ep position/amendments regulation of the · 2015-04-04 · ep position/amendments 2012/0011(c od)...


Version 21/04/15 – Council’s consolidated version of March 2015 Page 1 of 630

COM (2012)0011 EP Position/amendments 2012/0011(COD)

Council Position Doc.15395/14

Comments / compromise suggestions

Proposal for a Proposal for a Proposal for a

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16(2) and Article 114(1) thereof,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16(2) and Article 114(1) thereof,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16(2) (…) thereof,

Having regard to the proposal from the European Commission,

Having regard to the proposal from the European Commission,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national Parliaments,

After transmission of the draft legislative act to the national parliaments,

After transmission of the draft legislative act to the national Parliaments,

Having regard to the opinion of the European Economic and Social Committee1,

1 OJ C , , p. .

Having regard to the opinion of the European Economic and Social Committee1,

1 OJ C 229, 31.7.2012, p. 90.

Having regard to the opinion of the European Economic and Social Committee1,

1 OJ C, p. . .


After consulting the Committee of the Regions,

After consulting the European Data Protection Supervisor2,

2 OJ C , , p.

After consulting Having regard to the opinion of the European Data Protection Supervisor2

2 OJ C 192, 30.6.2012, p. 7.

After consulting the European Data Protection Supervisor2,

Acting in accordance with the ordinary legislative procedure

Acting in accordance with the ordinary legislative procedure3

3 Position of the European Parliament of 12 March 2014.

Acting in accordance with the ordinary legislative procedure,

Whereas: Whereas: Whereas:

(1) The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union and Article 16(1) of the Treaty lay down that everyone has the right to the protection of personal data concerning him or her.

(1) The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union ('Charter') and Article 16(1) of the Treaty lay down that everyone has the right to the protection of personal data concerning him or her.

(1) The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union and Article 16(1) of the Treaty lay down that everyone has the right to the protection of personal data concerning him or her.

2 OJ C p. .


(2) The processing of personal data is designed to serve man; the principles and rules on the protection of individuals with regard to the processing of their personal data should, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably their right to the protection of personal data. It should contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, the strengthening and the convergence of the economies within the internal market, and the well-being of individuals.

(2) The processing of personal data is designed to serve man; the principles and rules on the protection of individuals with regard to the processing of their personal data should, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably their right to the protection of personal data. It should contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, the strengthening and the convergence of the economies within the internal market, and the well-being of individuals.

(2) The processing of personal data is designed to serve man; the principles and rules on the protection of individuals with regard to the processing of their personal data should, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably their right to the protection of personal data. It should contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, the strengthening and the convergence of the economies within the internal market, and the well-being of individuals.

(3) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data3 seeks to harmonise the

(3) Directive 95/46/EC of the European Parliament and of the Council1 of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data4 seeks to harmonise the

(3) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data5 seeks to harmonise the

3 OJ L 281, 23.11.1995, p. 31.

4 OJ L 281, 23.11.1995, p. 31.

5 OJ L 281, 23.11.1995, p. 31.


protection of fundamental rights and freedoms of natural persons in respect of processing activities and to guarantee the free flow of personal data between Member States.

protection of fundamental rights and freedoms of natural persons in respect of processing activities and to guarantee the free flow of personal data between Member States.

1 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31).

protection of fundamental rights and freedoms of natural persons in respect of processing activities and to guarantee the free flow of personal data between Member States.

(3a) The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced with other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the principles recognised in the Charter of Fundamental Rights of the European Union as enshrined in the Treaties, notably the right to respect for private and family life, home and communications, the right to the protection of personal data, the freedom of thought,


conscience and religion, the freedom of expression and information, the freedom to conduct a business, the right to an effective remedy and to a fair trial as well as cultural, religious and linguistic diversity

(4) The economic and social integration resulting from the functioning of the internal market has led to a substantial increase in cross-border flows. The exchange of data between economic and social, public and private actors across the Union increased. National authorities in the Member States are being called upon by Union law to co-operate and exchange personal data so as to be able to perform their duties or carry out tasks on behalf of an authority in another Member State.

(4) The economic and social integration resulting from the functioning of the internal market has led to a substantial increase in cross-border flows. The exchange of data between economic and social, public and private actors across the Union increased. National authorities in the Member States are being called upon by Union law to co-operate and exchange personal data so as to be able to perform their duties or carry out tasks on behalf of an authority in another Member State.

(4) The economic and social integration resulting from the functioning of the internal market has led to a substantial increase in cross-border flows. The exchange of data between economic and social, public and private actors, including individuals and undertakings across the Union has increased. National authorities in the Member States are being called upon by Union law to co-operate and exchange personal data so as to be able to perform their duties or carry out tasks on behalf of an authority in another Member State.

(5) Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of data sharing and collecting has increased spectacularly.

(5) Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of data sharing and collecting has increased spectacularly.

(5) Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of data sharing and collecting has increased spectacularly.


Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Individuals increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and requires to further facilitate the free flow of data within the Union and the transfer to third countries and international organisations, while ensuring an high level of the protection of personal data.

Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Individuals increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and requires to further facilitate the free flow of data within the Union and the transfer to third countries and international organisations, while ensuring an high level of the protection of personal data.

Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Individuals increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data.

(6) These developments require building a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance to create the trust that will allow the digital economy to develop across the internal market. Individuals should have control of their own personal data and legal and practical certainty for individuals, economic operators and public authorities should be reinforced.

(6) These developments require building a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance to create the trust that will allow the digital economy to develop across the internal market. Individuals should have control of their own personal data and legal and practical certainty for individuals, economic operators and public authorities should be reinforced.

(6) These developments require building a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance to of create creating the trust that will allow the digital economy to develop across the internal market. Individuals should have control of their own personal data and legal and practical certainty for individuals, economic operators and public authorities should be reinforced.


(7) The objectives and principles of Directive 95/46/EC remain sound, but it has not prevented fragmentation in the way data protection is implemented across the Union, legal uncertainty and a widespread public perception that there are significant risks for the protection of individuals associated notably with online activity. Differences in the level of protection of the rights and freedoms of individuals, notably to the right to the protection of personal data, with regard to the processing of personal data afforded in the Member States may prevent the free flow of personal data throughout the Union. These differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law. This difference in levels of protection is due to the existence of differences in the implementation and application of Directive 95/46/EC.

(7) The objectives and principles of Directive 95/46/EC remain sound, but it has not prevented fragmentation in the way data protection is implemented across the Union, legal uncertainty and a widespread public perception that there are significant risks for the protection of individuals associated notably with online activity. Differences in the level of protection of the rights and freedoms of individuals, notably to the right to the protection of personal data, with regard to the processing of personal data afforded in the Member States may prevent the free flow of personal data throughout the Union. These differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law. This difference in levels of protection is due to the existence of differences in the implementation and application of Directive 95/46/EC.

(7) The objectives and principles of Directive 95/46/EC remain sound, but it has not prevented fragmentation in the way data protection is implemented across the Union, legal uncertainty and a widespread public perception that there are significant risks for the protection of individuals associated notably with online activity. Differences in the level of protection of the rights and freedoms of individuals, notably to the right to the protection of personal data, with regard to the processing of personal data afforded in the Member States may prevent the free flow of personal data throughout the Union. These differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law. This difference in levels of protection is due to the existence of differences in the implementation and application of Directive 95/46/EC.


(8) In order to ensure consistent and high level of protection of individuals and to remove the obstacles to flows of personal data, the level of protection of the rights and freedoms of individuals with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union.

(8) In order to ensure consistent and high level of protection of individuals and to remove the obstacles to flows of personal data, the level of protection of the rights and freedoms of individuals with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union.

(8) In order to ensure consistent and high level of protection of individuals and to remove the obstacles to flows of personal data, the level of protection of the rights and freedoms of individuals with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. Regarding the processing of personal data for compliance with a legal obligation,6 for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation. In conjunction with the general and

6 AT, supported by SI, made a proposal for a separate Article 82b which would allow Member States to adopt specific private sector provisions for specific situations (15768/14 DATAPROTECT 176 JAI 908 MI 916 DRS 156 DAPIX 179 FREMP 215 COMIX 623 CODEC 2300). The Presidency thinks that the revised recital 8 read together with Article 1(2a) sufficiently caters for this concern.


horizontal law on data protection implementing Directive 95/46/EC Member States have several sector specific laws in areas that need more specific provisions. This Regulation also provides a margin of manoeuvre for Member States to specify its rules. Within this margin of manoeuvre sector-specific laws that Member States have issued implementing Directive 95/46/EC should be able to be upheld.

(9) Effective protection of personal data throughout the Union requires strengthening and detailing the rights of data subjects and the obligations of those who process and determine the processing of personal data, but also equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for offenders in the Member States.

(9) Effective protection of personal data throughout the Union requires strengthening and detailing the rights of data subjects and the obligations of those who process and determine the processing of personal data, but also equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for offenders in the Member States.

(9) Effective protection of personal data throughout the Union requires strengthening and detailing the rights of data subjects and the obligations of those who process and determine the processing of personal data, but also equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for offenders in the Member States.

(10) Article 16(2) of the Treaty mandates the European Parliament and the Council to lay down the rules relating to the protection of

(10) Article 16(2) of the Treaty mandates the European Parliament and the Council to lay down the rules relating to the protection of

(10) Article 16(2) of the Treaty mandates the European Parliament and the Council to lay down the rules relating to the protection of


individuals with regard to the processing of personal data and the rules relating to the free movement of personal data.

individuals with regard to the processing of personal data and the rules relating to the free movement of personal data.

individuals with regard to the processing of personal data and the rules relating to the free movement of personal data

(11) In order to ensure a consistent level of protection for individuals throughout the Union and to prevent divergences hampering the free movement of data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide individuals in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective co-operation by the supervisory authorities of different Member States. To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a number of derogations.

(11) In order to ensure a consistent level of protection for individuals throughout the Union and to prevent divergences hampering the free movement of data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide individuals in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective co-operation by the supervisory authorities of different Member States. To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a number of derogations. In addition, the Union

(11) In order to ensure a consistent level of protection for individuals throughout the Union and to prevent divergences hampering the free movement of data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide individuals in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective co-operation by the supervisory authorities of different Member States. The proper functioning of the internal market requires that the free movement of personal data within the Union should not be restricted or prohibited for


In addition, the Union institutions and bodies, Member States and their supervisory authorities are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. The notion of micro, small and medium-sized enterprises should draw upon Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises.

institutions and bodies, Member States and their supervisory authorities are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. The notion of micro, small and medium-sized enterprises should draw upon Commission Recommendation 2003/361/EC1 of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises.

1 Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).

reasons connected with the protection of individuals with regard to the processing of personal data.

To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a number of derogations. In addition, the Union institutions and bodies, Member States and their supervisory authorities are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. The notion of micro, small and medium-sized enterprises should draw upon Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises.

(12) The protection afforded by this Regulation concerns natural persons, whatever their nationality or place of residence, in relation to the processing of personal data. With regard to the processing of data which concern legal persons and in particular undertakings

(12) The protection afforded by this Regulation concerns natural persons, whatever their nationality or place of residence, in relation to the processing of personal data. With regard to the processing of data which concern legal persons and in particular undertakings

(12) The protection afforded by this Regulation concerns natural persons, whatever their nationality or place of residence, in relation to the processing of personal data. With regard to the processing of data which concern legal persons and in particular undertakings


established as legal persons, including the name and the form of the legal person and the contact details of the legal person, the protection of this Regulation should not be claimed by any person. This should also apply where the name of the legal person contains the names of one or more natural persons.

established as legal persons, including the name and the form of the legal person and the contact details of the legal person, the protection of this Regulation should not be claimed by any person. This should also apply where the name of the legal person contains the names of one or more natural persons.

established as legal persons, including the name and the form of the legal person and the contact details of the legal person, the protection of this Regulation should not be claimed by any person. This should also apply where the name of the legal person contains the names of one or more natural persons.

(13) The protection of individuals should be technologically neutral and not depend on the techniques used; otherwise this would create a serious risk of circumvention. The protection of individuals should apply to processing of personal data by automated means as well as to manual processing, if the data are contained or are intended to be contained in a filing system. Files or sets of files as well as their cover pages, which are not structured according to specific criteria, should not fall within the scope of this Regulation.

(13) The protection of individuals should be technologically neutral and not depend on the techniques used; otherwise this would create a serious risk of circumvention. The protection of individuals should apply to processing of personal data by automated means as well as to manual processing, if the data are contained or are intended to be contained in a filing system. Files or sets of files as well as their cover pages, which are not structured according to specific criteria, should not fall within the scope of this Regulation.

(13) The protection of individuals should be technologically neutral and not depend on the techniques used; otherwise this would create a serious risk of circumvention. The protection of individuals should apply to processing of personal data by automated means as well as to manual processing, if the data are contained or are intended to be contained in a filing system. Files or sets of files as well as their cover pages, which are not structured according to specific criteria, should not fall within the scope of this Regulation.


Amendment 1

(14) This Regulation does not address issues of protection of fundamental rights and freedoms or the free flow of data related to activities which fall outside the scope of Union law, nor does it cover the processing of personal data by the Union institutions, bodies, offices and agencies, which are subject to Regulation (EC) No 45/20017, or the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union.

(14) This Regulation does not This Regulation does not address issues of protection of fundamental rights and freedoms or the free flow of data related to activities which fall outside the scope of Union law, nor does it cover the processing of personal data by the Union institutions, bodies, offices and agencies, which are subject to. Regulation (EC) No 45/2001, or the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union of the European Parliament and of the Council441 should be brought in line with this Regulation and applied in accordance with this Regulation.

________________

44 1 Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals

(14) This Regulation does not address issues of protection of fundamental rights and freedoms or the free flow of data related to activities which fall outside the scope of Union law, such as activities concerning national security, taking into account Articles 3 to 6 of the Treaty on the Functioning of the European Union nor does it cover the processing of personal data by the Union institutions, bodies, offices and agencies, which are subject to Regulation (EC) No 45/20018, or the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union.

7 OJ L 8, 12.1.2001, p. 1.

8 OJ L 8, 12.1.2001, p. 1.


with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1).

(14a) Regulation (EC) No 45/2001⁹ applies to the processing of personal data by the Union institutions, bodies, offices and agencies. Regulation (EC) No 45/2001 and other Union legal instruments applicable to such processing of personal data should be adapted to the principles and rules of this Regulation.

Amendment 2

(15) This Regulation should not apply to processing of personal data by a natural person, which are exclusively personal or domestic, such as correspondence and the holding of addresses, and without any gainful interest and thus without any connection with a professional or commercial activity. The exemption should also not apply to controllers or

(15) This Regulation should not apply to processing of personal data by a natural person, which are exclusively personal, family-related, or domestic, such as correspondence and the holding of addresses or a private sale, and without any gainful interest and thus without any connection with a professional or commercial activity. The exemption should also

(15) This Regulation should not apply to processing of personal data by a natural person in the context of a, which are exclusively personal or domestic household activity, such as correspondence and the holding of addresses, and without any gainful interest and thus without any connection with a professional or commercial activity. Personal and household activities

9 OJ L 8, 12.1.2001, p. 1.


processors which provide the means for processing personal data for such personal or domestic activities.

not apply to controllers or processors which provide the means for processing personal data for such personal or domestic activities. However, this Regulation should apply to controllers and processors which provide the means for processing personal data for such personal or domestic activities.

include social networking and on-line activity undertaken within the context of such personal and household activities. However, this Regulation The exemption should also not apply to controllers or processors which provide the means for processing personal data for such personal or domestic activities.

(16) The protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data, is subject of a specific legal instrument at Union level. Therefore, this Regulation should not apply to the processing activities for those purposes. However, data processed by public authorities under this Regulation when used for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal

(16) The protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data, is subject of a specific legal instrument at Union level. Therefore, this Regulation should not apply to the processing activities for those purposes. However, data processed by public authorities under this Regulation when used for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties should be governed by the

(16) The protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences and, for these purposes, the maintenance of public order, or the execution of criminal penalties, and the free movement of such data, is subject of a specific legal instrument at Union level. Therefore, this Regulation should not apply to the processing activities for those purposes. However, data processed by public authorities under this Regulation when used for the purposes of prevention, investigation, detection or prosecution of criminal offences


penalties should be governed by the more specific legal instrument at Union level (Directive XX/YYY).

more specific legal instrument at Union level (Directive XX/YYY(Directive 2014/.../EU of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data).

or the execution of criminal penalties should be governed by the more specific legal instrument at Union level (Directive XX/YYY).

When processing of personal data by (...) private bodies falls within the scope of this Regulation, this Regulation should provide for the possibility for Member States under specific conditions to restrict by law certain obligations and rights when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard specific important interests including public security and the prevention, investigation, detection and prosecution of criminal offences. This is relevant for instance in the framework of anti-money laundering or the activities of forensic laboratories.

(16a) While this Regulation applies also to the activities of courts and other judicial authorities, Union or Member State law could specify the processing operations and processing procedures in relation


to the processing of personal data by courts and other judicial authorities. The competence of the supervisory authorities should not cover the processing of personal data when courts are acting in their judicial capacity, in order to safeguard the independence of the judiciary in the performance of its judicial tasks, including its decision-making. Supervision of such data processing operations may be entrusted to specific bodies within the judicial system of the Member State, which should in particular control compliance with the rules of this Regulation, promote the awareness of the judiciary of their obligations under this Regulation and deal with complaints in relation to such processing.

(17) This Regulation should be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.

(17) This Regulation should be without prejudice to the application of Directive 2000/31/EC of the European Parliament and of the Council¹, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.

(17) Directive 2000/31/EC does not apply to questions relating to information society services covered by this Regulation. That Directive seeks to contribute to the proper functioning of the internal market by ensuring the free movement of information society


1 Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce) (OJ L 178, 17.7.2000, p. 1).

services between Member States. Its application should not be affected by this Regulation. This Regulation should therefore be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.

Amendment 3

(18) This Regulation allows the principle of public access to official documents to be taken into account when applying the provisions set out in this Regulation.

(18) This Regulation allows the principle of public access to official documents to be taken into account when applying the provisions set out in this Regulation. Personal data in documents held by a public authority or public body may be disclosed by that authority or body in accordance with Union or Member State law regarding public access to official documents, which reconciles the right to data protection with the right of public access to official documents and constitutes a fair balance of the various interests involved.

(18) This Regulation allows the principle of public access to official documents to be taken into account when applying the provisions set out in this Regulation. Public access to official documents may be considered as a public interest. Personal data in documents held by a public authority or a public body may be publicly disclosed by this authority or body if the disclosure is provided for by Union law or Member State law to which the public authority or public body is subject. Such laws should reconcile the interest of public access to official documents with the right to the protection of personal data.


(19) Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union or not. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in this respect.

(19) Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union or not. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in this respect.

(19) Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union or not. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in this respect.

