of a personal profile is subject to the rules on the processing of personal data in this Regulation, including what
concerns the legal basis of the processing or the principles of privacy. European Privacy Council,
established by this Regulation (the "Privacy Council"), should be able to issue guidelines
in that regard.
(73) Union law or the law of a Member State may provide that specific principles and rights may be restricted.
on information, access to and correction of personal data or their deletion, the right to
transfer own data, right to object, decisions based on the type of personal profile, as well as notifications
to a registered individual regarding security breaches in the processing of personal data and certain related obligations
responsible, to the extent necessary and reasonable in a democratic society for the protection of the
security, including human life, in particular in response to natural and man-made disasters,
for the prevention, investigation and prosecution of criminal cases or the enforcement of criminal sanctions, inter alia to protect
and prevent threats to public security or breaches of the Code of Conduct in the legally protected sector.
for other important purposes which serve the public interest of the Union or of a Member State,
in particular the important economic or financial interests of the Union or of a Member State,
for the maintenance of public records in the public interest, further processing of personal data in archivesto provide specific information on political behavior under the regimes of former dictatorships
or to protect the data subject or the rights and freedoms of others, including for the benefit of social protection, public health
and humanity. These restrictions should be in line with the requirements set out in the Treaty.
the Fundamental Rights and the European Convention for the Protection of Human Rights and Fundamental Freedoms.
(74) Rules should be laid down for the liability and liability of the guarantor for the processing of personal data by him
or on his behalf. In particular, the guarantor should be obliged to act appropriately and efficiently
measures and he should be able to demonstrate that the processing is carried out accordingly
Regulation, including the effectiveness of the measures. The measures should take into account the nature,
prisoner, context and purpose of the processing and risk to the rights and freedoms of individuals.
(75) The processing of personal data may lead to varying degrees of likelihood and seriousness of rights
and the freedom of individuals which may give rise to material damage, property damage and immaterial damage, in particular when
the processing may result in discrimination, identity theft or fraud, financial loss, damage to reputation,
lost confidentiality of personal information that is protected on the basis of confidentiality, to use
pseudo-identification is lifted without permission or other significant economic or social disadvantage, when
registered persons may lose their rights and freedoms or be prevented from managing their own personal
information, when processing personal data that reveals race or ethnic origin,
political views, religion or philosophical beliefs, trade union participation and processing
genetic information, health information or information about sex or conviction in
criminal cases and criminal offenses or related security measures, when assessing personal matters,
in particular in analyzing or predicting factors relating to job performance, financial position, health status,
taste or hobby, reliability or behavior, location or mobility, to make or use
personal profile, when the personal information of vulnerable persons, especially children, is processed or already
processing involves a large amount of personal information and affects many registered individuals.
(76) The likelihood and seriousness of the risk to the data subject's rights and freedoms should be determined by reference to the nature;
the scope, context and purpose of the processing. The risk should be assessed on the basis of an objective assessment where it leads
it is clear whether actions in the processing of personal data involve risk or high risk.

Page 40

Nr. 90

June 27, 2018

(77) The guarantor or processor could be instructed on the implementation of appropriate measures and on
how to demonstrate compliance with rules, in particular as regards risk analysis
during processing, their assessment of the cause of the risk, its nature, its likelihood and severity
is also to identify best practices to reduce it, in particular by using recognized
principles, recognized certification, guidelines from the Data Protection Board or suggestions from
zone protection officer. The Privacy Council may also issue guidelines for processing operations
which is unlikely to pose a significant risk to the rights and freedoms of registered persons and points out
which may be sufficient in such cases to respond to such risks.
(78) In order to protect the rights and freedoms of individuals with regard to the processing of personal data, it is necessary
that appropriate technical and organizational measures be taken to ensure compliance with this requirement
of the Regulation is complied with. In order to demonstrate compliance with this Regulation, the responsible party should:
establish internal policies and implement measures that comply in particular with the principles of
protection and default privacy. Such measures could include a reduction as much as possible
processing of personal data, transferring personal data under a pseudo-identity as soon as possible,
see as to the characteristics of personal data and their processing, enable a registered person
to monitor the processing of information, enable the controller to record and improve security aspects.
When manufacturers of products, services and software develop, design, select and use software, products and services
service, which is based on the processing of personal data, or processing personal data in the course of their work should
to encourage them to take into account the right to privacy in the development and design of such products,
services and software and ascertain, taking due account of the latest technical knowledge,
that guarantors and processors can fulfill their obligations regarding privacy. Should also be taken into account
to the principles of built-in and default privacy in connection with public tenders.
79) Protection of the rights and freedoms of registered persons, together with the liability and liability of the guarantor and processing
parties, also with regard to supervision and the actions of supervisory authorities, requires the division of responsibilities
according to this Regulation is clear, inter alia when the guarantor decides, together with other guarantors,
purpose and methods of processing or when processing is performed on behalf of the responsible party.
(80) If a controller or processor not established in the Union processes personal data
about registered persons who are in the Union and its processing activities are related to offering such
registered persons in the Union goods or services, regardless of whether they are required to
payment, or monitor their conduct, in so far as the conduct takes place within the
of the band, the controller or processor should nominate a representative unless the processing is
incidental, does not involve the massive processing of specific categories of personal data or the processing of personal data.
information relating to criminal convictions and criminal offenses, and is unlikely to result in
risks to the rights and freedoms of individuals, with regard to the nature, context, scope and purpose of
processed, or if the responsible party is a public authority or institution. The representative should be present
the controller or processor and may be contacted by any supervisory authority.
The guarantor or processor should nominate the representative separately with a written power of attorney to
act on its behalf in respect of its obligations under this Regulation. Nomination
such representation does not affect the liability or liability of the guarantor or processor under
this Regulation. Such a representative should perform his duties in accordance with the mandate received from him
the controller or processor, including working with the competent supervisory authorities with regard to
any action taken to ensure compliance with this Regulation. Nominated
a representative should be subject to enforcement action if the responsible party or processor has not complied with the regulation.
(81) In order to ensure compliance with the requirements of this Regulation as regards the processing carried out by the processor
to be handled on behalf of the controller, the controller should, when entrusting the processor
actions, only to look for processors who provide adequate insurance, in particular with regard to
expertise, reliability and resources, for the implementation of technical measures and
organizational measures which comply with the requirements of this Regulation, in particular as regards the safety of
processed. If the processor complies with approved rules of conduct or approved certification arrangements, it is possible
use it to demonstrate that the guarantor is fulfilling its obligations. Provision that processing is in
in the hands of the processor should be set out in a contract or other legal act under Union law

Page 41

Nr. 90

June 27, 2018
or the law of a Member State which commits the processor to the controller and specifies the
the nature and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of
individuals, with regard to the specific tasks and responsibilities of the processor in connection with the processing in question
to take place and the risks created regarding the rights and freedoms of the data subject. The guarantor and
the processor may choose to use a single contract or a fixed contract clause which is either
the Commission shall approve directly or the regulatory authority shall approve in accordance with the coordination system; and
the Commission then agrees. When processing by the guarantor is complete, the processing
the party, as decided by the responsible party, to return or delete the personal information except for
there is a requirement for the storage of personal data in accordance with Union law or the law of a Member State
which the processor must comply with.

(82) In order to demonstrate compliance with this Regulation, the controller or processor should keep
records of processing operations under his responsibility. Each guarantor and processor should be
obliged to work with the supervisory authority and make these files, upon request, accessible to the supervisory
authority so that they can be used for the purpose of monitoring these processing operations.
(83) In order to maintain safety and prevent processing in breach of this Regulation,
the guarantor or processor to assess the risks involved in the process and take steps to reduce it
from such a risk, such as encryption. These measures should ensure appropriate safety levels, including:
confidentiality, taking into account the latest technology and the cost of implementation related to the risks and nature of personal
the information to be protected. When assessing data security risks, the risks involved should be taken into account
accompanies the processing of personal information, such as unintentional or unlawful deletion of personal information when it
are sent, stored or otherwise processed, such as being lost, altered, published or accessed.
to those without permission, which may in particular lead to material damage, property damage or immaterial damage.
(84) In order to promote compliance with this Regulation when processing operations are likely to result in significant
risk to the rights and freedoms of individuals, the controller should be responsible for assessing
impact on privacy, in particular to assess the origin, nature, characteristics and severity of that risk. Take
should take into account the outcome of the assessment when determining the appropriate measures to be taken
that it may be demonstrated that the processing of personal data is in accordance with this Regulation. When food
on the impact on privacy indicates that processing operations involve a high level of risk, which
the party can not reduce with appropriate measures in view of the available technology and the cost of
implementation, the supervisory authority should be consulted before processing.
85) Security breaches in the processing of personal data may, if not dealt with in the correct manner and
timely, causing material damage to property, property damage or intangible damage, such as loss of control
personal data or the restriction of their rights, discrimination, identity theft or fraud
on, financial loss, that the use of pseudo-tokens is lifted without permission, damage to reputation, lost confidentiality about
personal data that is protected by confidentiality or other significant economic or
social disadvantage for the individual concerned. Therefore, the guarantor should, as soon as
he must be aware that a breach of security has occurred in the processing of personal data, to report
the regulatory authority about him without undue delay and, if possible, no later than 72 hours. after
he will be the failure was unless the guarantor can demonstrate, in accordance with the principle of
liability, that the failure in question is not likely to result in a risk to the rights and freedoms of
individuals. If this is not possible within 72 hours. the reasons for the delay should accompany the notification
and information can be provided in stages without further unreasonable delay.
(86) The controller should notify a data subject of a breach of security in the processing of personal data
without undue delay if the breach is likely to result in a significant risk to rights and freedoms
of the individual and thus give the person the opportunity to take the necessary precautions. In the notificationThe nature of the security breach in the processing of personal data should be stated, as well as recommendations for
the individual's spirit of mitigating potential adverse effects. Such notifications to registered individuals
should be sent as soon as possible and in close cooperation with the supervisory authority, in accordance with
instructions from it or other relevant authorities, such as law enforcement authorities. Need to reduce
from the acute risk of damage calls for prompt communication with registered individuals, but the need to take action

Page 42

Nr. 90

June 27, 2018
appropriate measures against persistent or similar safety deficiencies in the treatment of
personal information may justify spending more time communicating.

(87) It should be ascertained whether all appropriate technical protection and organizational measures
has been made to immediately confirm whether there has been a security breach in the processing of personal data
takes place and to inform the supervisory authority and the data subject immediately. Make sure
that the notification was sent without undue delay, in particular as to its nature and seriousness
security breach in the processing of personal data, its consequences and its harmful effects on the other
registered. Such notification may lead to intervention by the supervisory authority in accordance with its tasks
and the powers laid down in this Regulation.
(88) When establishing detailed rules for the appropriate presentation and procedures for reporting a security breach
in the processing of personal data, due account should be taken of the circumstances of the failure in question
occurs, including whether personal information has been protected by appropriate technical measures such as
effectively limit the likelihood of identity fraud or other forms of abuse. Furthermore, such rules should
and procedures to take into account the legitimate interests of law enforcement authorities when providing early information
in the process may unreasonably stand in the way of an investigation into a situation in which a security breach occurs
processing of personal data took place.
(89) Directive 95/46 / EC provides for a general obligation to notify regulatory authorities of processing
personal information. Although this obligation leads to administrative and financial burdens, it did not lead to
in all cases to improve the protection of personal data. Therefore, such coincidences should be abolished.
teach general reporting obligations and should be replaced by effective procedures and methods
which instead focus on the types of processing operations that are likely to lead to high risk
for the rights and freedoms of individuals by reason of their nature, scope, context and purpose. Such species
processing operations can be those that involve in particular the use of new technology or are of a new type and there
as the responsible party has not previously performed an impact assessment on privacy or when they occur
necessary in view of the time elapsed since the initial processing.
(90) In such cases, the controller should have a privacy impact assessment carried out before processing.
begins to assess the likelihood and severity of high risk in terms of nature, scope, context and
the purpose of the processing and the origin of the risk. This impact assessment should in particular include measures,
safeguards and arrangements designed to reduce such risks, ensure the protection of
information and demonstrate compliance with this Regulation.
(91) This should apply in particular to large-scale processing operations aimed at
the amount of personal data at regional, national or supranational level and which could
affected a large number of registered individuals and which can be considered likely to lead to a high risk, e.g.
due to the sensitivity of the information, already in accordance with the technical knowledge gained
has used a wide range of new technologies, as well as other high-risk processing operations for
the rights and freedoms of data subjects, in particular when these actions make it more difficult for data subjects
by exercising their rights. An impact assessment on privacy should also be carried out when
are made for the purpose of making decisions concerning certain individuals following systematic and
an in-depth assessment of personal factors related to individuals and is based on the type of personal
format from this information or following the processing of specific categories of personal data, biometric
information or information on convictions in criminal cases and criminal offenses or related security measuresanir. In the same way, an assessment of the impact on privacy is required when extensive monitoring is carried out
areas accessible to the public, in particular when using photovoltaic equipment or for other
actions where the competent regulatory authority considers that the processing is likely to result in a significant risk
the rights and freedoms of data subjects, in particular because they prevent data subjects from consuming
their rights, use services or rely on a contract, or because they are extensive and
executed systematically. The processing of personal data should not be considered extensive in the case of processing
personal information from an individual physician, other professional healthcare professional or lawyer about
patients or clients. In such cases, the assessment of the effects on privacy should not be obligatory.
bound.

Page 43

Nr. 90

June 27, 2018

(92) In certain circumstances, it may be prudent and cost-effective to subject the impact assessment to:
privacy extends more than one task, for example if public authorities or agencies intend to come
at a common level for use or processing or when many guarantors plan to
establish a common operating or processing environment within an industry or sector or common,
transversal activities.
(93) In the context of the adoption of the laws of a Member State, which form the basis for the performance of public tasks
of the authority or body and apply to a specific processing operation or sequence of operations in question,
Member States may consider it necessary to carry out such an assessment before commencing the processing operations.
(94) When assessing the impact on privacy, the processing would, due to a lack of safeguard measures,
about, security measures and measures to reduce risk, lead to high risk for rights and
freedom of the individual and the responsible party considers that it will not be undermined by modest means
in terms of available technology and implementation costs, the supervisory authority should be consulted
before starting processing operations. Certain types of processing and scope and frequency are likely
processing involves such a high level of risk which may also lead to damage or disruption of rights
and the freedom of the individual. The supervisory authority should respond to a request for consultation within the specified time.
However, if no response is received from the regulatory authority within that time limit, it should not affect the intervention
of the supervisory authority in accordance with its tasks and the powers laid down in this Regulation.
made, including the authority to prohibit processing operations. Part of that consultation process is that it may be submitted
the supervisory authority results of an assessment of the effects on privacy carried out with regard to the
processing, in particular the proposed measures to reduce the risks to the rights and freedoms of individuals.
(95) The processor should assist the guarantor, as necessary and request a
that, in ensuring that the obligations arising from the performance of the impact assessment are complied with
privacy and prior consultation with the supervisory authority.
(96) The supervisory authority should also be consulted in the preparation of legislative or administrative measures.
concerning the processing of personal data in order to ensure that the proposed processing is in accordance with
this Regulation and in particular to limit the risks to a registered individual.
(97) If the processing is in the hands of a public authority, with the exception of courts or independent judicial
authorities when exercising their jurisdiction, if processing in the private sector is in the hands of the responsible party
where the main activity consists of processing operations that require extensive, regular and
systematic monitoring of registered persons or if the main task of the guarantor or processing
The party's involves the extensive processing of special categories of personal information and information concerning the
criminal convictions and criminal offenses, a party with expertise in privacy law should
assist the controller or processor in monitoring compliance with this Regulation in internal
vangi. In the private sector, the main tasks of the guarantor concern his main activity and not the processing of personal data.
information as ancillary activities. The necessary expertise should be determined, in particular from the data
processing operations carried out and the protection necessary for their personal
information processed by the controller or processor. Privacy officers, whoever they are
employees of the responsible party or not, should be in a position to carry out their duties and
materials independently.
(98) Organizations or other bodies representing the categories of guarantors or processors should be encouraged to
sees rules of conduct, within the limits of this Regulation, in order to facilitate its effective application,
taking into account the specific characteristics of the processing that takes place in specific areas and in accordance
with the special needs of micro-enterprises and small and medium-sized enterprises. Such rules of conduct could in particular
delimiting the responsibilities of the guarantor and processor, with regard to the risk to rights and freedoms
persons likely to be involved in the processing.
(99) When organizations and other parties representing the categories of guarantors or processors
rules, amend them or extend their scope, they should consult relevant stakeholders;
including registered persons if possible, and take into account the comments and opinions expressed in
following such consultation.

Page 44

Nr. 90

June 27, 2018

(100) In order to improve the transparency and compliance of this Regulation, the establishment of
arrangements and privacy seals and logos enabling registered persons to
quickly assess the level of privacy of the product and service in question.
(101) The flow of personal data to and from non-EU countries and to and from international organizations is necessary
visible due to growing international trade and international cooperation. Increased flow of this kind has had
entails new challenges and problems in relation to the protection of personal data. When personal information
is communicated by the Union to guarantors, processors or other recipients in third countries
or to international organizations, it should not undermine the protection afforded by this Regulation to
in the Union, including the transmission of personal data from third countries or international organizations
to a guarantor or processor in the same or another third country or at another international organization.
Transmission to third countries or international organizations may, however, only take place in the manner provided for in this Regulation
is followed in one and all. The information may therefore only be shared, subject to these other provisions
of the Regulation, that the guarantor or processor has complied with the conditions laid down in
on this Regulation on the transfer of personal data to third countries or international organizations.
(102) This Regulation is without prejudice to international agreements concluded by the Union with third countries on
personal information, including appropriate safeguards for the benefit of registered persons. Member States
may conclude international agreements covering the transfer of personal data to third countries or international organizations;
to the extent that such agreements do not affect this Regulation or other provisions of law
Union and contain provisions on the appropriate protection of the fundamental rights of registered persons.
(103) The Commission may, in so far as it is valid throughout the Union, decide that a third country,
territory or a designated sector within a third country or international organization provides adequate privacy,
thus creating legal certainty and uniformity throughout the Union with respect to third countries or
an international organization deemed to provide such protection. In such cases, the sharing of personal information is permitted
to the third country or international organization in question without obtaining further authorization. The Commission
may also decide to revoke such a decision after it has notified the third country or international
the agency about it and fully informed of the reasons.
(104) In the Commission's assessment of a third country or territory or specified sector within a third country
it should, in accordance with the fundamental values ​on which the Union is founded, in particular the
rights, to take into account how the third country in question respects the fundamental principles of the rule of law, ensures
access to the justice system and comply with international rules and standards on human rights, and with the general public
laws and special laws, as well as legislation on public security, national defense and state security, as well as universal
rule and criminal law. Upon adoption of a decision as to whether protection is adequate in respect of
territory or specified sector within a third country, clear and objective criteria should be taken into account.
such as certain processing operations and the scope of the relevant legal rules and legislation in force in
third country. The third country should guarantee adequate protection, which is essential
comparable to that guaranteed in the Union, in particular when the processing of personal data takes place in
about one or more specified sectors. In particular, the third country should ensure effective and independent monitoring
privacy and develop procedures for co-operation with data protection authorities in the Member States and registered
individuals should enjoy effective and enforceable rights and be able to seek redress from the
county authorities and courts effectively.
(105) In addition to the international commitments entered into by the third country or international organization,
the Commission to take into account the obligations arising from the participation of a third country or an international organization.
in multilateral or regional systems, in particular in relation to the protection of personal data, e.g.
and implementation of such obligations. In particular, the accession of a third country to the Convention should be taken into account
Council of Europe of 28 January 1981 on the protection of individuals with regard to the mechanical processing of personal data
and an additional protocol to it. The Commission should consult the Privacy Council immediately
it assesses the scope of protection in third countries or at international organizations.
(106) The Commission should monitor the implementation of decisions on the scope of protection in third countries,
territory or in a specified sector within a third country or with an international organization and should be monitored
implementation of decisions adopted on the basis of para. Article 25 or the fourth paragraph. Article 26 of the Directive

Page 45

Nr. 90

June 27, 2018
95/46 / EB. When the Commission makes decisions on the adequacy of protection, it should see to it
in order to have arrangements for a regular review of their implementation. This one
periodic review should be carried out in consultation with the third country or international organization concerned
and taking into account relevant developments in the third country or at the International Organization. That is control
and in the case of periodic reviews, the Commission should take into account the views and conclusions
Of the European Parliament and of the Council, as well as other relevant bodies and sources. The Commission should
evaluate, within a reasonable time, the implementation of the latter decisions and report on the relevant
results for the committee within the meaning of Regulation (EU) No. 182/2011 ( 12 ),
established by this Regulation, and for the European Parliament and the Council.

(107) The Commission may certify that a third country, territory or specified sector in a third country or
an international organization no longer guarantees adequate privacy. For this reason, dissemination should be banned
personal data to this third country or international organization unless the requirements of this Regulation are met.
made available to the public subject to appropriate safeguards, including binding corporate rules, and
exceptions due to special circumstances. In that case, consultation between the implementing
the government and the third countries or international organizations in question. The Commission should notify
the third country or the international organization in a timely manner on the reasons and initiate negotiations with it or her to
to remedy the situation.
(108) In the absence of a decision as to whether adequate protection exists, the responsible party should:
or a processor to take steps to compensate for a lack of privacy in a third country with appropriate
safeguard measures in favor of a registered person. Appropriate protective measures may include:
use binding corporate rules, standard provisions on privacy protection agreed by the Commission
thick, standard provisions on personal data protection approved by the supervisory authority or contractual provisions which
the supervisory authority has authorized. These safeguards should ensure compliance with the requirements
privacy and respect for the rights of registered persons relating to processing within the Union, incl
that there are enforceable rights of registered individuals and effective legal remedies, among other things that it is possible
to seek redress before the administrative authorities or the courts in an efficient manner and to seek compensation;
in the Union or in a third country. They should in particular concern compliance with general principles of processing
personal information and the principles of built-in and default privacy. Public authorities or
agencies may also disseminate information to public authorities or agencies in third countries or to
international organizations that have similar responsibilities or roles, inter alia on the basis of provisions that are incorporated
in government measures, such as agreements, which provide enrolled and enforced individuals with enforceable and effective
rights. The authorization of the competent supervisory authority should be obtained if safeguard measures are provided for in
government measures that are not legally binding.
(109) The possibility for the controller or processor to apply standard provisions on personal data protection
approved by the Commission or the supervisory authority should not impede the guarantor or the
parties to incorporate standard provisions on privacy into a broader agreement, such as an agreement between
the party and another responsible party, nor in adding other provisions or additional protection
measures, provided that they do not directly or indirectly conflict with the standard
the contractual provisions adopted or influenced by the Commission or the supervisory authority
fundamental rights or freedoms of registered persons. Guarantors and processors should be encouraged to do so
additional safeguards with the help of contractual obligations in addition to standard ones
protection provisions.
(110) A group of undertakings or a group of joint ventures should be able to use
taught binding corporate rules regarding its international dissemination from the Union to organizational units
within the same group of companies or group of companies in joint business activities, provided that
that these corporate rules cover all important principles and enforceable rights to insure
appropriate protection measures for the disclosure or disclosure of personal information.

( 12 ) Regulation of the European Parliament and of the Council (EU) no. 182/2011 of 16 February 2011 on rules and general principles
concerning the arrangements by which Member States monitor the Commission in the exercise of its executive powers (OJ
L 55, 28.2.2011, p. 13).

Page 46

Nr. 90

June 27, 2018

111) Provision should be made for the possibility of dissemination in special circumstances when a registered individual has provided
its unequivocal consent and the disclosure is incidental and necessary in connection with a contract or legal claim,
whether in court or administrative or other out-of-court proceedings, including
proceedings before regulators. The possibility of dissemination should also be taken into account when urgent public
interests laid down in the law of the Union or the law of a Member State so require or when
the disclosure is from a file established by law and intended for the public or them
who have a legitimate interest in it can view it. In the latter case, the dissemination should not
cover the personal information in its entirety or complete categories of information in the file and the disclosure should, when
it is assumed that those with legitimate interests can view the file, only to proceed
at their request or, if they are to be the recipients of the information, taking full account of the interests
and the fundamental rights of the data subject.
(112) The exemptions should apply in particular to the dissemination of information necessary for important purposes
public interest, for example in the case of international exchanges of information between competition authorities,
tax or customs authorities, between financial supervisory bodies, between institutions operating in the field of social security
or public health, for example by tracing transmission routes due to infectious diseases or for the purpose of reducing
and / or eliminate drug abuse in sports. The sharing of personal information should also be considered legitimate immediately
it is necessary to protect the interests that are crucial to the vital interests of the listed individual
or another person, including physical immunity or life, if the data subject is unable to provide
its thickness. When no decision has been made as to whether adequate protection exists, the law may
Union or the law of a Member State limited, in the light of important public interests, in particular dissemination
certain categories of information to a third country or international organization. Member States should notify the
the Commission on such provisions. The disclosure of personal information about a registered individual could be considered, as
is physically or legally unable to give its consent to an international organization in the field
humanitarian affairs for the implementation of a project under the Geneva Conventions or for enforcement
international humanitarian law applicable to armed conflict, necessary in the light of important public
interests or that it concerns the urgent interests of the data subject.

(113) Dissemination which may be considered as non-recurring and which concerns only a limited number of registered
individuals, may also be possible with regard to important legitimate interests as a guarantor
safeguards when the interests or rights and freedoms of a registered person do not override them and if
the responsible party has investigated all circumstances in connection with the dissemination of the information. The guarantor
should in particular consider the nature of the personal data, the purpose and duration of the proposed processing operation;
or operations, as well as conditions in the country of origin, third country and final country of destination and should
take appropriate safeguards to protect the fundamental rights and freedoms of individuals with respect to
processing of their personal information. Such dissemination should only be possible in individual cases already
no other mentioned reasons for disclosure apply. The legitimate expectations of society should be taken into account
for increased knowledge in the case of scientific or historical research or statistical
purpose. The controller should notify the supervisory authority and the data subject of the disclosure.
(114) In any case, the guarantor or processor should, if the Commission has not acted
a decision on whether privacy is adequate in a third country, to take advantage of solutions provided by data subjects
individuals enforceable and effective rights with respect to the processing of personal data about them in
The Union after the dissemination of this information has taken place so that it continues to enjoy fundamental
rights and safeguards.
(115) Some third countries adopt laws, regulations and other legal acts relating to the direct control of
actions of individuals and legal entities under the jurisdiction of the Member States. This may include judgments which the
chairs or decisions of third country governments requiring the guarantor or
the processor discloses or publishes personal information that is not based on an international agreement such as
to the Agreement on Mutual Legal Assistance, in force between the third country, which submits
request, and the Union or a Member State. If the application of these laws, rules and other legal acts is not
regional, it may be contrary to international law and may stand in the way of the protection
This is guaranteed in the Union by this Regulation. Disclosure should only be allowed if conditions exist
of this Regulation on transmission to third countries is complied with. This may apply, for example, when publishing

Page 47

Nr. 90

June 27, 2018
necessary for important public interests recognized by Union law or by law
of the Member State to which the guarantor belongs.

(116) The crossing of personal data across borders outside the Union may lead to an increased risk for
the ability of individuals to exercise their right to privacy, in particular to protect themselves against unlawful use
or publication of the information in question. Furthermore, the supervisory authorities can come to the conclusion that they
unable to follow up on complaints or conduct investigations in connection with activities outside its borders.
Insufficient powers of prevention or remediation, inconsistencies between legal rules and obstacles to
implementation such as limited resources can hinder their efforts to work together
across borders. Therefore, closer co-operation between regulatory authorities in the field of personal
protection to help them exchange information and conduct research with their counterparts
international parties. In order to shape the arrangements for international co-operation to facilitate and
provide mutual assistance in the international arena in the implementation of legislation on the protection of personal data should
the Commission and the supervisory authorities to exchange information and work with the competent
on third countries to projects related to the exercise of their powers, on a reciprocal basis
and in accordance with this Regulation.
117) An important factor in the protection of individuals with regard to the processing of their personal data is that
to establish supervisory authorities in the Member States with a mandate to carry out their duties and
their powers completely independent of others. Member States should be able to establish more than one
color authority to reflect its constitution, governance and administrative structure.
(118) The independence of supervisory authorities should not mean that they do not have to comply with supervisory or monitoring systems
in connection with their expenses or judicial review.
(119) If a Member State establishes more than one supervisory authority, it should establish a system of law to:
to ensure the effective participation of the supervisory authorities in the coordination system. The Member State in question should in particular
to designate the supervisory authority that acts as a joint liaison for active participation
these authorities in the system to ensure prompt and smooth cooperation with other supervisory authorities,
the Privacy Council and the Commission.
(120) Each supervisory authority should have at its disposal the resources, human resources, housing and infrastructure
necessary for them to carry out their tasks effectively, including those pertaining to them
for mutual assistance and co-operation with other supervisory authorities throughout the Union. Everybody
The supervisory authority should have a specific, public annual budget that can be part of the overall
the state or state budget.
(121) General conditions for the representative of the supervisory authority should be laid down in the law of each Member State and in
in particular, they should provide that the parliament, government or heads of state of the Member State appoint this
believe on the basis of a transparent procedure, on the proposal of the Government, its Minister,
of the Althingi or a parliamentary chamber, or that an independent party be entrusted with that task under the law of a Member State.
In order to ensure the independence of the supervisory authority, the representatives should act with integrity, not
have anything that is incompatible with their duties and not to pursue other paid or unpaid
incompatible jobs during their term of office. The supervisory authority should have its own staff, selected by it
itself or an independent party, established under the law of a Member State, and should do so only
to be under the control of a representative of the supervisory authority.
(122) Any supervisory authority should be competent in the territory of its Member State to exercise that power.
authorizations and perform the tasks entrusted to it under this Regulation. They should especially
take part in processing in connection with the activities of the office of the guarantor or processor in the territory
own Member State, the processing of personal data by public or private authorities for the benefit of the public
interests, processing affecting registered persons in its territory or processing by
a guarantor or processor, who is not established in the Union, when it is addressed to registered persons
individuals living in its territory. This should include handling complaints from registrants
individual, conducting research into the application of this Regulation and raising public awareness
on risk factors, rules, safeguards and rights in connection with the processing of personal data.

Page 48

Nr. 90

June 27, 2018

(123) The supervisory authorities should monitor the application of the provisions of this Regulation and promote
to its harmonized implementation throughout the Union, to protect individuals in connection with processing
personal information about them and facilitate the free flow of personal information in the internal market. In that
To this end, the supervisory authorities should co-operate with each other and with the Commission, without
it is possible to conclude an agreement between the Member States on mutual assistance or such cooperation.
124) When the processing of personal data takes place within the framework of the activities of the responsible party's office or
a processor in the Union and the guarantor or processor has confirmed in more than one
Member State, or when processing, which takes place within the framework of the activities of a single responsible establishment
or a processor in the Union, has a significant effect or can be expected to have a significant effect on the data subject
persons in more than one Member State, the supervisory authority over the headquarters of the guarantor or
the processor or this single establishment of the guarantor or processor to act as a
authority. It should co-operate with the other relevant authorities when the controller or processor
a party has an establishment in their territory, registered persons in their territory will be affected
significant impact or complaint is filed with them. If a registered person, who does not live in it
Member State submitting a complaint, the supervisory authority to which the complaint is lodged should also be
the supervisory authority concerned. Within the framework of their tasks to issue guidelines regarding
any issues that may arise in the application of this Regulation should be addressed by the Privacy Council
may issue guidelines, in particular on the criteria to be taken into account when finalizing
check whether the processing in question has a significant effect on registered persons in more than one Member State
and what are considered appropriate and substantiated objections.
(125) Leading authorities should be able to adopt binding decisions on measures and apply
to that end the powers conferred upon it in accordance with this Regulation. By virtue of its role
as the lead authority, the supervisory authority should mobilize the relevant supervisory authorities to participate in the
the recruitment process and coordinate them. If it is decided to reject the complaint of the registered person in question, altogether
in part or in part, the supervisory authority with which the complaint was lodged should take that decision.
(126) The Leading Supervisory Authority and other relevant supervisory authorities should agree on
the decision and it should be addressed to the head office or the only office of the responsible party or
of the processor and be binding on him. The guarantor or processor should take action
necessary measures to ensure compliance with this Regulation and the implementation of the Decision
notified by the lead supervisory authority to the headquarters of the controller or processor thereof
concerning processing activities in the Union.
(127) A supervisory authority which does not act as a leading supervisory authority should be able to:
in local cases where the controller or processor is established in more than one Member State
but the subject matter of the specific processing operation concerns only processing carried out in one Member State and takes place
only to registered persons in that one Member State, for example when it comes to the processing of personal data
on employees in a specific employment context in a Member State. In such cases, the supervisory authority should
to notify the lead supervisory authority of the matter without delay. After the leadership supervisory authority has been
notified of the matter, it should decide whether it will deal with it under the co-operation provision
between the lead supervisory authority and other relevant supervisory authorities ("one-stop shop")
or whether the supervisory authority which sent it the notification should deal with the matter on a local basis. When
the lead supervisory authority decides whether to deal with the case should it take it into account
whether the controller or processor has an establishment in the Member State of the supervisory authority which notified
on the case, to ensure the effective enforcement of a decision vis-à-vis the responsible party or the
the party. If the lead supervisory authority decides to handle the case itself, the supervisory authority should
the authority which notified the case to have the option of submitting a draft decision to the
the authority must take the utmost account when preparing its draft decision within the arrangements for
delivery in one place.
(128) The rules on the supervisory authority and one-stop shop should not apply when public authorities
power or private parties handle the processing in the public interest. In such cases, the supervisory authority should
of the Member State in which the official or private authority is established to be the sole supervisory

Page 49

Nr. 90

June 27, 2018
the authority competent to exercise the powers conferred upon it under it
regulation.

(129) In order to ensure uniform control and enforcement of this Regulation throughout the Union,
supervisory authorities to carry out in each Member State the same tasks and effective powers, including
authorizations for research, to take corrective action and to impose sanctions and licensing and
authorizations, in particular in the case of complaints from individuals and, without prejudice
the powers of the prosecuting authorities under the law of a Member State to draw attention
judicial authorities for violations of this Regulation and bring proceedings before a court. Among such powers
should also be authorized to introduce temporary or permanent restrictions on processing, including prohibition.
Member States may specify other tasks related to the protection of personal data under this
regulation. The powers of the supervisory authorities should be exercised in accordance with the relevant procedural rules which
set out in the laws of the Union and the laws of the Member States, impartially and fairly
reasonable time. In particular, every measure should be appropriate, necessary and modest to ensure
compliance with this Regulation, taking into account the circumstances of each case, respects the rights of each party
to express their views before taking any action
to his disadvantage and implemented in such a way as to avoid excessive costs and inconvenience to the person in question
individuals. Research authorizations regarding access to premises should be applied accordingly
with special requirements in the procedural law of the Member State, such as the requirement to obtain prior authorization
case authorities. Every legally binding measure of the supervisory authority should be in writing, clear and
unequivocally, it should state which regulatory authority issued it, date of issue, it should be
the signature of the supervisor or representative of the supervisory authority to whom he has given his power of attorney shall be included
state the reasons for the measure and refer to the court for an effective remedy to seek redress. This
does not preclude additional claims under the procedural law of a Member State. When taken legally binding
decision, it may involve a review by a court of a Member State of the supervisory authority
made the decision.
(130) If the supervisory authority with which the complaint is lodged is not the lead supervisory authority, the lead supervisory
the authority to work closely with the supervisory authority to which the complaint is lodged, in accordance with the provisions of
of this Regulation on co-operation and coherence. In such cases, the lead supervisory authority, when it
enables measures intended to have legal effect, including the imposition of administrative fines, to take
take the utmost account of the views of the supervisory authority with which the complaint was lodged and that authority should
continue to be competent to carry out any research in the territory of its own Member State in consultation
with the competent supervisory authority.
(131) When another supervisory authority should take on the role of the lead supervisory authority for processing activities
guarantor or processor, but the subject matter of a complaint or possible violation only concerns processing activities
the guarantor or processor in the Member State where the complaint was lodged or a possible breach
was diagnosed and the case does not have a significant effect, nor is it expected to have a significant effect, on
registered persons in other Member States, the supervisory authority which receives the complaint or which
finds out or is otherwise informed of any circumstances that may result in a possible
violation of this Regulation, seek to reach a good agreement with the guarantor and, if unsuccessful, apply
their full powers. This should cover certain processing operations taking place in the territory
Member State of the supervisory authority or, in the case of registered persons in the territory of that Member State,
state, processing carried out in connection with the offering of goods or services addressed specifically to the registered
persons in the territory of the Member State of the supervisory authority or processing which must be assessed in the light of
of applicable legal obligations under the law of a Member State.
(132) Awareness-raising activities aimed at raising public awareness should, inter alia, include:
includes special measures aimed at guarantors and processors, including micro-enterprises, small
and medium-sized enterprises, and also individuals, especially for educational purposes.
(133) Regulatory authorities should assist each other in the performance of their tasks and provide reciprocal
assistance to ensure the uniform application and implementation of this Regulation in the internal market.
The supervisory authority requesting mutual assistance may take interim measures if necessary.

Page 50

Nr. 90

June 27, 2018
no response to the request for mutual assistance within one month of receipt by the other regulatory authority;
the request.

(134) Each supervisory authority should, as appropriate, participate in joint actions with others
supervisory authorities. The requesting regulatory authority should be obliged to respond to the request within
a specific time.
(135) In order to ensure the uniform application of this Regulation throughout the Union,
a system of co-operation between supervisory authorities. In particular, the system should be applied when the supervisory authority
intends to take a measure intended to have legal effect in respect of processing operations which have significant effects
has a significant number of registered persons in several Member States. It should also be applied when something
the supervisory authorities concerned or the Commission shall request the coordination system
treatment of such a case. The system should not affect any of the measures taken by the Commission
may intervene in the exercise of its powers under the Treaties.
(136) When using the coordination system, the Privacy Council should, within a specified time, issue an opinion if:
a majority of its representatives so decides or if any of the relevant supervisory authorities or
the government requests it. The Privacy Council should also have the power to take legal action
decisions in the event of a dispute between supervisory authorities. To that end, it should be published, as a rule
a two-thirds majority of its representatives, legally binding decisions in a clear definition
analyzed cases where supervisory authorities discuss views, in particular within the co-operation system
between the lead supervisory authority and the relevant supervisory authorities, on the progress of the case, in particular whether
discuss violations of this Regulation.
(137) There may be an urgent need for action to protect the rights and freedoms of data subjects, in particular when:
there may be a risk of a significant impediment to the enforcement of a registered person's rights. Therefore, the supervisory authority should
to be allowed to take, in its territory, duly substantiated interim measures by:
specified period of validity, which should not exceed three months.
(138) The application of such a system should be a condition for the disposition of the supervisory authority
legal effect, is considered lawful in cases where its application is mandatory. In other cases that
cross-border, the system of co-operation between the Leading Authority and the relevant
supervisory authorities and mutual assistance and joint action could be applied between the parties concerned
regulatory authorities, bilateral or multilateral, without activating the coordination system.
(139) In order to promote the harmonized application of this Regulation, the Privacy Council should be
independent members of the Union. In order to achieve its objectives, the Privacy Council should have
legal entity status. The Chairman of the Privacy Council speaks on its behalf. That should be replaced
the Working Group on the Protection of Individuals with regard to the Processing of Personal Data established by
Directive 95/46 / EC. It should include the heads of the supervisory authorities of each Member State and the European Union
the Data Protection Authority or their respective representatives. The Commission should be involved
in the activities of the Privacy Council without the right to vote and the European Privacy Agency should have
special voting rights. The Privacy Council should promote the harmonized application of this Regulation
throughout the Union, including advice to the Commission, in particular on the scope of protection in third countries
countries or international organizations and by promoting co-operation between EU regulators.
The Privacy Council should be independent in its work.
(140) The Data Protection Board should be assisted by an office of the European Data Protection Authority
for. Staff of the European Data Protection Agency, which is involved in the implementation of these tasks
entrusted to the Privacy Council by this Regulation, should carry out its tasks entirely under its control
Chairman of the Privacy Council and report to him.
(141) Every registered person should have the right to lodge a complaint with one supervisory authority,
in the Member State in which he has his habitual residence, and are entitled to an effective remedy in
Article 47 of the Charter of Fundamental Rights if he considers that his rights under this Convention have been violated
regulation or if the supervisory authority does not deal with a complaint, rejects the complaint in part or in full, or
rejects it or does not take action where action is needed to protect his rights. Research

Page 51

Nr. 90

June 27, 2018
a complaint should be made, subject to judicial review, to the extent appropriate in each
case. The supervisory authority should inform the data subject of the progress and outcome of the complaint
within a reasonable time. If further investigation of the case or coordination with another supervisory authority is required
should in the meantime provide the data subject with information on the status of the case. For ease of submission
complaints, each regulatory authority should take steps such as providing a complaint form;
which can also be filled in electronically, without excluding other communication options.

142) If a registered person considers that his rights have been violated under this Regulation, he should
to have the right to provide a non-profit-making institution, organization or association
comply with the laws of a Member State, have statutory objectives and are active in the field of
information, a power of attorney to lodge a complaint on its behalf with the supervisory authority, exercise the right to
remedy on behalf of registered persons or, if provided for in the law of a Member State, exercise the right to
to accept damages on behalf of registered persons. A Member State may prescribe such
an institution, organization or association has the right to lodge a complaint in that Member State, regardless of whether the
has given a power of attorney to do so, and the right to an effective legal remedy has reason to believe that the rights of the registered
an individual has been violated in the processing of personal data that violates this regulation. No
may authorize the institution, organization or association to claim compensation on behalf of a registered individual without
his power of attorney.
(143) An individual or legal entity has the right to bring an action for annulment of the decisions of the
of the Council before the Court of Justice under the conditions laid down in Article 263. of the Treaty
on the functioning of the European Union. As recipients of such decisions, the relevant supervisory
authorities wishing to challenge them to bring an action within two months of being notified
them, in accordance with Article 263. of the Treaty on the Functioning of the European Union. When personal decisions
of the Security Council directly concern the special interests of the guarantor, processor or complainant, he may
brought an action for annulment of these decisions within two months of their publication on the website of the
of the Zone Protection Council, in accordance with Article 263. of the Treaty on the Functioning of the European Union. With prewarn of this right according to Article 263 of the Treaty on the Functioning of the European Union, each
an individual or legal entity to have access to an effective remedy before a competent national court
concerning the decision of a supervisory authority having legal effect against it. Such a decision concerns in particular
the exercise by the supervisory authority of investigative powers, powers to prescribe measures to
their remedial and licensing rights or the rejection or rejection of complaints. However, the right to effective
legal remedy does not apply to those measures of the supervisory authorities that are not legally binding, such as opinions
or advisers to the supervisory authority. Lawsuits should be brought against the supervisory authority before the courts of the Member State
where the supervisory authority is established and operates in accordance with the procedural law of that Member State.
These courts should have full jurisdiction, inter alia, to investigate all issues of fact.
or the law of the dispute in question which they have received for treatment.
If the supervisory authority has rejected or dismissed a claim, the person who lodged the complaint may bring an action
before the courts of the same Member State. Within the framework of legal remedies for the application of this Regulation may
national courts, which consider that a decision on the matter is necessary for them to rule
ruling, requested, or must be requested in the case referred to in Article 267. of the Treaty on Employment
the European Union, that the Court should give a preliminary ruling on the interpretation of Union law, e.g.
of this Regulation. When the decision of the supervisory authority to implement the decision of the
of the Council is challenged in a national court and the validity of the decision of the Privacy Council is disputed.
the national court does not have the power to declare its decision invalid, but must dismiss the matter
on its validity to the Court in accordance with Article 267. of the Treaty on the Functioning of the European Union,
as interpreted by the Court, if it considers the decision invalid. However, a national court may
do not refer questions concerning the validity of the decision of the Privacy Council at the request of an individual or legal entity
who had had the opportunity to bring an action for annulment of that decision, in particular in so far as the decision concerned
directly to his special interests, but did not do so within the time limit laid down in Article 263. covenant
on the functioning of the European Union.
(144) If a court instituted against a decision of a supervisory authority has reason to intend to institute proceedings
have been the subject of the same proceedings before a competent court in another Member State, where, for example,
discuss the same subject with regard to processing by the same guarantor or processor or the same

Page 52

Nr. 90

June 27, 2018
reasons, he should contact that court to find out whether there are any related cases
in the case. If a related case is pending before a court in another Member State, any court may,
other than the person before whom the case was first brought, adjourned its proceedings or, at the request of one of the parties
dismissed the case from the court in favor of the court before which the case was first brought if that court is competent
to handle the case and the law applicable to that court allows related cases to be brought jointly.
Related matters refer to matters that are so interconnected that it is desirable to deal with them and
rule in them jointly to prevent the imposition of incompatible judgments if
each of them is judged separately.

(145) In the case of a guarantor or processor, the plaintiff should be able to choose
whether he is suing the courts of the Member States in which the guarantor or the processor has
place of business or where the data subject resides unless the responsible party is the official authority of a Member State which:
exercises official authority.
(146) The guarantor or processor should compensate for any damage suffered by the party as a result of the processing
violates this Regulation. The guarantor or processor should be exempt from liability
if he proves that he is not liable for damages. The term damage should be interpreted broadly in the light of
implementation of the Court in such a way that it fully reflects the objectives of this Regulation. This
does not affect any claims for damages for violations of other rules of Union law or the law of membership
state. Processing which is contrary to this Regulation also includes processing which is contrary to the
sold acts and implementing acts approved in accordance with this Regulation and those laws
Member States specifying the rules of this Regulation. Registered individuals should get full
damages for the damage they suffer. When more than one guarantor or processor comes
for the same processing, each guarantor or processor should be liable for all damages. When they
are involved in the same court case, in accordance with the law of a Member State, damages may, however, be divided
the liability of each guarantor or processor for the damage caused by the processing, provided that
that the registered person who suffered the damage will receive full compensation. Guarantor or processor,
who has paid full damages, may subsequently make a claim against another guarantor or processing
parties involved in the same processing.
(147) Since this Regulation contains specific rules on jurisdiction, in particular as regards cases there
seeking legal redress against the guarantor or processor, including damages, should have general jurisdiction
rules, such as those referred to in Regulation of the European Parliament and of the Council (EU) no. 1215/2012 ( 13 ), no
to influence the application of these specific rules.
(148) In order to enhance the enforcement of the rules of this Regulation, penalties, including administrative fines, should be
any breach of this Regulation, in addition to or in lieu of appropriate measures which
the supervisory authority does in accordance with this Regulation. A reprimand may be issued instead of a fine in due course
in the case of a minor offense or if the fine, which is likely to be imposed, would be an excessive burden for an individual.
Nevertheless, due account should be taken of the nature of the violation, its seriousness and
how long it has lasted, whether it was committed intentionally, what action was taken
reduce damages, the extent of the liability or whether previous infringements are relevant, how
the supervisory authority found out about the violation, whether the measures taken against the responsible party
or the processor was followed, whether the rules of conduct were followed along with other mitigating or burdensome factors.
The imposition of penalties, including administrative fines, should be subject to appropriate procedural rules in accordance with
general principles of Union law and the Charter of Fundamental Rights, including effective judicial
protection and due process.
(149) Member States should be able to lay down rules on penalties applicable to infringements of this Regulation, including
violations of national rules adopted under it and within its limits. Such penalties
sanctions may also provide that the person is deprived of the benefits he or she has suffered from the offenses
of this Regulation. However, the imposition of sanctions for violations of such national rules and
administrative sanctions do not lead to a violation of the principle of not being prosecuted or punished
twice for the same offense (ne bis in idem), as interpreted by the Court.

( 13 ) Regulation (EC) No 882/2004 of the European Parliament and of the Council 1215/2012 of 12 December 2012 on the jurisdiction and recognition of and
enforcement of judgments in civil and commercial matters (OJ L 351, 20.12.2012, p. 1).

Page 53

Nr. 90

June 27, 2018

(150) In order to strengthen and harmonize administrative sanctions for infringements of this Regulation, each supervisory authority should:
to be authorized to impose administrative fines. The regulation should specify the violations along with the maximum
and the criteria for the imposition of related administrative fines, which the supervisory authority should decide on each
individual cases, taking into account all the relevant circumstances of the case, in particular the inclusion
due regard to the nature, severity and duration of the offense and its consequences and the measures taken
have been to ensure that the obligations under this Regulation are met and to be established
prevent or mitigate the consequences of the offense. When administrative fines are imposed on a company is meant
undertakings in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union. When the
county fines are imposed on non-corporate entities, the supervisory authority should take into account the general
the level of income in the Member State and the financial position of the party when determining the appropriate amount of the fine. Also
the co-ordination system may be used to promote the co-ordinated application of administrative fines. It should be
it is up to the Member States to determine whether and to what extent public authorities should be subject to administrative fines.
The imposition of an administrative fine or a warning does not affect the exercise of other powers.
the powers of regulatory authorities or other sanctions under this Regulation.
151) The legal systems of Denmark and Estonia do not permit administrative fines such as those set out in
this Regulation. The rules on administrative fines in Denmark can be applied in a competent manner
national courts impose fines as sanctions and in Estonia so that the supervisory authority imposes
the fine in the context of a minor infringement procedure, provided that such application of the
mines in these Member States shall have the same effect as administrative fines imposed by the supervisory authorities. Because
the competent national courts should take into account the recommendations of the initiating supervisory authority
to the imposition of the fine. However, fines imposed should always be effective, commensurate with the offense and have
warning effect.
(152) When this Regulation does not comply with administrative penalties or if necessary in other cases, eg when
in the event of a serious breach of this Regulation, Member States should implement a system
penalties that are effective, proportionate and dissuasive. Whether such sanctions apply
to be criminal or administrative in nature should be determined by the laws of the Member States.
(153) Freedom of expression and information should be harmonized in the laws of the Member States, including in the
humanities, academics, the arts or literature, and the right to the protection of personal data
according to this regulation. Processing of personal information, which is carried out solely for the purpose of journalism or
scholarship or artistic or literary expression, should be subject to exceptions or
weeks from certain provisions of this Regulation if necessary to harmonize the right to
protects personal data and the right to freedom of expression and information guaranteed by Article 11
of the Charter of Fundamental Rights. This should apply in particular to the processing of personal data in the field
audiovisual media and in news media databases and libraries. Therefore, Member States should agree
Legislative measures laying down the necessary derogations and derogations to maintain balance
between these fundamental rights. Member States should agree to such derogations and derogations
general principles, rights of registered persons, guarantors and processors, dissemination of personal data
information to third countries or international organizations, independent supervisory authorities, co-operation and coherence, and
data processing in certain situations. If such exemptions and derogations differ between Member States
the laws of the Member State to which the guarantor is subject shall apply. In view of the importance of the right to expression
freedom in any democratic society it is necessary to interpret concepts broadly in connection with that freedom, e.g.
journalism.
(154) This Regulation allows the principle of public access to the public to be taken into account
documents in its application. It can be considered that the public's access to public documents is in the interest of
human interests. Personal information in documents held by a public authority or body
the relevant authority or entity should be allowed to disclose to the public if the disclosure is provided
in the law of the Union or the law of a Member State under the authority of the public authority or body
under. Such laws should harmonize public access to public documents and the reuse of information
from the public sector on the one hand and the right to the protection of personal data on the other and can therefore provide
necessary harmonization with the right to the protection of personal data under this Regulation
type. The reference to public authorities and institutions should in this context apply to all authorities or
other bodies governed by the law of a Member State concerning public access to documents. European Directive

Page 54

Nr. 90

June 27, 2018
of the European Parliament and of the Council 2003/98 / EC ( 14 ) does not prejudice and does not in any way affect the
with regard to the processing of personal data in accordance with the provisions of
of the State and in particular it does not change the obligations and rights set out in this Regulation.
In particular, that Directive should not apply to data to which there is no or limited access
rules on access rights with reference to the protection of personal data, and on parts of documents, which are
accessible under such rules, when the parts of the document contain personal information and provided
has been in law that their reuse is incompatible with the law on the protection of individuals
regarding the processing of personal information.