Amendment 4

(20) In order to ensure that individuals are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects residing in the Union by a controller not established in the Union should be subject to this Regulation where the processing activities are related to the offering of goods or services to such data subjects, or to the monitoring of the

(20) In order to ensure that individuals are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects residing in the Union by a controller not established in the Union should be subject to this Regulation where the processing activities are related to the offering of goods or services, irrespective of whether connected to a payment or

(20) In order to ensure that individuals are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects residing in the Union by a controller not established in the Union should be subject to this Regulation where the processing activities are related to the offering of goods or services to such data subjects, or to the monitoring of the


behaviour of such data subjects.

not, to such data subjects, or to the monitoring of the behaviour of such data subjects. In order to determine whether such a controller is offering goods or services to such data subjects in the Union, it should be ascertained whether it is apparent that the controller is envisaging the offering of services to data subjects in one or more Member States in the Union.

behaviour of such data subjects irrespective of whether connected to a payment or not, which takes place in the Union. In order to determine whether such a controller is offering goods or services to such data subjects in the Union, it should be ascertained whether it is apparent that the controller is envisaging doing business with data subjects residing in one or more Member States in the Union. Whereas the mere accessibility of the controller’s or an intermediary’s website in the Union or of an email address and of other contact details or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, and/or the mentioning of customers or users residing in the Union, may make it apparent that the controller envisages offering goods or


services to such data subjects in the Union.

Amendment 5

(21) In order to determine whether a processing activity can be considered to ‘monitor the behaviour’ of data subjects, it should be ascertained whether individuals are tracked on the internet with data processing techniques which consist of applying a ‘profile’ to an individual, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

(21) In order to determine whether a processing activity can be considered to ‘monitor the behaviour’ of data subjects, it should be ascertained whether individuals are tracked on the internet with, regardless of the origins of the data, or if other data about them are collected, including from public registers and announcements in the Union that are accessible from outside of the Union, including with the intention to use, or potential of subsequent use of data processing techniques which consist of applying a ‘profile’ to an individual, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

(21) The processing of personal data of data subjects residing in the Union by a controller not established in the Union should also be subject to this Regulation when it is related to the monitoring of their behaviour taking place within the European Union. In order to determine whether a processing activity can be considered to ‘monitor the behaviour’ of data subjects, it should be ascertained whether individuals are tracked on the internet with data processing techniques which consist of applying a ‘profile’ to profiling an individual, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

(22) Where the national law of a Member State applies by virtue of

(22) Where the national law of a Member State applies by virtue of

(22) Where the national law of a Member State applies by virtue of


public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State's diplomatic mission or consular post.

public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State's diplomatic mission or consular post.

public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State's diplomatic mission or consular post.

Amendment 6

(23) The principles of protection should apply to any information concerning an identified or identifiable person. To determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the individual. The principles of data protection should not apply to data rendered anonymous in such a way that the data subject is no longer identifiable.

(23) The principles of data protection should apply to any information concerning an identified or identifiable natural person. To determine whether a person is identifiable, account should be taken of all the means likely reasonably likely to be used either by the controller or by any other person to identify or single out the individual directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the individual, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration both available technology at the time of the processing and technological development. The principles of

(23) The principles of data protection should apply to any information concerning an identified or identifiable natural person. Data including pseudonymised data, which could be attributed to a natural person by the use of additional information, should be considered as information on an identifiable natural person. To determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the individual directly or indirectly. To ascertain whether means are reasonable likely to be used to identify the individual, account should be taken of all objective factors, such as the costs of and


data protection should therefore not apply to anonymous data rendered anonymous in such a way that the data subject is no longer identifiable, which is information that does not relate to an identified or identifiable natural person. This Regulation does therefore not concern the processing of such anonymous data, including for statistical and research purposes.

the amount of time required for identification, taking into consideration both available technology at the time of the processing and technological development. The principles of data protection should therefore not apply to anonymous information, that is information which does not relate to an identified or identifiable natural person or to data rendered anonymous in such a way that the data subject is not or no longer identifiable. This Regulation does therefore not concern the processing of such anonymous information, including for statistical and research purposes.

The principles of data protection should not apply to deceased persons, unless information on deceased persons is related to an identified or identifiable natural person.¹⁰

(23a) The application of pseudonymisation to personal data can reduce the risks for the data

10 The question of the application of the Regulation to deceased persons may need to be revisited in the future.


subjects concerned and help controllers and processors meet their data protection obligations. The explicit introduction of ‘pseudonymisation’ through the articles of this Regulation is thus not intended to preclude any other measures of data protection.

(23b) (…)

(23c) In order to create incentives for applying pseudonymisation when processing personal data, measures of pseudonymisation whilst allowing general analysis should be possible within the same controller when the controller has taken technical and organisational measures necessary to ensure that the provisions of this Regulation are implemented, taking into account the respective data processing and ensuring that additional information for attributing the personal data to a specific data subject is kept separately. The controller who processes the data shall also refer to authorised persons within the same controller. In such case however the controller shall make


sure that the individual(s) performing the pseudonymisation are not referenced in the meta-data¹¹.

Amendment 7

(24) When using online services, individuals may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses or cookie identifiers. This may leave traces which, combined with unique identifiers and other information received by the servers, may be used to create profiles of the individuals and identify them. It follows that identification numbers, location data, online identifiers or other specific factors as such need not necessarily be considered as personal data in all circumstances.

(24) When using online services, individuals may be associated with online This Regulation should be applicable to processing involving identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses or cookie identifiers and Radio Frequency Identification tags, unless those identifiers do not relate to an identified or identifiable natural person. This may leave traces which, combined with unique identifiers and other information received by the servers, may be used to create profiles of the individuals and identify them. It follows that identification numbers, location data, online identifiers or other specific factors as such need

(24) When using online services, individuals may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses or cookie identifiers. This may leave traces which, when combined with unique identifiers and other information received by the servers, may be used to create profiles of the individuals and identify them. It follows that iIdentification numbers, location data, online identifiers or other specific factors as such need should not necessarily be considered as personal data in all circumstances if they do not identify an individual or make an individual identifiable¹².

11 COM, IE, IT, AT, SE, UK reservation and FR scrutiny reservation on two last sentences.

12 DE reservation. ES, EE and IT also queried as regard the status of so-called identifiers. AT and SI thought the last sentence of the recital should be deleted. UK questioned whether so-called identifiers which were never used to trace back to a data subject should also be considered as personal data and hence subjected to the Regulation. It suggested stating that these can constitute personal data, but this will depend on the context. UK suggests deleting the words 'provided by their devices, applications, tools and protocols, such as Internet


not necessarily be considered as personal data in all circumstances.

Amendment 8

(25) Consent should be given explicitly by any appropriate method enabling a freely given specific and informed indication of the data subject's wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data. Silence or inactivity should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. If

(25) Consent should be given explicitly by any appropriate method enabling a freely given specific and informed indication of the data subject's wishes, either by a statement or by a clear affirmative action that is the result of choice by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by. Clear affirmative action could include ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, mere use of a service or inactivity should therefore not constitute consent. Consent should cover all processing

(25) Consent should be given explicitly unambiguously by any appropriate method enabling a freely given specific and informed indication of the data subject's wishes, either by a written, including¹³ electronic, oral or other statement or, if required by specific circumstances, by a any other clear affirmative action by the data subject, signifying his or her agreement to ensuring that individuals are aware that they give their consent to the processing of personal data relating to him or her being processed., This could includingee by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed

Protocol addresses or cookie identifiers' and 'received by the servers'. It also suggests deleting 'need not necessarily be considered as personal data in all circumstances' and replacing it by 'can constitute personal data, but this will depend on the context'. COM referred to the ECJ case law (Scarlett C-70/10) according to which IP addresses should be considered as personal data if they actually could lead to the identification of data subjects. DE queried who would in practice be responsible for such metadata.

13 HU and DE would prefer to distinguish electronic from written statements.


the data subject's consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

activities carried out for the same purpose or purposes. If the data subject's consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

processing of their personal data. Silence or inactivity should therefore not constitute consent. Where it is technically feasible and effective, the data subject's consent to processing may be given by using the appropriate settings of a browser or other application¹⁴. In such cases it is sufficient that the data subject receives the information needed to give freely specific and informed consent when starting to use the service. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, unambiguous consent should be granted for all of the processing purposes. It is often not possible to fully identify the purpose of data processing for scientific purposes at the time of data collection. Therefore data subjects can give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research¹⁵. Data subjects should

14 PL and AT reservation.
15 FR and COM scrutiny reservation.


have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose and provided that this does not involve disproportionate efforts in view of the protective purpose¹⁶. If the data subject's consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided¹⁷.

(25a) Genetic data should be defined as personal data relating to the genetic characteristics of an individual which have been inherited or acquired as they result from an analysis of a biological sample from the individual in question, in particular by chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis or analysis of any other element enabling equivalent

16 AT, CZ, IE and FR scrutiny reservation; COM reservation.

17 UK, supported by CZ and IE, proposed adding: 'Where the intention is to store data for an as yet unknown research purpose or as part of a research resource [such as a biobank or cohort], then this should be explained to data subjects, setting out the types of research that may be involved and any wider implications. This interpretation of consent does not affect the need for derogations from the prohibition on processing sensitive categories of data for scientific purposes'.

information to be obtained.

(26) Personal data relating to health should include in particular all data pertaining to the health status of a data subject; information about the registration of the individual for the provision of health services; information about payments or eligibility for healthcare with respect to the individual; a number, symbol or particular assigned to an individual to uniquely identify the individual for health purposes; any information about the individual collected in the course of the provision of health services to the individual; information derived from the testing or examination of a body part or bodily substance, including biological samples; identification of a person as provider of healthcare to the individual; or any information on e.g. a disease, disability, disease risk, medical history, clinical treatment, or the actual physiological or biomedical state of the data subject independent of

(26) Personal data relating to health should include in particular all data pertaining to the health status of a data subject; information about the registration of the individual for the provision of health services; information about payments or eligibility for healthcare with respect to the individual; a number, symbol or particular assigned to an individual to uniquely identify the individual for health purposes; any information about the individual collected in the course of the provision of health services to the individual; information derived from the testing or examination of a body part or bodily substance, including biological samples; identification of a person as provider of healthcare to the individual; or any information on e.g. a disease, disability, disease risk, medical history, clinical treatment, or the actual physiological or biomedical state of the data subject independent of its source, such as e.g. from a

(26) Personal data relating to concerning health should include in particular all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health of the data subject18; including information about the registration of the individual for the provision of health services; information about payments or eligibility for healthcare with respect to the individual; a number, symbol or particular assigned to an individual to uniquely identify the individual for health purposes; any information about the individual collected in the course of the provision of health services to the individual; information derived from the testing or examination of a body part or bodily substance, including genetic data and biological samples; identification of a person as provider of healthcare to the individual; or any information on e.g. for a example a

18 BE proposal.

its source, such as e.g. from a physician or other health professional, a hospital, a medical device, or an in vitro diagnostic test.

physician or other health professional, a hospital, a medical device, or an in vitro diagnostic test.

disease, disability, disease risk, medical history, clinical treatment, or the actual physiological or biomedical state of the data subject independent of its source, such as e.g. for example from a physician or other health professional, a hospital, a medical device, or an in vitro diagnostic test.

(27) The main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes, conditions and means of processing through stable arrangements. This criterion should not depend whether the processing of personal data is actually carried out at that location; the presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute such main establishment and are therefore no determining criteria for a main establishment. The main establishment of the

(27) The main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes, conditions and means of processing through stable arrangements. This criterion should not depend whether the processing of personal data is actually carried out at that location; the presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute such main establishment and are therefore no determining criteria for a main establishment. The main establishment of the

(27) The main establishment of a controller in the Union should be the place of its central administration in the Union, unless determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to on the purposes, conditions and means of processing of personal data are taken in another establishment of the controller in the Union. In this case the latter should be considered as the main establishment. through stable arrangements. The main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real

processor should be the place of its central administration in the Union.

processor should be the place of its central administration in the Union.

exercise of management activities determining the main decisions as to the purposes and means of processing through stable arrangements. This criterion should not depend on whether the processing of personal data is actually carried out at that location; the presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute such main establishment and are therefore not determining criteria for a main establishment. The main establishment of the processor should be the place of its central administration in the Union and, if it has no central administration in the Union, the place where the main processing activities take place in the Union. In cases involving both the controller and the processor, the competent lead supervisory authority should remain the supervisory authority of the Member State where the controller has its main establishment but the supervisory authority of the processor should

be considered as a concerned supervisory authority and participate to the cooperation procedure provided for by this Regulation. In any case, the supervisory authorities of the Member State or Member States where the processor has one or more establishments should not be considered as concerned supervisory authorities when the draft decision concerns only the controller.

Where the processing is carried out by a group of undertakings, the main establishment of the controlling undertaking should be considered as the main establishment of the group of undertakings, except where the purposes and means of processing are determined by another undertaking.

(28) A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exercise a dominant influence over the other

(28) A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exercise a dominant influence over the other

(28) A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exercise a dominant influence over the other

undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented.

undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented.

undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented.

Amendment 9

(29) Children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data. To determine when an individual is a child, this Regulation should take over the definition laid down by the UN Convention on the Rights of the Child.

(29) Children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data. To determine when an individual is a child, this Regulation should take over the definition laid down by the UN Convention on the Rights of the Child. Where data processing is based on the data subject’s consent in relation to the offering of goods or services directly to a child, consent should be given or authorised by the child’s parent or legal guardian in cases where the child is below the age of 13. Age-appropriate language should be

(29) Children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data19. To determine when an individual is a child, this Regulation should take over the definition laid down by the UN Convention on the Rights of the Child. 20 This concerns especially the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of child data when using services offered directly to a child21.

19 COM reservation on deletion of the UN Convention on the Rights of the Child reference.
20 COM reservation on deletion of the reference to the UN Convention on the Rights of the Child.
21 CZ and AT reservation.

used where the intended audience is children. Other grounds of lawful processing such as grounds of public interest should remain applicable, such as for processing in the context of preventive or counselling services offered directly to a child.

(30) Any processing of personal data should be lawful, fair and transparent in relation to the individuals concerned. In particular, the specific purposes for which the data are processed should be explicit and legitimate and determined at the time of the collection of the data. The data should be adequate, relevant and limited to the minimum necessary for the purposes for which the data are processed; this requires in particular ensuring that the data collected are not excessive and that the period for which the data are stored is limited to a strict minimum. Personal data should only be processed if the purpose of the processing could not be fulfilled by other means. Every reasonable step should be taken to

(30) Any processing of personal data should be lawful, fair and transparent in relation to the individuals concerned. In particular, the specific purposes for which the data are processed should be explicit and legitimate and determined at the time of the collection of the data. The data should be adequate, relevant and limited to the minimum necessary for the purposes for which the data are processed; this requires in particular ensuring that the data collected are not excessive and that the period for which the data are stored is limited to a strict minimum. Personal data should only be processed if the purpose of the processing could not be fulfilled by other means. Every reasonable step should be taken to ensure that

(30) Any processing of personal data should be lawful and, fair. and It should be transparent in relation to for the individuals concerned. In particular, the specific purposes for which the data are processed should be explicit and legitimate and determined at the time of the collection of the data. The data should be adequate, relevant and limited to the minimum necessary for the purposes for which the data are processed; this requires in particular ensuring that the data collected are not excessive and that the period for which the data are stored is limited to a strict minimum. Personal data should only be processed if the purpose of the processing could not be fulfilled by other means. that personal data concerning them are collected,

ensure that personal data which are inaccurate are rectified or deleted. In order to ensure that the data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.

personal data which are inaccurate are rectified or deleted. In order to ensure that the data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.

used, consulted or otherwise processed and to which extent the data are processed or will be processed. The principle of transparency requires that any information and communication relating to the processing of those data should be easily accessible and easy to understand, and that clear and plain language is used. This concerns in particular the information of the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the individuals concerned and their right to get confirmation and communication of personal data being processed concerning them.

Individuals should be made aware on risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise his or her rights in relation to the processing. In particular, the specific purposes for which the data are processed should be explicit and legitimate and determined at the time of the

collection of the data22. The data should be adequate and relevant (…) for the purposes for which the data are processed; this requires in particular ensuring that the data collected are not excessive and that the period for which the data are stored is limited to a strict minimum. (…). Personal data should only be processed if the purpose of the processing could not reasonably be fulfilled by other means23. In order to ensure that the data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.

Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. In order to ensure that the data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Personal data should be processed in a manner that ensures

22 DE suggested inserting the following sentence: 'Data processing for archiving and statistical purposes in the public interest and for scientific or historical purposes is considered compatible and can be conducted on the basis of the original legal basis (e.g. consent), if the data have been initially collected for these purposes'.

23 UK reservation: this was too burdensome.

appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or the use of personal data and the equipment used for the processing.

Amendment 10

(31) In order for processing to be lawful, personal data should be processed on the basis of the consent of the person concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation.

(31) In order for processing to be lawful, personal data should be processed on the basis of the consent of the person concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation. In case of a child or a person lacking legal capacity, relevant Union or Member State law should determine the conditions under which consent is given or authorised by that person.

(31) In order for processing to be lawful, personal data should be processed on the basis of the consent of the person concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

(31a) Wherever this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without

prejudice to requirements pursuant the constitutional order of the Member State concerned, however such legal basis or legislative measure should be clear and precise and its application foreseeable for those subject to it as required by the case law of the Court of Justice of the European Union and the European Court on Human Rights.

Amendment 11

(32) Where processing is based on the data subject's consent, the controller should have the burden of proving that the data subject has given the consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware that and to what extent consent is given.

(32) Where processing is based on the data subject’s consent, the controller should have the burden of proving that the data subject has given the consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware that and to what extent consent is given. To comply with the principle of data minimisation, the burden of proof should not be understood as requiring the positive identification of data subjects unless necessary. Similar to civil law terms (e.g. Council

(32) Where processing is based on the data subject's consent, the controller should have the burden of proving be able to demonstrate that the data subject has given the consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware that and to what the extent to which consent is given. A declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and its content should

Directive 93/13/EEC44a1), data protection policies should be as clear and transparent as possible. They should not contain hidden or disadvantageous clauses. Consent can not cannot be given for the processing of personal data of third persons.

______________________
44a 1 Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts (OJ L 95, 21.4.1993, p. 29).

not be unusual within the overall context. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended; consent should not be regarded as freely-given if the data subject has no genuine and free choice and is unable to refuse or withdraw consent without detriment.

Amendment 12

(33) In order to ensure free consent, it should be clarified that consent does not provide a valid legal ground where the individual has no genuine and free choice and is subsequently not able to refuse or withdraw consent without detriment.

(33) In order to ensure free consent, it should be clarified that consent does not provide a valid legal ground where the individual has no genuine and free choice and is subsequently not able to refuse or withdraw consent without detriment. This is especially the case if the controller is a public authority that can impose an obligation by virtue of its relevant public powers and the consent cannot be deemed as freely given. The use of default options which the data subject is required to

(33) In order to ensure free For consent, it should be clarified that consent does not provide a valid legal ground where the individual has no genuine and free choice and is subsequently not able to refuse to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended; consent should not be regarded as freely-given if the data subject has no genuine and free choice and is unable to refuse or

modify to object to the processing, such as pre-ticked boxes, does not express free consent. Consent for the processing of additional personal data that are not necessary for the provision of a service should not be required for using the service. When consent is withdrawn, this may allow the termination or non-execution of a service which is dependent on the data. Where the conclusion of the intended purpose is unclear, the controller should in regular intervals provide the data subject with information about the processing and request a re-affirmation of their his or her consent.

withdraw consent without detriment.

Amendment 13

(34) Consent should not provide a valid legal ground for the processing of personal data, where there is a clear imbalance between the data subject and the controller. This is especially the case where the data subject is in a situation of dependence from the controller, among others, where personal data

deleted

(34) In order to safeguard that Consent consent has been freely-given, consent should not provide a valid legal ground for the processing of personal data in a specific case, where there is a clear imbalance between the data subject and the controller and This this is especially the case where the data

are processed by the employer of employees' personal data in the employment context. Where the controller is a public authority, there would be an imbalance only in the specific data processing operations where the public authority can impose an obligation by virtue of its relevant public powers and the consent cannot be deemed as freely given, taking into account the interest of the data subject.

subject is in a situation of dependence from the controller, among others, where personal data are processed by the employer of employees' personal data in the employment context. Where the controller is a public authority, there would be an imbalance only in the specific data processing operations where the public authority can impose an obligation by virtue of its relevant public powers and makes it unlikely that the consent cannot be deemed was given as freely- given, taking into account the interest of the data subject in all circumstance of that specific situation. Consent is presumed not to be freely given, if it does not allow separate consent to be given to different data processing operations despite it is appropriate in the individual case, or if the performance of a contract is made dependent on the consent despite this is not necessary for such performance and the data subject cannot reasonably obtain

equivalent services from another source without consent24.

(35) Processing should be lawful where it is necessary in the context of a contract or the intended entering into a contract.

(35) Processing should be lawful where it is necessary in the context of a contract or the intended entering into a contract.

(35) Processing should be lawful where it is necessary in the context of a contract or the intended entering into a contract.

(35a) This Regulation provides for general rules on data protection and that in specific cases Member States are also empowered to lay down national rules on data protection. The Regulation does therefore not exclude Member State law that defines the circumstances of specific processing situations, including determining more precisely the conditions under which processing of personal data is lawful. National law may also provide for special processing conditions for specific sectors and for the processing of special categories of data.

24 COM, DK, IE and FR, SE reservation. CZ thought the wording should be more generic.

Amendment 14

(36) Where processing is carried out in compliance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority, the processing should have a legal basis in Union law, or in a Member State law which meets the requirements of the Charter of Fundamental Rights of the European Union for any limitation of the rights and freedoms. It is also for Union or national law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public administration or another natural or legal person governed by public law, or by private law such as a professional association.

(36) Where processing is carried out in compliance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority, the processing should have a legal basis in Union law, or in a Member State law which meets the requirements of the Charter of Fundamental Rights of the European Union for any limitation of the rights and freedoms. This should include also collective agreements that could be recognised under national law as having general validity. It is also for Union or national law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public administration or another natural or legal person governed by public law, or by private law such as a professional association.

(36) Where processing is carried out in compliance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority, the processing should have a legal basis in Union law, or in the national law of a Member State law which meets the requirements of the Charter of Fundamental Rights of the European Union for any limitation of the rights and freedoms. It is should be also for Union or national law to determine the purpose of processing. whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public administration or another natural or legal person governed by public law, or by private law such as a professional association. Furthermore, this basis could specify the general conditions of the Regulation governing the lawfulness of data

processing, determinespecifications for determining thecontroller, the type of data whichare subject to the processing, thedata subjects concerned, theentities to which the data may bedisclosed, the purpose limitations,the storage period and othermeasures to ensure lawful and fairprocessing.

It should also be for Union ornational law to determine whetherthe controller performing a taskcarried out in the public interest orin the exercise of official authorityshould be a public authority oranother natural or legal persongoverned by public law, or byprivate law such as a professionalassociation, where grounds ofpublic interest so justify includingfor health purposes, such as publichealth and social protection andthe management of health careservices.

(37) The processing of personal data should equally be regarded as lawful where it is necessary to protect an interest which is essential for the data subject's life.

(37) The processing of personal data should equally be regarded as lawful where it is necessary to protect an interest which is essential for the data subject's life.

(37) The processing of personal data should equally be regarded as lawful where it is necessary to protect an interest which is essential for the data subject's life


or that of another person. Some types of data processing may serve both important grounds of public interest and the vital interests of the data subject as, for instance when processing is necessary for humanitarian purposes, including for monitoring epidemic and its spread or in situations of humanitarian emergencies, in particular in situations of natural disasters25.

Amendment 15

(38) The legitimate interests of a controller may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding. This would need careful assessment in particular where the data subject is a child, given that children deserve specific protection. The data subject should have the right to object the processing, on grounds relating to their particular situation and free of charge. To ensure transparency, the controller should

(38) The legitimate interests of a the controller, or in case of disclosure, of the third party to whom the data is are disclosed, may provide a legal basis for processing, provided that they meet the reasonable expectations of the data subject based on his or her relationship with the controller and that the interests or the fundamental rights and freedoms of the data subject are not overriding. This would need careful assessment in particular where the data subject is a child, given that children

(38) The legitimate interests of a controller including of a controller to which the data may be disclosed or of a third party may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding. This would need careful assessment including whether a data subject can expect at the time and in the context of the collection of the data that processing for this purpose may take place. Legitimate interest could exist for

25 CZ, FR, SE and PL thought the entire recital was superfluous.


be obliged to explicitly inform the data subject on the legitimate interests pursued and on the right to object, and also be obliged to document these legitimate interests. Given that it is for the legislator to provide by law the legal basis for public authorities to process data, this legal ground should not apply for the processing by public authorities in the performance of their tasks.

deserve specific protection. Provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, processing limited to pseudonymous data should be presumed to meet the reasonable expectations of the data subject based on his or her relationship with the controller. The data subject should have the right to object the processing, on grounds relating to their particular situation and free of charge. To ensure transparency, the controller should be obliged to explicitly inform the data subject on the legitimate interests pursued and on the right to object, and also be obliged to document these legitimate interests. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law the

example when there is a relevant and appropriate connection between the data subject and the controller in situations such as the data subject being a client or in the service of the controller26. (…) At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can expect at the time and in the context of the collection of the data that processing for this purpose may take place. iIn particular where such assessment must take into account whether the data subject is a child, given that children deserve specific protection. The data subject should have the right to object to the processing, on grounds relating to their particular situation and free of charge. To ensure transparency, the controller should be obliged to explicitly inform the data subject on the legitimate interests pursued and on the right to object, and also be obliged to document these legitimate interests. Given that it is

26 HU scrutiny reservation.


legal basis for public authorities to process data, this legal ground should not apply for the processing by public authorities in the performance of their tasks.

for Union or national law the legislator to provide by law the legal basis for public authorities to process data, this legal ground should not apply for the processing by public authorities in the exercise performance of their tasks duties.

(38a) Controllers that are part of a group of undertakings or institution affiliated to a central body may have a legitimate interest to transmit personal data within the group of undertakings for internal administrative purposes, including the processing of clients' or employees' personal data. The general principles for the transfer of personal data, within a group of undertakings, to an undertaking located in a third country (…) remain unaffected.27

Amendment 16

(39) The processing of data to the extent strictly necessary for the purposes of ensuring network and

(39) The processing of data to the extent strictly necessary and proportionate for the purposes of

(39) The processing of data to the extent strictly necessary for the purposes of ensuring network and

27 FR reservation.


information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data, and the security of the related services offered by, or accessible via, these networks and systems, by public authorities, Computer Emergency Response Teams – CERTs, Computer Security Incident Response Teams – CSIRTs, providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the concerned data controller. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.

ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data, and the security of the related services offered by, or accessible via, these networks and systems, by public authorities, Computer Emergency Response Teams – CERTs, Computer Security Incident Response Teams – CSIRTs, providers of electronic communications networks and services and by providers of security technologies and services constitutes a legitimate interest of the concerned data controller. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems. This principle also applies to processing

information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data, and the security of the related services offered by, or accessible via, these networks and systems, by public authorities, Computer Emergency Response Teams – CERTs, Computer Security Incident Response Teams -– CSIRTs, providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the concerned data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems. The processing of personal data strictly necessary for the purposes


of personal data to restrict abusive access to and use of publicly available network or information systems, such as the blacklisting of electronic identifiers.

of preventing fraud also constitutes a legitimate interest of the data controller concerned. (...) The processing of personal data for direct marketing purposes can may be regarded as carried out for a legitimate interest.

Amendment 17

(39a) Provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, the prevention or limitation of damages on the side of the data controller should be presumed as carried out for the legitimate interest of the data controller or, in case of disclosure, of the third party to whom the data is are disclosed, and as meeting the reasonable expectations of the data subject based on his or her relationship with the controller. The same principle also applies to the enforcement of legal claims against a data subject, such as debt collection or civil damages and remedies.


Amendment 18

(39b) Provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, the processing of personal data for the purpose of direct marketing for own or similar products and services or for the purpose of postal direct marketing should be presumed as carried out for the legitimate interest of the controller, or in case of disclosure, of the third party to whom the data is are disclosed, and as meeting the reasonable expectations of the data subject based on his or her relationship with the controller if highly visible information on the right to object and on the source of the personal data is given. The processing of business contact details should be generally regarded as carried out for the legitimate interest of the controller, or in case of disclosure, of the third party to whom the data is are disclosed, and as meeting the reasonable expectations of the data subject based on his or her


relationship with the controller. The same should apply to the processing of personal data made manifestly public by the data subject.

Amendment 19

(40) The processing of personal data for other purposes should be only allowed where the processing is compatible with those purposes for which the data have been initially collected, in particular where the processing is necessary for historical, statistical or scientific research purposes. Where the other purpose is not compatible with the initial one for which the data are collected, the controller should obtain the consent of the data subject for this other purpose or should base the processing on another legitimate ground for lawful processing, in particular where provided by Union law or the law of the Member State to which the controller is subject. In any case, the application of the principles set out by this Regulation and in particular the

deleted

(40) The processing of personal data for other purposes than the purposes for which the data have been initially collected should be only allowed where the processing is compatible with those purposes for which the data have been initially collected, . in In such case no separate legal basis is required other than the one which allowed the collection of the data. (…) If particular where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union law or Member State law may determine and specify the tasks and purposes for which the further processing shall be regarded as lawful. The further processing (…) for archiving purposes in the public interest, or


information of the data subject on those other purposes should be ensured.

for historical, statistical, or scientific research or historical purposes or in view of future dispute resolution28 should be considered as compatible lawful processing operations. The legal basis provided by Union or Member State law for the collection and processing of personal data may also provide a legal basis for further processing for other purposes if these purposes are in line with the assigned task and the controller is entitled legally to collect the data for these other purposes29.

In order to ascertain whether a purpose of further processing is compatible with the purpose for which the data are initially collected, the controller, after having met all the requirements for the lawfulness of the original processing, should take into account any link between those purposes and the purposes of the intended further processing, the context in which the data have

28 ES pointed out the text of Article 6 had not been modified regarding dispute resolution.

29 FR, IT and UK scrutiny reservation.


been collected, including the reasonable expectations of the data subject as to their further use, the nature of the personal data, the consequences of the intended further processing for data subjects, and the existence of appropriate safeguards in both the original and intended processing operations. Where the intended other purpose is not compatible with the initial one for which the data are collected, the controller should obtain the consent of the data subject for this other purpose or should base the processing on another legitimate ground for lawful processing, in particular where provided by Union law or the law of the Member State to which the controller is subject.

In any case, the application of the principles set out by this Regulation and in particular the information of the data subject on those other purposes and on his or her rights including the right to object, should be ensured. Indicating possible criminal acts or threats to public security by the controller and transmitting these data to a


competent authority should be regarded as being in the legitimate interest pursued by the controller30. However such transmission in the legitimate interest of the controller or further processing of personal data should be prohibited if the processing is not compatible with a legal, professional or other binding obligation of secrecy31.

Amendment 20

(41) Personal data which are, by their nature, particularly sensitive and vulnerable in relation to fundamental rights or privacy, deserve specific protection. Such data should not be processed, unless the data subject gives his explicit consent. However, derogations from this prohibition should be explicitly provided for in respect of specific needs, in particular where the processing is carried out in the course of legitimate activities by certain

deleted

(41) Personal data which are, by their nature, particularly sensitive and vulnerable in relation to fundamental rights and freedoms or privacy, deserve specific protection as the context of their processing may create important risks for the fundamental rights and freedoms. These data should also include personal data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the European

30 AT, PL and COM reservation.

31 IE, SE and UK queried the last sentence of recital 40, which was not reflected in the body of the text. DE, supported by CZ, IE, GR and PL, wanted it to be made clear that Article 6 did not hamper direct marketing or credit information services or businesses in general according to GR.


associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.

Union of theories which attempt to determine the existence of separate human races. Such data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member States law may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation32 for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition for processing such special categories of personal data should be explicitly be provided inter alia where the data subject gives his or her explicit consent . However, derogations from this prohibition should be

32 AT scrutiny reservation.


explicitly provided for or in respect of specific needs, in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.

Special categories of personal data may also be processed where the data have manifestly been made public or voluntarily and at the request of the data subject transferred to the controller for a specific purpose specified by the data subject, where the processing is done in the interest of the data subject.

Member State and Union Law may provide that the general prohibition for processing such special categories of personal data in certain cases may not be lifted by the data subject’s explicit consent.

Amendment 21

(42) Derogating from the prohibition on processing sensitive categories of data should also be

(42) Derogating from the prohibition on processing sensitive categories of data should also be

(42) Derogating from the prohibition on processing sensitive categories of data should also be


allowed if done by a law, and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where grounds of public interest so justify and in particular for health purposes, including public health and social protection and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for historical, statistical and scientific research purposes.

allowed if done by a law, and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where grounds of public interest so justify and in particular for health purposes, including public health and social protection and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, for historical, statistical and scientific research purposes, or for archive services.

allowed if done by a when provided for in Union or Member State law, and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where grounds of public interest so justify, in particular processing data in the field of employment law, social security and social protection law, including pensions and for health security, monitoring and alert purposes, the prevention or control of communicable diseases and other serious threats to health or ensuring high standards of quality and safety of health care and services and of medicinal products or medical devices or assessing public policies adopted in the field of health, also by producing quality and activity indicators. and in particular This may be done for health purposes, including public health and social protection and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the


health insurance system, or for archiving in the public interest or historical, statistical and scientific research purposes. A derogation should also allow processing of such data where necessary for the establishment, exercise or defence of legal claims, regardless of whether in a judicial procedure or whether in an administrative or any out-of-court procedure.

(42a) Special categories of personal data which deserve higher protection, may only be processed for health-related purposes where necessary to achieve those purposes for the benefit of individuals and society as a whole, in particular in the context of the management of health or social care services and systems including the processing by the management and central national health authorities of such data for the purpose of quality control, management information and the general national and local supervision of the health or social care system, and ensuring continuity of health or social care


and cross-border healthcare or health security, monitoring and alert purposes or for archiving, historical, statistical or scientific purposes as well as for studies conducted in the public interest in the area of public health. Therefore this Regulation should provide for harmonised conditions for the processing of special categories of personal data concerning health, in respect of specific needs, in particular where the processing of these data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy (…). Union or Member State law should provide for specific and suitable measures so as to protect the fundamental rights and the personal data of individuals. (…)33.

(42b) The processing of special categories personal data (…) may be necessary for reasons of public interest in the areas of public health, without consent of the data

33 Moved from recital 122.


subject. This processing is subject to for suitable and specific measures so as to protect the rights and freedoms of individuals. In that context, ‘public health’ should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council of 16 December 2008 on Community statistics on public health and health and safety at work, meaning all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality. Such processing of personal data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties such as employers, insurance and banking companies34.

34 Moved from recital 123.


(43) Moreover, the processing of personal data by official authorities for achieving aims, laid down in constitutional law or international public law, of officially recognised religious associations is carried out on grounds of public interest.

(43) Moreover, the processing of personal data by official authorities for achieving aims, laid down in constitutional law or international public law, of officially recognised religious associations is carried out on grounds of public interest.

(43) Moreover, the processing of personal data by official authorities for achieving aims, laid down in constitutional law or international public law, of officially recognised religious associations is carried out on grounds of public interest.

(44) Where in the course of electoral activities, the operation of the democratic system requires in a Member State that political parties compile data on people's political opinions, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are established.

(44) Where in the course of electoral activities, the operation of the democratic system requires in a Member State that political parties compile data on people's political opinions, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are established.

(44) Where in the course of electoral activities, the operation of the democratic system requires in a Member State that political parties compile data on people's political opinions, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are established.

Amendment 22

(45) If the data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. In case of a request for access, the controller should be

(45) If the data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. In case of a request for access, the controller should be

(45) If the data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. In case of a request for access, the controller should be


entitled to ask the data subject for further information to enable the data controller to locate the personal data which that person seeks.

entitled to ask the data subject for further information to enable the data controller to locate the personal data which that person seeks. If it is possible for the data subject to provide such data, controllers should not be able to invoke a lack of information to refuse an access request.

entitled to ask the data subject for further information to enable the data controller to locate the personal data which that person seeks. However, the controller should not refuse to take additional information provided by the data subject in order to support the exercise of his or her rights.

(46) The principle of transparency requires that any information addressed to the public or to the data subject should be easily accessible and easy to understand, and that clear and plain language is used. This is in particular relevant where in situations, such as online advertising, the proliferation of actors and the technological complexity of practice makes it difficult for the data subject to know and understand if personal data relating to them are being collected, by whom and for what purpose. Given that children deserve specific protection, any information and communication, where processing is addressed specifically to a child, should be in

(46) The principle of transparency requires that any information addressed to the public or to the data subject should be easily accessible and easy to understand, and that clear and plain language is used. This is in particular relevant where in situations, such as online advertising, the proliferation of actors and the technological complexity of practice makes it difficult for the data subject to know and understand if personal data relating to them him or her are being collected, by whom and for what purpose. Given that children deserve specific protection, any information and communication, where processing is addressed specifically to a child, should be in

(46) The principle of transparency requires that any information addressed to the public or to the data subject should be easily accessible and easy to understand, and that clear and plain language is used. This information could be provided in electronic form, for example, when addressed to the public, through a website. This is in particular relevant where in situations, such as online advertising, the proliferation of actors and the technological complexity of practice makes it difficult for the data subject to know and understand if personal data relating to them are being collected, by whom and for what purpose. Given that children

such a clear and plain language that the child can easily understand.

such a clear and plain language that the child can easily understand.

deserve specific protection, any information and communication, where processing is addressed specifically to a child, should be in such a clear and plain language that the child can easily understand.

Amendment 23

(47) Modalities should be provided for facilitating the data subject’s exercise of their rights provided by this Regulation, including mechanisms to request, free of charge, in particular access to data, rectification, erasure and to exercise the right to object. The controller should be obliged to respond to requests of the data subject within a fixed deadline and give reasons, in case he does not comply with the data subject's request.

(47) Modalities should be provided for facilitating the data subject’s exercise of their his or her rights provided by this Regulation, including mechanisms to request obtain, free of charge, in particular access to data, rectification, erasure and to exercise the right to object. The controller should be obliged to respond to requests of the data subject within a fixed reasonable deadline and give reasons, in case he does not comply with the data subject’s request.

(47) Modalities should be provided for facilitating the data subject’s exercise of their rights provided by this Regulation, including mechanisms to request, free of charge, in particular access to data, rectification, erasure and to exercise the right to object. Thus the controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests of the data subject within a fixed deadline and give reasons where the controller, in case he does not intend to comply with the data subject's request.

Amendment 24

(48) The principles of fair and transparent processing require that the data subject should be informed in particular of the existence of the processing operation and its purposes, how long the data will be stored, on the existence of the right of access, rectification or erasure and on the right to lodge a complaint. Where the data are collected from the data subject, the data subject should also be informed whether they are obliged to provide the data and of the consequences, in cases they do not provide such data.