(155) The laws of a Member State or in collective agreements, including "workplace agreements", may provide
specific rules on the processing of personal data of employees in a work-related context, in particular conditions
for the processing of personal data in a work-related context on the basis of the consent of the
of the person and in connection with employment, implementation of an employment contract, including fulfillment of obligations
laid down in law or collective agreements, management, preparation and organization of work,
equality and diversity in the workplace, health and safety at work, the exercise and use of rights and
work-related benefits, both individual and shared, and for the purpose of completion
employment relationship.
156) Processing of personal data for archiving in the public interest, research in the field of science
or history or for statistical purposes should be subject to appropriate safeguard measures
concerning the rights and freedoms of registered persons under this Regulation. These safeguards
should ensure that technical and organizational measures are taken, in particular to ensure
is to the principle of data minimization. Further processing of personal information for archiving in
in the public interest, research in the field of science or history or for statistical purposes
stated when the responsible party has assessed whether it is feasible to achieve this purpose through processing
data which do not enable, or no longer enable, the identification of data subjects, in order to
understand that appropriate protection measures are in place (such as the use of pseudo-identifiers for the information).
Member States should provide for appropriate safeguards for the processing of personal data
for archiving in the public interest, research in the field of science or history or in statistics
purposes. Member States should be allowed, subject to certain conditions and without prejudice to:
appropriate safeguards for registered persons, to set out further definitions and
in terms of information requirements and the right to rectify, erase, to forget, to
restriction on processing, to transfer own data and to object to the processing of personal data due to
archiving in the public interest, research in the field of science or history or in statistics
purpose. Relevant conditions and safeguards may require the registration of registered persons
to follow a specific procedure in order to be able to exercise these rights, if appropriate in the light of the intended purpose
is that with this particular processing, in addition to technical and organizational measures aimed at
minimize the processing of personal data in accordance with the principle of proportionality and the principle of necessity. Processing
personal data for scientific purposes should also be in accordance with other relevant legislation, such as
clinical trials.
157) By linking information from different files, researchers can acquire new and extreme
valuable knowledge of widespread health conditions such as cardiovascular disease, cancer and
depression. Using files can enhance research results, as they are based on larger ones
means. In the social sciences, research on the basis of records enables scientists to gain importance
knowledge of the long-term correlation between social conditions of various kinds, such as unemployment and education,
and other circumstances in people's lives. Research results obtained through the use of files provide reliable and
quality knowledge that can be used as a basis for formulating and implementing a knowledge policy, to improve
the quality of life of many and improve the efficiency of social services. To facilitate scientific research is
may process personal data for the purpose of research in the field of science, provided that the relevant
and safeguard measures in Union or Member State law.
(158) This Regulation should also apply to the processing of personal data for the purposes of archiving, but
keep in mind that the regulation does not apply to deceased persons. Public authorities, public bodies or

( 14 ) Directive 2003/98 / EC of the European Parliament and of the Council of 17 November 2003 on the re-use of public information
(OJ L 345, 31.12.2003, p. 90).

Page 55

Nr. 90

June 27, 2018
Private parties who hold public interest records should be service providers who have
under the law of the Union or the law of a Member State has a legal obligation to acquire, preserve, evaluate,
submit, describe, provide information about, promote, distribute and provide access to files of permanent value
public interest. Member States should also be empowered to provide for further processing of personal data.
information regarding archiving, for example in order to provide specific information on political behavior
in countries where there was a former dictatorship, genocide, crimes against humanity, in particular the Holocaust, or war
crimes.

(159) This Regulation should also apply to the processing of personal data for the purpose of scientific research. That is
For the purposes of this Regulation, the processing of personal data for the purpose of scientific research should be interpreted broadly as:
it includes, for example, technological development and pilot projects, basic research, applied research and research
financed by the private sector. In addition, it should take into account the Union's objective, cf. Paragraph 1
Article 179 of the Treaty on the Functioning of the European Union, to establish a European Research Area.
Research in the public interest in the field of public health should also be considered to serve scientific purposes.
To meet the specific requirements for the processing of personal data for the benefit of scientific
research, special conditions should apply, in particular with regard to the publication or other publication of personal data.
information for the benefit of scientific research. If the results of a scientific study, especially in the field of health,
reason for taking further action in favor of the data subject, the general rules of this Regulation should:
apply in the light of these measures.
(160) This Regulation should also apply to the processing of personal data for the purposes of historical research. This
should in addition cover historical research and research for genetic purposes but should have
note that the Regulation should not apply to deceased persons.
(161) As regards the granting of consent for the participation in scientific research activities in clinical trials,
should the relevant provisions of Regulation (EU) no. 536/2014 ( 15 ) to apply.
(162) This Regulation should apply to the processing of personal data for statistical purposes. In the law of Samof the Union or the law of a Member State should, within the limits of this Regulation, determine the statistical
seizure, access control, detailed definitions of the processing of personal data in statistical
ongoing and appropriate measures to safeguard and ensure the rights and freedoms of registered persons
confidentiality in connection with statistical information. Statistical purpose is considered to be any action
involves the collection and processing of personal information that is necessary for statistical surveys or for
to achieve statistical results. These statistical results can be used further in various forms
purposes, including for scientific research. Statistical purpose means that the results of processing in statistical
purpose is not personal information but aggregated data and that these results or personal
the information is not used to support measures or decisions concerning certain individual
individual.
(163) Confidential information which the Union's statistical authorities and the Member States' statistical authorities
States gather to compile official statistics for Europe and the Member States. Eurozone should be developed and negotiated
request statistics and disseminate them in accordance with the principles of statistics, as set out in
stated in the second paragraph. Article 338 of the Treaty on the Functioning of the European Union, but at the same time
reports also comply with the laws of a Member State. Regulation (EC) No 882/2004 of the European Parliament and of the Council 223/2009
( 16 ) provides for further definitions of statistical confidentiality with regard to
European statistics.
(164) As regards the powers of the supervisory authorities to obtain access from the controller or processor to
personal data and access to their premises may be authorized by Member States by law,
within the limits of this Regulation, specific rules for the protection of professional secrecy or other

( 15 ) Regulation of the European Parliament and of the Council (EU) no. 536/2014 of 16 April 2014 on clinical trials of medicinal products for human use and
repeal of Directive 2001/20 / EC (OJ L 158, 27.5.2014, p. 1).
( 16 ) Regulation (EC) No 882/2004 of the European Parliament and of the Council 223/2009 of 11 March 2009 on European Statistics and repeal
Regulation (EC, Euratom) of the European Parliament and of the Council no. 1101/2008 on the delivery of documents that are subject to confidentiality obligations in
Statistics to the Statistical Office of the European Communities, Council Regulation (EC) no. 322/97 on Community statistics and
Council Decision 89/382 / EEC (EEC) on the establishment of the Statistical Program Committee of the European Communities (OJ L.
87, 31.3.2009, p. 164).

Page 56

Nr. 90

June 27, 2018
corresponding confidentiality obligations, to the extent necessary to harmonize the right to the protection of
information and confidentiality. This does not affect a Member State's existing obligations
to adopt rules on professional secrecy if the law of the Union so provides.

(165) This Regulation respects the status of denominations and religious organizations or denominations in the Member States.
according to the existing constitutional law and does not question it, as recognized in Article 17.
of the Treaty on the Functioning of the European Union.
166) In order to achieve the objectives of this Regulation, i.e. to protect the fundamental rights and freedoms of individuals and
in particular their right to the protection of personal data and to ensure the free movement of personal data within
The Union should delegate to the Commission the power to adopt acts in accordance with 290.
gr. of the Treaty on the Functioning of the European Union. In particular, delegated acts should be adopted
certification requirements and requirements, information to be provided by standard
about and methods of presenting such icons. It is particularly important that the Commission has
appropriate consultation during its preparatory work, including with experts. In preparation
and the conclusion of delegated acts, the Commission should ensure parallel, timely and appropriate action
submission of relevant documents to the European Parliament and the Council.
(167) In order to ensure harmonized conditions for the implementation of this Regulation,
the Executive Board when provided for in this Regulation. This power should be exercised
in accordance with Regulation (EU) no. 182/2011. In this context, the Commission should consider
appropriate measures for micro, small and medium-sized enterprises.
(168) The investigative procedure should be applied to the adoption of implementing acts on permanent contractual provisions between
guarantors and processors and between processors, rules of conduct, technical standards and arrangements for
certification, adequate protection as a third country, territory or specified sector within that third country
or an international organization provides, standard protection provisions, formats and methods of electronic information exchange between
guarantors, processors and supervisory authorities with regard to binding corporate rules, mutual
assistance and arrangements for the electronic exchange of information between supervisory authorities and between supervisory authorities and
the Privacy Council.
(169) The Commission should adopt implementing acts which shall enter into force immediately if available
evidence that a third country, territory or specified sector within that third country or international
an institution does not guarantee adequate security and if there is an urgent need.
(170) Since the Member States cannot fully achieve the objective of this Regulation, i.e. to insure individuals
in the Union comparable protection and free movement of personal data throughout the Union, and therefore will be
better achieved at Union level, due to the scope and impact of the action, the Union may
adopt measures in accordance with the principle of subsidiarity as provided for in Article 5. of the Treaty on
The European Union. In accordance with the principle of proportionality, as set out in that Article, is not
go beyond what is necessary in this Regulation to achieve that objective.
(171) This Regulation should repeal Directive 95/46 / EC. Processing, which is already started on that day is
this Regulation is implemented, should be brought into line with this Regulation within two years
from its entry into force. When processing is based on an approval under Directive 95/46 / EC,
it is visible that the registered person gives his consent back, if it was given in a way that complies with the
of this Regulation, so that the responsible party can continue such processing after the date on which
this Regulation shall be implemented. Decisions adopted by the Commission and
fires granted by regulatory authorities under Directive 95/46 / EC remain in force until
amended, replaced or repealed.
(172) The European Data Protection Authority was consulted in accordance with paragraph 2. Article 28 Regulation (EC)
no. 45/2001 and delivered its opinion on 7 March 2012 ( 17 ).
(173) This Regulation should apply to all matters relating to the protection of fundamental rights and freedoms in connection with
in the processing of personal data which are not subject to special obligations with the same purpose as

( 17 ) OJ OJ C 192, 30.6.2012, p. 7.

Page 57

Nr. 90

June 27, 2018
are set out in Directive 2002/58 / EC of the European Parliament and of the Council ( 18 ), including á m. obligations of the guarantor and
the rights of individuals. In order to clarify the relationship between this Regulation and Directive 2002/58 / EC
that Directive should be amended accordingly. Once this regulation has been adopted it should
to revise Directive 2002/58 / EC in order to ensure its compliance with this Regulation.

HAVE ADOPTED THIS REGULATION:
CHAPTER I
General provisions
Article 1
Topics and objectives
1. This Regulation lays down rules on the protection of individuals with regard to the processing of personal data.
information and on rules concerning the free dissemination of personal information.
2. This Regulation protects the fundamental rights and freedoms of individuals, and in particular their right to the protection of
information.
3. The provision of personal data within the Union shall not be restricted or prohibited for reasons relating to:
protection of individuals in connection with the processing of personal data.
Article 2
Material scope
1. This Regulation applies to the processing of personal data which is partly or wholly automatic and to the processing
by means other than the automation of personal data which are or are to become part of the registration
system.
2. This Regulation does not apply to the processing of personal data:
(a) in activities falling outside the scope of Union law;
(b) by the Member States in respect of activities falling within the scope of Chapter 2 of Title V of the Treaty on
The European Union,
(c) by an individual if the processing is part of an activity which is solely for the benefit of himself or his family
hans,
(d) by the competent authorities in connection with the prevention, investigation, prosecution or prosecution;
for criminal offenses or comply with criminal sanctions, including protecting against and preventing threats to
public safety.
3. Regulation (EC) no. 45/2001 applies to the processing of institutions, parties, offices and special institutions of the Union
personal information. Regulation (EC) no. 45/2001 and other acts of the Union, which apply to
such processing of personal data, in accordance with the principles and rules of this Regulation in accordance with Article 98.
4. This Regulation shall not affect the application of Directive 2000/31 / EC, in particular the rules set out in Articles 12 to 15. gr. her
on the liability of service providers who are intermediaries.
Article 3
Scope
1. This Regulation applies to the processing of personal data in connection with the activities of the responsible party's establishment
or a processor in the Union, regardless of whether the processing itself takes place in the Union.

( 18 ) Directive 2002/58 / EC of the European Parliament and of the Council of 12 July 2002 on the processing of personal data and the protection of privacy
in the field of electronic communications (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37).

Page 58

Nr. 90

June 27, 2018

2. This Regulation shall apply to the processing of guarantors or processors not established in the Union,
on personal data of registered persons within the Union when the processing activities are related to:
(a) offer such goods or services to such persons registered in the Union, whether or not they do so
against payment or
(b) monitor their conduct to the extent that their conduct takes place within the Union.
3. This Regulation applies to the processing of personal data by a non-certified controller
within the Union but in a place where the law of a Member State applies under international law.
Article 4
Definitions
For the purposes of this Regulation, the following terms shall have the following meanings:
1) "personal information" means any information about a person who is personally identifiable or personally identifiable
("Registered person"); an individual is considered personally identifiable if he or she can be personally identified
or indirectly, such as by reference to an ID such as name, ID number, location data, online ID or
one or more factors that characterize him in physical, physiological, genetic, mental, material,
cultural or social,
2) "processing" means an operation or series of operations in which personal data is processed, whether the processing is automatic;
or not, such as collection, registration, classification, system binding, preservation, adaptation or modification, retrieval, inspection,
use, transmission, distribution or other means to make the information available,
connection or synchronization, access restriction, deletion or destruction,
3) "restriction on processing" means the identification of stored personal data with the aim of restricting
their processing in the future,
4) "personalization" means any automatic processing of personal data involving the use of personal data
information to assess certain aspects of an individual's well-being, in particular to identify or predict factors
concerning his job performance, financial status, health, taste, interests, reliability, behavior, location,
sentence or mobility,
5) "use of pseudo-identifiers": when personal data is processed in a way that is no longer possible
trace them to a specific registered person without additional information, provided that such additional
information is kept separate and that technical and organizational measures are applied to
ensure that the personal information cannot be traced to personally identifiable or personally identifiable
poor thing,
6) "registration system" means any systematic collection of personal data that is accessible according to a specific
the criteria, whether centralized, distributed or divided according to use or location,
7) "guarantor" means an individual or legal entity, a public authority, a specialized agency or any other determining body;
alone or in collaboration with others, the purpose and methods of processing personal information; if the purpose and methods
such processing is provided for in Union law or the law of a Member State may specify
guarantor or specific criteria for his nomination in Union law or the law of
state,
(8) "processor" means an individual or legal entity, a public authority, a specialized agency or another person
zone information on behalf of the responsible party,
9) "consignee" means an individual or legal entity, a public authority, a specialized agency or any other entity which receives
personal information, whether or not it is a third party. Public authorities, which may receive personal
information in response to individual inquiries in accordance with Union or Member State law;
shall not, however, be considered recipients; the processing of the data by these public authorities shall be in accordance with
rules on privacy according to the purpose of the processing,

Page 59

Nr. 90

June 27, 2018

10) "third party" means an individual or legal entity, a public authority, a specialized agency or a body other than the data subject;
guarantor, processor and individuals or legal entities that have, under the direct control of the guarantor or
processor, authorization to process personal information,
11) "consent" of a data subject: unenforceable, specific, informed and unequivocal declaration of intent by the data subject that
he consents, by declaration or unequivocal confirmation, to the processing of personal data about himself,
12) "breach of security in the processing of personal data" means a breach of security which results in unintentional or illegal
deletion of personal data sent, stored or otherwise processed, or lost,
changes, will be published or access to them without permission,
13) "genetic information" means personal data relating to hereditary or acquired genetic traits;
individual who provide unique information about the physiology or health of the individual and are obtained in particular
by analysis of a biological sample from the individual concerned,
14) "biometric information" means personal data obtained through special technical processing and related to physical;
physiological or behavioral characteristics of an individual and enable it to be identified or
unequivocally verify the identity of an individual, such as portraits or fingerprint data,
15) "health information" means personal information relating to the physical or mental health of an individual;
including the health services he has received, which provide information on his health,
16) "headquarters" means:
(a) in the case of a guarantor with establishments in more than one Member State, the place where he
has its control over the Union except for decisions on the purpose and methods of processing personal data.
information is taken to another office of the responsible party in the Union and the latter office is
the person empowered to implement such decisions, in which case the establishment,
which has taken such decisions shall be deemed to be the headquarters,
(b) in the case of a processor established in more than one Member State, the place where he has
his senior management in the Union or, if he has no senior management in the Union, an establishment of a processor in
The union where the main processing activities within the framework of the activities of the processing plant's establishment take place
to the extent that the processor is subject to certain obligations under this Regulation,
17) "representative" means an individual or legal entity established in the Union, nominated in writing by the guarantor;
or a processor according to Article 27, which appears as a representative of the responsible party or processor in respect of
their respective obligations under this Regulation,
(18) "enterprise" means any natural or legal person engaged in an economic activity, whatever its form of operation;
is legal, including partnerships or associations that are engaged in regular business activities,
19) "group of companies" means the controlling company and its subsidiaries,
20) "binding corporate rules" means rules on privacy as a guarantor or processor established by
in the territory of a Member State to the transmission or repeated transmission of personal data to
guarantor or processor in one or more third countries within a group of companies or group of
equipment engaged in joint business activities,
21) "supervisory authority" means an independent public authority established by a Member State under Article 51,
(22) "relevant supervisory authority" means a supervisory authority responsible for the processing of personal data because:
(a) the controller or processor is established in the territory of the Member State of that supervisory authority;
(b) registered persons residing in the Member State of that supervisory authority are significantly affected; or
they are likely to be significantly affected by the processing or
(c) a complaint has been lodged with that supervisory authority;
23) "cross-border processing" means either:

Page 60

Nr. 90

June 27, 2018

(a) the processing of personal data carried out in connection with the activities of the responsible parties' establishments; or
processor within the Union in more than one Member State, where the controller or processor has
confirmed in more than one Member State or
b) the processing of personal data carried out in connection with the activities of one of the responsible parties' establishments
or a processor within the Union but has a significant effect or is likely to have a significant effect on the data subject
persons in more than one Member State,
(24) "appropriate and substantiated objection" means an objection to a draft decision as to whether an infringement has been committed;
this Regulation or whether the proposed action in relation to the controller or the processor
which clearly demonstrate the risks involved in the draft decision
fundamental rights and freedoms of registered persons and, where appropriate, the free movement of personal data
within the Union,
(25) "information society service" means a service as defined in paragraph 1 (b); Article 1 of the Directive
European Parliament and Council (EU) 2015/1535 ( 19 ),
(26) "international organization" means an organization and its subordinate bodies governed by international law or any other body which:
is established by or on the basis of an agreement between two or more countries.
II. CHAPTER
Principles
Article 5
Principles for the processing of personal information
1. Personal information shall be:
(a) processed in a lawful, fair and transparent manner vis-à-vis a registered person ('lawfulness,
fairness and transparency "),
(b) obtained for specified, clear and legitimate purposes and not further processed in such a way as to be incompatible
is for that purpose; further processing of personal data for the purpose of archiving in the public interest,
studies in the field of science or history or for statistical purposes shall, in accordance with para. Article 89, no
are considered incompatible with the original purpose ("purpose limitation");
(c) adequate, appropriate and limited to what is necessary for the purpose of the processing
("Data minimization"),
(d) reliable and, if necessary, updated; take all reasonable steps to ensure that
personal information that is unreliable, given the purpose of its processing, will be deleted
or corrected without delay ("reliability"),
(e) kept in such a form that it is not possible to identify registered persons for longer than is necessary;
for the purpose of processing the information; personal information may be stored for a longer period
provided that their processing serves only archiving in the public interest, research in the field
scientific or historical or for statistical purposes, in accordance with paragraph 1. Article 89, and is subject to
that appropriate technical and organizational measures be taken to protect rights and freedoms
the data subject required by this Regulation ("storage restriction"),
(f) processed in such a way as to ensure the appropriate security of personal data, including protection against unauthorized use;
or illegal processing and against accidental destruction, destruction or damage, with appropriate technical
and organizational measures ("integrity and confidentiality").
2. The responsible party shall be responsible for compliance with the provisions of the first paragraph. and can demonstrate it
("Liability").

( 19 ) Directive of the European Parliament and of the Council (EU) 2015/1535 of 9 September 2015 on the arrangements for disseminating information on
technical regulations and rules on services in the information society (OJ L 241, 17.9.2015, p. 1).

Page 61

Nr. 90

June 27, 2018
Article 6
Legality of processing

Processing shall only be considered lawful if and to the extent that at least one of the following matters applies:
(a) a data subject has given his consent to the processing of his personal data for the benefit of one
or more specific goals,
(b) the processing is necessary for the performance of a contract to or by a registered individual
to take measures at the request of the data subject before concluding a contract,
(c) the processing is necessary to fulfill a legal obligation incumbent on the guarantor;
(d) the processing is necessary to protect the vital interests of the data subject or another person;
(e) the processing is necessary for a project carried out in the public interest or for public use;
power exercised by the responsible party,
(f) the processing is necessary for the legitimate interests of the guarantor or a third party other than the
objects or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail,
especially when the data subject is a child.
The provisions of point (f) of the first subparagraph shall not apply to the performance of public authorities' duties.
2. Member States may maintain or implement more specific provisions to adapt the application of rules
of this Regulation as regards processing in accordance with points (c) and (e) of paragraph 1, by
more detailed specific requirements for processing and other measures to ensure legitimate and fair
processing, including other special processing conditions as provided for in IX. chapter.
3. The basis of the processing referred to in paragraph 1 (c) and (e) shall be laid down in:
(a) Union law; or
(b) the law of a Member State to which the controller is subject.
The purpose of the processing shall be determined on the legal basis or, in the case of the processing referred to in
in paragraph 1 (e), be necessary for the implementation of a project carried out in the public interest or
in the exercise of official authority exercised by the responsible party. The legal basis can, among other things, be specific provisions
to adapt the application of the rules of this Regulation, including: general conditions regarding lawful processing
the responsible party, the type of data to be processed, the data subjects concerned, which institutions may
receive the personal information and for what purpose, limitation of purpose, retention period and
processing procedures and procedures, including measures to ensure that processing is carried out lawfully and
in a reasonable manner, such as measures regarding other special processing conditions as provided for in IX. chapter.
The laws of the Union or the laws of a Member State shall serve the interests of the public and be fit for legitimate purposes
aimed at.
4. When processing for purposes other than those behind the collection of personal information is not based on
the consent of the data subject or of the laws of the Union or of the law of a Member State, which are considered necessary and reasonable
a measure in a democratic society to safeguard the objectives mentioned in paragraph 1. Article 23, shall
the controller, in order to ascertain whether the processing for other purposes is compatible with the purpose
was a prerequisite for the collection of personal information at the beginning, including taking into account:
a) any connection between the purpose behind the collection of the personal data and the purpose of
planned further processing,
(b) the context in which the personal data were collected, in particular as regards the relationship between the data subjects
individuals and the guarantor,
c) the nature of the personal information, in particular whether special categories of personal information are processed, cf. Article 9,
or whether personal information relating to criminal convictions and criminal offenses is processed, in accordance
to Article 10,

Page 62

Nr. 90

June 27, 2018

(d) the possible consequences of the planned further processing of the data for data subjects;
(e) whether appropriate safeguards have been put in place, which may include encryption or use;
pseudo-identification.
Article 7
Conditions for approval
1. When processing is based on consent, the controller must be able to demonstrate that the registered person has
agreed to the processing of their personal information.
2. If the data subject consents by a written statement, which also covers other matters,
the request for consent is presented in such a way that it is easily identifiable from the other issues, in a comprehensible and
accessible form and clear and simple language. If any part of such statement constitutes a violation of this
regulation, it shall not be binding.
3. A registered person has the right to withdraw his consent at any time. Withdrawal of consent shall
do not affect the lawfulness of the processing on the basis of the consent until the revocation. The registered person shall
informed of this before giving his consent. It shall be equally easy to withdraw their consent and to
provide it.
4. When assessing whether consent is given voluntarily, the utmost account shall be taken, inter alia, of whether
it is a condition for the implementation of an agreement, e.g. á m. provision of services, that approval is given for processing
personal information that is not necessary for the implementation of the agreement.
Article 8
Conditions that apply to a child's consent in connection with information society services
1. Where point (a) of paragraph 1 Article 6 applies, in relation to when a child is offered services in an information societydirectly, the processing of the child's personal data shall be considered lawful if he or she has reached at least 16 years of age
never. If a child has not reached the age of 16, the processing shall only be considered lawful if, and to the extent that, the custodian
the child gives or authorizes the consent.
Member States may provide in law for a lower age in this respect, but not less than 13 years.
2. The guarantor shall do what can be considered reasonable to verify in such cases that the consent is
given or authorized by the custodian of the child, taking into account the technology available.
3. The provisions of para. do not affect the general contract law of the Member States, such as rules on validity, type or effect
contract in the case of a child.
Article 9
Processing of special categories of personal information
1. The processing of personal data relating to race or ethnic origin, political views,
religion or philosophical belief or trade union participation and the processing of genetic information,
biometric information for the purpose of uniquely identifying an individual, health information
or information concerning a person's sex or sexual orientation.
2. The provisions of para. do not apply if one of the following applies:
(a) the data subject has unequivocally consented to the processing of this personal data for the benefit of
one or more specific objectives unless otherwise provided by Union law or the law of a Member State
that the data subject is not permitted to lift the prohibition referred to in the first paragraph,
(b) the processing is necessary to enable the controller or the data subject to meet its obligations
and exercise certain rights under labor and social security and social security legislation
protection, to the extent that processing is permitted under Union or Member State law, or
a collective agreement under the law of a Member State, which provides for appropriate safeguard measures in
in relation to the fundamental rights and interests of the data subject,

Page 63

Nr. 90

June 27, 2018

(c) the processing is necessary to protect the vital interests of the data subject or of another data subject if the data subject
is physically or legally unable to give its consent,
(d) the processing is carried out, by appropriate safeguard measures, as part of the legitimate activities of the organization, organization;
or another non-profit entity that has political, philosophical, religious or
trade union goals, provided that the processing only extends to members or former members of the party in question
or those who are in regular contact with him in connection with his purpose, in addition to
information is not obtained by third parties without the consent of the data subjects,
e) the processing is related to personal information that the data subject has obviously made public;
(f) the processing is necessary in order to establish, uphold or defend legal claims or in court proceedings;
with its jurisdiction,
(g) the processing is necessary, for reasons of significant public interest, on the basis of Union law;
or the law of a Member State which are to meet the objective pursued, respect the essence of the right to personal
protection and provide for appropriate and specific measures to protect fundamental rights and interests
of the registered,
(h) the processing is necessary for the prevention of diseases or for the purpose of occupational medicine, to
to assess an employee's work ability, diagnose illnesses, provide care or treatment in the field of health or
social services or manage health or social services and systems on the basis of Union law or
of a Member State or under a contract with a healthcare professional and subject to the conditions and
the measures referred to in paragraph 3,
(i) the processing is necessary for reasons of public interest in the field of public health, such as to prevent serious
cross-border health threats or ensure strict quality requirements and
the safety of healthcare and medicinal or medical devices, in accordance with Union law or the
State, which provides for appropriate and specific measures to protect the rights and freedoms of the data subject,
on confidentiality,
(j) processing is necessary for the purpose of archiving in the public interest, scientific research or
history or for statistical purposes in accordance with para. Article 89, on the basis of Union law or
of the law of a Member State which shall meet the objective pursued, respect the essence of the right to privacy
and provide for appropriate and specific measures to protect the fundamental rights and interests of the other
registered.
3. The processing of the personal data referred to in paragraph 1 shall be permitted for the purpose referred to in point (h) of paragraph 2.
mgr. if the information is processed by or under the responsibility of a professional who falls under the duty of confidentiality according to law
Of the Union or the law of a Member State or rules laid down by national competent bodies, or by another party
which is also bound by professional secrecy under Union law or the law of a Member State or the rules which
set by national competent authorities.
4. Member States may maintain or impose additional conditions, including restrictions, taking into account:
processing of genetic information, biochemical information or health information.
Article 10
Processing of personal information concerning criminal convictions and criminal offenses
Processing of personal data relating to criminal convictions and criminal offenses or related security measures
on the basis of the first paragraph. Article 6, shall only be carried out under the supervision of a public authority or when processing is
under the laws of the Union or the law of a Member State which provides for appropriate protection
measures relating to the rights and freedoms of registered persons. A detailed list of criminal convictions shall be kept
under the supervision of a public authority.
Article 11
Processing that does not require identification
1. If the purpose of the controller's processing of personal data does not require it, or does not require it
longer, that the guarantor can personally identify a registered person, the guarantor is not obliged to maintain,

Page 64

Nr. 90

June 27, 2018

obtain or process additional information so that the data subject can be identified for the sole purpose of
comply with the provisions of this Regulation.
2. Where the responsible party, in the cases referred to in paragraph 1, of this Article, may prove that he is not
in a facility to personally identify a registered person, he shall notify the data subject if possible.
In such cases, Articles 15-20 shall apply. gr. only by the registered provider, for the purpose of exercising its rights under
these articles, additional information that allows him to be identified.
III. CHAPTER
The rights of a registered individual
Episode 1
Transparency and further rules
Article 12
Transparency of information, notifications and further rules for a registered individual to exercise his rights
The responsible party shall take appropriate measures to provide the data subject with the information
referred to in Articles 13 and 14. and notifications according to 15. – 22. gr. and Article 34. in connection with the processing of verbatim,
clear, comprehensible and accessible form and clear and simple language, especially in the case of information
addressed specifically to the child. The information shall be provided in writing or otherwise, including, as appropriate
where applicable, in electronic form. If a registered person so requests, the information may be provided orally, provided that
understood that the data subject verifies his identity in another way.
2. The guarantor shall make it easier for a registered person to exercise his rights according to Art. 15. – 22. gr. In those cases,
referred to in paragraph 2 Article 11, the responsible party shall not refuse to comply with the data subject's request to consume
of his right according to 15. – 22. gr. unless the responsible party demonstrates that he is not in a position to confirm identity
on the registered.
3. The controller shall provide the data subject with information on actions taken upon request
according to 15. – 22. Art., without undue delay and in any case within one month of receipt of the request. Extend
the deadline may be an additional two months if necessary, taking into account the number of requests and the complexity of the requests
are. The responsible party shall notify the data subject of such extensions within one month of receipt of the request,
together with the reasons for the delay. If the data subject submits the request electronically, the information shall be provided
electronically where possible unless the data subject requests otherwise.
4. If the responsible party does not comply with the request of a registered person, he shall notify him, without delay and at the latest
within one month of receipt of the request, the reasons why it was not done and the possibility
should lodge a complaint with the supervisory authority and seek legal redress.
5. Information provided pursuant to Art. Articles 13 and 14, and any notifications and actions taken
to acc. 15. – 22. gr. and Article 34, shall be free of charge. If requests from a registered person are obvious
unreasonable or excessive, in particular due to repetition, the guarantor may do either:
(a) set up a reasonable fee for the administrative costs of providing the information or notifications;
or the actions requested or
(b) refuse to comply with the request.
It shall be the responsibility of the person responsible to demonstrate that the request is unreasonable or excessive.
6. Without prejudice to Article 11 the responsible party may request that the necessary additional information be provided
to confirm the identity of the data subject, he considers that there is considerable doubt as to the identity of the person making the submission
submit the request referred to in Articles 15-21. gr.
7. Standard symbols may be included in the information to be provided to registered persons pursuant to Art.
Articles 13 and 14, to provide a meaningful overview of the planned processing of visible, understandable and easy-to-read
legan way. The icons must be in a computer-readable format when presented electronically.

Page 65

Nr. 90

June 27, 2018

8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92. to
to determine what information can be presented with icons and the methods of presenting standard
icons.
Episode 2
Information and access to personal information
Article 13
Information to be provided when collecting personal information from a registered person
1. When personal information is obtained from a registered person about himself, the responsible party shall:
collection of personal information, inform the data subject of all the following:
(a) the name and contact details of the guarantor and, where applicable, his representative;
(b) the contact details of the Privacy Officer, if applicable;
(c) the purpose of the proposed processing of the personal data and its legal basis;
(d) where the processing is based on paragraph 1 (f). Article 6, what legitimate interests are there as a guarantor or
third party may,
(e) the recipients or groups of recipients of the personal data, if any;
(f) where applicable, the controller intends to disclose personal data to a third country or international organization
and whether the Commission's decision on the adequacy of protection is available or, where appropriate
dissemination referred to in Article 46 or 47 or in the second subparagraph of paragraph 1. Article 49, reference to the relevant or
appropriate safeguard measures and ways to obtain a copy of them or information on where they have been taken
accessible.
2. In addition to the information referred to in paragraph 1, the controller shall, at the time when
the personal information is collected, provide the data subject with the following additional information that is necessary
to ensure fair and transparent processing:
(a) how long the personal data will be stored or, if this is not possible, the criteria that
used to determine it,
b) that there is a right to request from the responsible party access to personal data, let
correct them, delete them or restrict their processing in respect of the data subject or to object to processing,
in addition to the right to transfer own data,
(c) where the processing is based on paragraph 1 (a). Article 6 or paragraph 2 (a). Article 9, that there is a right to withdraw
its consent back at any time, without prejudice to the legitimacy of the processing on the basis
of the agreement until the revocation,
(d) the right to lodge a complaint with the supervisory authority;
e) whether the provision of personal data is a requirement under law or under a contract or a requirement that
is a precondition for being able to enter into a contract and also whether a registered person is obliged to leave
the personal information provided and the possible consequences if he does not provide the information,
(f) whether automatic decision-making, including the format of personalities referred to in paragraphs 1 and 4, is carried out. Article 22,
and, at least in those cases, significant information about the arguments behind it and also the significance
and the intended consequences of such processing for the data subject.
3. If the controller intends to process the personal information for purposes other than those behind it
their collection, he shall provide the data subject with information on this new purpose before further processing
begins, together with other relevant additional information as provided for in paragraph 2.
4. The provisions of paragraphs 1, 2 and 3 do not apply if and to the extent that the data subject has already become aware of
these things.

Page 66

Nr. 90

June 27, 2018
Article 14

Information to be provided when personal information has not been obtained from a registered person
1. If personal data have not been obtained from a registered person, the responsible party shall inform him of the
going to:
(a) the name and contact details of the guarantor and, where applicable, his representative;
(b) the contact details of the Privacy Officer, if applicable;
(c) the purpose of the proposed processing of the personal data and its legal basis;
d) categories of relevant personal information,
(e) the recipients or groups of recipients of the personal data, if any;
(f) where applicable, the controller intends to disclose personal data to a recipient in a third country or internationally;
institution and whether the Commission's decision on the adequacy of protection is available
or not or, in the case of transmission referred to in Article 46 or 47. or in the second subparagraph of paragraph 1. Article 49,
reference to appropriate or appropriate safeguard measures and ways to obtain a copy of them or information on
where they have been made accessible.
2. In addition to the information referred to in paragraph 1, the controller shall provide a registered person:
the following information necessary to ensure fair and transparent processing to others
registered:
(a) how long the personal data will be stored or, if this is not possible, the criteria used;
there are others to decide,
(b) where the processing is based on paragraph 1 (f). Article 6, what legitimate interests are there as a guarantor or
third party may,
c) that there is a right to request from the responsible party access to personal data, let
correct them, delete them or restrict their processing in respect of the data subject and to object to processing,
in addition to the right to transfer own data,
(d) where the processing is based on paragraph 1 (a). Article 6 or paragraph 2 (a). Article 9, that there is a right to withdraw
withdraw their consent at any time, without prejudice to the lawfulness of the processing on the basis of
of the thickness until the withdrawal,
(e) the right to lodge a complaint with the supervisory authority;
(f) the source of the personal data and, if applicable, whether the information was
accessible to the public,
(g) whether automatic decision-making takes place, including the type of personalization referred to in paragraphs 1 and 4. Article 22 and,
at least in those cases, significant information about the arguments behind it and also the significance and
the intended consequences of such processing for the data subject.
3. The controller shall provide the information referred to in paragraphs 1 and 2:
(a) within a reasonable time after receiving the personal data, but at the latest one month later, and having
taking into account the special circumstances that apply to the processing of personal data,
(b) if the personal data are to be used for communication with a registered person, at the latest at the earliest opportunity
contact him or
(c) if it is intended to hand over the personal data to another recipient, at the latest when this is done
for the first time.
4. If the responsible party intends to process the personal information for purposes other than those for which it was collected
he shall provide the data subject with information on this new purpose before the further processing begins, together with
other relevant additional information as provided for in paragraph 2.

Page 67

Nr. 90

June 27, 2018

5. Provisions 1–4. mgr. do not apply if and to the extent that:
(a) the data subject has already received the information;
(b) such information cannot be provided or is disproportionate, in particular in the case of
processing for archiving in the public interest, research in the field of science or history or in
for statistical purposes, without prejudice to the conditions and safeguard measures referred to in paragraph 1. 89.
or, to the extent that it is probable that the obligation referred to in para. of this Article, make it impossiblesignificantly impedes the achievement of the objectives of such processing. In such cases, the guarantor shall do
appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, including by:
make the information available to the public,
(c) the collection or dissemination of the information is clearly laid down in the law of the Union or the law of a Member State which
the guarantor is responsible for and which provides for appropriate measures to protect the legitimate interests of the
registered or
(d) where personal data are kept confidential on the basis of professional secrecy in accordance with Union law
or the law of a Member State, including the statutory duty of confidentiality.
Article 15
The right of a registered person to access
A registered person shall have the right to receive confirmation from the responsible party as to whether the personal
information concerning him and, if so, the right to access the personal information and to the information
on the following points:
a) the purpose of the processing,
(b) the relevant categories of personal data;
(c) recipients or categories of recipients who have received or will receive the personal data, in particular
recipients in third countries or international organizations,
(d) if possible, how long the personal data are intended to be kept or, if this is not possible
possible, the criteria used to determine it,
e) that there is a right to request the responsible party to have personal information corrected, deleted
them or restrict their processing in respect of the data subject or to oppose such processing,
(f) the right to lodge a complaint with the supervisory authority;
(g) if the personal data are not obtained from the data subject, all available source information
their,
(h) whether automatic decision-making takes place, including the type-profile referred to in paragraphs 1 and 4. Article 22 and,
at least in those cases, significant information about the arguments behind it and also the significance and
the intended consequences of such processing for the data subject.
2. When personal data are transmitted to a third country or an international organization, the data subject shall own
the right to receive information on appropriate protection measures pursuant to Art. Article 46 in connection with the dissemination.
3. The responsible party shall provide a copy of the personal information that is being processed. He may
charge a reasonable fee, based on administrative costs, if the registered person requests more copies. Leggi
the registered request is submitted electronically, the information shall be provided in a commonly used electronic format
unless he requests otherwise.
4. The right to obtain a copy referred to in paragraph 3 shall not prejudice the rights and freedoms of others.

Page 68

Nr. 90

June 27, 2018
Episode 3
Correction and deletion
Article 16
Right to correction

A registered individual has the right to receive unreliable personal information concerning himself / herself corrected by him / her
guarantor without undue delay. Taking into account the purpose of the processing, the data subject shall have the right
to have incomplete personal information completed, including by submitting an additional statement.
Article 17
Right to destruction ("right to be forgotten")
1. A registered person shall have the right to have the personal data deleted by the controller without him
undue delay and the responsible party shall be obliged to delete the personal information without undue delay
if one of the following reasons applies:
(a) the personal data are no longer necessary for the purposes for which they were collected; or
their other processing,
b) the data subject withdraws the consent on which the processing is based according to Art. point a of the first paragraph. Article 6 or paragraph 2 (a).
Article 9 and there is no other legal basis for the processing,
c) the data subject objects to the processing according to Art. Paragraph 1 Article 21 and there are no legitimate reasons for this
the processing that goes ahead or he opposes the processing according to Paragraph 2 Article 21
d) the processing of personal data was illegal,
e) the personal data must be deleted in order to fulfill the legal obligation imposed on the responsible party by law
Of the Union or the law of a Member State,
(f) the personal data were collected in connection with the provision of services in the information society referred to
in the first paragraph Article 8
2. If the responsible party has made personal information public and is obliged to do so in accordance with Art. Paragraph 1 to eradicate them
he shall, taking into account the available technology and the cost of the implementation, take reasonable steps,
including technical measures, to inform the controller of the personal data that the other
the registrant has requested that such guarantors delete any links to or copies or copies thereof
personal information.
3. The provisions of paragraphs 1 and 2 do not apply to the extent that processing is necessary:
(a) to exercise the right to freedom of expression and information;
b) to fulfill the legal obligation for processing which rests with the responsible party under Union law or
the law of a Member State and requires the processing of personal data or for a project being carried out
in the public interest or in the exercise of official authority exercised by the responsible party,
(c) in the public interest in the field of public health in accordance with points (h) and (i) of paragraph 2; Article 9 and the third paragraph.
Article 9,
(d) for the purpose of archiving in the public interest, research in the field of science or history or in statistics
purposes in accordance with the first paragraph. Article 89, to the extent that it is probable that the right referred to in Article 1
paragraph, makes it impossible or significantly impedes the achievement of the objectives of that processing or
e) to establish, maintain or defend legal claims.

Page 69

Nr. 90

June 27, 2018
Article 18
Right to limit processing

A registered person shall have the right to have the controller restrict processing once one of the following
applies:
(a) the data subject disputes that personal information is correct, until the controller has been given the opportunity
to confirm that they are correct,
b) the processing is illegal and the data subject objects to the deletion of personal data and requests
their limited use instead,
(c) the controller no longer needs to keep the personal data for the processing than the registered individualneeds them to establish, uphold or defend legal claims,

d) the registered person has objected to the processing according to Art. Paragraph 1 Article 21 while awaiting verification
whether the interests of the guarantor take precedence over the legitimate interests of the data subject.
2. When processing has been limited according to Article 1 shall only process such personal information,
with the exception of a party, with the consent of the data subject or to establish, maintain or defend legal claims or to
protect the rights of another person or legal entity or by invoking the Union's overriding public interest
or a Member State.
3. The responsible party shall notify a registered person who has obtained a restriction on processing pursuant to Art. 1.
paragraph, before the restriction on processing is lifted.
Article 19
Obligation to notify regarding correction or deletion of personal data or restriction of processing
The responsible party shall notify each recipient who has received personal information of each
any correction or deletion of personal data or restriction of processing which takes place in accordance with 16.
gr., 17. gr. (Paragraph 1) and Article 18, unless this is not possible or involves excessive effort. The guarantor shall
notify the data subject of these recipients if he so requests.
Article 20
Right to transfer own data
A registered person shall have the right to receive personal information concerning himself that he has provided
responsible provider, in an organized, common, computer-readable format and have the right to send this information to
another guarantor without the guarantor to whom the personal information was provided obstructing it if:
a) the processing is based on approval according to Art. point a of the first paragraph. Article 6 or paragraph 2 (a). Article 9 or an agreement according to Art. point b 1.
mgr. Article 6 and
b) the processing is automatic.
When the registered person exercises his right to transfer his own data according to Art. Paragraph 1 he shall own
the right to have the personal information sent directly from one controller to another if it is technical
feasible.
3. The exercise of the right referred to in paragraph 1 of this Article, shall not affect Article 17. That right shall
does not apply to processing that is necessary for a project that is carried out in the public interest or with
the exercise of official authority exercised by the responsible party.
4. The right referred to in paragraph 1 shall not prejudice the rights and freedoms of others.

Page 70

Nr. 90

June 27, 2018
Episode 4
Right to object and automatic individual decision-making
Article 21
Right to object

1. A registered person shall have the right to object at any time, due to his special circumstances, processing
personal information concerning himself and which is based on e- or f-point of the first paragraph. Article 6, including the creation of a personal profile
on the basis of these provisions. The responsible party shall not process the personal information further unless he can show it
provide important legitimate reasons for the processing that take precedence over the interests, rights and freedoms of the other
registered or by creating, maintaining or defending legal claims.
2. When personal information is processed for the purpose of direct marketing, the data subject shall at any time
who has the right to object to the processing of personal data concerning him or herself as a result of such marketing
including the creation of a personal profile to the extent that it relates to such direct marketing.
3. If the data subject objects to processing in favor of direct marketing, the personal data shall not be processed
rather for such a purpose.
4. At the latest when the data subject is first contacted, he shall be specifically informed of the rights
referred to in paragraphs 1 and 2, and shall be clearly stated and distinguished from other information.
5. With reference to the use of information society services and notwithstanding Directive 2002/58 / EC,
the data subject may exercise his right to object electronically using technical specifications.
6. When personal information is processed for the benefit of research in the field of science or history or in statistics
purpose in accordance with the first paragraph. Article 89 the data subject shall have the right, due to his special circumstances, to object
the processing of personal data concerning him / herself unless the processing is necessary for a project being carried out
in the public interest.
Article 22
Automated individual decision-making, including personalization
A registered person shall have the right not to make a decision solely on the basis of an automatic
data processing, including the creation of a personal profile, which has a legal effect on or concerns him / herself
in a comparable way to a significant extent.
2. The provisions of para. do not apply if the decision:
(a) is a precondition for the conclusion or performance of an agreement between the data subject and the guarantor;
(b) is authorized by the laws of the Union or by the law of a Member State to which the guarantor belongs and where
it also provides for appropriate measures to protect the rights and freedoms and legitimate interests of the
registered or
c) is based on the unequivocal consent of the data subject.
3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall take appropriate measures.
to protect the rights and freedoms and legitimate interests of the data subject, at least the right to human intervention by
on the part of the guarantor, to express his opinion and to challenge the decision.
4. Decisions referred to in paragraph 2 shall not be based on specific categories of personal data;
referred to in the first paragraph. Article 9, except for item a or g of the second paragraph. Article 9 appropriate and available, appropriate measures
to protect the rights and freedoms and legitimate interests of the data subject.

Page 71

Nr. 90

June 27, 2018
Episode 5
Limitations
Article 23
Limitations

1. The federal law or the law of a Member State to which the data controller or processor belongs is:
may, by legislative measure, limit the scope of the obligations and rights referred to in Articles 12 to 22. gr.
and in Article 34, and also in Article 5. to the extent that its provisions correspond to the rights and obligations provided for
is on in 12. – 22. Art., if such a restriction respects the nature of fundamental rights and human freedoms and is considered necessary and
moderate measure in a democratic society with regard to:
(a) national security;
b) land defense,
(c) public security;
(d) to prevent, investigate, prosecute or prosecute criminal offenses or to satisfy criminal offenses;
sanctions, including protecting against and preventing public security threats,
(e) other important objectives that serve the public interest of the Union or a Member State, in particular:
important economic or financial interests of the Union or a Member State, including the
pennies, budget and taxation, public health and social security,
(f) to defend the independence of the judiciary and the administration of justice;
(g) prevention, investigation, disclosure and prosecution for breaches of the Code of Ethics for
branch,
(h) supervisory, inspection or regulatory activities related to the application, even if only occasionally, of application;
public authority in the cases referred to in points (a) to (e) and (g);
(i) the protection of a registered person or the rights and freedoms of others;
(j) compliance with private law requirements.
2. The legislative measure referred to in paragraph 1 shall contain, in particular, at least specific provisions, if applicable, concerning:
(a) the purpose of the processing or the types of processing;
b) types of personal information,
(c) the scope of the restrictions imposed;
(d) safeguards to prevent abuse or unlawful access or disclosure;
(e) the specification of the guarantor or categories of guarantors;
(f) retention periods and appropriate safeguards with regard to the nature, scope and purpose of processing;
or types of processing,
(g) risks to the rights and freedoms of registered persons; and
(h) the right of data subjects to obtain information about the restriction unless it may prejudice its purpose.

Page 72

Nr. 90

June 27, 2018
IV. CHAPTER
Responsible party and processor
Episode 1
General obligations
Article 24
Responsibility of the guarantor

1. In view of the nature, scope, context and purpose of the processing and the risks, different and less serious,
for the rights and freedoms of individuals, the responsible party shall take appropriate technical and organizational
arrangements to ensure and demonstrate that processing is carried out in accordance with this Regulation. The measures shall
review and update if necessary.
2. Where it is proportionate in relation to the processing activities, the measures referred to in
in the first paragraph, including that the responsible party implements appropriate privacy policies.
3. If the adopted rules of conduct are followed, as referred to in Article 40, or the approved certification scheme,
as referred to in Article 42, it may be used to demonstrate that the guarantor is fulfilling its obligations.
Article 25
Built-in and default privacy
1. Taking into account the latest technology, the cost of implementation and the nature, scope, context and purpose of processing
processed and risks, of different and varying degrees, for the rights and freedoms of individuals, the responsible party, both
when certain methods of processing and when the processing itself takes place, make the appropriate technical and
organizational measures, such as the use of pseudo-identifiers, designed to enforce the principles of
privacy, such as data minimization, effectively and incorporating the necessary safeguards into
processing to meet the requirements of this Regulation and to protect the rights of registered persons.
2. The guarantor shall take the appropriate technical and organizational measures to ensure that the default
is that only the personal information that is necessary for the purpose of each processing is processed
sinni. This obligation applies to the amount of personal information collected, the extent to which it is processed
them, how long they are kept and access to them. In particular, such measures shall ensure that
it goes without saying that personal information will not be made available to an unlimited number of people without
the person in question.
3. An approved certification arrangement may be used, cf. Article 42, to demonstrate that the requirements of paragraphs 1 and 2 of this
articles are met.
Article 26
Joint guarantors
1. If two or more guarantors determine the common purpose of the process and its methods, they shall:
are considered to be joint guarantors. They shall, in a transparent manner, determine their respective responsibilities
obligations under this Regulation are fulfilled, in particular as regards the exercise of the rights of data subjects
and the obligations of each to provide the information referred to in Articles 13 and 14, by agreement
between students and to the extent that the responsibility of each responsible party is determined by Union law or
the law of a Member State to which the guarantors are subject. In the agreement, a contact person can be nominated for the registered person
individuals.
2. The agreement referred to in paragraph 1 shall adequately reflect the role and relationship
of each of the joint guarantors vis-à-vis registered individuals. The main content of the agreement shall
made accessible to a registered person.
3. Notwithstanding the terms of the Agreement referred to in paragraph 1, a registered person may exercise his rights
in accordance with this Regulation in respect of and vis-à-vis each responsible party.