(48) The principles of fair and transparent processing require that the data subject should be informed in particular of the existence of the processing operation and its purposes, how long the data will be likely stored for each purpose, if the data are to be transferred to third parties or third countries, on the existence of measures to object and of the right of access, rectification or erasure and on the right to lodge a complaint. Where the data are collected from the data subject, the data subject should also be informed whether they are obliged to provide the data and of the consequences, in cases they do not provide such data. This information should be provided, which can also mean made readily available, to the data subject after the provision of simplified information in the form of standardised icons. This should also mean that personal data are processed in a way that effectively allows the data subject to exercise his or her rights.

(48) The principles of fair and transparent processing require that the data subject should be informed in particular of the existence of the processing operation and its purposes, how long the data will be stored, on the existence of the right of access, rectification or erasure and on the right to lodge a complaint. The controller should provide the data subject with any further information necessary to guarantee fair and transparent processing. Furthermore the data subject should be informed about the existence of profiling, and the consequences of such profiling. Where the data are collected from the data subject, the data subject should also be informed whether they are obliged to provide the data and of the consequences, in cases they do not provide such data.

(49) The information in relation to the processing of personal data relating to the data subject should be given to them at the time of collection, or, where the data are not collected from the data subject, within a reasonable period, depending on the circumstances of the case. Where data can be legitimately disclosed to another recipient, the data subject should be informed when the data are first disclosed to the recipient.

(49) The information in relation to the processing of personal data relating to the data subject should be given to them at the time of collection, or, where the data are not collected from the data subject, within a reasonable period, depending on the circumstances of the case. Where data can be legitimately disclosed to another recipient, the data subject should be informed when the data are first disclosed to the recipient.

(49) The information in relation to the processing of personal data relating to the data subject should be given to them at the time of collection, or, where the data are not collected from the data subject, within a reasonable period, depending on the circumstances of the case. Where data can be legitimately disclosed to another recipient, the data subject should be informed when the data are first disclosed to the recipient. Where the origin of the data could not be provided to the data subject because various sources have been used, the information should be provided in a general manner.

Amendment 25

(50) However, it is not necessary to impose this obligation where the data subject already disposes of this information, or where the recording or disclosure of the data is expressly laid down by law, or where the provision of information to the data subject proves impossible or would involve disproportionate efforts. The latter

(50) However, it is not necessary to impose this obligation where the data subject already disposes of knows this information, or where the recording or disclosure of the data is expressly laid down by law, or where the provision of information to the data subject proves impossible or would involve disproportionate efforts. The latter

(50) However, it is not necessary to impose this obligation where the data subject already disposes possesses of this information, or where the recording or disclosure of the data is expressly laid down by law, or where the provision of information to the data subject proves impossible or would involve disproportionate efforts. The latter

could be particularly the case where processing is for historical, statistical or scientific research purposes; in this regard, the number of data subjects, the age of the data, and any compensatory measures adopted may be taken into consideration.

could be particularly the case where processing is for historical, statistical or scientific research purposes; in this regard, the number of data subjects, the age of the data, and any compensatory measures adopted may be taken into consideration.

could be particularly the case where processing is for historical, statistical or scientific research purposes; in this regard, the number of data subjects, the age of the data, and any compensatory measures appropriate safeguards adopted may be taken into consideration.

Amendment 26

(51) Any person should have the right of access to data which has been collected concerning them, and to exercise this right easily, in order to be aware and verify the lawfulness of the processing. Every data subject should therefore have the right to know and obtain communication in particular for what purposes the data are processed, for what period, which recipients receive the data, what is the logic of the data that are undergoing the processing and what might be, at least when based on profiling, the consequences of such processing. This right should not adversely affect the rights and freedoms of others, including trade secrets or intellectual property and

(51) Any person should have the right of access to data which have been collected concerning them, and to exercise this right easily, in order to be aware and verify the lawfulness of the processing. Every data subject should therefore have the right to know and obtain communication in particular for what purposes the data are processed, for what estimated period, which recipients receive the data, what is the general logic of the data that are undergoing the processing and what might be, at least when based on profiling, the consequences of such processing. This right should not adversely affect the rights and freedoms of others, including trade secrets or

(51) Any A natural person should have the right of access to data which has been collected concerning them him or her, and to exercise this right easily and at reasonable intervals, in order to be aware of and verify the lawfulness of the processing. This includes the right for individuals to have access to their personal data concerning their health, for example the data in their medical records containing such information as diagnosis, examination results, assessments by treating physicians and any treatment or interventions provided. Every data subject should therefore have the right to know and obtain communication in particular for what purposes the

in particular the copyright protecting the software. However, the result of these considerations should not be that all information is refused to the data subject.

intellectual property and in particular, such as in relation to the copyright protecting the software. However, the result of these considerations should not be that all information is refused to the data subject.

data are processed, where possible for what period, which recipients receive the data, what is the logic involved in any automatic of the data that are undergoing the processing and what might be, at least when based on profiling, the consequences of such processing. This right should not adversely affect the rights and freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of these considerations should not be that all information is refused to the data subject. Where the controller processes a large quantity of information concerning the data subject, the controller may request that before the information is delivered the data subject specify to which information or to which processing activities the request relates.

(52) The controller should use all reasonable measures to verify the identity of a data subject that requests access, in particular in the context of online services and

(52) The controller should use all reasonable measures to verify the identity of a data subject that requests access, in particular in the context of online services and

(52) The controller should use all reasonable measures to verify the identity of a data subject that who requests access, in particular in the context of online services and

online identifiers. A controller should not retain personal data for the unique purpose of being able to react to potential requests.

online identifiers. A controller should not retain personal data for the unique purpose of being able to react to potential requests.

online identifiers. A controller should not retain personal data for the unique sole purpose of being able to react to potential requests.

Amendment 27

(53) Any person should have the right to have personal data concerning them rectified and a 'right to be forgotten' where the retention of such data is not in compliance with this Regulation. In particular, data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed, where data subjects have withdrawn their consent for processing or where they object to the processing of personal data concerning them or where the processing of their personal data otherwise does not comply with this Regulation. This right is particularly relevant, when the data subject has given their consent as a

(53) Any person should have the right to have personal data concerning them rectified and a 'right to be forgotten erasure' where the retention of such data is not in compliance with this Regulation. In particular, data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed, where data subjects have withdrawn their consent for processing or where they object to the processing of personal data concerning them or where the processing of their personal data otherwise does not comply with this Regulation. This right is particularly relevant, when the data subject has given their consent as a

(53) Any A natural person should have the right to have personal data concerning them rectified and a 'right to be forgotten' where the retention of such data is not in compliance with this Regulation. In particular, data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed, where data subjects have withdrawn their consent for processing or where they object to the processing of personal data concerning them or where the processing of their personal data otherwise does not comply with this Regulation. This right is particularly in particular relevant, when the data subject has given

child, when not being fully aware of the risks involved by the processing, and later wants to remove such personal data especially on the Internet. However, the further retention of the data should be allowed where it is necessary for historical, statistical and scientific research purposes, for reasons of public interest in the area of public health, for exercising the right of freedom of expression, when required by law or where there is a reason to restrict the processing of the data instead of erasing them.

child, when not being fully aware of the risks involved by the processing, and later wants to remove such personal data especially on the Internet. However, the further retention of the data should be allowed where it is necessary for historical, statistical and scientific research purposes, for reasons of public interest in the area of public health, for exercising the right of freedom of expression, when required by law or where there is a reason to restrict the processing of the data instead of erasing them. Also, the right to erasure should not apply when the retention of personal data is necessary for the performance of a contract with the data subject, or when there is a legal obligation to retain this data.

their consent as a child, when not being fully aware of the risks involved by the processing, and later wants to remove such personal data especially on the Internet. However, the further retention of the data should be allowed where it is necessary for archiving purposes in the public interest, for historical, statistical and scientific research purposes, for reasons of public interest in the area of public health, for exercising the right of freedom of expression, when required by law or where there is a reason to restrict the processing of the data instead of erasing them.

Amendment 28

(54) To strengthen the 'right to be forgotten' in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be

(54) To strengthen the 'right to be forgotten erasure' in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public without

(54) To strengthen the 'right to be forgotten' in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be

obliged to inform third parties which are processing such data that a data subject requests them to erase any links to, or copies or replications of that personal data. To ensure this information, the controller should take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible. In relation to a third party publication of personal data, the controller should be considered responsible for the publication, where the controller has authorised the publication by the third party.

legal justification should be obliged to inform third parties which are processing such data that a data subject requests them to erase any links to, or copies or replications of that personal data. To ensure this information, the controller should take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible. In relation to a third party publication of personal data, the controller should be considered responsible for the publication, where the controller has authorised the publication by the third party take all necessary steps to have the data erased, including by third parties, without prejudice to the right of the data subject to claim compensation.

obliged to inform third parties the controllers which are processing such data that a data subject requests them to erase any links to, or copies or replications of that personal data. To ensure this information, the controller should take all reasonable steps, taking into account available technology and the means available to the controller, including technical measures, in relation to data for the publication of which the controller is responsible. In relation to a third party publication of personal data, the controller should be considered responsible for the publication, where the controller has authorised the publication by the third party.

Amendment 29

(54a) Data which are contested by the data subject and whose accuracy or inaccuracy cannot be determined should be blocked until the issue is cleared.

(54a) Methods to restrict processing of personal data could include, inter alia, temporarily moving the selected data to another processing system or making the selected data

unavailable to users or temporarily removing published data from a website. In automated filing systems the restriction of processing of personal data should in principle be ensured by technical means; the fact that the processing of personal data is restricted should be indicated in the system in such a way that it is clear that the processing of the personal data is restricted.

Amendment 30

(55) To further strengthen the control over their own data and their right of access, data subjects should have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain a copy of the data concerning them also in commonly used electronic format. The data subject should also be allowed to transmit those data, which they have provided, from one automated application, such as a social network, into another one. This should apply where the data subject

(55) To further strengthen the control over their own data and their right of access, data subjects should have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain a copy of the data concerning them also in commonly used electronic format. The data subject should also be allowed to transmit those data, which they have provided, from one automated application, such as a social network, into another one. Data controllers should be encouraged

(55) To further strengthen the control over their own data and their right of access, data subjects should have the right, where the processing of personal data are processed is carried out by electronic automated means and in a structured and commonly used format, to obtain a copy of the data concerning them also in commonly used electronic format. The the data subject should also be allowed to transmit those the personal data concerning him or her, which they have he or she has provided, from one automated application, such as

provided the data to the automated processing system, based on their consent or in the performance of a contract.

to develop interoperable formats that enable data portability. This should apply where the data subject provided the data to the automated processing system, based on their his or her consent or in the performance of a contract. Providers of information society services should not make the transfer of those data mandatory for the provision of their services.

a social network, into to a controller, in a commonly used and machine-readable format to another one controller. This right should apply where the data subject provided the personal data to the automated processing system, based on their his or her consent or in the performance of a contract. It should not apply where processing is based on another legal ground other than consent or contract. By its very nature this right should not be exercised against controllers processing data in the exercise of their public duties. It should therefore in particular not apply where processing of the personal data is necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of an official duty vested in the controller.

Where, in a certain set of personal data, more than one data subject is concerned, the right to transmit the data should be without prejudice to the requirements on the lawfulness of the processing of

personal data related to another data subject in accordance with this Regulation. This right should also not prejudice the right of the data subject to obtain the erasure of personal data and the limitations of that right as set out in this Regulation and should in particular not imply the erasure of personal data concerning the data subject which have been provided by him or her for the performance of a contract, to the extent and as long as the data are necessary for the performance of that contract.

Amendment 31

(56) In cases where personal data might lawfully be processed to protect the vital interests of the data subject, or on grounds of public interest, official authority or the legitimate interests of a controller, any data subject should nevertheless be entitled to object to the processing of any data relating to them. The burden of proof should be on the controller to demonstrate that their legitimate interests may override the interests

(56) In cases where personal data might lawfully be processed to protect the vital interests of the data subject, or on grounds of public interest, official authority or the legitimate interests of a controller, any data subject should nevertheless be entitled to object to the processing of any data relating to them him or her, free of charge and in a manner that can be easily and effectively invoked. The burden of proof should be on the

(56) In cases where personal data might lawfully be processed to protect the vital interests of the data subject, or on grounds of public interest, official authority or the legitimate interests of a controller, any data subject should nevertheless be entitled to object to the processing of any data relating to them. The burden of proof It should be on for the controller to demonstrate that their legitimate interests may override the interests

or the fundamental rights and freedoms of the data subject.

controller to demonstrate that their legitimate interests may override the interests or the fundamental rights and freedoms of the data subject.

or the fundamental rights and freedoms of the data subject.

Amendment 32

(57) Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing free of charge and in a manner that can be easily and effectively invoked.

(57) Where personal data are processed for the purposes of direct marketing, the data subject should have has the right to object to such the processing free of charge and in a manner that can be easily and effectively invoked, the controller should explicitly offer it to the data subject in an intelligible manner and form, using clear and plain language and should clearly distinguish it from other information.

(57) Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing free of charge and in a manner that can be easily and effectively invoked.

Amendment 33

(58) Every natural person should have the right not to be subject to a measure which is based on profiling by means of automated processing. However, such measure should be allowed when expressly authorised by law, carried out in the course of entering or performance

(58) Without prejudice to the lawfulness of the data processing, every natural person should have the right not to be subject to object to a measure which is based on profiling by means of automated processing. However, such measure. Profiling which leads to

(58) Every natural person The data subject should have the right not to be subject to a measure a decision evaluation personal aspects relating to him or her and taken which is based solely on profiling by means of automated processing, which produces legal effects

of a contract, or when the data subject has given his consent. In any case, such processing should be subject to suitable safeguards, including specific information of the data subject and the right to obtain human intervention and that such measure should not concern a child.

measures producing legal effects concerning the data subject or does similarly significantly affect the interests, rights or freedoms of the concerned data subject should only be allowed when expressly authorised by law, carried out in the course of entering or performance of a contract, or when the data subject has given his consent. The In any case, such processing should be subject to suitable safeguards, including specific information of the data subject and the right to obtain human intervention assessment and that such measure should not concern a child. Such measures should not lead to discrimination against individuals on the basis of race or ethnic origin, political opinions, religion or beliefs, trade union membership, sexual orientation or gender identity.

concerning him or her or significantly affects his or her, like automatic refusal of an on-line credit application or e-recruiting practices without any human intervention. Such processing includes also 'profiling' intended to create or use a profile, that is a set of data characterising a category of individuals to evaluate personal aspects relating to a natural person, in particular to analyse or predict aspects concerning performance at work, economic situation, health, personal preferences, or interests, reliability or behaviour, location or movements. However, such measure decision making based on such processing, including profiling, should be allowed when expressly authorised35 by Union or Member State law, carried out in the course of to which the controller is subject, including for fraud and tax evasion36

monitoring and prevention purposes and to ensure the security and reliability of a service

35 BE suggested adding ' or recommended', with regard to e.g. ECB recommendations.
36 Further to MT suggestion.

provided by the controller, ornecessary for the entering orperformance of a contract betweenthe data subject and a controller,or when the data subject has givenhis or her explicit consent. In anycase, such processing should besubject to suitable safeguards,including specific information ofthe data subject and the right toobtain human intervention and thatsuch measure should not concern achild, to express his or her point ofview, to get an explanation of thedecision reached after suchassessment37 and the right tocontest the decision.

Automated decision making and profiling based on special categories of personal data should only be allowed under specific conditions.

Amendment 34

(58a) Profiling based solely on the processing of pseudonymous data should be presumed not to significantly affect the interests,

37 Further to PL suggestion.

rights or freedoms of the data subject. Where profiling, whether based on a single source of pseudonymous data or on the aggregation of pseudonymous data from different sources, permits the controller to attribute pseudonymous data to a specific data subject, the processed data should no longer be considered to be pseudonymous.

(58a) The creation and the use of a profile, i.e. a set of data characterising a category of individuals that is e applied or intended to be applied to a natural person as such is subject to the (general) rules of this Regulation governing processing of personal data (legal grounds of processing, data protection principles etc.) with specific safeguards (for instance the obligation to conduct an impact assessment in some cases or provisions concerning specific information to be provided to the concerned individual). The European Data Protection Board should have the possibility to issue guidance in this context.

Amendment 35

(59) Restrictions on specific principles and on the rights of information, access, rectification and erasure or on the right to data portability, the right to object, measures based on profiling, as well as on the communication of a personal data breach to a data subject and on certain related obligations of the controllers may be imposed by Union or Member State law, as far as necessary and proportionate in a democratic society to safeguard public security, including the protection of human life especially in response to natural or man made disasters, the prevention, investigation and prosecution of criminal offences or of breaches of ethics for regulated professions, other public interests of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, or the protection of the data subject or the rights and freedoms of others. Those restrictions should be in compliance with requirements set

(59) Restrictions on specific principles and on the rights of information, access, rectification and erasure or on the right of access and to obtain data portability, the right to object, measures based on profiling, as well as on the communication of a personal data breach to a data subject and on certain related obligations of the controllers may be imposed by Union or Member State law, as far as necessary and proportionate in a democratic society to safeguard public security, including the protection of human life especially in response to natural or man made disasters, the prevention, investigation and prosecution of criminal offences or of breaches of ethics for regulated professions, other specific and well-defined public interests of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, or the protection of the data subject or the rights and freedoms of others. Those

(59) Restrictions on specific principles and on the rights of information, access, rectification and erasure or on the right to data portability, the right to object, measures based on profiling, as well as on the communication of a personal data breach to a data subject and on certain related obligations of the controllers may be imposed by Union or Member State law, as far as necessary and proportionate in a democratic society to safeguard public security, including the protection of human life especially in response to natural or man made disasters, the prevention, investigation and prosecution of criminal offences or of breaches of ethics for regulated professions, other public interests of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, the keeping of public registers kept for reasons of general public interest, further processing of archived personal data to provide specific

out by the Charter of Fundamental Rights of the European Union and by the European Convention for the Protection of Human Rights and Fundamental Freedoms.

restrictions should be in compliance with requirements set out by the Charter of Fundamental Rights of the European Union and by the European Convention for the Protection of Human Rights and Fundamental Freedoms.

information related to the political behaviour under former totalitarian state regimes or the protection of the data subject or the rights and freedoms of others, including social protection and public health. Those restrictions should be in compliance with requirements set out by the Charter of Fundamental Rights of the European Union and by the European Convention for the Protection of Human Rights and Fundamental Freedoms.

Amendment 36

(60) Comprehensive responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller's behalf should be established. In particular, the controller should ensure and be obliged to demonstrate the compliance of each processing operation with this Regulation.

(60) Comprehensive responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller's behalf should be established, in particular with regard to documentation, data security, impact assessments, the data protection officer and oversight by data protection authorities. In particular, the controller should ensure and be obliged able to demonstrate the compliance of each processing

(60) Comprehensive The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller's behalf should be established. In particular, the controller should ensure and be obliged to implement appropriate measures and be able to demonstrate the compliance of each processing operation activities with this Regulation. These measures should take into account the nature, scope, context and

operation with this Regulation. This should be verified by independent internal or external auditors.

purposes of the processing and the risk for the rights and freedoms of individuals.

(60a) Such risks, of varying likelihood and severity, may result from data processing which could lead to physical, material or moral damage, in particular where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy, [breach of (…) pseudonymity]38, or any other significant economic or social disadvantage; or where data subjects might be deprived of their rights and freedoms or from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions and

38 The reference to the use of pseudonymous data in Chapter IV will in the future need to be debated in the context of a further debate on pseudonymising personal data.

offences or related security measures; where personal aspects are evaluated, in particular analysing and prediction of aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable individuals, in particular of children, are processed; where processing involves a large amount of personal data and affects a large number of data subjects.

(60b) The likelihood and severity of the risk should be determined in function of the nature, scope, context and purposes of the data processing. Risk should be evaluated on an objective assessment, by which it is established whether data processing operations involve a

high risk. A high risk is a particular39 risk of prejudice to the rights and freedoms of individuals.

(60c) Guidance for the implementation of appropriate measures, and for demonstrating the compliance by the controller [or processor], especially as regards the identification of the risk related to the processing, their assessment in terms of their origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk, could be provided in particular by approved codes of conduct, approved certifications, guidelines of the European Data Protection Board or through the indications provided by a data protection officer. The European Data Protection Board may also issue guidelines on processing operations that are considered to be unlikely to result in a high risk for the rights and freedoms of individuals and indicate what measures may be sufficient in

39 The use of the word 'particular' was questioned by BE, CZ, ES and UK, which thought that this term does not express the seriousness of the risk in case of 'high' risk.

such cases to address such risk.

Amendment 37

(61) The protection of the rights and freedoms of data subjects with regard to the processing of personal data require that appropriate technical and organisational measures are taken, both at the time of the design of the processing and at the time of the processing itself, to ensure that the requirements of this Regulation are met. In order to ensure and demonstrate compliance with this Regulation, the controller should adopt internal policies and implement appropriate measures, which meet in particular the principles of data protection by design and data protection by default.

(61) The protection of the rights and freedoms of data subjects with regard to the processing of personal data require that appropriate technical and organisational measures are taken, both at the time of the design of the processing and at the time of the processing itself, to ensure that the requirements of this Regulation are met. In order to ensure and demonstrate compliance with this Regulation, the controller should adopt internal policies and implement appropriate measures, which meet in particular the principles of data protection by design and data protection by default. The principle of data protection by design requires data protection to be embedded within the entire life cycle of the technology, from the very early design stage, right through to its ultimate deployment, use and final disposal. This should also include the responsibility for the products and services used by the controller

(61) The protection of the rights and freedoms of data subjects individuals with regard to the processing of personal data require that appropriate technical and organisational measures are taken, both at the time of the design of the processing and at the time of the processing itself, to ensure that the requirements of this Regulation are met. In order to ensure and demonstrate compliance with this Regulation, the controller should adopt internal policies and implement appropriate measures, which meet in particular the principles of data protection by design and data protection by default. Such measures could consist inter alia of minimising the processing of personal data, (…) pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing,

or processor. The principle of data protection by default requires privacy settings on services and products which should by default comply with the general principles of data protection, such as data minimisation and purpose limitation.

enabling the controller to create and improve security features. When developing, designing, selecting and using applications, services and products that are either based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations.

Amendment 38

(62) The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processor, also in relation to the monitoring by and measures of supervisory authorities, requires a clear attribution of the responsibilities under this Regulation, including where a

(62) The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processor, also in relation to the monitoring by and measures of supervisory authorities, requires a clear attribution of the responsibilities under this Regulation, including where a

(62) The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processor, also in relation to the monitoring by and measures of supervisory authorities, requires a clear attribution of the responsibilities under this Regulation, including where a

controller determines the purposes, conditions and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller.

controller determines the purposes, conditions and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller. The arrangement between the joint controllers should reflect the joint controllers' effective roles and relationships. The processing of personal data under this Regulation should include the permission for a controller to transmit the data to a joint controller or to a processor for the processing of the data on their his or her behalf.

controller determines the purposes, conditions and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller.

Amendment 39

(63) Where a controller not established in the Union is processing personal data of data subjects residing in the Union whose processing activities are related to the offering of goods or services to such data subjects, or to the monitoring their behaviour, the controller should designate a representative, unless the controller is established in a third country ensuring an adequate level of

(63) Where a controller not established in the Union is processing personal data of data subjects residing in the Union whose processing activities are related to the offering of goods or services to such data subjects, or to the monitoring their behaviour, the controller should designate a representative, unless the controller is established in a third country ensuring an adequate level of

(63) Where a controller not established in the Union is processing personal data of data subjects residing in the Union whose processing activities are related to the offering of goods or services to such data subjects, or to the monitoring of their behaviour in the Union, the controller should designate a representative, unless the processing it carries out is occasional and unlikely to result

protection, or the controller is a small or medium sized enterprise or a public authority or body or where the controller is only occasionally offering goods or services to such data subjects. The representative should act on behalf of the controller and may be addressed by any supervisory authority.

protection, or the controller is a small or medium sized enterprise or processing relates to fewer than 5000 data subjects during any consecutive 12-month period and is not carried out on special categories of personal data, or is a public authority or body or where the controller is only occasionally offering goods or services to such data subjects. The representative should act on behalf of the controller and may be addressed by any supervisory authority.

in a risk for the rights and freedoms of data subjects, taking into account the nature, scope, context and purposes of the processing or the controller is established in a third country ensuring an adequate level of protection, or the controller is a small or medium sized enterprise or a public authority or body or where the controller is only occasionally offering goods or services to such data subjects. The representative should act on behalf of the controller and may be addressed by any supervisory authority. The representative should be explicitly designated by a written mandate of the controller to act on its behalf with regard to the latter's obligations under this Regulation. The designation of such representative does not affect the responsibility and liability of the controller under this Regulation. Such representative should perform its tasks according to the received mandate from the controller, including to cooperate with the competent supervisory authorities on any action taken in

ensuring compliance with this Regulation. The designated representative should be subjected to enforcement actions in case of non-compliance by the controller.

(63a) To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing. Adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller. The carrying out of processing by a processor should be governed by a contract or other

legal act under Union or Member State law, binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal data and categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk for the rights and freedoms of the data subject.

The controller and processor may choose to use an individual contract or standard contractual clauses which are adopted either directly by the Commission or by a supervisory authority in accordance with the consistency mechanism and then adopted by the Commission, or which are part of a certification granted in the certification mechanism. After the completion of the processing on behalf of the controller, the processor should return or delete the personal data, unless there is a requirement to store the data under Union or Member State law

to which the processor is subject.

Amendment 39

(64) In order to determine whether a controller is only occasionally offering goods and services to data subjects residing in the Union, it should be ascertained whether it is apparent from the controller's overall activities that the offering of goods and services to such data subjects is ancillary to those main activities.

(64) In order to determine whether a controller is only occasionally offering goods and services to data subjects residing in the Union, it should be ascertained whether it is apparent from the controller's overall activities that the offering of goods and services to such data subjects is ancillary to those main activities.

deleted

Amendment 41

(65) In order to demonstrate compliance with this Regulation, the controller or processor should document each processing operation. Each controller and processor should be obliged to co-operate with the supervisory authority and make this documentation, on request, available to it, so that it might serve for monitoring those processing operations.

(65) In order to be able to demonstrate compliance with this Regulation, the controller or processor should document each processing operation maintain the documentation necessary in order to fulfill the requirements laid down in this Regulation. Each controller and processor should be obliged to co-operate with the supervisory authority and make this documentation, on request, available to it, so that it might serve for monitoring those processing operations evaluating the

(65) In order to demonstrate compliance with this Regulation, the controller or processor should document each maintain records regarding all categories of processing operation activities under its responsibility. Each controller and processor should be obliged to co-operate with the supervisory authority and make this documentation these records, on request, available to it, so that it might serve for monitoring those processing operations.

compliance with this Regulation. However, equal emphasis and significance should be placed on good practice and compliance and not just the completion of documentation.

Amendment 42

(66) In order to maintain security and to prevent processing in breach of this Regulation, the controller or processor should evaluate the risks inherent to the processing and implement measures to mitigate those risks. These measures should ensure an appropriate level of security, taking into account the state of the art and the costs of their implementation in relation to the risks and the nature of the personal data to be protected. When establishing technical standards and organisational measures to ensure security of processing, the Commission should promote technological neutrality, interoperability and innovation, and, where appropriate, cooperate with third countries.

(66) In order to maintain security and to prevent processing in breach of this Regulation, the controller or processor should evaluate the risks inherent to the processing and implement measures to mitigate those risks. These measures should ensure an appropriate level of security, taking into account the state of the art and the costs of their implementation in relation to the risks and the nature of the personal data to be protected. When establishing technical standards and organisational measures to ensure security of processing, the Commission should promote technological neutrality, interoperability and innovation should be promoted and, where appropriate, cooperate cooperation with third countries should be

(66) In order to maintain security and to prevent processing in breach of this Regulation, the controller or processor should evaluate the risks inherent to the processing and implement measures to mitigate those risks. These measures should ensure an appropriate level of security including confidentiality, taking into account available technology the state of the art and the costs of their implementation in relation to the risks and the nature of the personal data to be protected. When establishing technical standards and organisational measures to ensure security of processing, the Commission should promote technological neutrality, interoperability and innovation, and, where appropriate, cooperate with third countries In assessing

encouraged.

data security risk, consideration should be given to the risks that are presented by data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed, which may in particular lead to physical, material or moral damage.

(66a) In order to enhance compliance with this Regulation in cases where the processing operations are likely to result in a high risk for the rights and freedoms of individuals, the controller [or the processor] should be responsible for the carrying out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of this risk. The outcome of the assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data is in compliance with this Regulation.

Where a data protection impact assessment indicates that processing operations involve a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation of the supervisory authority should take place prior to the processing.

Amendment 43

(67) A personal data breach may, if not addressed in an adequate and timely manner, result in substantial economic loss and social harm, including identity fraud, to the individual concerned. Therefore, as soon as the controller becomes aware that such a breach has occurred, the controller should notify the breach to the supervisory authority without undue delay and, where feasible, within 24 hours. Where this cannot achieved within 24 hours, an explanation of the reasons for the delay should accompany the notification. The individuals whose personal data could be adversely affected by the

(67) A personal data breach may, if not addressed in an adequate and timely manner, result in substantial economic loss and social harm, including identity fraud, to the individual concerned. Therefore, as soon as the controller becomes aware that such a breach has occurred, the controller should notify the breach to the supervisory authority without undue delay and, where feasible, within 24, which should be presumed to be not later than 72 hours. Where this cannot achieved within 24 hours If applicable, an explanation of the reasons for the delay should accompany the notification. The

(67) A personal data breach may, if not addressed in an adequate and timely manner, result in physical, material or moral damage to individuals such as substantial economic loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, [breach of pseudonymity], damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other economic or and social harm, including identity fraud, disadvantage to the individual concerned. Therefore, as soon as the controller becomes aware that

breach should be notified without undue delay in order to allow them to take the necessary precautions. A breach should be considered as adversely affecting the personal data or privacy of a data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation. The notification should describe the nature of the personal data breach as well as recommendations as well as recommendations for the individual concerned to mitigate potential adverse effects. Notifications to data subjects should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities (e.g. law enforcement authorities). For example, the chance for data subjects to mitigate an immediate risk of harm would call for a prompt notification of data subjects whereas the need to implement appropriate measures against continuing or similar data breaches

individuals whose personal data could be adversely affected by the breach should be notified without undue delay in order to allow them to take the necessary precautions. A breach should be considered as adversely affecting the personal data or privacy of a data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation. The notification should describe the nature of the personal data breach and formulate as well as recommendations as well as recommendations for the individual concerned to mitigate potential adverse effects. Notifications to data subjects should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities (e.g. law enforcement authorities). For example, the chance for data subjects to mitigate an immediate risk of harm would call for a prompt notification of data subjects whereas the need to implement

such a personal data breach whichmay result in physical, material ormoral damage has occurred, thecontroller should notify the breachto the supervisory authority withoutundue delay and, where feasible,within 24 72 hours. Where thiscannot be achieved within 24 72hours, an explanation of the reasonsfor the delay should accompany thenotification. The individuals whoserights and freedoms personal datacould be adversely severelyaffected by the breach should benotified without undue delay inorder to allow them to take thenecessary precautions. A breachshould be considered as adverselyaffecting the personal data orprivacy of a data subject where itcould result in, for example,identity theft or fraud, physicalharm, significant humiliation ordamage to reputation. Thenotification should describe thenature of the personal data breachas well as recommendations as wellas recommendations for theindividual concerned to mitigatepotential adverse effects.Notifications to data subjects


may justify a longer delay.

appropriate measures against continuing or similar data breaches may justify a longer delay.

should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities (e.g. law enforcement authorities). For example, the chance for data subjects need to mitigate an immediate risk of harm damage would call for a prompt notification of data subjects whereas the need to implement appropriate measures against continuing or similar data breaches may justify a longer delay.

(68) In order to determine whether a personal data breach is notified to the supervisory authority and to the data subject without undue delay, it should be ascertained whether the controller has implemented and applied appropriate technological protection and organisational measures to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject, before a damage to personal and economic interests

(68) In order to determine whether a personal data breach is notified to the supervisory authority and to the data subject without undue delay, it should be ascertained whether the controller has implemented and applied appropriate technological protection and organisational measures to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject, before a damage to personal and economic interests occurs, taking into account in

(68) In order to determine It must whether a personal data breach is notified to the supervisory authority and to the data subject without undue delay, it should be ascertained whether the controller has implemented and applied all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject., before a damage to


occurs, taking into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects for the data subject.

particular the nature and gravity of the personal data breach and its consequences and adverse effects for the data subject.

personal and economic interests occurs, The fact that the notification was made without undue delay should be established taking into account in particular the nature and gravity of the personal data breach and its consequences and adverse effects for the data subject. Such notification may result in an intervention of the supervisory authority in accordance with its tasks and powers laid down in this Regulation.

(68a) The communication of a personal data breach to the data subject should not be required if the controller has implemented appropriate technological protection measures, and that those measures were applied to the data affected by the personal data breach. Such technological protection measures should include those that render the data unintelligible to any person who is not authorised to access it, in particular by encrypting the personal data.


(69) In setting detailed rules concerning the format and procedures applicable to the notification of personal data breaches, due consideration should be given to the circumstances of the breach, including whether or not personal data had been protected by appropriate technical protection measures, effectively limiting the likelihood of identity fraud or other forms of misuse. Moreover, such rules and procedures should take into account the legitimate interests of law enforcement authorities in cases where early disclosure could unnecessarily hamper the investigation of the circumstances of a breach.

(69) In setting detailed rules concerning the format and procedures applicable to the notification of personal data breaches, due consideration should be given to the circumstances of the breach, including whether or not personal data had been protected by appropriate technical protection measures, effectively limiting the likelihood of identity fraud or other forms of misuse. Moreover, such rules and procedures should take into account the legitimate interests of law enforcement authorities in cases where early disclosure could unnecessarily hamper the investigation of the circumstances of a breach.

(69) In setting detailed rules concerning the format and procedures applicable to the notification of personal data breaches, due consideration should be given to the circumstances of the breach, including whether or not personal data had been protected by appropriate technical protection measures, effectively limiting the likelihood of identity fraud or other forms of misuse. Moreover, such rules and procedures should take into account the legitimate interests of law enforcement authorities in cases where early disclosure could unnecessarily hamper the investigation of the circumstances of a breach.

(70) Directive 95/46/EC provided for a general obligation to notify processing of personal data to the supervisory authorities. While this obligation produces administrative and financial burdens, it did not in all cases contribute to improving the protection of personal data. Therefore such indiscriminate

(70) Directive 95/46/EC provided for a general obligation to notify processing of personal data to the supervisory authorities. While this obligation produces administrative and financial burdens, it did not in all cases contribute to improving the protection of personal data. Therefore such indiscriminate general notification obligation

(70) Directive 95/46/EC provided for a general obligation to notify processing of personal data to the supervisory authorities. While this obligation produces administrative and financial burdens, it did not in all cases contribute to improving the protection of personal data. Therefore such indiscriminate general notification obligations


general notification obligation should be abolished, and replaced by effective procedures and mechanism which focus instead on those processing operations which are likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes. In such cases, a data protection impact assessment should be carried out by the controller or processor prior to the processing, which should include in particular the envisaged measures, safeguards and mechanisms for ensuring the protection of personal data and for demonstrating the compliance with this Regulation.

should be abolished, and replaced by effective procedures and mechanism which focus instead on those processing operations which are likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes. In such cases, a data protection impact assessment should be carried out by the controller or processor prior to the processing, which should include in particular the envisaged measures, safeguards and mechanisms for ensuring the protection of personal data and for demonstrating the compliance with this Regulation.

should be abolished, and replaced by effective procedures and mechanism which focus instead on those types of processing operations which are likely to present specific result in a high risks to the rights and freedoms of data subjects individuals by virtue of their nature, their scope, context and or their purposes. In such Such cases, a data protection impact assessment should be carried out by the controller or processor prior to the types of processing, operations may be those which should include in particular, involve using new technologies, or are of a new kind and where no data protection impact assessment has been carried out before by the controller, or wehere they become necessary in the light of the time that has elapsed since the initial processing40 the envisaged measures, safeguards and mechanisms for ensuring the protection of personal data and for demonstrating the compliance with this Regulation.

40 BE was opposed to the temporal reference in the last part of this sentence.


(70a) In such cases, a data protection impact assessment should be carried out by the controller prior to the processing in order to assess the particular likelihood and severity of the high risk, taking into account the nature, scope, context and purposes of the processing and the sources of the risk, which should include in particular the envisaged measures, safeguards and mechanisms for mitigating that risk and for ensuring the protection of personal data and for demonstrating the compliance with this Regulation.

(71) This should in particular apply to newly established large scale filing systems, which aim at processing a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects.

(71) This should in particular apply to newly established large scale filing systems, which aim at processing a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects.

(71) This should in particular apply to newly established large scale filing systems processing operations, which aim at processing a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk, for example, on account of their sensitivity, where in accordance with the achieved state of


technological knowledge a new technology is used on a large scale as well as to other processing operations which result in a high risk for the rights and freedoms of data subjects, in particular where those operations render it more difficult for data subjects to exercise their rights. A data protection impact assessment should also be made in cases where data are processed for taking decisions regarding specific individuals following any systematic and extensive evaluation of personal aspects relating to natural persons based on profiling those data or following the processing of special categories of personal data, biometric data, or data on criminal convictions and offences or related security measures. A data protection impact assessment is equally required for monitoring publicly accessible areas on a large scale, especially when using optic-electronic devices or for any other operations where the competent supervisory authority considers that the processing is


likely to result in a high risk for the rights and freedoms of data subjects, in particular because they prevent data subjects from exercising a right or using a service or a contract, or because they are carried out systematically on a large scale. The processing of personal data irrespective of the volume or the nature of the data, should not be considered as being on a large scale, if the processing of these data is protected by professional secrecy, such as the processing of personal data from patients or clients by an individual doctor, health care professional, hospital or attorney. In these cases a data protection impact assessment should not be mandatory.

Amendment 44

(71a) Impact assessments are the essential core of any sustainable data protection framework, making sure that businesses are aware from the outset of all possible consequences of their data processing operations. If


impact assessments are thorough, the likelihood of any data breach or privacy-intrusive operation can be fundamentally limited. Data protection impact assessments should consequently have regard to the entire lifecycle management of personal data from collection to processing to deletion, describing in detail the envisaged processing operations, the risks to the rights and freedoms of data subjects, the measures envisaged to address the risks, safeguards, security measures and mechanisms to ensure compliance with the this Rregulation.