Page 73

Nr. 90

June 27, 2018
Article 27
Representatives of guarantors or processors who are not established in the Union

1. When the second paragraph. Article 3 where appropriate, the guarantor or processor shall appoint its written representative within
Union.
2. The obligation laid down in paragraph 1 shall not apply to:
(a) processing from time to time does not involve the extensive handling of specific categories of information;
as referred to in the first paragraph. Article 9, or the processing of personal data in connection with convictions in criminal cases
and criminal offenses referred to in Article 10 which are not likely to give rise to a risk in respect of
the rights and freedoms of individuals, taking into account the nature, context, scope and purpose of the processing or
(b) a public authority or institution.
3. The representative shall be established in one of the Member States of the data subjects as personal data
are processed in connection with offers to them of products or services or which are monitored for behavior.
4. The representative shall have the authority of the guarantor or processor to be the person who in particular
supervisory authorities and registered persons may turn to, in addition to or instead of the responsible party or
the processor, with all the issues related to the processing, in order to ensure compliance with this
type.
5. The appointment of a representative by a guarantor or processor does not affect legal proceedings that may be instituted.
against the guarantor or the processor himself.
Article 28
Processor
1. When others are entrusted with processing on behalf of the controller, the controller shall only seek processing
providing adequate assurance that they will take appropriate technical and organizational measures to
that the processing meets the requirements of this Regulation and that the protection of the data subject's rights is ensured.
2. A processor shall not hire another processor unless he has specific or general written permission to do so
guarantor. In the case of a general written authorization, the processor shall notify the responsible party
for all proposed changes that involve adding processors or replacing them and issuing them as such
the guarantor an opportunity to oppose such changes.
3. Processing by the processor shall be subject to a contract or other legal procedure under Union law
or the law of a Member State which obliges the processor to the controller and where specified
the subject and duration of the processing, the nature and purpose of the processing, the type of personal information and the categories of the registered
individuals and the responsibilities and rights of the guarantor. A contract or other legal act shall in particular prescribe
that the processor:
a) only process the personal data in accordance with the documented instructions of the responsible party, incl
concerning the transfer of personal data to a third country or an international organization, unless obliged to do so
under the laws of the Union or the law of a Member State to which the processor belongs; in that case,
the processor informs the responsible party of that legal condition before processing begins unless the law prohibits such
disclosure of information in the public interest,
(b) ensure that parties authorized to process personal data have entered into a confidentiality obligation; or
is subject to the relevant statutory confidentiality obligation,
c) take all measures required under Art. Article 32,
(d) respect the conditions of paragraphs 2 and 4. regarding the employment of another processor,
(e) assistance, taking into account the nature of the processing, the responsible party with the appropriate technical and organizational
take measures, as far as possible, to fulfill their obligation to respond to requests for
registered persons may exercise their rights laid down in Article III. chapter,

Page 74

Nr. 90

June 27, 2018

f) the guarantor's assistance in ensuring that obligations according to Art. 32. – 36. gr. are met, taking into account the nature
the processing and information to which the processor has access,
g) delete or return, at the choice of the guarantor, all personal information to the guarantor after granting
of the service, which is related to the processing, completes and deletes all copies unless required by law
of the Union or the law of a Member State that personal data are stored,
(h) make available to the guarantor all the information necessary to demonstrate that the
the provisions laid down in this Article are complied with, provide for the possibility of audits, including
by the guarantor or another auditor on his behalf, and contribute
to them.
For the purposes of point (h) of the first subparagraph, the processor shall immediately notify the controller of any instructions
violate, in his opinion, a violation of this Regulation or other provisions of the Union or a Member State concerning
protection.
4. A processor shall employ another processor to carry out certain processing activities on behalf of the
the parties have the same obligations regarding personal protection as are set out in the agreement or other legal proceedings
between the guarantor and the processor, as referred to in paragraph 3, to that processor by contract or other
proceedings under Union or Member State law, in particular where adequate
that appropriate technical and organizational measures are taken to ensure that the processing complies with
requirements of this Regulation. If this additional processor does not fulfill its privacy obligations,
the main processor continues to be fully responsible to the controller for ensuring that the other processor
their obligations.
5. Does the processor comply with the agreed rules of conduct, as referred to in Article 40, or with the approved certification
arrangements, as referred to in Article 42, may be used to demonstrate adequate collateral as referred to in
in the first and fourth paragraphs. of this Article.
6. Without prejudice to an individual contract between the guarantor and the processor, the contract may
or other legal proceedings referred to in paragraphs 3 and 4. of this Article, have been built, in whole or in part,
on fixed contractual provisions referred to in paragraphs 7 and 8. of this Article, including when they are part of a certification
which is provided to the guarantor or processor according to Art. Articles 42 and 43
7. The Commission may lay down fixed contractual provisions for the matters referred to in paragraphs 3 and 4.
of this Article and in accordance with the investigative procedure referred to in paragraph 2. Article 93
8. The supervisory authority may adopt permanent contractual provisions on the matters referred to in paragraphs 3 and 4. of this
and in accordance with the coordination system referred to in Article 63.
9. The contract or any other legal act referred to in paragraphs 3 and 4 shall be in writing, including by electronic means.
formi.
10. Without prejudice to Articles 82, 83 and 84 shall be processed by a processor who violates this Regulation when he
determines the purpose and methods of the processing, are considered to be responsible for that processing.
Article 29
Processing on behalf of the guarantor or processor
Processor and any party acting on behalf of a guarantor or processor and having access to
zone information, this information shall only be processed if there is an instruction from the responsible party except him
it is obligatory under Union law or the law of a Member State.
Article 30
Records of processing activities
1. Each controller and, as the case may be, a representative of the controller shall keep a record of the processing activities
takes place under his responsibility. The list shall include all the following information:

Page 75

Nr. 90

June 27, 2018

(a) the name and contact details of the guarantor and, as the case may be, the joint guarantor, representative;
guarantor and privacy officer,
b) the purpose of the processing,
(c) a description of the categories of registered persons and categories of personal data;
d) categories of recipients who have received or will receive the personal information, including recipients in the third
countries or international organizations,
(e) where applicable, the transfer of personal data to a third country or international organization, including any third country or
is an international organization, and, in the case of dissemination referred to in the second subparagraph of paragraph 1, Article 49,
data on appropriate protection measures,
(f) if possible, the proposed deadlines for the deletion of different categories of data;
(g) where possible, a general description of the technical and organizational security measures referred to in
Paragraph 1 Article 32
2. Each processor and, as the case may be, a representative of the processor shall keep a record of all categories of processors.
activities carried out on behalf of the responsible party, which shall include:
(a) the name and contact details of one or more processors and each responsible party as the processor;
works on behalf of and, as the case may be, a representative of the guarantor or processor and the privacy representative,
(b) categories of processing carried out on behalf of each controller;
(c) where applicable, the transfer of personal data to a third country or international organization, including any third country or
is an international organization, and, in the case of dissemination referred to in the second subparagraph of paragraph 1, Article 49,
data on appropriate protection measures,
(d) where possible, a general description of the technical and organizational security measures referred to in
Paragraph 1 Article 32
3. The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.
4. The guarantor or processor and, as the case may be, the representative of the guarantor or processor shall:
the file accessible to the supervisory authority at its request.
5. The obligations referred to in paragraphs 1 and 2 shall not apply to an undertaking or institution having fewer
but 250 employees unless the processing carried out there is likely to give rise to a risk to rights and
freedom of registered persons, the processing is not incidental or covers specific categories of information, such as
referred to in the first paragraph. Article 9, or personal information concerning convictions in criminal cases and criminal offenses referred to
in Article 10.
Article 31
Cooperation with the supervisory authority
The guarantor and the processor and, as the case may be, their representatives shall, upon request, co-operate with
the supervisory authority in the execution of its tasks.
Episode 2
Security of personal information
Article 32
Processing safety
1. Taking into account the latest technology, the cost of implementation and the nature, scope, context and purpose of processing
and risks, of different and lesser extent, for the rights and freedoms of individuals, the responsible party and
the operator shall take the appropriate technical and organizational measures to ensure adequate safety
with the risk, including as applicable:

Page 76

Nr. 90

June 27, 2018

a) use pseudo-identity and encrypted personal information;
(b) be able to ensure lasting confidentiality, continuity, availability and the load-bearing capacity of processing systems and services;
c) be able to make personal information available and recover access to it in a timely manner if material or
technical event occurs,
(d) establish a process for testing and regularly evaluating the effectiveness of technical and organizational measures to:
ensure the safety of processing.
2. When assessing adequate safety, particular consideration shall be given to the risks involved in the processing.
in particular with regard to the unintentional or unlawful deletion of personal data transmitted
or otherwise processed, or lost, altered, published or unauthorized access to them.
3. If the adopted rules of conduct are followed, as referred to in Article 40, or the approved certification scheme,
as referred to in Article 42, it may be used to demonstrate that the requirements of paragraph 1 of this Article are fulfilled.
4. The controller and processor shall take steps to ensure that each person working
on behalf of the responsible party or processor and has access to personal information, processes this information
only if the instructions of the guarantor are available, unless he is obliged to do so in accordance with Union law
or the law of a Member State.
Article 33
Notification to the supervisory authority of a security breach in the processing of personal data
1. In the event of a security breach in the processing of personal data, the responsible party shall, without undue delay,
and, if possible, no later than 72 hours. after he becomes the failure was, notify the supervisory authority, which
is legally liable according to Article 55, unless it is considered unlikely that the failure will lead to a risk to rights and freedoms
individuals. If the supervisory authority is not notified of the failure within 72 hours. the reasons for the delay shall follow
the announcement.
2. The processor shall notify the guarantor without undue delay if he encounters a security breach.
failure to process personal information.
3. The notification referred to in paragraph 1 shall include at least:
(a) describe the nature of the security breach in the processing of personal data, including, if possible, the categories and estimates;
the number of registered persons concerned and the categories and estimated number of personal data files
in question,
(b) provide the name and contact details of the Privacy Officer or other contact person where possible
get more information,
(c) describe the probable consequences of a breach of security in the processing of personal data;
d) describe the measures that the responsible party has taken or intends to take due to a lack of security
processing of personal data, including, where appropriate, measures to mitigate potential adverse effects
hans.
4. If, and to the extent that, it is not possible to provide the information at the same time, it may be provided
in stages without undue delay.
5. The responsible party shall record any breach of security in the processing of personal data and specify the case
incidents in connection with the failure in question, its effects and remedial action taken. This registration shall
enable the supervisory authority to verify compliance with the provisions of this Article.
Article 34
Registered individual notified of security breaches in the processing of personal data
1. If a security breach in the processing of personal data is likely to result in a significant risk to rights and
freedom of persons, the responsible party shall notify the registered person of the breach without undue delay.

Page 77

Nr. 90

June 27, 2018

2. In the notification to the data subject referred to in paragraph 1 of this Article, shall be described in a clear and simple manner
the nature of the security breach in the processing of personal data shall be relevant and shall at least contain that information and
the letters referred to in points (b), (c) and (d) of paragraph 3. Article 33
3. A registered person shall not be required to be notified if any of the following conditions are met:
(a) the responsible party has taken appropriate technical and organizational protective measures and these measures
were made regarding the personal information as a security breach in the processing of personal information
affected, in particular measures to make personal information unreadable to anyone who does not have
access to them, such as encryption,
(b) the guarantor has subsequently taken steps to ensure that the same amount of return is unlikely;
risk to the rights and freedoms of registered persons referred to in paragraph 1,
(c) it would be disproportionate. In that case, a general notice or
take a similar measure where the data subject is notified in an equally effective manner.
4. If the responsible party has not already notified the data subject of a security breach in the processing of personal data, it may
the supervisory authority, after assessing the likelihood that the failure will give rise to a high risk, either required
that he does so or decides that any of the conditions referred to in paragraph 3 are met.
Episode 3
Impact assessment on privacy and prior consultation
Article 35
Impact assessment of privacy
1. If a particular type of processing is likely to involve a significant risk to the rights and freedoms of individuals,
linga, in particular where new technology is used and taking into account the nature, scope, context and purpose of the processing,
the controller shall have an assessment made of the impact of the proposed processing operations on the protection of personal data;
before processing begins. One and the same assessment can cover several similar processing operations that may result
with similar risk factors.
2. The controller shall seek the advice of a data protection officer, if such a representative has been nominated, when
performs an impact assessment on privacy.
3. In particular, an assessment of the impact on privacy referred to in paragraph 1 shall be made when:
in the case of:
(a) a systematic and comprehensive assessment of personal data relating to individuals, based on:
automatic processing, including the creation of a personal profile, which results in decisions having legal effect for
the individual or touch him significantly in a similar way,
(b) the extensive processing of specific categories of information referred to in paragraph 1; Article 9 or personal information
concerning criminal convictions and criminal offenses referred to in Article 10. or
(c) systematic and comprehensive monitoring of publicly accessible areas.
4. The supervisory authority shall establish and publish a list of the types of processing operations for which an assessment is required.
on the effect on privacy according to Paragraph 1 The supervisory authority shall send to the Privacy Council referred to in Article 68.
Art., these files.
5. The supervisory authority may also establish and publish a list of the types of processing operations where:
an impact assessment on privacy is not required. The supervisory authority shall send these to the Privacy Council
files.
6. If the records referred to in paragraphs 4 and 5 describe processing activities relating to the offering of
about individuals' products or services or monitor their conduct in more than one Member State or which
could have a significant effect on the free movement of personal data within the Union, the competent supervisory authority
apply the harmonization system referred to in Article 63 before the adoption of these files.

Page 78

Nr. 90

June 27, 2018

7. When this information is published, at least the following must be stated:
(a) a systematic description of the proposed processing operations and the purpose of the processing, including, as appropriate;
on, the legitimate interests of the guarantor,
(b) an assessment of whether the processing operations are necessary and proportionate in relation to their purpose;
(c) an assessment of the risks to the rights and freedoms of registered persons referred to in paragraph 1. and
(d) measures planned to be taken against such risks, including safeguards and precautionary measures;
and arrangements for ensuring the protection of personal data and demonstrating compliance with this Regulation;
taking into account the rights and legitimate interests of registered individuals and other individuals involved
eiga.
8. Due account shall be taken of whether the guarantors or processors concerned comply with the
on the rules of conduct referred to in Article 40, when the effects of the processing operations of those responsible or processors
are assessed, in particular as regards the assessment of the impact on privacy.
9. Where appropriate, the responsible party shall seek the opinion of registered persons or their representatives on the proposed processing;
without prejudice to the protection of commercial or public interests or the security of processing operations.
10. If processing according to c or e of the first paragraph. Article 6 has a legal basis in the law of the Union or the law of a Member State,
under the responsibility of the responsible party, and the law applies to the specific processing operation or operations in question
discussion and assessment of the impact on privacy has already taken place, as part of the general impact assessment in connection with
approval of that legal basis, 1. – 7. mgr. not unless the Member States consider it necessary to make such an assessment
before the commencement of processing operations.
11. If necessary, the controller shall have an audit carried out to assess whether the processing is taking place
in accordance with the assessment of the impact on privacy, at least when there is a change in the risks involved
the processing operations.
Article 36
Advance consultation
If the assessment of the impact on personal protection according to Art. Article 35 indicates that the processing would involve a great deal of risk
unless the guarantor takes measures to reduce it, the guarantor shall consult
the supervisory authority before processing begins.
2. If the supervisory authority considers that the proposed processing referred to in paragraph 1 would be in breach of this Regulation,
in particular if the responsible party has not adequately identified or reduced the risk, the
authority, within eight weeks of receiving the request for consultation, provide the guarantor and, where appropriate,
party written advice and may use for this purpose all its powers referred to in Article 58. It can be extended
the deadline of six weeks, depending on the complexity of the proposed processing. The supervisory authority shall notify
the guarantor and, as the case may be, the processor for such extensions within one month of receiving the request for
consultation, together with the reasons for the delay. These time limits may be extended until they have been received by the supervisory authority
information it requests for the consultation.
3. When the responsible party consults with the supervisory authority according to Art. Paragraph 1 he shall give it:
(a) where appropriate, the responsibilities of the guarantor, joint guarantor and processor involved;
the processing, individually, in particular in the case of intra-group processing,
(b) the purpose of the proposed operation and its methods;
(c) measures and safeguard measures taken to protect the rights and freedoms of registered persons
under this Regulation,
(d) where applicable, the contact details of the Privacy Officer;
(e) the impact assessment on privacy provided for in Article 35. and
(f) any other information requested by the supervisory authority.

Page 79

Nr. 90

June 27, 2018

4. Member States shall consult the regulatory authority when preparing a legislative proposal, which:
related to processing and the National Assembly shall approve, or a government measure based on such a legislative measure.
5. Notwithstanding the first paragraph. the law of a Member State may require the guarantors to consult and obtain
a permit from the supervisory authority in connection with the processing of the responsible party in charge of the implementation of a project for the benefit of the
human interests, including processing related to social protection and public health.
Episode 4
Privacy Officer
Article 37
Appointment of a Privacy Officer
1. The controller and processor shall appoint a privacy officer in each case where:
(a) processing is in the hands of a public authority or body, with the exception of courts of law;
its jurisdiction,
(b) the principal activity of the guarantor or processor is to process operations which, by their nature, require:
catch and / or purpose, extensive, regular and systematic monitoring of registered persons
or
(c) the main activity of the responsible party or processor is the extensive processing of specific categories of information;
according to Article 9 or personal information relating to criminal convictions and criminal offenses referred to in 10.
gr.
2. A group of undertakings may appoint one data protection officer provided that each establishment
have easy access to it.
3. Where the controller or processor is a public authority or institution, a single person may be nominated
security officer for more than one such authority or institution, taking into account their organizational structure and size.
4. In cases other than those referred to in paragraph 1, is a guarantor or processor or organization and other
on persons representing the categories of guarantors or processors, authorized or even obliged, if required
in the law of the Union or the law of a Member State, to designate a data protection officer. The Privacy Officer
may represent such associations and other parties representing the guarantor or processor.
5. The Privacy Officer shall be appointed on the basis of his / her professional competence and in particular his / her expertise in
law and law enforcement in the field of privacy and its ability to carry out the tasks referred to in 39.
gr.
6. The Privacy Officer may be an employee of a responsible party or processor or perform tasks
on the basis of a service agreement.
7. The responsible party or processor shall publish the communication information of the data protection officer and send it
the supervisory authority them.
Article 38
Position of Privacy Officer
1. The controller and processor shall ensure that a privacy officer is present, as appropriate, and
in a timely manner, to all matters relating to the protection of personal data.
2. The responsible party and the processing party shall support the privacy officer in the implementation of the tasks that
referred to in Article 39 by providing him with the necessary resources to provide them, as well as access to perzone information and processing operations, enabling him to maintain his expertise.
3. The controller and processor shall ensure that the data protection officer is not instructed to
implementation of these projects. The guarantor or processor shall not dismiss him or punish him
for the implementation of their tasks. The Privacy Officer shall report directly to the highest level of management
guarantor or processor.

Page 80

Nr. 90

June 27, 2018

4. Registered individuals can contact the Privacy Officer with any issues related to processing
on their personal data and how they can exercise their rights under this Regulation.
5. The Data Protection Officer shall be bound by professional secrecy or confidentiality regarding the performance of his / her tasks in accordance with
to the laws of the Union or to the laws of a Member State.
6. The Privacy Officer may perform other tasks and duties. The guarantor or processor shall
ensure that such tasks and duties do not lead to conflicts of interest.
Article 39
Tasks of a privacy officer
The Privacy Officer shall perform at least the following tasks:
(a) inform the guarantor or processor and the workers in charge of processing of their obligations under
this Regulation and other provisions of the Union or a Member State on privacy and provide them
advice thereon,
(b) monitor compliance with the provisions of this Regulation, with other provisions of the Union or with
State for the protection of personal data and the policies of the responsible party or processor regarding the protection of personal data,
including the allocation of responsibilities, awareness raising and training of staff involved in processing activities and
audit audits,
(c) provide advice, upon request, on the assessment of the impact on privacy and monitor its implementation
according to Article 35,
(d) work with the supervisory authority;
(e) liaise with the regulatory authority on matters relating to processing, including prior consultation
referred to in Article 36, and seek advice, as appropriate, on other matters.
2. The Data Protection Officer shall, in carrying out his / her duties, take due account of the risks
accompanies the processing activity, taking into account the nature, scope, context and purpose of the processing.
Episode 5
Code of conduct and certification
Article 40
Rules of conduct
1. Member States, supervisory authorities, the Privacy Council and the Commission shall encourage:
rules of conduct will be drawn up to promote the correct application of this Regulation, taking into account
the various processing divisions and special needs of micro-enterprises, small and medium-sized enterprises.
2. Organizations and other parties representing the categories of guarantors or processors may negotiate
rules of conduct, or amend or extend such rules, in order to further provide for the application of this
of the Regulation, for example with regard to:
(a) fair and transparent processing;
b) the legitimate interests of the guarantor in a particular context;
c) collection of personal information,

d) the use of pseudo-identifiers in the processing of personal data,
(e) information provided to the public and to registered persons;
(f) the ability of registered persons to exercise their rights;
(g) information provided to children and their protection and how to obtain the consent of the guardian;
(h) the measures and procedures referred to in Articles 24 and 25. and measures to ensure the safety of processing that
referred to in Article 32,

Page 81

Nr. 90

June 27, 2018

(i) notifications to the supervisory authorities of security breaches in the processing of personal data and those recorded
individuals are notified of such deficiencies,
(j) the transfer of personal data to third countries or international organizations; or
(k) extrajudicial proceedings and other dispute settlement procedures for the settlement of disputes
between the guarantor and registered individuals, cf. however, the rights of the registered according to Art. Articles 77 and 79
3. In addition to the rules of conduct applicable to guarantors or processors covered by this Regulation,
which are approved according to Paragraph 5 of this Article and have general validity according to Art. Paragraph 9 of this Article, may
guarantors or processors who are not subject to this regulation according to Art. Article 3, also made it to
ensure that appropriate safeguards are in place within the framework of the disclosure of personal information to third parties
countries or international organizations in accordance with the terms referred to in paragraph 2 (e). Article 46 Such liability
Parties or processors shall undertake, in a binding and enforceable manner, to apply this
appropriate safeguard measures, including the rights of registered persons, by agreement or other
legally binding instruments.
4. Code of conduct referred to in paragraph 2 of this Article, shall include arrangements which enable the Party,
referred to in the first paragraph. Article 41, be able to carry out compulsory supervision of the responsible parties or processing
parties who undertake to apply them shall comply with their provisions, without prejudice to tasks and
the powers of supervisory authorities competent pursuant to Art. Article 55 or 56
5. Organizations and other parties referred to in the second paragraph. of this Article, who intend to negotiate conduct
rules or amend rules or extend existing rules, shall draft rules, amend or extend
for the supervisory authority that is competent according to Art. Article 55 The supervisory authority shall give its opinion on whether the draft
rules of conduct, the amendment or extension complies with this Regulation and approve the draft, the amendment or
the extension if it considers that they provide adequate and appropriate safeguards.
6. If the draft code of conduct, amendment or extension is adopted in accordance with paragraph 5, and if
rules of conduct do not apply to processing activities in more than one Member State, the supervisory authority shall list the rules
and publish them.
7. If the draft code of conduct concerns processing activities in more than one Member State, the supervisory authority
legally liable according to Article 55, before approving the draft, amendment or extension, submit it to the
the Security Council in accordance with the procedure referred to in Article 63. and the Council shall give its opinion on whether the
that the rules, amendments or extensions comply with this Regulation or, in the circumstances referred to in
in the third paragraph. of this Article, ensure appropriate protective measures.
8. Confirmed the opinion referred to in paragraph 7 that the draft code of conduct, amendment or extension is compatible
this Regulation or, in the circumstances referred to in paragraph 3, ensure appropriate safeguard measures,
the Data Protection Board shall submit its opinion to the Commission.
9. The Commission may, by means of implementing acts, decide that the code of conduct, the amendment
or the extension, which has been approved and is discussed in accordance with Art. Paragraph 8 of this Article, have in general
values ​within the Union. These implementing acts shall be adopted in accordance with the
the trip referred to in the second paragraph. Article 93
10. The Commission shall ensure that the rules adopted, which have been decided upon, are of general application
in accordance with paragraph 9, receive appropriate information.
11. The Privacy Council shall compile all agreed rules of conduct, amendments and extensions
in a file and make them available to the public in an appropriate manner.
Article 41
Supervision of approved rules of conduct
1. Without prejudice to the tasks and powers of the competent supervisory authority pursuant to Art. Articles 57 and 58 can be monitored
because the rules of conduct according to Article 40 is followed to be in the hands of a party who has the appropriate expertise
subject to the rules and has been accredited for that purpose by the competent supervisory authority.

Page 82

Nr. 90

June 27, 2018

2. A party according to Art. Paragraph 1 may be accredited to monitor compliance with the Code of Conduct if he
has:
(a) demonstrate its independence and expertise in the subject matter of the rules in a manner that is competent to supervise;
authority is considered adequate,
(b) establish a procedure which enables it to assess the suitability of the controller and processor concerned to:
apply the Code of Conduct, monitor compliance with its provisions and review activities
of them on a regular basis,
(c) establish procedures and systems for dealing with complaints about breaches of the rules or how
the controller or processor performs, or has performed, the rules and to perform this procedure
and these systems are transparent to registered individuals and the general public and
(d) demonstrate, in a satisfactory manner in the opinion of the competent supervisory authority, that its tasks and duties
does not lead to a conflict of interest.
3. The competent supervisory authority shall submit to the Privacy Council draft draft requirements for accreditation
parties, as referred to in the first paragraph. of this Article, according to the coordination system referred to in Article 63.
4. Without prejudice to the tasks and powers of the competent supervisory authority and the provisions of VIII. Chapter shall be a party,
as referred to in the first paragraph. of this Article, without prejudice to appropriate safeguard measures, take appropriate
action if the controller or processor violates the rules, including temporary or permanent
exclusion of the guarantor or processor from the rules. He shall notify the competent supervisory authority
such actions and the reasons for them.
5. The competent supervisory authority shall revoke the accreditation of a party as referred to in paragraph 1, if the requirements
accreditation are not, or are no longer, fulfilled or if the party's actions violate this
type.
6. This Article shall not apply to processing by public authorities and bodies.
Article 42
Certification
1. Member States, supervisory authorities, the Privacy Council and the Commission shall encourage:
in particular at Union level, the establishment of a certification scheme for privacy and
privacy seals and marks to demonstrate that the processing of the guarantor and processor complies
the provisions of this Regulation. The special needs of micro-enterprises, small and medium-sized enterprises shall be taken into account.
2. In addition to the guarantors or processors covered by this Regulation, certification bodies shall be established:
privacy arrangements together with privacy seals or marks according to Art. Paragraph 5 of this Article
guarantors and processors who are not subject to this regulation according to Art. Article 3, such shall be established to
demonstrate that appropriate safeguards exist within the framework of the disclosure of personal information
third countries or international organizations in accordance with the terms referred to in paragraph 2 (e). Article 46 Such
guarantors or processors shall undertake, in a binding and enforceable manner, to apply
these appropriate safeguard measures, including the rights of registered persons, by agreement or
other legally binding instruments.
The certification shall be optional and accessible in a transparent process.
4. Certification under this Article shall not reduce the obligation of the guarantor or processor to comply with
the provisions of this Regulation and it does not affect the tasks and powers of supervisory authorities
lawful according to Article 55 or 56
5. The certification bodies referred to in Article 43 or the competent supervisory authority shall issue a certification in
this Article, on the basis of criteria approved by the competent supervisory authority pursuant to Art. Paragraph 3 Article 58 or perthe Zone Protection Council according to Article 63 If the Privacy Council approves the criteria, it may lead to a general
unar, the European Privacy Label.