Amendment 45

(71b) Controllers should focus on the protection of personal data throughout the entire data lifecycle from collection to processing to deletion by investing from the outset in a sustainable data management framework and by following it up with a comprehensive compliance mechanism.


(72) There are circumstances under which it may be sensible and economic that the subject of a data protection impact assessment should be broader than a single project, for example where public authorities or bodies intend to establish a common application or processing platform or where several controllers plan to introduce a common application or processing environment across an industry sector or segment or for a widely used horizontal activity.

(72) There are circumstances under which it may be sensible and economic that the subject of a data protection impact assessment should be broader than a single project, for example where public authorities or bodies intend to establish a common application or processing platform or where several controllers plan to introduce a common application or processing environment across an industry sector or segment or for a widely used horizontal activity.

(72) There are circumstances under which it may be sensible and economic that the subject of a data protection impact assessment should be broader than a single project, for example where public authorities or bodies intend to establish a common application or processing platform or where several controllers plan to introduce a common application or processing environment across an industry sector or segment or for a widely used horizontal activity.

Amendment 46

(73) Data protection impact assessments should be carried out by a public authority or public body if such an assessment has not already been made in the context of the adoption of the national law on which the performance of the tasks of the public authority or public body is based and which regulates the specific processing operation or set of operations in question.

deleted

(73) Data protection impact assessments should may be carried out by a public authority or public body if such an assessment has not already been made in the context of the adoption of the national law on which the performance of the tasks of the public authority or public body is based and which regulates the specific processing operation or set of operations in question.


Amendment 47

(74) Where a data protection impact assessment indicates that processing operations involve a high degree of specific risks to the rights and freedoms of data subjects, such as excluding individuals from their right, or by the use of specific new technologies, the supervisory authority should be consulted, prior to the start of operations, on a risky processing which might not be in compliance with this Regulation, and to make proposals to remedy such situation. Such consultation should equally take place in the course of the preparation either of a measure by the national parliament or of a measure based on such legislative measure which defines the nature of the processing and lays down appropriate safeguards.

(74) Where a data protection impact assessment indicates that processing operations involve a high degree of specific risks to the rights and freedoms of data subjects, such as excluding individuals from their right, or by the use of specific new technologies, the data protection officer or the supervisory authority should be consulted, prior to the start of operations, on a risky processing which might not be in compliance with this Regulation, and to make proposals to remedy such situation. Such A consultation of the supervisory authority should equally take place in the course of the preparation either of a measure by the national parliament or of a measure based on such legislative measure which defines the nature of the processing and lays down appropriate safeguards.

(74) Where a data protection impact assessment indicates that the processing would, despite the envisaged safeguards, security measures and mechanisms to mitigate the operations involve a high degree of specific risks to the result in a high riks to the rights and freedoms of data subjects individuals and the controller is of the opinion that the risk cannot be mitigated by reasonable means in terms of available technologies and costs of implementation, such as excluding individuals from their right, or by the use of specific new technologies, the supervisory authority should be consulted, prior to the start of operations processing activities, on a risky processing which might not be in compliance with this Regulation, and to make proposals to remedy such situation. Such consultation should equally take place in the course of the preparation either of a measure by the national parliament or of a measure based on such legislative


measure which defines the nature of the processing and lays down appropriate safeguards. Such high risk is likely to result from certain types of data processing and certain extent and frequency of processing, which may result also in a realisation of damage or interference with the rights and freedoms of the data subject. The supervisory authority should respond to the request for consultation in a defined period. However, the absence of a reaction of the supervisory authority within this period should be without prejudice to any intervention of the supervisory authority in accordance with its tasks and powers laid down in this Regulation, including the power to prohibit processing operations. As part of this consultation process, the outcome of a data protection impact assessment carried out with regard to the processing at issue pursuant to Article 33 may be submitted to the supervisory authority, in particular the measures envisaged to mitigate the risk for the rights and freedoms of


individuals.

Amendment 48

(74a) Impact assessments can only be of help if controllers make sure that they comply with the promises originally laid down in them. Data controllers should therefore conduct periodic data protection compliance reviews demonstrating that the data processing mechanisms in place comply with assurances made in the data protection impact assessment. It should further demonstrate the ability of the data controller to comply with the autonomous choices of data subjects. In addition, in case the review finds compliance inconsistencies, it should highlight these and present recommendations on how to achieve full compliance.

(74a) The processor should assist the controller, where necessary and upon request, in ensuring compliance with the obligations deriving from the carrying out of data protection impact assessments and from prior consultation of the


supervisory authority.

(74b) A consultation with the supervisory authority should also take place in the course of the preparation of a legislative or regulatory measure which provides for the processing of personal data, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risk involved for the data subject.

Amendment 49

(75) Where the processing is carried out in the public sector or where, in the private sector, processing is carried out by a large enterprise, or where its core activities, regardless of the size of the enterprise, involve processing operations which require regular and systematic monitoring, a person should assist the controller or processor to monitor internal compliance with this Regulation. Such data protection officers, whether or not an employee of the controller, should be in a position to perform their duties and tasks

(75) Where the processing is carried out in the public sector or where, in the private sector, processing is carried out by a large enterprise relates to more than 5000 data subjects within 12 months, or where its core activities, regardless of the size of the enterprise, involve processing operations on sensitive data, or processing operations which require regular and systematic monitoring, a person should assist the controller or processor to monitor internal compliance with this Regulation. When establishing

(75) Where the processing is carried out in the public sector or where, in the private sector, processing is carried out by a large enterprise, or where its core activities, regardless of the size of the enterprise, involve processing operations which require regular and systematic monitoring, a person should with expert knowledge of data protection law and practices may assist the controller or processor to monitor internal compliance with this Regulation. Such data protection officers, whether or not an


independently.

whether data about a large number of data subjects are processed, archived data that are restricted in such a way that they are not subject to the normal data access and processing operations of the controller and can no longer be changed should not be taken into account. Such data protection officers, whether or not an employee of the controller and whether or not performing that task full time, should be in a position to perform their duties and tasks independently and enjoy special protection against dismissal. Final responsibility should stay with the management of an organisation. The data protection officer should in particular be consulted prior to the design, procurement, development and setting-up of systems for the automated processing of personal data, in order to ensure the principles of privacy by design and privacy by default.

employee of the controller, should be in a position to perform their duties and tasks in an independently manner.


Amendment 50

(75a) The data protection officer should have at least the following qualifications: extensive knowledge of the substance and application of data protection law, including technical and organisational measures and procedures; mastery of technical requirements for privacy by design, privacy by default and data security; industry-specific knowledge in accordance with the size of the controller or processor and the sensitivity of the data to be processed; the ability to carry out inspections, consultation, documentation, and log file analysis; and the ability to work with employee representation. The controller should enable the data protection officer to take part in advanced training measures to maintain the specialized knowledge required to perform his or her duties. The designation as a data protection officer does not necessarily require fulltime occupation of the respective employee.


Amendment 51

(76) Associations or other bodies representing categories of controllers should be encouraged to draw up codes of conduct, within the limits of this Regulation, so as to facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors.

(76) Associations or other bodies representing categories of controllers should be encouraged, after consultation of the representatives of the employees, to draw up codes of conduct, within the limits of this Regulation, so as to facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors. Such codes should make compliance with this Regulation easier for industry.

(76) Associations or other bodies representing categories of controllers or processors should be encouraged to draw up codes of conduct, within the limits of this Regulation, so as to facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors and the specific needs of micro, small and medium enterprises. In particular such codes of conduct could calibrate the obligations of controllers and processors, taking into account the risk likely to result from the processing for the rights and freedoms of individuals.

(76a) When drawing up a code of conduct, or when amending or extending such a code, associations and other bodies representing categories of controllers or processors should consult with relevant stakeholders, including data subjects where feasible, and have regard to


submissions received and views expressed in response to such consultations.

Amendment 52

(77) In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms, data protection seals and marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services.

(77) In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms, data protection seals and standardised marks should be encouraged, allowing data subjects to quickly, reliably and verifiably assess the level of data protection of relevant products and services. A "European Data Protection Seal" should be established on the European level to create trust among data subjects, legal certainty for controllers, and at the same time export European data protection standards by allowing non-European companies to more easily enter European markets by being certified.

(77) In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms, data protection seals and marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services.

(78) Cross-border flows of personal data are necessary for the expansion of international trade and international co-operation. The increase in these flows has raised

(78) Cross-border flows of personal data are necessary for the expansion of international trade and international co-operation. The increase in these flows has raised

(78) Cross-border flows of personal data to and from countries outside the Union and international organisations are necessary for the expansion of international trade and


new challenges and concerns withrespect to the protection ofpersonal data. However, whenpersonal data are transferred fromthe Union to third countries or tointernational organisations, thelevel of protection of individualsguaranteed in the Union by thisRegulation should not beundermined. In any event, transfersto third countries may only becarried out in full compliance withthis Regulation.

new challenges and concerns withrespect to the protection of personaldata. However, when personal dataare transferred from the Union tothird countries or to internationalorganisations, the level ofprotection of individualsguaranteed in the Union by thisRegulation should not beundermined. In any event, transfersto third countries may only becarried out in full compliance withthis Regulation.

international co-operation. The increase in these flows has raised new challenges and concerns with respect to the protection of personal data. However, when personal data are transferred from the Union to controllers, processors or other recipients in third countries or to international organisations, the level of protection of individuals guaranteed in the Union by this Regulation should not be undermined, to and from countries outside the Union and international organisations are necessary for the expansion of international trade and international co-operation. The increase in these flows has raised new challenges and concerns with respect to the protection of personal data. However, when personal data are transferred from the Union to controllers, processors or other recipients in third countries or to international organisations, the level of protection of individuals guaranteed in the Union by this Regulation should not be undermined, including in cases of


onward transfers of personal data from the third country or international organisation to controllers, processors in the same or41 another third country or international organisation. In any event, transfers to third countries and international organisations may only be carried out in full compliance with this Regulation. A transfer may only take place if, subject to the other provisions of this Regulation, the conditions laid down in Chapter V are complied with by the controller or processor.

Amendment 53

(79) This Regulation is without prejudice to international agreements concluded between the Union and third countries regulating the transfer of personal data including appropriate safeguards for the data subjects.

(79) This Regulation is without prejudice to international agreements concluded between the Union and third countries regulating the transfer of personal data including appropriate safeguards for the data subjects ensuring an adequate level of protection for the fundamental rights of citizens

(79) This Regulation is without prejudice to international agreements concluded between the Union and third countries regulating the transfer of personal data including appropriate safeguards for the data subjects. Member States may conclude international agreements which involve the transfer of personal data to third countries or international organisations, as far

41 DE scrutiny reservation, in particular about the application of the rules of place of purchase in relation to Article 89a.


as such agreements do not affect this Regulation or any other provisions of EU law and include safeguards to protect the rights of the data subjects42.

Amendment 54

(80) The Commission may decide with effect for the entire Union that certain third countries, or a territory or a processing sector within a third country, or an international organisation, offer an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third countries or international organisations which are considered to provide such level of protection. In these cases, transfers of personal data to these countries may take place without needing to obtain any further authorisation.

(80) The Commission may decide with effect for the entire Union that certain third countries, or a territory or a processing sector within a third country, or an international organisation, offer an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third countries or international organisations which are considered to provide such level of protection. In these cases, transfers of personal data to these countries may take place without needing to obtain any further authorisation. The Commission may also decide, having given notice and a complete justification to the third country, to revoke such

(80) The Commission may decide with effect for the entire Union that certain third countries, or a territory or a processing specified sector, such as the private sector or one or more specific economic sectors within a third country, or an international organisation, offer an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third countries or international organisations which are considered to provide such level of protection. In these cases, transfers of personal data to these countries may take place without needing to obtain any further authorisation.

42 FR requests the second sentence to be inserted in Article 89a. NL asked what was meant with the new text and considered that it was necessary to keep it, but its purpose and meaning should be clarified. DE and UK scrutiny reservation on the new text. EE asked whether if “affect” means that it was not contradictory or something else.


a decision.

(81) In line with the fundamental values on which the Union is founded, in particular the protection of human rights, the Commission should, in its assessment of the third country, take into account how a given third country respects the rule of law, access to justice as well as international human rights norms and standards.

(81) In line with the fundamental values on which the Union is founded, in particular the protection of human rights, the Commission should, in its assessment of the third country, take into account how a given third country respects the rule of law, access to justice as well as international human rights norms and standards.

(81) In line with the fundamental values on which the Union is founded, in particular the protection of human rights, the Commission should, in its assessment of the a third country or of a territory or of a specified sector within a third country, take into account how a given third country respects the rule of law, access to justice as well as international human rights norms and standards and its general and sectoral law, including legislation concerning public security, defence and national security as well as public order and criminal law. The adoption of an adequacy decision to a territory or a specified sector in a third country should take into account clear and objective criteria, such as specific processing activities and the scope of applicable legal standards and legislation in force in the third country.

(81a) Apart from the international commitments the third country or international organisation has


entered into, the Commission should also take account of obligations arising from the third country’s or international organisation’s participation in multilateral or regional systems in particular in relation to the protection of personal data, as well as the implementation of such obligations. In particular the third country’s accession to the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to the Automatic Processing of Personal Data and its Additional Protocol should be taken into account. The Commission should consult with the European Data Protection Board when assessing the level of protection in third countries or international organisations43.

(81b) The Commission should monitor the functioning of decisions on the level of protection in a third country or a territory or

43 DE, supported by NL, proposed that the list of checks in Article 42(2) should include a new component consisting of the participation of third states or international organisations in international data-protection systems (e.g. APEC and ECOWAS). According to the position of DE, although those systems are still in the early stages of practical implementation, the draft Regulation should make allowance right away for the significance they may gain in future. Point (d) of Article 41(2) requires the systems to be fundamentally suited to ensuring compliance with data protection standards.


specified sector within a third country, or an international organisation, including decisions adopted on the basis of Article 25(6) or Article 26 (4) of Directive 95/46/EC. The Commission should evaluate, within a reasonable time, the functioning of the latter decisions and report any pertinent findings to the Committee within the meaning of Regulation (EU) No 182/2011 as established under this Regulation.

Amendment 55

(82) The Commission may equally recognise that a third country, or a territory or a processing sector within a third country, or an international organisation offers no adequate level of data protection. Consequently the transfer of personal data to that third country should be prohibited. In that case, provision should be made for consultations between the Commission and such third countries or international organisations.

(82) The Commission may equally recognise that a third country, or a territory or a processing sector within a third country, or an international organisation offers no adequate level of data protection. Any legislation which provides for extra-territorial access to personal data processed in the Union without authorisation under Union or Member State law should be considered as an indication of a lack of adequacy. Consequently the transfer of personal data to that third country

(82) The Commission may equally recognise that a third country, or a territory or a processing specified sector within a third country, or an international organisation offers no longer ensures an adequate level of data protection. Consequently the transfer of personal data to that third country or international organisation should be prohibited, unless the requirements of Articles 42 to 44 are fulfilled. In that case, provision should be made for consultations between the Commission and such third


should be prohibited. In that case, provision should be made for consultations between the Commission and such third countries or international organisations.

countries or international organisations. The Commission should, in a timely manner, inform the third country or international organisation of the reasons and enter into consultations with it in order to remedy the situation.

Amendment 56

(83) In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority, or other suitable and proportionate measures justified in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations and where authorised by a supervisory

(83) In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority, or other suitable and proportionate measures justified in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations and where authorised by a supervisory

(83) In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or ad hoc contractual clauses authorised by a supervisory authority, or other suitable and proportionate measures justified in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations and where authorised by


authority.

authority. Those appropriate safeguards should uphold a respect of the data subject’s rights adequate to intra-EU processing, in particular relating to purpose limitation, right to access, rectification, erasure and to claim compensation. Those safeguards should in particular guarantee the observance of the principles of personal data processing, safeguard the data subject’s rights and provide for effective redress mechanisms, ensure the observance of the principles of data protection by design and by default, guarantee the existence of a data protection officer.

a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects, including the right to obtain effective administrative or judicial redress. They should relate in particular to compliance with the general principles relating to personal data processing, the availability of enforceable data subject's rights and of effective legal remedies and the principles of data protection by design and by default. Transfers may be carried out also by public authorities or bodies with public authorities or bodies in third countries or with international organisations with corresponding duties or functions, including on the basis of provisions to be inserted into administrative arrangements, such as a memorandum of understanding. The authorisation of the competent supervisory authority should be obtained when the safeguards are adduced in non legally binding administrative arrangements.


Amendment 57

(84) The possibility for the controller or processor to use standard data protection clauses adopted by the Commission or by a supervisory authority should neither prevent the possibility for controllers or processors to include the standard data protection clauses in a wider contract nor to add other clauses as long as they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects.

(84) The possibility for the controller or processor to use standard data protection clauses adopted by the Commission or by a supervisory authority should neither prevent the possibility for controllers or processors to include the standard data protection clauses in a wider contract nor to add other clauses or supplementary safeguards as long as they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects. The standard data protection clauses adopted by the Commission could cover different situations, namely transfers from controllers established in the European Union to controllers established outside the European Union and from controllers established in the European Union to processors, including sub-processors, established outside the European Union. Controllers and processors

(84) The possibility for the controller or processor to use standard data protection clauses adopted by the Commission or by a supervisory authority should neither prevent the possibility for controllers or processors to include the standard data protection clauses in a wider contract, including in a contract between the processor and another processor, nor to add other clauses or additional safeguards as long as they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects.


should be encouraged to provide even more robust safeguards via additional contractual commitments that supplement standard protection clauses.

Amendment 58

(85) A corporate group should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same corporate group of undertakings, as long as such corporate rules include essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.

(85) A corporate group should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same corporate group of undertakings, as long as such corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data

(85) A corporate group or a group of enterprises engaged in a joint economic activity should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same corporate group of undertakings or group of enterprises, as long as such corporate rules include essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.

Amendment 59

(86) Provisions should be made for the possibility for transfers in certain circumstances where the data subject has given his consent, where the transfer is necessary in relation to a contract or a legal

(86) Provisions should be made for the possibility for transfers in certain circumstances where the data subject has given his consent, where the transfer is necessary in relation to a contract or a legal

(86) Provisions should be made for the possibility for transfers in certain circumstances where the data subject has given his explicit consent, where the transfer is necessary occasional in relation to


claim, where important grounds of public interest laid down by Union or Member State law so require or where the transfer is made from a register established by law and intended for consultation by the public or persons having a legitimate interest. In this latter case such a transfer should not involve the entirety of the data or entire categories of the data contained in the register and, when the register is intended for consultation by persons having a legitimate interest, the transfer should be made only at the request of those persons or if they are to be the recipients.

claim, where important grounds of public interest laid down by Union or Member State law so require or where the transfer is made from a register established by law and intended for consultation by the public or persons having a legitimate interest. In this latter case such a transfer should not involve the entirety of the data or entire categories of the data contained in the register and, when the register is intended for consultation by persons having a legitimate interest, the transfer should be made only at the request of those persons or if they are to be the recipients, taking into full account the interests and fundamental rights of the data subject.

a contract or a legal claim, regardless of whether in a judicial procedure or whether in an administrative or any out-of-court procedure, including procedures before regulatory bodies. Provision should also be made for the possibility for transfers where important grounds of public interest laid down by Union or Member State law so require or where the transfer is made from a register established by law and intended for consultation by the public or persons having a legitimate interest. In this latter case such a transfer should not involve the entirety of the data or entire categories of the data contained in the register and, when the register is intended for consultation by persons having a legitimate interest, the transfer should be made only at the request of those persons or if they are to be the recipients.