Page 83

Nr. 90

June 27, 2018

6. The controller or processor requesting certification of his processing under the certification scheme shall:
provide the certification body referred to in Article 43 or, where appropriate, provide the competent regulatory authority with all
necessary and the access to their processing activities necessary for the certification of
the process of completion.
7. The certification shall be issued to the guarantor or processor for a maximum of three years and may be
renew, under the same conditions, provided that the relevant criteria are still met. If the criteria
the certification requirements are not, or are no longer, fulfilled, the certification bodies referred to in Article 43, or
the supervisory authority shall, as appropriate, revoke the certification.
8. The Privacy Board shall collect all certification arrangements and privacy seals and marks
together in a file and make it accessible to the public in an appropriate manner.
Article 43
Certifiers
1. Without prejudice to the tasks and powers of the competent supervisory authority pursuant to Art. Articles 57 and 58 shall certify
Parties with appropriate privacy expertise shall, where necessary, issue and renew certificates.
after notifying the supervisory authority to enable it to exercise its powers under Art. hpoint 2 of para. Article 58 Member States shall ensure that these certification bodies are accredited by one or both of the
counted persons:
a) the supervisory authority competent pursuant to Art. Articles 55 or 56,
(b) an accreditation body of a Member State specified in accordance with Regulation (EC) No 882/2004 of the European Parliament and of the Council
no. 765/2008 ( 20 ) in accordance with European standard EN-ISO / IEC 17065/2012 and additional requirements set
by the supervisory authority competent pursuant to Art. Article 55 or 56
2. Certification bodies referred to in paragraph 1 shall only be accredited in accordance with that paragraph if:
they have:
(a) demonstrate their independence and expertise in the subject matter of the certification in a manner appropriate to the competent
authority is considered adequate,
(b) undertake to respect the criteria referred to in paragraph 5. Article 42 and are approved by the
the authority competent according to Art. Article 55 or 56 or by the Privacy Council according to Article 63
(c) establish procedures for issuing, periodically reviewing and revoking privacy certificates;
privacy seals or logos,
(d) establish procedures and systems for dealing with complaints of breaches of certification; or
on how the guarantor or processor performs or has performed the certification and to do
this procedure and this system transparent to registered individuals and the public and
(e) demonstrate, in a manner deemed adequate by the competent supervisory authority, that their tasks and duties
does not lead to a conflict of interest.
3. Accreditation of certification service providers, as referred to in paragraphs 1 and 2. of this Article, shall be made on the basis of
claims approved by the supervisory authority competent pursuant to Art. Article 55 or 56 or the Privacy Council
according to Article 63 In the case of accreditation according to Art. paragraph 1 (b) of this Article, these requirements shall apply
benefits those provided for in Regulation (EC) No 765/2008 and the technical rules describing the methods and
the rules of law of the certification bodies.
4. The certification bodies referred to in paragraph 1 shall be responsible for the correct assessment leading to certification or re-certification.
call for certification, without prejudice to the responsibility of the guarantor or processor for compliance with this
type. The accreditation shall be issued for a maximum of five years and may be renewed under the same conditions, provided that:
provided that the certification body meets the requirements of this Article.
( 20 ) Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 on accreditation and market surveillance requirements
in connection with the marketing of products and repealing Regulation (EEC) no. 339/93 (OJ L 218, 13.8.2008,
p. 30).

Page 84

Nr. 90

June 27, 2018

5. The certification bodies referred to in paragraph 1 shall provide the competent regulatory authorities with a justification for:
by granting or revoking the requested certification.
6. The supervisory authority shall publish the requirements referred to in paragraph 3. of this Article and the relevant criteria
referred to in the 5th paragraph. Article 42 in an accessible form. The supervisory authorities shall also send these to the Data Protection Board
requirements and criteria.
7. Without prejudice to VIII. Chapter 2, the competent supervisory authority or the accreditation body of a Member State shall withdraw
accreditation of certification bodies according to Paragraph 1 of this Article if the conditions for accreditation are not, or are not
longer, fulfilled or if the actions of the certification body violate this Regulation.
8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92. í
for the purpose of specifying the requirements that need to be taken into account in the certification scheme for privacy
referred to in the first paragraph. Article 42
9. The Commission may adopt implementing acts laying down technical standards
certification arrangements and privacy seals and marks and arrangements for promoting and recognizing such
certification arrangements, seals and labels. These implementing acts shall be adopted in accordance with
the proceedings referred to in paragraph 2 Article 93
CHAPTER V
Dissemination of personal data to third countries or international organizations
Article 44
General principles for the dissemination of information
Subject to the other provisions of this Regulation, only the personal information contained in it
processing or are intended for processing after their transmission to a third country or to an international organization, if
the controller and the processor meet the conditions laid down in this Chapter, including for forwarding
personal data from a third country or an international organization to another third country or another international
institution. All provisions of this Chapter shall apply to ensure that protection is not undermined
persons covered by this Regulation.
Article 45
Dissemination on the basis of a decision on whether protection is adequate
The transfer of personal data to a third country or to an international organization is permitted if the Commission has
decided on the third country, territory or one or more specified sectors within that third country
or the international organization in question ensures adequate protection. Such dissemination does not require special authorization.
2. In assessing the adequacy of protection, the Commission shall in particular take into account the following
episodes:
(a) the fundamental principles of the rule of law, respect for human rights and freedoms, appropriate legislation,
lesser legislation as special legislation, e.g. á m. concerning public security, national defense, national security and criminal law, and
access by public authorities to personal data, as well as the implementation of the legislation in question, rules on
privacy, rules of procedure and security measures, including rules on the disclosure of personal data to other
third country or an international organization that is followed in the country in question or by an international organization, judicial
implementation, as well as the effective and enforceable rights of registered persons and effective
administrative and judicial proceedings for registered persons with regard to the disclosure of personal information about them,
(b) the existence of an independent and effective supervisory authority, one or more, in the third country or as an international
an institution which is responsible for ensuring and enforcing compliance with the rules on
protection, e.g. á m. with sufficient powers to enforce them, should be granted to registered persons
assistance and advice when exercising their rights and in cooperation with the supervisory authorities of the Member States
about and

Page 85

Nr. 90

June 27, 2018

(c) international commitments entered into by the third country or international organization or others
obligations under legally binding agreements or instruments, as well as participation in multilateral or
regional systems, in particular in relation to the protection of personal data.
3. The Commission may, after assessing the adequacy of the protection, decide
on the basis of an implementation, to a third country, territory or one or more specified sectors within the third
of a country, or an international organization, shall ensure adequate protection within the meaning of para. of this Article. In the
The Act shall provide for a periodic review, at least every four years, where:
appropriate developments in the third country or at the International Organization shall be taken into account. In the implementation plan shall
specify the regional and sectoral scope and, where appropriate, specify the supervisory authority or authorities
referred to in paragraph 2 (b). of this Article. The implementing act shall be approved in accordance with the
the trip referred to in the second paragraph. Article 93
4. The Commission shall keep under constant review developments in third countries and at international organizations
which could affect the implementation of decisions adopted pursuant to Art. Paragraph 3 of this Article and para. 25.
gr. of Directive 95/46 / EC.
5. The Commission shall, to the extent deemed necessary, revoke, amend or suspend
repeals the decision referred to in paragraph 3; of this Article, on the basis of implementing acts, without retroactive effect,
if the available information becomes apparent, in particular following the review referred to in paragraph 3. of this
Articles, to a third country, territory or one or more specified sectors within a third country or international organization
no longer provides adequate protection within the meaning of paragraph 2. of this Article. These implementing acts shall
approved in accordance with the investigative procedure referred to in paragraph 2. Article 93
Where there is an urgent need in duly substantiated cases, the Commission shall
acts which shall enter into force without delay in accordance with the procedure referred to in paragraph 3. Article 93
6. The Commission shall enter into negotiations with the third country or the international organization with a view to this
to remedy the situation that led to the decision being made pursuant to Art. Paragraph 5
7. Decision according to Paragraph 5 this Article does not affect the transfer of personal data to third countries,
territory or one or more specified sectors within that third country or the relevant international organization
according to 46. ​– 49. gr.
8. The Commission shall publish in the Official Journal of the European Union and on its website a list of them.
third countries, territories and specified sectors within the third country and international organizations designated by it;
to not provide, or no longer provide, adequate protection.
9. Decisions adopted by the Commission on the basis of paragraph 6 Article 25 of Directive 95/46 / EC
continue to apply until they are amended, replaced or repealed by a decision of the
of the Board of Directors approved in accordance with paragraphs 3 or 5. of this Article.
Article 46
Disclosure covered by appropriate safeguards
If no decision is made according to Art. Paragraph 3 Article 45 the guarantor or processor can therefore only share perpersonal information to a third country or international organization that he has taken appropriate protective measures and
provided that there are enforceable rights and effective legal remedies for registered persons.
2. The appropriate safeguard measures referred to in paragraph 1 may, without requiring specific authorization from:
supervisory authority, includes the following:
(a) a legally binding and enforceable act between public authorities or bodies;
(b) binding corporate rules in accordance with Article 47;
(c) standard privacy provisions adopted by the Commission in accordance with the
the proceedings referred to in paragraph 2 Article 93,
(d) standard provisions on privacy adopted by the supervisory authority and the Commission
recognized in accordance with the investigative procedure referred to in paragraph 2. Article 93,

Page 86

Nr. 90

June 27, 2018

e) recognized rules of conduct according to Art. Article 40, together with binding and enforceable obligations
the guarantor or processor in the third country to apply the appropriate safeguard measures, also
in respect of the rights of registered persons or
f) an approved certification system according to Art. Article 42, together with binding and enforceable obligations of the
the third party or processor in the third country to apply the appropriate safeguard measures, including
concerning the rights of the data subjects.
3. Without prejudice to the authorization of the competent supervisory authority, the appropriate safeguard measures referred to in
in the first paragraph, also includes in particular the following:
(a) contractual provisions between the guarantor or processor and the guarantor, processor or consignee;
the spirit of the personal data in the third country or at the International Organization or
(b) provisions which are incorporated into administrative measures between public authorities or bodies
enforceable and effective rights of registered persons.
4. The supervisory authority shall apply the harmonization system referred to in Article 63. in the cases referred to
in the third paragraph. of this Article.
5. Authorizations granted by a Member State or a supervisory authority on the basis of paragraph 2 Article 26 of Directive 95/46 / EC,
remain in force until amended, replaced or canceled by the supervisory authority, if necessary.
Decisions adopted by the Commission pursuant to Directive 95/46 / EC shall continue to apply until
they are amended, replaced or abolished, if necessary, by a decision of the
of the Commission approved in accordance with para. of this Article.
Article 47
Binding company rules
Competent supervisory authorities shall adopt binding corporate rules in accordance with the coordination system
provided for in Article 63, provided that they:
(a) are legally binding and enforceable and enforced by any of the parties concerned;
a group of companies or a group of companies engaged in joint business activities, including employees
their,
(b) grant enforceable rights to registered persons in an unequivocal manner with regard to the processing of
zone information about them and
(c) meets the requirements laid down in Article 2.
2. The binding company rules referred to in paragraph 1 shall specify at least:
(a) the organization and contact details of the group of undertakings or groups of undertakings engaged in the
actual business activities and any member of the group or group,
(b) dissemination or repeated dissemination of information, including the categories of personal data, type
and the purpose of processing, which group of registered persons will be affected by it and which third country
or third countries,
(c) their legally binding nature, both inward and outward;
(d) the application of general principles of privacy, in particular the limitation of purpose, the minimization of
data, retention period limitation, data quality, built-in and default privacy, legal
basis of processing, processing of special categories of personal information, measures to ensure privacy
and forwarding requirements for parties that are not subject to binding corporate rules,
(e) the rights of registered persons with regard to processing and the means of exercising those rights, including the right
to not be subject to decisions based solely on automatic processing, including the creation of a
in accordance with Article 22, to lodge a complaint with the competent supervisory authority and with the competent courts
of the Member States in accordance with Article 79 and to do his part and, as appropriate, to compensate for the offense
on binding company rules,

Page 87

Nr. 90

June 27, 2018

(f) the recognition of the responsibility of the guarantor or processor established in the territory of a Member State;
for any breach of binding corporate rules by the parties concerned who have not
attachment to the Union; the guarantor or processor shall therefore be exempt from liability only,
in whole or in part, that he proves that the party in question is not responsible for the case that led to
to the detriment,
(g) how listed individuals are provided with information on binding corporate rules, in particular the provisions
referred to in points (d), (e) and (f) of this paragraph, in addition to Articles 13 and 14,
(h) the tasks of the Data Protection Officer nominated in accordance with Article 37. or another party or organization
which supervises compliance with binding corporate rules within a group of companies
or a group of companies engaged in joint business activities, together with the supervision of vocational training and
complaints case,
(i) Complaint Procedure;
(j) arrangements within the group of undertakings or a group of undertakings engaged in joint ventures
activities, to ensure verification of compliance with binding corporate rules. This arrangement
shall include audits of privacy and methods of ensuring that corrective action is taken to:
protect the rights of the data subject. The body or entity referred to in point (h) and the Management Board of
isins, which controls a group of companies or a group of companies engaged in joint business activities,
on the results of the verification and they should be accessible to the competent supervisory authorities
they request it,
(k) the arrangements for reporting and recording changes to the rules and reporting on the changes
to the supervisory authority,
(l) arrangements for cooperation with the supervisory authority to ensure the compliance of the members of the group of undertakings
or a group of companies engaged in joint business activities, in particular by ensuring that
the authority has access to the results of the verification of the measures referred to in point (j);
(m) arrangements for reporting to the competent supervisory authority on the legal requirements imposed by a Party
equipment group or group of companies engaged in joint business activities must be complied with in a third country
which is likely to have a significant negative effect on the insurance contained in the binding company rules
and
(n) appropriate training of staff who have constant or regular access to personal data;
in the field of privacy.
3. The Commission may specify the format and methods of exchange of information between the guarantors;
processors and regulatory authorities with respect to binding corporate rules within the meaning of this Article. These
implementing acts shall be adopted in accordance with the examination procedure referred to in paragraph 2. 93.
gr.
Article 48
Disclosure or publication that is not permitted under Union law
Judgments given by the courts and decisions of a third country administrative authority requiring
the controller or processor discloses or discloses personal information may only be acknowledged or
enforce in any way that this is based on an international agreement, such as an agreement on mutual judicial
assistance in force between the requesting third country and the Union or a Member State, without
that it affects other reasons for dissemination under this chapter.
Article 49
Exceptions due to special circumstances
If there is no decision that protection is adequate according to Art. Paragraph 3 Article 45 or have not been made
appropriate protection measures according to Art. Article 46, including binding company rules, shall be disseminated or repeated
personal data to a third country or an international organization only provided that one of the following is met
conditions:

Page 88

Nr. 90

June 27, 2018

(a) the data subject has given his unequivocal consent to the proposed disclosure after being notified;
about the potential risks that the brokerage may pose to him due to non-existence
a decision that protection is adequate and no appropriate protection measures have been taken;
(b) the mediation is necessary for the implementation of an agreement between the data subject and the controller or the
made at the request of the data subject before the conclusion of the contract,
(c) the mediation is necessary for the conclusion or performance of a contract for the benefit of the data subject, as the guarantor and
another person or legal entity do to each other,
(d) dissemination is necessary for important public interests;
(e) the dissemination is necessary for the creation, maintenance or defense of legal claims;
(f) the dissemination is necessary to protect the vital interests of the data subject or of other data subjects if the data subject is
physically or legally unable to give their consent,
(g) information is disseminated from a register which is intended under Union law or the law of a Member State
provide information to the public and is accessible to either the general public or anyone who can
demonstrated that he has a legitimate interest, but only to the extent necessary
access provided for in Union or Member State law is fulfilled in that case.
If it is not possible to base the disclosure on the provisions of Article 45 or 46, including provisions on binding corporate rules,
and none of the exceptions due to special circumstances referred to in the first subparagraph of this paragraph,
where applicable, personal data may only be transmitted to a third country or to an international organization if the transmission is
not repeated, concerns only a limited number of registered persons, is necessary due to important
legitimate interests of the guarantor when the interests or rights and freedoms of the data subject do not
heavier and if the responsible party has examined all circumstances concerning the dissemination of the information and has, on
on the basis of that assessment, take appropriate protection measures with regard to the protection of personal data. Responsible
the party shall inform the supervisory authority of the communication. In addition to providing the information referred to in
Articles 13 and 14, the responsible party shall inform the data subject of the disclosure and the important, legitimate interests
which is taken care of.
Dissemination according to Point (g) of the first subparagraph of paragraph 1 shall not cover the personal information in its entirety or
complete categories of personal information in the directory. If the register is intended for inspection by those who have legitimate
remember that the transmission shall only take place at the request of these parties or if they are to be the recipients of
the descriptions.
3. The provisions of points (a), (b) and (c) of the first subparagraph of paragraph 1 and its second subparagraph shall not apply to
by public authorities in the exercise of their official powers.
4. The public interest referred to in point (d) of the first subparagraph of paragraph 1 shall be recognized in the
of the Union or in the law of the Member State to which the guarantor belongs.
5. When no decision has been taken as to whether adequate protection exists, Union law may
or the law of a Member State unequivocally restricts the disclosure of specific categories of personal data to third parties
country or international organization on the basis of important public interests. Member States shall notify the
the Commission on such provisions.
6. The controller or processor shall confirm the assessment and the appropriate protective measures referred to in
in the second subparagraph of the first paragraph. of this Article, in the registers referred to in Article 30.
Article 50
International cooperation on the protection of personal data
In the case of third countries or international organizations, the Commission and the supervisory authorities shall
owner measures to:
(a) develop arrangements for international cooperation to facilitate the effective implementation of protection legislation;
personal information,

Page 89

Nr. 90

June 27, 2018

(b) provide mutual international assistance in enforcing personal data protection legislation, including
presentations, forwarding of complaints, assistance with research and exchange of information, subject to
on appropriate protection measures for the protection of personal data and other fundamental rights and
human freedom,
(c) involve relevant stakeholders in discussions and work aimed at promoting international
co-operation with the enforcement of legislation on the protection of personal data,
(d) promote the exchange and documentation of legislation and practices in the field of personal data protection, in particular:
on disputes with third countries over jurisdiction.
VI. CHAPTER
Independent supervisory authorities
Episode 1
Independence
Article 51
Supervisory authority
Each Member State shall ensure that one or more independent public authorities are responsible for monitoring
by applying this Regulation in order to protect the fundamental rights and freedoms of individuals in relation to
processing of personal data and to facilitate the free movement of personal data within the Union
("Supervisory authority").
2. Each supervisory authority shall promote the uniform application of this Regulation throughout the Union. Í
To this end, the supervisory authorities shall cooperate with each other and with the Commission accordingly
VII. chapter.
3. Where more than one supervisory authority is established in a Member State, that Member State shall designate that supervisory authority.
to be represented on behalf of these authorities in the Privacy Council and a system to ensure
that the other authorities comply with the rules concerning the coordination system referred to in Article 63;
4. Each Member State shall notify the Commission by 25 May 2018 of the provisions of national law
which they have adopted in accordance with this Chapter and shall without delay notify any subsequent changes which have an effect
on them.
Article 52
Independence
1. Each supervisory authority shall be completely independent in its work and in the exercise of its powers.
in accordance with this Regulation.
2. The representative or representatives of each supervisory authority shall, in the performance of their duties and in the exercise of their powers,
in accordance with this Regulation, be free from external influences, both direct and indirect, and
do not seek or accept instructions from other parties.
3. The representative or representatives of each supervisory authority shall not do anything incompatible with their duties.
and shall not engage in any other incompatible activities during their term of office, whether paid or unpaid.
4. Each Member State shall ensure that each supervisory authority has at its disposal human resources, technical resources
and the resources, housing and infrastructure necessary for it to carry out its work and exercise its powers;
effectively, e.g. á m. in connection with mutual assistance, cooperation and participation in the work of
of the Security Council.
5. Each Member State shall ensure that each supervisory authority selects and has its own staff and should
walk under the control of a representative of the relevant supervisory authority.

Page 90

Nr. 90

June 27, 2018

6. Each Member State shall ensure that each supervisory authority monitors finances which have not:
impact on its independence, and that it has a separate public, annual budget that can be part of the overall
the state or state budget.
Article 53
General conditions regarding the representative of the supervisory authority
1. Member States shall provide that each representative of their supervisory authorities shall be
special procedure of:
- their parliament,
- their government,
Their heads of state or
- a dependent body entrusted with the appointment under the law of the Member State.
2. Each representative shall possess the qualifications, experience and skills, in particular in the field of the protection of personal data.
which is necessary for him to be able to perform his duties and exercise his powers.
3. The duties of a representative shall end when his term of office expires, he resigns or resigns
for retirement due to age, in accordance with the law of the Member State concerned.
4. Representatives shall be removed only if there is a serious misconduct or if he no longer satisfies them.
conditions required for his duties.
Article 54
Rules on the establishment of a supervisory authority
1. Each Member State shall provide for all of the following by law:
(a) the establishment of any supervisory authority;
(b) the training and qualifications required for the appointment of a representative of each supervisory authority;
(c) rules and procedures concerning the appointment of representatives of each supervisory authority;
(d) the term of office of the representative of each supervisory authority, which shall not be less than four years, with the exception of
first appointment after May 24, 2016, which may be for a shorter period if necessary to safeguard
on the independence of the supervisory authority through the use of a phased appointment procedure,
(e) whether and how often the appointment of representatives of each supervisory authority may be renewed;
(f) conditions relating to the duties of representatives of each supervisory authority and its staff, prohibition of action;
jobs and benefits that are incompatible with them during and after their working hours, and rules on
retirement.
2. A representative or representatives of each supervisory authority and its staff shall, in accordance with Union law
or the law of a Member State, shall be bound by the obligation of professional secrecy, both during and after the
confidential information which they have obtained in the course of their duties or in the exercise of their powers. While
during their term of office, their duty of confidentiality shall apply in particular to notifications by individuals of infringements
ari regulation.
Episode 2
Powers, tasks and powers
Article 55
Jurisdiction
1. Each supervisory authority shall be competent to carry out and apply the tasks assigned to it.
powers conferred on it in accordance with this Regulation in the territory of its own Member State.

Page 91

Nr. 90

June 27, 2018

2. When processing is in the hands of public or private authorities operating under subparagraphs (c) or (e) 1.
mgr. Article 6, the supervisory authority of the Member State concerned shall be deemed competent. In those cases, Article 56 not applicable.
3. Supervisory authorities shall not be competent to supervise judicial proceedings when
exercise their jurisdiction.
Article 56
Powers of the Leading Supervisory Authority
1. Without prejudice to Article 55 the supervisory authority of the head office or the only place of business shall be responsible
the party or processor is deemed competent to act as the lead supervisory authority for the processing of
borders handled by the controller or processor in accordance with the procedure laid down in
in Article 60
2. Notwithstanding the first paragraph. each supervisory authority shall be deemed competent to deal with a complaint lodged
it or a possible violation of this Regulation if the subject is related only to an establishment in its Member State
or has a significant effect only on registered persons in its Member State.
3. In the cases referred to in paragraph 2 of this Article, the supervisory authority shall notify the
the authority of the proceedings without delay. The lead supervisory authority shall, within three weeks of the notification
shall decide whether it will deal with the matter in accordance with the procedure provided for in Article 60;
taking into account whether the controller or processor is established in the Member State of the supervisory authority;
who announced it.
4. If the Leading Authority decides to consider the matter, the procedure provided for in Article 60 shall apply.
gr. The supervisory authority, which sent the notification to the lead supervisory authority, may therefore send a draft decision.
The lead supervisory authority shall take the utmost account of the draft in question when drafting the decision which:
referred to in the third paragraph. Article 60
5. If the lead supervisory authority decides not to deal with the matter, the supervisory authority which notified the lead
the supervisory authority, discuss the matter according to Art. Articles 61 and 62
6. The lead supervisory authority shall be the sole liaison between the controller or the processor for its processing.
across borders.
Article 57
Tasks
1. Without prejudice to other tasks set out in this Regulation, each supervisory authority shall:
own territory:
(a) monitor and enforce the application of this Regulation;
(b) promote public awareness and understanding of the risks, rules, safeguards and rights associated with
processing. Particular attention should be paid to activities aimed at children in particular,
(c) provide advice to the National Assembly, the Government and other bodies and bodies, in accordance with the national law of a Member State;
on legislative and administrative measures relating to the protection of the rights and freedoms of individuals
in terms of processing,
(d) raise the awareness of the guarantor and processor of their obligations under this Regulation;
(e) provide, upon request, to a registered person information on how he can exercise his rights
under this Regulation and, where appropriate, cooperate with the supervisory authorities of other Member States
skyni,
(f) deal with complaints submitted in accordance with a registered individual or organization, organization or association
Article 80 and investigate, as appropriate, the substance of the complaint and inform the complainant of the progress
and the results of the study within a reasonable time, in particular if further research is needed or
coordination with another supervisory authority,

Page 92

Nr. 90

June 27, 2018

(g) cooperate with other supervisory authorities, including through the exchange of information, and provide reciprocal
assistance, with a view to ensuring consistency in the application and enforcement of this Regulation,
(h) investigate the application of this Regulation, inter alia on the basis of information from another supervisory authority; or
another public authority,
(i) monitor relevant developments, in so far as they affect the protection of personal data;
in particular the development of information and telecommunications technologies and business practices,
(j) adopt the contractual provisions referred to in paragraph 8. Article 28 and paragraph 2 (d). Article 46,
k) prepare and maintain a register in connection with a requirement for an assessment of the impact on personal data protection pursuant to Art. Paragraph 4 Article 35,
(l) provide advice on processing operations referred to in paragraph 2; Article 36,
m) encourage the drafting of rules of conduct pursuant to Art. Paragraph 1 Article 40 and give an opinion on and accept the conduct
rules that ensure adequate protection measures according to Art. Paragraph 5 Article 40,
(n) encourage the certification system for privacy and privacy seals and marks;
will be established according to Paragraph 1 Article 42 and approve criteria for certification according to Art. Paragraph 5 Article 42,
(o) where appropriate, have a periodic review of the certificates issued in accordance with 7.
mgr. Article 42,
p) prepare and publish draft requirements regarding the accreditation of a party that supervises rules of conduct pursuant to Art. 41.
gr. and a certification body according to Article 43,
q) handles the accreditation of parties for supervision of rules of conduct according to Art. Article 41 and a certification body according to Article 43,
(r) authorize contractual provisions and the provisions referred to in paragraph 3. Article 46,
s) approve binding company rules according to Art. Article 47,
(t) participate in the activities of the Privacy Council;
(u) keep internal records of infringements of this Regulation and of measures taken in accordance with paragraph 2; Article 58
and
(v) perform other work related to the protection of personal data.
2. Each supervisory authority shall facilitate the submission of complaints referred to in paragraph 1 (f) by:
take measures such as a complaint form, which can also be filled in electronically, without any other communication
possibilities are excluded.
3. Each supervisory authority shall carry out its duties, the registered persons and, as the case may be, the personal
the protection officer free of charge.
4. When requests are manifestly unreasonable or excessive, in particular because they are repeated,
the supervisory authority may set a reasonable fee, on the basis of administrative costs, or refuse to consider
about the request. It shall be up to the supervisory authority to demonstrate that the request is unreasonable or excessive.
Article 58
Powers of authority
Each supervisory authority shall have all the following investigative powers:
(a) the authority to order the guarantor and the processor and, as the case may be, the representative of the guarantor;
or the processor provides any information it needs for its duties,
(b) authorization to carry out investigations in the form of privacy audits;
c) authorization to have a review of the certificates issued pursuant to Art. Paragraph 7 Article 42,
(d) the authority to notify the responsible party or processor of the alleged breach of this Regulation;

Page 93

Nr. 90

June 27, 2018

e) authorization to gain access to all personal information and all from the responsible party and the processing party
information necessary for its tasks,
(f) authorization to access the premises of the guarantor and the processor, including any data processing equipment;
and methods, in accordance with the laws of the Union or a Member State.
2. Each supervisory authority shall have all the following powers to take remedial action:
(a) the authorization to issue a warning to the guarantor or processor that the proposed processing
actions violate the provisions of this Regulation,
(b) an authorization to issue a reprimand to the guarantor or processor if the processing operations have violated
this Regulation,
(c) the authority to order the controller or processor to comply with the data subject's requests for consumption;
their rights under this Regulation,
(d) the authority to order the guarantor or processor to carry out the processing operations in accordance with the provisions
of this Regulation, as appropriate, in a specified manner and within a specified time,
(e) an authorization to order the responsible party to notify the data subject of a security breach in the handling of personal data.
information,
(f) an authorization to impose a temporary or permanent restriction on processing, including a ban;
g) an authorization to order the correction or deletion of personal data or a restriction on their processing pursuant to Art.
Articles 16, 17 and 18 and that such actions be notified to recipients who have received personal data
into the hands according to Paragraph 2 Article 17 and Article 19,
h) an authorization to revoke a certification or order the certification body to revoke a certification issued pursuant to Art.
Articles 42 and 43 or order the certification body not to issue a certification if there are no requirements for the certification,
or is no longer, fulfilled,
i) an authorization to impose an administrative fine pursuant to Art. Article 83, in addition to or in place of the measures referred to in
this paragraph, depending on the circumstances of each individual case,
(j) an authorization to order the temporary suspension of data flows to a recipient in a third country or to an international
institution.
3. Each supervisory authority shall have all of the following licensing and advisory powers:
(a) the authority to provide advice to the responsible party in accordance with the prior consultation process referred to in Article 36;
b) the authority to submit, on its own initiative or on request, opinions to the National Assembly or the Government
of the Member State or, in accordance with the law of the Member State, other institutions and entities, as well as the public, of
every issue related to the protection of personal data,
(c) an authorization to authorize processing referred to in paragraph 5. Article 36, if such prior authorization is required according to
the law of the Member State,
d) authority to issue an opinion and approve draft rules of conduct pursuant to Art. Paragraph 5 Article 40,
e) authorization to accredit a certification body pursuant to Art. Article 43,
(f) the authorization to issue certificates and to adopt certification criteria in accordance with paragraph 5; Article 42,
(g) the authority to adopt standard data protection provisions referred to in paragraph 8. Article 28 and paragraph 2 (d).
Article 46,
(h) an authorization to allow a contractual provision referred to in paragraph 3 (a). Article 46,
(i) the authority to authorize administrative measures referred to in paragraph 3 (b). Article 46,
j) authorization to approve binding company rules according to Art. Article 47

Page 94

Nr. 90

June 27, 2018

4. The exercise of the powers conferred on the supervisory authority under this Article shall be included
subject to appropriate safeguard measures, e.g. á m. effective legal remedies and fair procedures as set
is enshrined in Union law and the law of a Member State in accordance with the Charter of Fundamental Rights.
5. Each Member State shall provide by law that its supervisory authority is authorized to draw attention.
judicial authorities in breach of this Regulation and, where appropriate, initiate or engage in litigation
to enforce its provisions.
6. Each State Party may provide by law that its supervisory authority has additional powers.
to those referred to in paragraphs 1, 2 and 3. The exercise of these powers shall not diminish effective implementation
VII. chapter.
Article 59
Activity reports
Each supervisory authority shall prepare an annual report on its activities, which may include a list of species
violations that have been reported and the types of measures that have been taken in accordance with para. Article 58
These reports shall be sent to the National Assembly, the Government and other authorities as specified in the
of the state. They shall be made available to the public, the Commission and the Privacy Council.
VII. CHAPTER
Cooperation and coordination
Episode 1
Collaboration
Article 60
Co-operation between the lead supervisory authority and other relevant supervisory authorities
1. The lead supervisory authority shall cooperate with other relevant supervisory authorities in accordance with this
article with a view to reaching a consensus. The lead supervisory authority and the relevant supervisory authorities shall
exchange all relevant information.
2. The lead supervisory authority may at any time request that the other supervisory authorities concerned
mutual assistance according to Article 61 and can carry out joint actions according to Art. Article 62, in particular in
proceedings or when monitoring the implementation of a measure concerning the guarantor or processor with
fixed in another Member State.
3. The lead supervisory authority shall without delay send the relevant information to the supervisory authorities.
mines involved. It shall without delay send a draft decision to the other supervisory authorities concerned
to obtain their opinion and take due account of their views.
4. If any of the other regulatory authorities involved makes an appropriate and substantiated objection to
draft the decision within four weeks of the consultation taking place in accordance with para. of this
Article 63, the lead supervisory authority shall refer the matter to the coordination system referred to in Article 63. if not
following these relevant and substantiated objections or considers that the objections are not appropriate or
smoke support.
5. If the Leading Authority intends to comply with the relevant and substantiated objections raised
it shall send the other supervisory authorities concerned a revised draft decision in order to obtain their opinion.
The revised draft decision shall be considered in accordance with the procedure referred to in 4.
paragraph, within two weeks.
6. If none of the other supervisory authorities concerned has objected to the draft decision, the
provided to them by the supervisory authority, within the time limit referred to in paragraphs 4 and 5, the lead supervisory
the Authority and the supervisory authorities concerned agree on the draft decision in question and shall be bound by it;
of them.

Page 95

Nr. 90

June 27, 2018

7. The lead supervisory authority shall approve the decision and notify the headquarters or the sole
the place of business of the controller or processor, as the case may be, and provide the other supervisory authorities
and the Privacy Council have information on the decision in question, including a summary of those facts
and relevant reasons. The supervisory authority to which the complaint has been lodged shall notify the
anum about the decision.
8. If a complaint is dismissed or rejected, the supervisory authority to which the complaint has been lodged shall:
accept the decision, notwithstanding paragraph 7, and notify the complainant and inform the guarantor of
that.
9. If the lead supervisory authority and the relevant supervisory authorities agree to dismiss or reject parts
of a complaint and discuss other parts of it, a separate decision shall be adopted for each of these parts of the complaint.
of the substance. The lead supervisory authority shall adopt the decision on the action part
in connection with the guarantor, notify the headquarters or the sole establishment of the guarantor or
of the processor in the territory of his Member State and inform the complainant thereof, but the supervisory authority of the complainant
the decision on the part concerning the rejection or rejection of the complaint in question and the
inform the complainant of that decision and inform the responsible party or processor thereof.
10. The guarantor or processor shall, after receiving notification of the decision pursuant to Art. 7. and
Paragraph 9, take the necessary measures to ensure that the decision is complied with as regards
actions related to all his offices in the Union. The guarantor or processor shall
inform the lead supervisory authority of the measures taken to enforce the decision; and
it shall inform the other supervisory authorities concerned thereof.
11. If the supervisory authority concerned has reason to believe, in exceptional cases, that there is an urgent need
to take action to protect the interests of registered persons, the expedited procedure referred to in Article 66 shall apply.
12. The lead supervisory authority and the other relevant supervisory authorities shall send each other the information;
required by this Article, electronically and using a standard format.
Article 61
Mutual assistance
1. Regulatory authorities shall provide each other with relevant information and mutual assistance in order to
implement and apply this Regulation in a coordinated manner and shall take steps to cooperate
effectively. Mutual assistance shall in particular cover requests for information and control measures, e.g.
requests for prior permits and consultations, inspections and research.
2. Each supervisory authority shall take all appropriate measures necessary to respond to:
at the request of another regulatory authority without undue delay and no later than one month after receipt of the request.
Such measures may include, in particular, the submission of relevant research information.
The request for assistance shall include all necessary information, including the purpose and reasons for the request.
Information provided may only be used for the purpose of the request.
4. The regulatory authority to which the request is addressed shall not refuse to comply with the request unless:
(a) the subject matter of the request or the measures requested by the authority are not covered;
its sources or
(b) complying with the request would be in breach of this Regulation or of Union law or of
of the State to which the requesting supervisory authority belongs.
5. The requesting supervisory authority shall notify the supervisory authority which made the request;
on the results or, as appropriate, the progress of the measures taken in response to
the request. If the supervisory authority to which the request is addressed refuses to accede to the request pursuant to Art. Paragraph 4 it shall give
up the reasons for it.
6. The regulatory authorities to which the request is addressed shall, as a general rule, provide information provided by other regulatory authorities.
apply electronically using standard formats.

Page 96

Nr. 90

June 27, 2018

7. The regulatory authorities to which the request is addressed shall not charge a fee for any action they take.
according to the request for mutual assistance. Regulators can agree on rules to complement each other
damage due to special expenses incurred when mutual assistance is provided in exceptional cases.
8. If the supervisory authority does not provide the information referred to in paragraph 5, of this Article, within one month
from the time the request is received from another regulatory authority, the regulatory authority submitting the request may
provisional measure in the territory of its own Member State in accordance with paragraph 1; Article 55 In that case, it should look like this
there is an urgent need to take action according to Art. Paragraph 1 Article 66 has been complied with and that it requires prompt
spirit of the decision of the Privacy Council according to Paragraph 2 Article 66
9. The Commission may, by means of implementing acts, determine the format and arrangements for mutual assistance;
referred to in this Article, and arrangements for the electronic exchange of information between supervisory authorities
and between the supervisory authorities and the Privacy Council, in particular the standard format referred to in paragraph 6. of this
branches. These implementing acts shall be adopted in accordance with the investigative procedure referred to
in the second paragraph. Article 93
Article 62
Joint actions of regulatory authorities
1. The supervisory authorities shall, as appropriate, take joint action, including joint investigations.
actions and joint enforcement measures taken by representatives or staff of the supervisory authorities of other
states participate in.
2. If the controller or processor has offices in more than one Member State or, if expected,
that processing operations have a significant effect on a significant number of registered persons in more than one Member State
the supervisory authority of each of these Member States has the right to participate in joint actions. Supervisory
the power, which is competent according to Paragraphs 1 or 4 Article 56, shall be submitted to a supervisory authority from each of these Member States
to take part in joint actions and shall respond promptly to the request of the supervisory authority for participation.
3. The supervisory authority may, in accordance with the law of a Member State and with the authorization of the transmitting supervisory authority,
delegated to the representatives or staff of the sending control authority involved in joint operations
sources, including research authorizations, or, to the extent permitted by the law of the host Member State,
the supervisory authority, allow representatives or staff of the sending supervisory authority to exercise their investigative powers.
in accordance with the law of the Member State of the sending authority. Only such research may be used
authorizations under the guidance of a representative or staff of the accommodation inspection authority and in their presence. Representatives or
the staff of the transmitting supervisory authority shall be subject to the law of the Member State of the host supervisory authority.
4. Where the staff of the sending control authority are employed in another Member State in accordance with paragraph 1,
Member States of the accommodation authority are responsible for their work, including liability, for any damage
which they cause by their actions in accordance with the law of the Member State in which they operate.
5. The Member State where the damage occurred shall compensate the damage under the same conditions as apply to damage as its own
employees cause. If the employees of the transmission control authority have caused damage to a party in the territory of another
of a Member State, the Member State of the sending control authority shall reimburse in full to the other Member State the amounts
it has paid those who are entitled to benefits on their behalf.
6. Without prejudice to rights vis-à-vis third parties and with the exception of para. each Member State shall, in that
case provided for in paragraph 1, refrain from claiming reimbursement from another Member State for
damage referred to in the fourth paragraph.
7. If a joint action is planned and the supervisory authority does not fulfill the obligation laid down
in the second sentence of the second paragraph. of this Article, within one month, the other supervisory authorities may
to adopt a provisional measure applicable in its territory in accordance with Article 55. In that case,
consider that there is an urgent need to take action according to Art. Paragraph 1 Article 66 have been complied with and require an opinion or
a prompt binding decision of the Privacy Council according to Art. Paragraph 2 Article 66

Page 97

Nr. 90

June 27, 2018
Episode 2
Consistency
Article 63
Coordination system

In order to promote the harmonized application of this Regulation throughout the Union, supervisory authorities shall
co-operate with each other and, where appropriate, with the Commission through the co-ordination system, as
comes in this episode.
Article 64
Opinion of the Privacy Council
1. The Data Protection Board shall issue an opinion if the competent supervisory authority intends to approve any of the following:
analyzed measures. To this end, the competent supervisory authority shall send a draft to the Data Protection Board
the decision if it:
(a) aims at the adoption of records of processing operations covered by the requirement to assess the effects on privacy
according to Paragraph 4 Article 35,
b) concerns matters according to Art. Paragraph 7 Article 40 on whether a draft code of conduct, or a change or extension
Code of Conduct, comply with this Regulation,
c) aims at the approval of requirements regarding the accreditation of parties pursuant to Art. Paragraph 3 Article 41, a certification body according to Art. Paragraph 3 43.
gr. or the accreditation criteria referred to in paragraph 5. Article 42,
(d) aims to determine the standard provisions on privacy referred to in paragraph 2 (d). Article 46 and the 8th paragraph.
Article 28
(e) aims to authorize the contractual provisions referred to in paragraph 3 (a). Article 46 or
(f) aims at the adoption of binding company rules within the meaning of Article 47.
2. The supervisory authority, the chairman of the Privacy Council or the Commission may request that:
the Privacy Council investigates matters which have general appeal or consequences in more than one Member State;
with a view to obtaining its opinion, in particular if the competent supervisory authority does not comply with the obligations of mutual
assistance in accordance with Article 61 or joint actions in accordance with Article 62.
3. In the cases referred to in paragraphs 1 and 2, the Privacy Board shall issue its opinion on the matter.
which was referred to provided that it had not already issued an opinion on the same subject. Representatives in person
the Security Council shall adopt the opinion by a simple majority within eight weeks. The deadline can be extended by six
additional weeks given the complexity of the matter. With regard to the draft decision, which
referred to in paragraph 1, which shall be distributed to members of the Privacy Council in accordance with paragraph 5. shall be deemed to be a representative
approves the draft if he has not raised an objection within a reasonable time specified by the chairman.
4. The supervisory authorities and the Commission shall, without undue delay, send to the Privacy Board any
relevant information electronically and in a standard format, including, as appropriate, a summary of the
the facts of the case, the draft decision, the reasons why it is considered necessary to provide for such a measure
and the views of other relevant supervisory authorities.
5. The Chairman of the Privacy Council shall notify electronically, without undue delay:
(a) the representatives of the Privacy Council and the Commission for all relevant information
have been sent in standard format. The Secretariat of the Data Protection Board shall, if necessary, have the
spirit information and
(b) the supervisory authority referred to in paragraphs 1 and 2, as appropriate, and the Commission for the opinion;
and publish it.
6. The competent supervisory authority referred to in paragraph 1 shall not adopt its draft decision which:
referred to in the first paragraph. within the time limits referred to in paragraph 3.

Page 98

Nr. 90

June 27, 2018

7. The competent supervisory authority referred to in paragraph 1 shall take the utmost account of the opinion of the Data Protection Board.
and shall, within two weeks of receiving the opinion, send a notification to the Chairman of the Privacy Council
electronically as to whether it will abide by the draft decision or make changes to it and, if so
is, the amended draft decision in a standard format.
8. If the competent supervisory authority referred to in paragraph 1 informs the Chairman of the Privacy Board within
of the time limit referred to in paragraph 7. of this Article, stating that it does not intend to comply with the opinion of the Privacy Council,
in whole or in part, and argues for it, the first paragraph applies. Article 65
Article 65
Dispute resolution with the help of the Privacy Council
1. In order to ensure the correct and uniform application of this Regulation in each individual case,
the Privacy Council shall adopt a binding decision in the following cases:
(a) if the supervisory authority concerned has, in the case referred to in paragraph 4, Article 60, upheld as appropriate
and reasoned opposition to the draft decision of the Leading Authority and the Leading Authority
has not followed the objections or has rejected such objections as they are not appropriate or
smoke support. This binding decision shall cover all matters covered by this relevant and reasoned
support objections, in particular whether there is a breach of this Regulation,
(b) in the event of a dispute over which of the supervisory authorities concerned is deemed to be competent in respect of:
the headquarters,
(c) if the competent supervisory authority does not request the opinion of the Data Protection Board in the cases referred to in paragraph 1.
Article 64 or does not follow an opinion issued by the Privacy Council pursuant to Art. Article 64 In that case can
the supervisory authority concerned or the Commission shall refer the matter to the Privacy Council.
2. The Privacy Council shall adopt the decision referred to in paragraph 1 by a two-thirds majority.
votes of the members of the Council within one month of the matter being referred to it. The deadline can be extended by one
an additional month given the complexity of the matter. The decision referred to in paragraph 1 shall be:
shall be reasoned and addressed to the lead supervisory authority and all relevant supervisory authorities and shall be
binding on them.
3. If the Privacy Council has not been able to take a decision within the time limits referred to in paragraph 2,
it shall adopt the decision within two weeks of the end of the second month referred to in paragraph 2;
by a simple majority of the members of the Council. If the votes of members of the Privacy Council are equal
the decision shall be adopted by a vote of the chairman.
4. The supervisory authorities concerned shall not adopt a decision on the matter referred to the
of the Protection Council according to Paragraph 1 during the periods referred to in paragraphs 2 and 3.
5. The Chairperson of the Privacy Board shall notify the relevant supervisory authorities without undue delay.
on the decision referred to in the first paragraph. He shall inform the Commission thereof. Decisions shall be published
on the Privacy Council's website without delay after the supervisory authority has notified the final decision.
referred to in paragraph 6.
6. The supervisory authority or, as the case may be, the supervisory authority to which the complaint was lodged shall
consider their final decision on the basis of the decision referred to in paragraph 1. of this Article, without
undue delay and no later than one month after the Privacy Council announces its decision.
The lead supervisory authority or, as the case may be, the supervisory authority to which the complaint was lodged shall inform
the Data Protection Board on the day on which its final decision is notified to either the responsible party or
the processor and, on the other hand, the data subject. The final decision of the supervisory authorities concerned shall be
thickness in accordance with the terms of paragraphs 7, 8 and 9. Article 60 In the final decision, reference shall be made to the decision, which
referred to in the first paragraph. of this Article, and specify that the decision referred to in that paragraph shall be published on
the website of the Privacy Council in accordance with para. of this Article. The decision referred to in paragraph 1
of this Article, shall be accompanied by the final decision.

Page 99

Nr. 90

June 27, 2018
Article 66
Accelerated treatment

1. In exceptional cases, the supervisory authority concerned may, where it considers it necessary to:
take action to protect the rights and freedoms of registered persons, with the exception of the co-ordination system
referred to in Articles 63, 64 and 65 or the procedure referred to in Article 60, to be adopted without delay
transitional measures intended to have legal effect in its territory and to have a specific period of validity
shall not exceed three months. The supervisory authority shall without delay notify the other supervisory
authorities, the Privacy Council and the Commission on these measures and the reasons for
their thickness.
2. If the supervisory authority has taken a measure pursuant to Art. Paragraph 1 and considers it urgent to adopt definitive measures
it may request an expedited opinion or a binding expedited decision of the Privacy Council and state the reasons for
a request for such an opinion or decision.
3. Each supervisory authority may request an expedited opinion or a binding expedited decision of the Data Protection Board;
as appropriate, if the competent supervisory authority has not taken appropriate measures in circumstances which
should be acted upon promptly to protect the rights and freedoms of registered persons, and disclosed
reasons for requesting such an opinion or decision, including why it is urgent to take action.
4. Notwithstanding paragraph 3 Article 64 and the second paragraph. Article 65 shall adopt an expedited opinion or a binding expedited decision, which
referred to in paragraphs 2 and 3 of this Article, within two weeks by a simple majority of the votes of the
the Zone Protection Council.
Article 67
Exchange of information
The Commission may adopt general implementing acts specifying the arrangements
electronic exchange of information between supervisory authorities and between supervisory authorities and data protection
of the Council, in particular the standard format referred to in Article 64.
These implementing acts shall be adopted in accordance with the examination procedure referred to in paragraph 2.
mgr. Article 93
Episode 3
European Privacy Council
Article 68
European Privacy Council
1. The European Privacy Council ("the Privacy Council") is hereby established as an
Of the Union and it shall have the legal status of a legal entity.
2. The Chairman of the Privacy Council shall represent him.
3. It shall consist of the head of one supervisory authority of each Member State and of the European
of the Agency or their respective representatives.
4. Where more than one supervisory authority in a Member State is responsible for monitoring the application of the provisions of
this Regulation shall appoint a joint representative in accordance with the legislation of that Member State.
5. The Commission shall have the right to take part in the activities and meetings of the Data Protection Board without
correct. The Commission shall appoint its representative. The Chairman of the Privacy Council shall inform the
the Executive Board on its work.
6. In the cases referred to in Article 65, the European Data Protection Authority shall have the right to vote only
on decisions concerning principles and rules applicable to institutions, parties, offices and specialized agencies
Of the Union which materially correspond to the principles and rules of this Regulation.