Amendment 60

(87) These derogations should in particular apply to data transfers required and necessary for the

(87) These derogations should in particular apply to data transfers required and necessary for the

(87) These derogations rules should in particular apply to data transfers required and necessary for the


protection of important grounds of public interest, for example in cases of international data transfers between competition authorities, tax or customs administrations, financial supervisory authorities, between services competent for social security matters, or to competent authorities for the prevention, investigation, detection and prosecution of criminal offences.

protection of important grounds of public interest, for example in cases of international data transfers between competition authorities, tax or customs administrations, financial supervisory authorities, between services competent for social security matters or for public health, or to competent public authorities for the prevention, investigation, detection and prosecution of criminal offences, including for the prevention of money laundering and the fight against terrorist financing. A transfer of personal data should equally be regarded as lawful where it is necessary to protect an interest which is essential for the data subject’s or another person’s life, if the data subject is incapable of giving consent. Transferring personal data for such important grounds of public interest should only be used for occasional transfers. In each and every case, a careful assessment of all circumstances of the transfer

protection of important grounds reasons of public interest, for example in cases of international data transfers exchange between competition authorities, tax or customs administrations, between financial supervisory authorities, between services competent for social security matters, or to competent authorities for the prevention, investigation, detection and prosecution of criminal offences for public health, for example in case of contact tracing for contagious diseases or in order to reduce and/or eliminate doping in sport. A transfer of personal data should equally be regarded as lawful where it is necessary to protect an interest which is essential for the data subject’s or another person’s vital interests, including physical integrity or life, if the data subject is incapable of giving consent.44 In the absence of an adequacy decision, Union law or Member State law may, for important reasons of public interest, expressly set limits to the

44 FR referred to the situation of a recipient of the transfer who is a medical professional or has adduced provisions ensuring the respect of the data subject's right to privacy and medical confidentiality. PRES considers that this could be further addressed in the context of Chapter IX.


should be carried out.

transfer of specific categories of data to a third country or an international organization. Member States should notify such provisions to the Commission.

Amendment 61

(88) Transfers which cannot be qualified as frequent or massive, could also be possible for the purposes of the legitimate interests pursued by the controller or the processor, when they have assessed all the circumstances surrounding the data transfer. For the purposes of processing for historical, statistical and scientific research purposes, the legitimate expectations of society for an increase of knowledge should be taken into consideration.

(88) Transfers which cannot be qualified as frequent or massive, could also be possible for the purposes of the legitimate interests pursued by the controller or the processor, when they have assessed all the circumstances surrounding the data transfer. For the purposes of processing for historical, statistical and scientific research purposes, the legitimate expectations of society for an increase of knowledge should be taken into consideration.

(88) Transfers which cannot be qualified as large scale or frequent or massive, could also be possible for the purposes of the legitimate interests pursued by the controller or the processor, when they have those interests are not overridden by the interests or rights and freedoms of the data subject and when the controller or the processor has assessed all the circumstances surrounding the data transfer. The controller or processor should give particular consideration to the nature of the data, the purpose and duration of the proposed processing operation or operations, as well as the situation in the country of origin, the third country and the country of final destination, and adduced suitable safeguards to protect fundamental rights and freedoms


of natural persons with respect to processing of their personal data. For the purposes of processing for historical, statistical and scientific research purposes, the legitimate expectations of society for an increase of knowledge should be taken into consideration. To assess whether a transfer is large scale or frequent the amount of personal data and number of data subjects should be taken into account and whether the transfer takes place on an occasional or regular basis.

Amendment 62

(89) In any case, where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with a guarantee that they will continue to benefit from the fundamental rights and safeguards as regards processing of their data in the Union once this data has been transferred.

(89) In any case, where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with a legally binding guarantee that they will continue to benefit from the fundamental rights and safeguards as regards processing of their data in the Union once those data have been transferred, to the extent that the processing is not massive, not

(89) In any case, where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with a guarantee that they will continue to benefit from the fundamental rights and safeguards as regards processing of their data in the Union once this data has been transferred.


repetitive and not structural. That guarantee should include financial indemnification in cases of loss or unauthorised access or processing of the data and an obligation, regardless of national legislation, to provide full details of all access to the data by public authorities in the third country.

Amendment 63

(90) Some third countries enact laws, regulations and other legislative instruments which purport to directly regulate data processing activities of natural and legal persons under the jurisdiction of the Member States. The extraterritorial application of these laws, regulations and other legislative instruments may be in breach of international law and may impede the attainment of the protection of individuals guaranteed in the Union by this Regulation. Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may inter alia be the case where the

(90) Some third countries enact laws, regulations and other legislative instruments which purport to directly regulate data processing activities of natural and legal persons under the jurisdiction of the Member States. The extraterritorial application of these laws, regulations and other legislative instruments may be in breach of international law and may impede the attainment of the protection of individuals guaranteed in the Union by this Regulation. Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may inter alia be the case where the

(90) Some third countries enact laws, regulations and other legislative instruments which purport to directly regulate data processing activities of natural and legal persons under the jurisdiction of the Member States. The extraterritorial application of these laws, regulations and other legislative instruments may be in breach of international law and may impede the attainment of the protection of individuals guaranteed in the Union by this Regulation. Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may inter alia be the case where the


disclosure is necessary for an important ground of public interest recognised in Union law or in a Member State law to which the controller is subject. The conditions under which an important ground of public interest exists should be further specified by the Commission in a delegated act.

disclosure is necessary for animportant ground of public interestrecognised in Union law or in aMember State law to which thecontroller is subject. The conditionsunder which an important groundof public interest exists should befurther specified by theCommission in a delegated act. Incases where controllers orprocessors are confronted withconflicting compliancerequirements between thejurisdiction of the Union on theone hand, and that of a thirdcountry on the other, theCommission should ensure thatUnion law takes precedence at alltimes. The Commission shouldprovide guidance and assistance tothe controller and processor, and itshould seek to resolve thejurisdictional conflict with thethird country in question.

disclosure is necessary for animportant ground of public interestrecognised in Union law or in aMember State law to which thecontroller is subject. The conditionsunder which an important groundof public interest exists should befurther specified by theCommission in a delegated act.

(91) When personal data movesacross borders it may put atincreased risk the ability ofindividuals to exercise dataprotection rights in particular toprotect themselves from the

(91) When personal data movesacross borders it may put atincreased risk the ability ofindividuals to exercise dataprotection rights in particular toprotect themselves from the

(91) When personal data movesacross borders outside the Union itmay put at increased risk the abilityof individuals to exercise dataprotection rights in particular toprotect themselves from the


unlawful use or disclosure of that information. At the same time, supervisory authorities may find that they are unable to pursue complaints or conduct investigations relating to the activities outside their borders. Their efforts to work together in the cross-border context may also be hampered by insufficient preventative or remedial powers, inconsistent legal regimes, and practical obstacles like resource constraints. Therefore, there is a need to promote closer co-operation among data protection supervisory authorities to help them exchange information and carry out investigations with their international counterparts.

unlawful use or disclosure of that information. At the same time, supervisory authorities may find that they are unable to pursue complaints or conduct investigations relating to the activities outside their borders. Their efforts to work together in the cross-border context may also be hampered by insufficient preventative or remedial powers, inconsistent legal regimes, and practical obstacles like resource constraints. Therefore, there is a need to promote closer co-operation among data protection supervisory authorities to help them exchange information and carry out investigations with their international counterparts.

unlawful use or disclosure of that information. At the same time, supervisory authorities may find that they are unable to pursue complaints or conduct investigations relating to the activities outside their borders. Their efforts to work together in the cross-border context may also be hampered by insufficient preventative or remedial powers, inconsistent legal regimes, and practical obstacles like resource constraints. Therefore, there is a need to promote closer co-operation among data protection supervisory authorities to help them exchange information and carry out investigations with their international counterparts. For the purposes of developing international co-operation mechanisms to facilitate and provide international mutual assistance for the enforcement of legislation for the protection of personal data, the Commission and the supervisory authorities should exchange information and cooperate in activities related to the exercise of their powers with


competent authorities in third countries, based on reciprocity and in compliance with the provisions of this Regulation, including those laid down in Chapter V.

Amendment 64

(92) The establishment of supervisory authorities in Member States, exercising their functions with complete independence, is an essential component of the protection of individuals with regard to the processing of their personal data. Member States may establish more than one supervisory authority, to reflect their constitutional, organisational and administrative structure.

(92) The establishment of supervisory authorities in Member States, exercising their functions with complete independence, is an essential component of the protection of individuals with regard to the processing of their personal data. Member States may establish more than one supervisory authority, to reflect their constitutional, organisational and administrative structure. An authority shall have adequate financial and personal resources to fully carry out its role, taking into account the size of the population and the amount of personal data processing.

(92) The establishment of supervisory authorities in Member States, empowered to perform their tasks and exercising exercise their functions powers with complete independence, is an essential component of the protection of individuals with regard to the processing of their personal data. Member States may establish more than one supervisory authority, to reflect their constitutional, organisational and administrative structure.

(92a) The independence of supervisory authorities should not mean that the supervisory authorities cannot be subjected to control or monitoring mechanism


regarding their financial expenditure. Neither does it imply that supervisory authorities cannot be subjected to judicial review.

(93) Where a Member State establishes several supervisory authorities, it should establish by law mechanisms for ensuring the effective participation of those supervisory authorities in the consistency mechanism. That Member State should in particular designate the supervisory authority which functions as a single contact point for the effective participation of those authorities in the mechanism, to ensure swift and smooth co-operation with other supervisory authorities, the European Data Protection Board and the Commission.

(93) Where a Member State establishes several supervisory authorities, it should establish by law mechanisms for ensuring the effective participation of those supervisory authorities in the consistency mechanism. That Member State should in particular designate the supervisory authority which functions as a single contact point for the effective participation of those authorities in the mechanism, to ensure swift and smooth co-operation with other supervisory authorities, the European Data Protection Board and the Commission.

(93) Where a Member State establishes several supervisory authorities, it should establish by law mechanisms for ensuring the effective participation of those supervisory authorities in the consistency mechanism. That Member State should in particular designate the supervisory authority which functions as a single contact point for the effective participation of those authorities in the mechanism, to ensure swift and smooth co-operation with other supervisory authorities, the European Data Protection Board and the Commission.

Amendment 65

(94) Each supervisory authority should be provided with the adequate financial and human resources, premises and infrastructure, which is necessary for the effective performance of their tasks, including for the tasks

(94) Each supervisory authority should be provided with the adequate financial and human resources, paying particular attention to ensuring adequate technical and legal skills of staff, premises and infrastructure, which

(94) Each supervisory authority should be provided with the adequate financial and human resources, premises and infrastructure, which is are necessary for the effective performance of their tasks,


related to mutual assistance and co-operation with other supervisory authorities throughout the Union.

is necessary for the effective performance of their tasks, including for the tasks related to mutual assistance and co-operation with other supervisory authorities throughout the Union.

including for the tasks related to mutual assistance and co-operation with other supervisory authorities throughout the Union. Each supervisory authority should have a separate annual budget, which may be part of the overall state or national budget.

Amendment 66

(95) The general conditions for the members of the supervisory authority should be laid down by law in each Member State and should in particular provide that those members should be either appointed by the parliament or the government of the Member State, and include rules on the personal qualification of the members and the position of those members.

(95) The general conditions for the members of the supervisory authority should be laid down by law in each Member State and should in particular provide that those members should be either appointed by the parliament or the government of the Member State taking due care to minimise the possibility of political interference, and include rules on the personal qualification of the members, the avoidance of conflicts of interest and the position of those members.

(95) The general conditions for the member or members of the supervisory authority should be laid down by law in each Member State and should in particular provide that those members should be either appointed by the parliament and/or the government or the head of State of the Member State, and include rules on the personal qualification of the members and the position of those members or by an independent body entrusted by Member State law with the appointment by means of a transparent procedure. In order to ensure the independence of the supervisory authority, the member or members should refrain from any action incompatible with their


duties and should not, during their term of office, engage in any incompatible occupation, whether gainful or not.

(95a) Each supervisory authority should be competent on the territory of its own Member State to exercise the powers and to perform the tasks conferred on it in accordance with this Regulation. This should cover in particular the processing in the context of the activities of an establishment of the controller or processor on the territory of its own Member State, the processing of personal data carried out by public authorities or private bodies acting in the public interest, processing affecting data subjects on its territory or processing carried out by a controller or processor not established in the European Union when targeting data subjects residing in its territory. This should include dealing with complaints lodged by a data subject, conducting investigations on the application of the Regulation, promoting public


awareness of the risks, rules, safeguards and rights in relation to the processing of personal data.

(96) The supervisory authorities should monitor the application of the provisions pursuant to this Regulation and contribute to its consistent application throughout the Union, in order to protect natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the internal market. For that purpose, the supervisory authorities should co-operate with each other and the Commission.

(96) The supervisory authorities should monitor the application of the provisions pursuant to this Regulation and contribute to its consistent application throughout the Union, in order to protect natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the internal market. For that purpose, the supervisory authorities should co-operate with each other and the Commission.

(96) The supervisory authorities should monitor the application of the provisions pursuant to this Regulation and contribute to its consistent application throughout the Union, in order to protect natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the internal market. For that purpose, this Regulation should oblige and empower the supervisory authorities should to co-operate with each other and the Commission, without the need for any agreement between Member States on the provision of mutual assistance or on such cooperation.

(96a) Where the processing of personal data takes place in the context of the activities of an establishment of a controller or processor in the Union and the controller or processor is established in more than one


Member State, or where processing taking place in the context of the activities of a single establishment of a controller or processor in the Union substantially affects or is likely to substantially affect data subjects in more than one Member State, the supervisory authority for the main establishment of the controller or processor or for the single establishment of the controller or processor should act as lead authority. It should cooperate with the other authorities that are concerned, because the controller or processor has an establishment on the territory of their Member State, because data subjects residing on their territory are substantially affected, or because a complaint has been lodged with them. Also where a data subject not residing in that Member State has lodged a complaint, the supervisory authority to which such complaint has been lodged should also be a concerned supervisory authority. Within its tasks to issue guidelines on any question covering the application


of this Regulation, the European Data Protection Board may issue guidelines in particular on the criteria to be taken into account in order to ascertain whether the processing in question substantially affects data subjects in more than one Member State and on what constitutes a relevant and reasoned objection45.

(96b) The lead authority should be competent to adopt binding decisions regarding measures applying the powers conferred on it in accordance with the provisions of this Regulation. In its capacity as lead authority, the supervisory authority should closely involve and coordinate the concerned supervisory authorities in the decision-making process. In cases where the decision is to reject the complaint by the data subject in whole or in part that decision should be adopted by the supervisory authority at which the complaint has been lodged.

45 DE proposal; CZ and LU scrutiny reservation.


(96c) The decision should be agreed jointly by the lead supervisory authority and the concerned supervisory authorities concerned and should be directed towards the main or single establishment of the controller or processor and be binding on the controller and processor. The controller or processor should take the necessary measures to ensure the compliance with this Regulation and the implementation of the decision notified by the lead supervisory authority to the main establishment of the controller or processor as regards the processing activities in the Union.

Amendment 67

(97) Where the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union takes place in more than one Member State, one single supervisory authority should be competent for monitoring the activities of the controller or

(97) Where the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union takes place in more than one Member State, one single supervisory authority should be competent for monitoring the activities of act as the single

Moved modified under 96a


processor throughout the Union and taking the related decisions, in order to increase the consistent application, provide legal certainty and reduce administrative burden for such controllers and processors.

contact point and the lead authority responsible for supervising the controller or processor throughout the Union and taking the related decisions, in order to increase the consistent application, provide legal certainty and reduce administrative burden for such controllers and processors.

(97) Each supervisory authority not acting as lead supervisory authority should be competent to deal with local cases where the controller or processor is established in more than one Member State, but the subject matter of the specific processing concerns only processing carried out in a single Member State and involving only data subjects in that single Member State, for example, where the subject matter concerns the processing of employees data in the specific employment context of a Member State. In such cases, the supervisory authority should inform the lead supervisory authority without delay on this matter. After being informed, the lead supervisory authority should


decide, whether it will deal with the case within the one-stop-shop mechanism or whether the supervisory authority which informed it should deal with the case at local level. When deciding whether it will deal with the case, the lead supervisory authority should take into account, whether there is an establishment of the controller or processor in the Member State of the supervisory authority which informed it, in order to ensure effective enforcement of a decision vis-à-vis the controller or processor. Where the lead supervisory authority decides to deal with the case, the supervisory authority which informed it should have the possibility to submit a draft for a decision, of which the lead supervisory authority should take utmost account when preparing its draft decision in the one-stop-shop mechanism.

Amendment 68

(98) The competent authority, providing such one-stop shop,

(98) The competent lead authority, providing such one-stop shop,

(98) The competent rules on the lead supervisory authority,


should be the supervisory authority of the Member State in which the controller or processor has its main establishment.

should be the supervisory authority of the Member State in which the controller or processor has its main establishment or its representative. The European Data Protection Board may designate the lead authority through the consistency mechanism in certain cases at the request of a competent authority.

providing such and the one-stop-shop mechanism, should not apply where the processing is carried out by public authorities or private bodies in the public interest. In such cases be the only supervisory authority competent to exercise the powers conferred to it in accordance with this Regulation should be the supervisory authority of the Member State where the public authority or private body is established in which the controller or processor has its main establishment.

Amendment 69

(98a) Data subjects whose personal data is are processed by a data controller or processor in another Member State should be able to complain to the supervisory authority of their choice. The lead data protection authority should coordinate its work with that of the other authorities involved.

(99) While this Regulation applies also to the activities of national courts, the competence of the supervisory authorities should

(99) While this Regulation applies also to the activities of national courts, the competence of the supervisory authorities should not

deleted


not cover the processing of personal data when courts are acting in their judicial capacity, in order to safeguard the independence of judges in the performance of their judicial tasks. However, this exemption should be strictly limited to genuine judicial activities in court cases and not apply to other activities where judges might be involved in, in accordance with national law.

cover the processing of personal data when courts are acting in their judicial capacity, in order to safeguard the independence of judges in the performance of their judicial tasks. However, this exemption should be strictly limited to genuine judicial activities in court cases and not apply to other activities where judges might be involved in, in accordance with national law.