Page 100

Nr. 90

June 27, 2018
Article 69
Independence

1. The Privacy Council shall be independent in its work and when it exercises its powers pursuant to Art.
Articles 70 and 71
2. In exercising its powers and exercising its powers, the Data Protection Board shall neither seek nor
receive instructions from other parties, subject to the requests of the Commission referred to in
Paragraphs 1 and 2 Article 70
Article 70
Tasks of the Privacy Council
1. The Privacy Council shall ensure consistency in the application of this Regulation. To this end, personal
the Security Council, either on its own initiative or, where appropriate, at the request of the Commission, in particular:
(a) monitor and ensure the correct application of this Regulation in the cases provided for in Articles 64 and 65;
without prejudice to the tasks of national regulatory authorities,
(b) advise the Commission on any matter relating to the protection of personal data in the
the Union, including proposals for amendments to this Regulation,
(c) advise the Commission on the format and methods of exchange of information between responsible parties;
processors and regulators with regard to binding corporate rules,
(d) issue guidelines, recommendations and best practices for link deletion procedures, transcripts
or replicas of personal information in publicly available electronic communications services, as applicable
referred to in the second paragraph. Article 17,
(e) examine, on its own initiative, at the request of its representative or of the Commission, any issues
concern the application of this Regulation and issue guidelines, recommendations and best practices
to encourage its uniform application,
(f) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph in order to:
specify in more detail the criteria and conditions for decisions based on the type of personal profile according to Art. 2.
mgr. Article 22,
(g) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph;
concerning the confirmation of security breaches in the processing of personal data and the determination of undue delay
referred to in paragraphs 1 and 2. Article 33 and the specific circumstances in which the guarantor or processor becomes
to report such a breach of security in the processing of personal data,
(h) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph;
in situations where a breach of security in the processing of personal data is likely to result in a major breach
risk to the rights and freedoms of the persons referred to in paragraph 1; Article 34,
(i) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph;
for further specification of the criteria and requirements for the disclosure of personal information on the basis
binding corporate rules that guarantors obey and binding corporate rules that processors obey
and further requirements necessary to ensure the protection of the personal data of the persons concerned
listed persons referred to in Article 47,
(j) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph;
for the purpose of specifying further criteria and conditions regarding the dissemination of personal information according to Art. Paragraph 1 49.
gr.,
(k) draw up guidelines for regulatory authorities on the application of the measures referred to in paragraphs 1, 2 and 3.
mgr. Article 58 and the imposition of administrative fines according to Art. Article 83,
(l) review the application of guidelines, recommendations and best practices;

Page 101

Nr. 90

June 27, 2018

(m) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph in order to:
establish a common procedure for notifying individuals of infringements
of this Regulation according to Paragraph 2 Article 54,
(n) encourage the drafting of rules of conduct and the establishment of certification schemes for
protection and privacy seals and marks according to Articles 40 and 42,
o) accept the criteria for certification according to Art. Paragraph 5 Article 42 and keep a public register of certification bodies
layer and privacy seal and mark according to Paragraph 8 Article 42 and a certified guarantor or processor
with confirmation in third countries according to Paragraph 7 Article 42,
(p) accept the requirements referred to in paragraph 3; Article 43, with regard to the accreditation of the certification body as
referred to in Article 43,
(q) provide the Commission with an opinion on the certification requirements referred to in paragraph 8; Article 43,
(r) provide the Commission with an opinion on the symbols referred to in paragraph 7. Article 12,
(s) provide the Commission with an opinion on the assessment of the adequacy of protection in a third country; or
at an international organization, also for the purpose of assessing whether a third country, territory or one or more are specified
sectors within the third country in question or an international organization no longer provides adequate protection. To that end
the Commission shall provide the Data Protection Board with all necessary documents, including correspondence with
the government of the third country in respect of the third country, territory or sector concerned, or
with the International Organization,
(t) provide an opinion on draft regulatory decisions under the relevant harmonization system
referred to in the first paragraph. Article 64, matters submitted pursuant to Art. Paragraph 2 Article 64, and issue binding decisions
according to Article 65, including in the cases referred to in Article 66,
(u) promote co-operation and the effective bilateral and multilateral exchange of information and best practices;
between the supervisory authorities,
(v) promote joint training programs and facilitate the transfer of staff between supervisory authorities
and, where applicable, vis-à-vis third country supervisory authorities or international organizations,
(w) promote the exchange of knowledge and data on data protection legislation and practices with supervisory authorities;
in the field of privacy worldwide,
x) issue an opinion on rules of conduct drawn up at Union level pursuant to Art. Paragraph 9 Article 40 and
(y) keep an electronic record, accessible to the public, of decisions taken by supervisory authorities and courts;
on matters dealt with in the coordination system.
2. When the Commission requests the advice of the Privacy Council, it may specify a time limit
given the urgency of the matter.
3. The Privacy Council shall forward its opinion, guidelines, recommendations and best practices to the
of the Commission and to the Committee referred to in Article 93. and publish publicly.
4. The Privacy Council shall, as appropriate, consult with stakeholders and give them the opportunity to:
to submit comments within a reasonable time. The Privacy Council shall, without prejudice to Article 76, act
the results of the consultation process are available to the public.
Article 71
Reports
1. The Data Protection Board shall draw up an annual report on the protection of individuals with regard to processing in the Union.
and, where applicable, third countries and international organizations. The report shall be made public and sent to the European
Parliament, the Council and the Commission.

Page 102

Nr. 90

June 27, 2018

2. The report shall include a review of the guidelines, recommendations and best practices
practices referred to in paragraph 1 (l). Article 70, is applied in practice, as well as the binding decisions referred to
in Article 65
Article 72
Procedure
1. The Privacy Council shall take decisions by a simple majority of its representatives, unless otherwise provided
otherwise in this Regulation.
2. The Privacy Council shall establish rules of procedure with two-thirds of the votes of its representatives and
organize their work arrangements.
Article 73
Chairman
1. The Privacy Council shall elect a chairman and two vice-chairmen from among its representatives by simple means
majority.
2. The term of office of the chairman and vice-chairmen is five years and may be renewed once.
Article 74
Tasks of the chairman
1. The chairman shall carry out the following duties:
a) convene meetings of the Privacy Council and prepare an agenda;
(b) notify the Leading Supervisory Authority and the relevant supervisory authorities of decisions
the Security Council agrees according to Article 65,
(c) ensure the timely implementation of the tasks of the Privacy Council, in particular as regards
the system referred to in Article 63
2. The Privacy Council shall prescribe the division of tasks between the chairman and the vice-chairmen into
its rules.
Article 75
Office
The Data Protection Board shall have an office under the auspices of the European Data Protection Authority.
2. The Secretariat carries out its tasks entirely in accordance with the instructions of the Chairman of the Privacy Council.
3. Staff of the European Agency for the Protection of Individuals with regard to
the Security Council is entrusted with this Regulation, shall follow other means of communication than the staff involved
in the implementation of tasks entrusted to the European Data Protection Agency.
4. The Data Protection Board and the European Data Protection Agency shall, as appropriate, present and publish:
a declaration of intent for the implementation of this Article, in which the terms of their co-operation are determined and which apply
applies to the staff of the European Data Protection Agency who are involved in the implementation of
the Security Council is entrusted with this Regulation.
5. The Secretariat shall assist the Data Protection Board in the areas of analysis, management and organization.
6. The Secretariat shall be responsible in particular for:
(a) the day-to-day operations of the Privacy Council;
(b) communication between the members of the Privacy Council, its Chair and the Commission;
(c) communication with other institutions and with the public;

Page 103

Nr. 90

June 27, 2018

d) the use of electronic media for internal and external communication;
(e) translations of relevant information;
(f) preparation for and follow-up to the Privacy Council;
(g) the preparation, preparation and publication of opinions, decisions on the settlement of disputes between supervisory authorities and other matters;
text approved by the Privacy Council.
Article 76
Confidentiality obligations
1. The confidentiality of the Privacy Council shall prevail if it deems it necessary, as provided
is governed by its rules of procedure.
2. Access to documents sent to representatives of the Privacy Council, experts and representatives
third party, complies with Regulation (EC) No 882/2004 of the European Parliament and of the Council. 1049/2001 ( 21 ).
VIII. CHAPTER
Remedies, liability and penalties
Article 77
The right to lodge a complaint with the supervisory authority
1. Every registered person shall, without prejudice to any other administrative or legal remedy, have:
the right to lodge a complaint with the supervisory authority, in particular in the Member State in which he has his habitual residence;
works or where the alleged breach occurred if he considers that the processing of personal data about him violates
this Regulation.
2. The supervisory authority to which the complaint was lodged shall inform the complainant of the progress and
positions due to the complaint, including the possibility of legal remedies according to Art. Article 78
Article 78
The right to an effective remedy to seek redress against the supervisory authority

Each individual or legal entity shall, without prejudice to other administrative or external remedies
courts, have the right to a practical remedy due to a legally binding decision of the supervisory authority which he
concerns.
2. Each registered person shall, without prejudice to other administrative or external remedies
courts, have the right to a practical remedy to seek redress if the supervisory authority, which is competent under Art. 55. and
Article 56, does not deal with a complaint or does not inform the data subject within three months of the progress
or the results of the complaint submitted pursuant to Art. Article 77
3. An action against a supervisory authority shall be brought before the courts of the Member State in which the supervisory authority has:
confirm.
4. If an action is brought against a decision of a supervisory authority after the Privacy Council has delivered its opinion
or a decision in the coordination system, the supervisory authority shall forward the opinion or decision in question
of the Court.
Article 79
The right to an effective remedy to seek redress against the guarantor or processor
1. Each registered person shall, without prejudice to any other existing administrative measures or
out-of-court remedies, including the right to lodge a complaint with the supervisory authority pursuant to Art. Article 77, have the right to

( 21 ) Regulation (EC) No 882/2004 of the European Parliament and of the Council 1049/2001 of 30 May 2001 on public access to European documents
of the European Parliament, of the Council and of the Commission (OJ L 145, 31.5.2001, p. 43).

Page 104

Nr. 90

June 27, 2018

an effective remedy to seek redress if he considers that his rights have been violated under this Act
Regulation on the basis that the processing of personal data about him is not in accordance with this Regulation.
2. An action shall be brought against the guarantor or the processor before the courts of the Member State in which the
the party or processor has confirmed. Otherwise, such a case may be brought before a court
of the Member State in which the data subject is domiciled, unless the guarantor or processor is public
the authority of a Member State exercising official authority.
Article 80
Representation of registered persons
A registered person shall have the right to provide to an institution, organization or association that is not run by
for profit and established in accordance with the law of a Member State, have mandatory objectives in the public interest
interests and are active in the field of the protection of the rights and freedoms of registered persons with regard to the
information about them, a power of attorney to lodge a complaint on their behalf, to exercise the rights referred to
in Articles 77, 78 and 79, on its own behalf and to exercise the right to damages referred to in Articles 82, on its behalf
if provided for in the law of the Member State.
2. A Member State may prescribe that the body, organization or association referred to in paragraph 1 of this
articles, has the right, regardless of whether the data subject has given a power of attorney, to submit, to the person in question
Member State, a complaint to the supervisory authority competent under Article 77 and to exercise the rights, as of
referred to in Articles 78 and 79, if they have reason to believe that the rights of a registered person under this Regulation
has been broken due to processing.
Article 81
Postponement of proceedings
1. The competent court of a Member State has received information concerning legal proceedings concerning the same matter
processing by the same guarantor or processor which is pending before a court in another Member State,
he shall contact the court of that Member State to ascertain whether such a case is pending.
2. If a case concerning the same matter concerning the processing of the same guarantor or processor is pending before a court,
a tribunal in another Member State may have any competent court other than the one before which the case was first brought;
adjourned its proceedings.
3. If the case is pending before the first instance court, any court other than the first instance court may
brought before the court or tribunal at the request of one of the parties if the court first seised
for, has jurisdiction over the claims and the law applicable to that court allows related claims to be filed
together.
Article 82
Right to compensation and liability
1. Anyone who has suffered property damage or material damage as a result of a breach of the provisions of this Regulation
shall be entitled to compensation from the guarantor or processor for the damage he has suffered.
2. The responsible party involved in the processing shall be liable for the damage resulting from the infringing processing.
to this Regulation. The processor shall therefore only be liable for damage resulting from processing if he does not
fulfilled obligations under this Regulation, which are specifically addressed to processors, or if he has
do not follow the lawful instructions of the responsible party or violate them.
3. The guarantor or processor shall be exempt from liability according to Art. Paragraph 2 if he can prove it
that he is not responsible for the event that caused the damage.
4. If more than one guarantor or processor, or both guarantor and processor, are involved in the same
processing and if they carry, according to Paragraphs 2 and 3, liability for damage resulting from processing shall be each responsible party or
the processor shall be liable for all damages to ensure full damages to the data subject.

Page 105

Nr. 90

June 27, 2018

5. If the guarantor or processor has paid full compensation for the damage, in accordance with paragraph 4,
he shall have the right to demand that other guarantors or processors involved in the same process,
reimburse the part of the compensation corresponding to their share of liability for the damage, in accordance with the conditions
set out in the second paragraph.
6. Proceedings for the exercise of the right to redress shall be subject to the jurisdiction of the courts
the law of the Member State referred to in paragraph 2. Article 72
Article 83
General conditions for the imposition of administrative fines
1. Each supervisory authority shall ensure that the imposition of administrative fines under this Article for infringements
of this Regulation, referred to in paragraphs 4, 5 and 6, shall in each case be effective, proportionate and dissuasive.
warning effect.
2. Administrative fines shall be imposed, as appropriate in each case, in addition to or instead of measures
referred to in points (a) to (h) and (j) of paragraph 2. Article 58 When deciding whether to impose an administrative fine and amount
the fine is determined in each case, the following shall be duly taken into account:
(a) the nature, extent and duration of the violation, in terms of its nature, extent or
the course of the processing in question and the number of registered persons who were affected by it and the
the damage they suffered,
(b) whether the offense was committed intentionally or through negligence;
(c) actions taken by the controller or processor in order to reduce the loss of data subjects;
individuals,
(d) the degree of technical and organizational responsibility of the controller or processor;
measures that he has implemented according to Articles 25 and 32,
(e) any relevant offenses committed by the guarantor or processor, if any;
(f) the scope of cooperation with the supervisory authority in order to remedy the infringement and reduce any potential harmful
its effects,
(g) the categories of personal data affected;
(h) the manner in which the infringement was notified to the Authority, in particular whether, and to what extent;
the guarantor or processor reported the breach,
(i) compliance with the measures referred to in paragraph 2; Article 58, if such measures have been prescribed before
against the relevant guarantor or processor in respect of the same matter,
j) compliance with accepted rules of conduct according to Art. Article 40 or an approved certification scheme according to Art. Article 42 and
(k) other burdensome or mitigating factors affecting the circumstances of the case, such as profits made or
loss that was avoided, directly or indirectly, due to the violation.
3. If the guarantor or processor violates, intentionally or negligently, more than one provision of this
of the Regulation for the same or related processing operations, the total amount of the administrative fine shall not be higher
but the amount specified for the most serious offense.
Violations of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines amounting to
to EUR 10 000 000 or, in the case of a company, up to 2% of the company's total annual turnover worldwide.
in the preceding financial year, whichever is higher:
a) the obligations of the guarantor and processor according to Art. Articles 8, 11, 25-39 gr. and 42-43. gr.,
b) the obligations of the certification body according to Art. Articles 42 and 43,
c) the obligations of the supervisory body according to Art. Paragraph 4 Article 41

Page 106

Nr. 90

June 27, 2018

Violations of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines amounting to
to EUR 20 000 000 or, in the case of a company, up to 4% of the company's total annual turnover worldwide.
in the preceding financial year, whichever is higher:
a) basic principles of processing, including conditions for approval, cf. Articles 5, 6, 7 and 9,
b) the rights of registered persons according to Art. 12. – 22. gr.,
c) disclosure of personal information to a recipient in a third country or international organization according to Art. 44. – 49. gr.,
(d) obligations under the law of a Member State adopted pursuant to IX. chapter,
(e) non-compliance with temporary or temporary or permanent restrictions on processing or temporary
suspension of data flow by the supervisory authority according to Art. Paragraph 2 Article 58 or does not comply with the obligation to
provide access according to Paragraph 1 Article 58
6. If the instructions of the supervisory authority are not complied with, as referred to in paragraph 2. Article 58, it shall apply, in
in accordance with para. of this Article, administrative fines amounting to up to 20 000 000 euros or, if applicable
companies, up to 4% of the company's total annual global turnover in the last financial year, whether
rather is higher.
7. Without prejudice to the powers of the supervisory authorities to take remedial measures pursuant to Art. Paragraph 2 Article 58 is
each Member State may lay down rules on whether and to what extent it may impose
administrative fines on public authorities and bodies established in the Member State.
8. The exercise by the supervisory authority of its powers under this Article shall be subject to the appropriate legal
rules of procedure in accordance with Union law and the law of a Member State, including effective legal protection and fairness
procedure.
9. If a provision on administrative fines is not contained in the legal system of the Member State, this may be applied
Article so that the competent supervisory authority initiates the fine and the competent national courts impose it
but at the same time it is ensured that these legal remedies are effective and have the same effect as administrative fines that
supervisory authorities impose. However, fines imposed must always be effective, proportionate and dissuasive.
side effects. The Member States concerned shall notify the Commission of the provisions by 25 May 2018 at the latest
of the Act which they adopt in accordance with this paragraph and shall without delay notify subsequent amendments or
changes that affect them.
Article 84
Penalties
1. Member States shall lay down the rules on penalties applicable to infringements of this Regulation, in particular infringements
which do not concern administrative fines according to Art. Article 83, and shall take all necessary measures to ensure that
that they have been implemented. Such penalties shall be effective, proportionate and dissuasive.
effect.
2. Each Member State shall notify the Commission by 25 May 2018 of the provisions of national law
which they have approved according to Paragraph 1 and shall immediately notify any subsequent changes affecting them.
IX. CHAPTER
Provisions concerning special processing conditions
Article 85
Processing and freedom of expression and information
1. Member States shall by law harmonize the right to the protection of personal data under this Act
regulation and the right to freedom of expression and information, including processing for journalism and academic activities
human or artistic or literary expression.
2. In the case of processing for the benefit of journalism or the activities of scholars or artistic or literary
Member States shall provide for derogations or derogations from Annex II. Chapter III (Principles), III. chapter

Page 107

Nr. 90

June 27, 2018

(rights of a registered person), IV. Chapter V (responsible party and processor), Chapter V (dissemination of personal information
to third countries or international organizations), VI. Chapter VII (Independent Regulatory Authorities), VII. chapter (co-operation and co-ordination)
and IX. Chapter (data processing in certain circumstances) if it is necessary to harmonize the right to protection
personal information and the right to freedom of expression and information.
3. Each Member State shall notify the Commission of the provisions of national law which it has adopted
according to Paragraph 2 and shall without delay notify subsequent amendments or amendments affecting them.
Article 86
Processing and public access to public documents
A public authority, public institution or private party may provide personal information from the public
documents held by the authority, institution or body for the implementation of a project for the
human interests, in accordance with Union law or the law of a Member State which is the official authority or body
to harmonize public access to public documents and the right to the protection of personal data.
information under this Regulation.
Article 87
Processing of national identification number
Member States may further determine the specific conditions applicable to the processing of national identification
numbers or other general identifiers. In this case, use only the national identification number or
another general indication is that appropriate safeguards are in place for the rights and freedoms of the data subject
under this Regulation.
Article 88
Processing in a work-related context
1. Member States may, by law or collective agreement, lay down specific rules to ensure:
protection of rights and freedoms in the processing of an employee's personal data in a work-related context, in particular
with regard to employment, implementation of an employment contract, including fulfillment of obligations laid down in
laws or collective agreements, management, preparation and organization of work, equality and diversity
in the workplace, health and safety at work, protection of the employer's or client's assets and the
work-related rights and benefits are used and enjoyed jointly or individually, as well as in them
purpose of terminating the employment relationship.
2. These rules shall include appropriate and specific measures to protect the human dignity of the data subject;
its legitimate interests and fundamental rights, with special regard to the transparency of processing, dissemination
personal information within a group of companies or a group of companies engaged in joint business activities
and on-site monitoring systems.
3. Each Member State shall notify the Commission by 25 May 2018 of the provisions of national law
which they have approved according to Paragraph 1 and shall immediately notify any subsequent changes affecting them.
Article 89
Safeguard measures and exemptions relating to the processing of archives for the benefit of
public interest, research in the field of science or history or for statistical purposes
1. Processing for archiving in the public interest, research in the field of science or history or in
statistical purposes shall be subject to appropriate measures to protect the rights and freedoms of the data subject in
in accordance with this Regulation. These safeguards shall ensure that technical and organizational measures
be made, in particular to ensure compliance with the principle of data minimization. Use of artificial
identification can be among these measures, provided that these objectives can be achieved with them
quit. If the objectives in question can be achieved through further processing that does not allow, or no longer allows,
personal identification of registered persons, these objectives shall be achieved in that way.
2. When the processing of personal data is carried out for the purpose of research in the field of science or history or in statistical
For specific purposes, the laws of the Union or the laws of a Member State may provide for exemptions from the rights conferred by

Page 108

Nr. 90

June 27, 2018

referred to in Articles 15, 16, 18 and 21, without prejudice to the conditions and safeguard measures referred to in paragraph 1.
of this Article, in so far as such rights are deemed impossible or significantly impede
that the relevant objectives can be achieved and such exemptions are necessary to achieve them.
3. When the processing of personal data is carried out for the purpose of archiving in the public interest, the
of the Union or the law of a Member State provides for exemptions from the rights referred to in Articles 15, 16, 18, 19,
Articles 20 and 21, without prejudice to the conditions and safeguard measures referred to in paragraph 1. of this Article, that so
to the extent that these rights can be considered impossible or significantly impede their attainment
the relevant objectives and such exemptions are necessary to achieve them.
4. Where the processing referred to in paragraphs 2 and 3 serves a different purpose at the same time, the exemptions
apply only to processing for the purpose referred to in those paragraphs.
Article 90
Confidentiality
1. Member States may adopt specific rules for determining the powers of the supervisory authorities, as
is provided for in points e and f of the first paragraph. Article 58, with regard to guarantors or processors, who fall under the
obligation under the laws of the Union or the laws of a Member State or the rules of competent national bodies
set, or other equivalent obligations of secrecy when such proves necessary and reasonable to harmonize
the right to the protection of personal data and confidentiality. These rules should apply only in the light of
personal information that the controller or processor has received as a result of or in connection with activities that
falls under this duty of confidentiality.
2. Each Member State shall notify the Commission by 25 May 2018 of any such rules
has approved according to Paragraph 1 and shall without delay notify any subsequent changes affecting them.
Article 91
Rules of denominations and religious organizations on the protection of personal information
1. If denominations and religious organizations or denominations in a Member State apply broad rules, when this Regulation
enter into force on the protection of individuals with regard to processing, such rules may continue to apply, provided that:
that they are brought into line with this Regulation.
2. Church denominations and religious organizations that apply broad rules in accordance with the first paragraph. of this Article, shall
subject to the supervision of an independent supervisory authority, which may be specific, provided that it satisfies the conditions
laid down in VI. chapter of this Regulation.
CHAPTER X
Assigned acts and acts
Article 92
Application of extradition
1. The Commission shall be empowered to approve delegated acts, cf. however, the conditions laid down
for about in this article.
2. The transfer of power referred to in paragraph 8 Article 12 and the 8th paragraph. Article 43, shall be entrusted to the Commission
indefinite period from 24 May 2016.
3. The transfer of power referred to in paragraph 8 may be revoked at any time by the European Parliament or by the Council.
Article 12 and the 8th paragraph. Article 43 A decision on revocation shall put an end to the transfer of the specified power
is in that decision. It shall enter into force on the day following that of its publication in the Official Journal of the European Union , or
later, as specified in the decision. It shall not affect the validity of existing delegated acts
valid.
4. As soon as the Commission approves the delegated act, it shall also notify the European
Parliament and the Council.

Page 109

Nr. 90

June 27, 2018

5. Assigned type, which is approved according to Paragraph 8 Article 12 and the 8th paragraph. Article 43, shall therefore only enter into force
The European Parliament or the Council has not objected within three months of the notification of the act
to the European Parliament and to the Council or if both the European Parliament and the Council have informed the Commission, before
the deadline has passed, about their intention not to raise objections. This time limit shall be extended by three
months initiated by the European Parliament or by the Council.
Article 93
Committee proceedings
1. The Commission shall be assisted by a committee. This committee shall be a committee within the meaning of the Regulation
(ESB) no. 182/2011.
Where reference is made to this paragraph, the provisions of Article 5 shall apply. Regulation (EU) no. 182/2011.
3. Where reference is made to this paragraph, Article 8 shall apply. Regulation (EU) no. 182/2011 in connection with Article 5.
her.
XI. CHAPTER
Final provisions
Article 94
Repeal of Directive 95/46 / EC
Directive 95/46 / EC is repealed with effect from 25 May 2018.
References to the repealed Directive shall be construed as references to this Regulation. References should be considered
the Working Party on the Protection of Individuals with regard to the Processing of Personal Data, set up by 29.
gr. of Directive 95/46 / EC, as references to the European Privacy Council established by this
regulation.
Article 95
Relationship with Directive 2002/58 / EC
This Regulation shall not impose additional obligations on individuals or legal entities in connection with
provision of publicly available electronic communications services on public telecommunications networks in the Union
in the case of matters where they fall under specific obligations with the same objective as set out in
Directive 2002/58 / EC.
Article 96
Relationship with previously concluded agreements
International agreements covering the transfer of personal data to third countries or international organizations to which
States did before 24 May 2016 and comply with Union law in force on that date, shall apply
continue until they are changed, they are replaced or revoked.
Article 97
Commission reports
1. The Commission shall, no later than 25 May 2020 and every four years thereafter, submit a report
The European Parliament and the Council on the evaluation and revision of this Regulation. The reports shall be made public.
2. In the context of the evaluation and review referred to in paragraph 1, the Commission shall, in particular:
application and implementation:
(a) Chapter V on the transfer of personal data to third countries or international organizations, with special reference to
decisions approved pursuant to Art. Paragraph 3 Article 45 of this Regulation and the decisions adopted
ar on the basis of para. Article 25 of Directive 95/46 / EC,
b) VII. chapter on co-operation and co-ordination.

Page 110

Nr. 90

June 27, 2018

3. That the first paragraph. In this case, the Commission may request information from Member States and
authorities.
4. When carrying out the evaluation and audit referred to in paragraphs 1 and 2, the Commission shall take action
taking into account the positions and conclusions of the European Parliament, the Council and other relevant bodies or sources.
5. The Commission shall, if necessary, submit appropriate proposals for amendments thereto
regulation, in particular with regard to developments in the field of information technology and in the light of progress in the information society.
Article 98
Review of other Union legal acts in the field of privacy
The Commission shall, if appropriate, submit proposals for new legislation with a view to amending other
Union legislation on the protection of personal data in order to ensure harmonized and harmonized protection of
linga with respect to processing. This applies in particular to rules on the protection of individuals with regard to the processing of institutions,
parties, offices and specialized agencies of the Union and on the free dissemination of such information.
Article 99
Entry into force and application
1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union .
2. It will be implemented from 25 May 2018.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 27 April 2016.

On behalf of the European Parliament,
M. SCHULZ

On behalf of the Council,
YES HENNIS PLASSCHAERT

President.

President.

__________
Division A - Published: 28 June 2018