(100) In order to ensure consistent monitoring and enforcement of this Regulation throughout the Union, the supervisory authorities should have in each Member State the same duties and effective powers, including powers of investigation, legally binding intervention, decisions and sanctions, particularly in cases of complaints from individuals, and to engage in legal proceedings. Investigative powers of supervisory authorities as regards access to premises should be exercised in conformity with Union law and national law. This concerns in particular the requirement to obtain a prior

(100) In order to ensure consistent monitoring and enforcement of this Regulation throughout the Union, the supervisory authorities should have in each Member State the same duties and effective powers, including powers of investigation, legally binding intervention, decisions and sanctions, particularly in cases of complaints from individuals, and to engage in legal proceedings. Investigative powers of supervisory authorities as regards access to premises should be exercised in conformity with Union law and national law. This concerns in particular the requirement to obtain a prior

(100) In order to ensure consistent monitoring and enforcement of this Regulation throughout the Union, the supervisory authorities should have in each Member State the same duties tasks and effective powers, including powers of investigation, corrective powers legally binding intervention, decisions and sanctions, and authorisation and advisory powers, particularly in cases of complaints from individuals, and without prejudice to the powers of prosecutorial authorities under national law, to bring infringements of this Regulation to the attention of the judicial


judicial authorisation.

judicial authorisation.

authorities and/or to engage in legal proceedings. Such powers should also include the power to forbid the processing on which the authority is consulted. Member States may specify other tasks related to the protection of personal data under this Regulation. The powers of supervisory authorities should be exercised in conformity with appropriate procedural safeguards set out in Union law and national law, impartially, fairly and within a reasonable time. In particular each measure should be appropriate, necessary and proportionate in view of ensuring compliance with this Regulation, taking into account the circumstances of each individual case, respect the right of every person to be heard before any individual measure which would affect him or her adversely is taken and avoid superfluous costs and excessive inconveniences for the persons concerned. Investigative Investigatory powers of supervisory authorities as regards access to premises should


be exercised in conformity accordance with specific requirements in national procedural law, such as with Union law and national law. This concerns in particular the requirement to obtain a prior judicial authorisation.

Each legally binding measure of the supervisory authority should be in writing, be clear and unambiguous, indicate the supervisory authority which has issued the measure, the date of issue of the measure, bear the signature of the head, or a member of the supervisory authority authorised by him or her, give the reasons for the measure, and refer to the right of an effective remedy. This should not preclude additional requirements pursuant to national procedural law. The adoption of such legally binding decision implies that it may give rise to judicial review in the Member State of the supervisory authority that adopted the decision.


Amendment 70

(101) Each supervisory authority should hear complaints lodged by any data subject and should investigate the matter. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. The supervisory authority should inform the data subject of the progress and the outcome of the complaint within a reasonable period. If the case requires further investigation or coordination with another supervisory authority, intermediate information should be given to the data subject.

(101) Each supervisory authority should hear complaints lodged by any data subject or by associations acting in the public interest and should investigate the matter. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. The supervisory authority should inform the data subject or the association of the progress and the outcome of the complaint within a reasonable period. If the case requires further investigation or coordination with another supervisory authority, intermediate information should be given to the data subject.

(101) Each Where the supervisory authority should hear to which the complaints has been lodged is not the lead supervisory authority, the lead supervisory authority should closely co-operate with the supervisory authority to which the complaint has been lodged according to the provisions on co-operation and consistency laid down in this Regulation. In such cases, by any data subject and should investigate the matter. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. The the lead supervisory authority should, when taking measures intended to produce legal effects, including the imposition of administrative fines, take utmost account of the view of the inform the data subject of the progress and the outcome of the complaint within a reasonable period. If the case requires further investigation or coordination with another supervisory authority, intermediate


information should be given to the data subject to which the complaint has been lodged and which should remain competent to carry out any investigation on the territory of its own Member State in liaison with the competent supervisory authority.

(101a) The supervisory authority receiving a complaint or detecting or being informed otherwise of situations that entail possible infringements of the Regulation should seek an amicable settlement and, if this proves unsuccessful, exercise its full range of powers in cases where another supervisory authority should act as a lead supervisory authority for the processing activities of the controller or processor but the concrete subject matter of a complaint or the possible infringement concerns only processing activities of the controller or processor in the one Member State where the complaint has been lodged or the possible infringement detected and the matter does not substantially affect


or is not likely to substantiallyaffect data subjects in otherMember States. This shouldinclude specific processing carriedout in the territory of the MemberState of the supervisory authorityor with regard to data subjects onthe territory of that Member State;or to processing that is carried outin the context of an offer of goodsor services specifically aimed atdata subjects in the territory of theMember State of the supervisoryauthority; or that has to beassessed taking into accountrelevant legal obligations undernational law.

(102) Awareness raising activities by supervisory authorities addressed to the public should include specific measures directed at controllers and processors, including micro, small and medium-sized enterprises, as well as data subjects.

(102) Awareness raising activities by supervisory authorities addressed to the public should include specific measures directed at controllers and processors, including micro, small and medium-sized enterprises, as well as data subjects.

(102) Awareness raising activities by supervisory authorities addressed to the public should include specific measures directed at controllers and processors, including micro, small and medium-sized enterprises, as well as data subjects individuals in particular in the educational context.

(103) The supervisory authorities should assist each other in performing their duties and provide mutual assistance, so as to ensure the consistent application and enforcement of this Regulation in the internal market.

(103) The supervisory authorities should assist each other in performing their duties and provide mutual assistance, so as to ensure the consistent application and enforcement of this Regulation in the internal market.

(103) The supervisory authorities should assist each other in performing their duties tasks and provide mutual assistance, so as to ensure the consistent application and enforcement of this Regulation in the internal market. Where a supervisory authority requesting mutual assistance, in the case of no response of the requested supervisory authority within one month of receiving the request, adopts a provisional measure, such provisional measure should be duly justified and only of a temporary nature.

(104) Each supervisory authority should have the right to participate in joint operations between supervisory authorities. The requested supervisory authority should be obliged to respond to the request in a defined time period.

(104) Each supervisory authority should have the right to participate in joint operations between supervisory authorities. The requested supervisory authority should be obliged to respond to the request in a defined time period.

(104) Each supervisory authority should have the right to participate in joint operations between supervisory authorities. The requested supervisory authority should be obliged to respond to the request in a defined time period.

Amendment 71

(105) In order to ensure the consistent application of this Regulation throughout the Union, a consistency mechanism for co-operation between the supervisory authorities themselves and the Commission should be established. This mechanism should in particular apply where a supervisory authority intends to take a measure as regards processing operations that are related to the offering of goods or services to data subjects in several Member States, , or to the monitoring such data subjects, or that might substantially affect the free flow of personal data. It should also apply where any supervisory authority or the Commission requests that the matter should be dealt with in the consistency mechanism. This mechanism should be without prejudice to any measures that the Commission may take in the exercise of its powers under the Treaties.

(105) In order to ensure the consistent application of this Regulation throughout the Union, a consistency mechanism for co-operation between the supervisory authorities themselves and the Commission should be established. This mechanism should in particular apply where a supervisory authority intends to take a measure as regards processing operations that are related to the offering of goods or services to data subjects in several Member States, or to the monitoring of such data subjects, or that might substantially affect the free flow of personal data. It should also apply where any supervisory authority or the Commission requests that the matter should be dealt with in the consistency mechanism. Furthermore, the data subjects should have the right to obtain consistency, if they deem a measure by a Data Protection Authority of a Member State has not fulfilled this criterion. This mechanism should be without prejudice to any measures that the Commission may take in the exercise of its powers under the Treaties.

(105) In order to ensure the consistent application of this Regulation throughout the Union, a consistency mechanism for co-operation between the supervisory authorities themselves and the Commission should be established. This mechanism should in particular apply where a supervisory authority intends to take adopt a measure intended to produce legal effects as regards processing operations that are related to the offering of goods or services to data subjects in several Member States, , or to the monitoring such data subjects, or that might which substantially affect a significant number of data subjects in several Member States. the free flow of personal data. It should also apply where any concerned supervisory authority or the Commission46 requests that the such matter should be dealt with in the consistency mechanism. This mechanism should be without prejudice to any measures that the Commission may take in the exercise of its powers under the Treaties.

46 HU reservation on the reference to the Commission.

(106) In application of the consistency mechanism, the European Data Protection Board should, within a determined period of time, issue an opinion, if a simple majority of its members so decides or if so requested by any supervisory authority or the Commission.

(106) In application of the consistency mechanism, the European Data Protection Board should, within a determined period of time, issue an opinion, if a simple majority of its members so decides or if so requested by any supervisory authority or the Commission.

(106) In application of the consistency mechanism, the European Data Protection Board should, within a determined period of time, issue an opinion, if a simple majority of its members so decides or if so requested by any concerned supervisory authority concerned or the Commission. The European Data Protection Board should also be empowered to adopt legally binding decisions in case of disputes between supervisory authorities. For that purposes it should issue, in principle with a two-third majority of its members, legally binding decisions in clearly defined cases where there are conflicting views among supervisory authorities in particular in the cooperation mechanism between the lead supervisory authority and concerned supervisory authorities on the merits of the case, notably whether there is an infringement of this Regulation or not.

Amendment 72

(106a) In order to ensure the consistent application of this Regulation, the European Data Protection Board may in individual cases adopt a decision which is binding on the competent supervisory authorities.

Amendment 73

(107) In order to ensure compliance with this Regulation, the Commission may adopt an opinion on this matter, or a decision, requiring the supervisory authority to suspend its draft measure.

deleted

deleted

(108) There may be an urgent need to act in order to protect the interests of data subjects, in particular when the danger exists that the enforcement of a right of a data subject could be considerably impeded. Therefore, a supervisory authority should be able to adopt provisional measures with a specified period of validity when applying the consistency mechanism.

(108) There may be an urgent need to act in order to protect the interests of data subjects, in particular when the danger exists that the enforcement of a right of a data subject could be considerably impeded. Therefore, a supervisory authority should be able to adopt provisional measures with a specified period of validity when applying the consistency mechanism.

(108) There may be an urgent need to act in order to protect the rights and freedoms interests of data subjects, in particular when the danger exists that the enforcement of a right of a data subject could be considerably impeded. Therefore, a supervisory authority should be able to adopt provisional measures with a specified period of validity when applying the consistency mechanism.

(109) The application of this mechanism should be a condition for the legal validity and enforcement of the respective decision by a supervisory authority. In other cases of cross-border relevance, mutual assistance and joint investigations might be carried out between the concerned supervisory authorities on a bilateral or multilateral basis without triggering the consistency mechanism.

(109) The application of this mechanism should be a condition for the legal validity and enforcement of the respective decision by a supervisory authority. In other cases of cross-border relevance, mutual assistance and joint investigations might be carried out between the concerned supervisory authorities on a bilateral or multilateral basis without triggering the consistency mechanism.

(109) The application of this mechanism should be a condition for the legal validity and enforcement of the respective decision lawfulness of a measure intended to produce legal effects by a supervisory authority in those cases where its application is mandatory. In other cases of cross-border relevance, the co-operation mechanism between the lead supervisory authority and concerned supervisory authorities should be applied and mutual assistance and joint investigations operations might be carried out between the concerned supervisory authorities on a bilateral or multilateral basis without triggering the consistency mechanism.

Amendment 74

(110) At Union level, a European Data Protection Board should be set up. It should replace the Working Party on the Protection of Individuals with Regard to the Processing of Personal Data established by Directive 95/46/EC. It should consist of a head of a supervisory authority of each Member State and of the European Data Protection Supervisor. The Commission should participate in its activities. The European Data Protection Board should contribute to the consistent application of this Regulation throughout the Union, including by advising the Commission and promoting co-operation of the supervisory authorities throughout the Union. The European Data Protection Board should act independently when exercising its tasks.

(110) At Union level, a European Data Protection Board should be set up. It should replace the Working Party on the Protection of Individuals with Regard to the Processing of Personal Data established by Directive 95/46/EC. It should consist of a head of a supervisory authority of each Member State and of the European Data Protection Supervisor. The Commission should participate in its activities. The European Data Protection Board should contribute to the consistent application of this Regulation throughout the Union, including by advising the Commission institutions of the Union and promoting co-operation of the supervisory authorities throughout the Union, including the coordination of joint operations. The European Data Protection Board should act independently when exercising its tasks. The European Data Protection Board should strengthen the dialogue with concerned stakeholders such as data subjects’ associations, consumer organisations, data controllers and other relevant stakeholders and experts.

(110) In order to promote the consistent application of this Regulation, At Union level, a the European Data Protection Board should be set up as an independent body of the Union. To fulfil its objectives, the European Data Protection Board should have legal personality. The European Data Protection Board should be represented by its Chair. It should replace the Working Party on the Protection of Individuals with Regard to the Processing of Personal Data established by Directive 95/46/EC. It should consist of a head of a supervisory authority of each Member State or his or her representative and of.the The Commission and the European Data Protection Supervisor . The Commission should participate in its activities without voting rights. The European Data Protection Board should contribute to the consistent application of this Regulation throughout the Union, including by advising the Commission, in particular on the level of protection in third countries or international organisations, and promoting co-operation of the supervisory authorities throughout the Union. The European Data Protection Board should act independently when exercising its tasks.

(110a) The European Data Protection Board should be assisted by a secretariat provided by the secretariat of the European Data Protection Supervisor. The staff of the secretariat of the European Data Protection Supervisor involved in carrying out the tasks conferred on the European Data Protection Board by this Regulation should perform its tasks exclusively under the instructions of, and report to the Chair of the European Data Protection Board. Organisational separation of staff should concern all services needed for the independent functioning of the European Data Protection Board

Amendment 75

(111) Every data subject should have the right to lodge a complaint with a supervisory authority in any Member State and have the right to a judicial remedy if they consider that their rights under this Regulation are infringed or where the supervisory authority does not react on a complaint or does not act where such action is necessary to protect the rights of the data subject.

(111) Every data Data subject subjects should have the right to lodge a complaint with a supervisory authority in any Member State and have the right to a an effective judicial remedy in accordance with Article 47 of the Charter of Fundamental Rights if they consider that their rights under this Regulation are infringed or where the supervisory authority does not react on a complaint or does not act where such action is necessary to protect the rights of the data subject.

(111) Every data subject should have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, in any Member State and have the right to an effective judicial remedy in accordance with Article 47 of the Charter of Fundamental Rights if the data subject if they considers that their his or her rights under this Regulation are infringed or where the supervisory authority does not react on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. The supervisory authority should inform the data subject of the progress and the outcome of the complaint within a reasonable period. If the case requires further investigation or coordination with another supervisory authority, intermediate information should be given to the data subject. In order to facilitate the submission of complaints, each supervisory authority should take measures such as providing a complaint submission form which can be completed also electronically, without excluding other means of communication.

Amendment 76

(112) Any body, organisation or association which aims to protects the rights and interests of data subjects in relation to the protection of their data and is constituted according to the law of a Member State should have the right to lodge a complaint with a supervisory authority or exercise the right to a judicial remedy on behalf of data subjects, or to lodge, independently of a data subject's complaint, an own complaint where it considers that a personal data breach has occurred.

(112) Any body, organisation or association which aims to protects the rights and interests of data subjects in relation to the protection of their data acts in the public interest and is constituted according to the law of a Member State should have the right to lodge a complaint with a supervisory authority on behalf of data subjects with their consent or exercise the right to a judicial remedy on behalf of if mandated by the data subjects subject, or to lodge, independently of a data subject's complaint, an own complaint where it considers that a personal data breach of this Regulation has occurred.

(112) Where a data subject considers that his or her rights under this Regulation are infringed, he or she should have the right to mandate a Any body, organisation or association which aims to protects the rights and interests of data subjects in relation to the protection of their data and is constituted according to the law of a Member State, should have the right to lodge a complaint on his or her behalf with a supervisory authority or exercise the right to a judicial remedy on behalf of data subjects. Such a body, organisation or association should have the right, or to lodge, independently of a data subject's complaint, an own complaint where it has reasons to considers that a personal data breach referred to in Article 32(1) has occurred and Article 32(3) does not apply.

(113) Each natural or legal person should have the right to a judicial remedy against decisions of a supervisory authority concerning them. Proceedings against a supervisory authority should be brought before the courts of the Member State, where the supervisory authority is established.

(113) Each natural or legal person should have the right to a judicial remedy against decisions of a supervisory authority concerning them. Proceedings against a supervisory authority should be brought before the courts of the Member State, where the supervisory authority is established.

(113) Each Any natural or legal person should have the right to bring an action for annulment of decisions of the European Data Protection Board before the Court of Justice of the European Union (the “Court of Justice”) under the conditions provided for in Article 263 TFEU. As addressees of such decisions, the concerned supervisory authorities who wish to challenge them, have to bring action within two months of their notification to them, in accordance with Article 263 TFEU. Where decisions of the European Data Protection Board are of direct and individual concern to a controller, processor or the complainant, the latter may bring an action for annulment against those decisions and they should do so within two months of their publication on the website of the European Data Protection Board, in accordance with Article 263 TFEU. Without prejudice to this right under Article 263 TFEU, each natural or legal person should have an effective judicial remedy before the competent national court against a decisions of a supervisory authority which produces legal effects concerning them this person.

Such a decision concerns in particular the exercise of investigative, corrective and authorisation powers by the supervisory authority or the dismissal or rejection of complaints47. However, this right does not encompass other measures of supervisory authorities which are not legally binding, such as opinions issued by or advice provided by the supervisory authority. Proceedings against a supervisory authority should be brought before the courts of the Member State, where the supervisory authority is established and should be conducted in accordance with the national procedural law of that Member State. Those courts should exercise full jurisdiction which should include jurisdiction to examine all questions of fact and law relevant to the dispute before it. Where a complaint has been rejected or dismissed by a supervisory authority, the complainant may bring proceedings to the courts in the same Member State. In the context of judicial remedies relating to the application of this Regulation, national courts which consider a decision on the question necessary to enable them to give judgment, may, or in the case provided for in Article 267 TFEU, must, request the Court of Justice to give a preliminary ruling on the interpretation of Union law including this Regulation.

47 GR reservation.

Furthermore, where a decision of a supervisory authority implementing a decision of the European Data Protection Board is challenged before a national court and the validity of the decision of the European Data Protection Board is at issue, that national court does not have the power to declare the European Data Protection Board's decision invalid but must refer the question of validity to the Court of Justice in accordance with Article 267 TFEU as interpreted by the Court of Justice in the Foto-frost case48, whenever it considers the decision invalid. However, a national court may not refer a question on the validity of the decision of the European Data Protection Board at the request of a natural or legal person which had the opportunity to bring an action for annulment of that decision, in particular if it was directly and individually concerned by that decision, but had not done so within the period laid down by Article 263 TFEU.

48 Case C-314/85.

(113a) Where a court seized with a proceeding against a decision of a supervisory authority has reason to believe that proceedings concerning the same processing activities or the same cause of action are brought before a competent court in another Member State, it should contact that court in order to confirm the existence of such related proceedings. If related proceedings are pending before a court in another Member State, any court other than the court first seized should stay its proceedings or may, on request of one of the parties, decline jurisdiction in favour of the court first seized if the latter has jurisdiction over the proceedings in question and its law permits the consolidation of such related proceedings. Proceedings are deemed to be related where they are so closely connected that it is expedient to hear and determine them together to avoid the risk of irreconcilable judgments resulting from separate proceedings.

Amendment 77

(114) In order to strengthen the judicial protection of the data subject in situations where the competent supervisory authority is established in another Member State than the one where the data subject is residing, the data subject may request any body, organisation or association aiming to protect the rights and interests of data subjects in relation to the protection of their data to bring on the data subject's behalf proceedings against that supervisory authority to the competent court in the other Member State.

(114) In order to strengthen the judicial protection of the data subject in situations where the competent supervisory authority is established in another Member State than the one where the data subject is residing, the data subject may request mandate any body, organisation or association aiming to protect the rights and interests of data subjects in relation to the protection of their data acting in the public interest to bring on the data subject's behalf proceedings against that supervisory authority to the competent court in the other Member State.

deleted


Amendment 78

(115) In situations where the competent supervisory authority established in another Member State does not act or has taken insufficient measures in relation to a complaint, the data subject may request the supervisory authority in the Member State of his or her habitual residence to bring proceedings against that supervisory authority to the competent court in the other Member State. The requested supervisory authority may decide, subject to judicial review, whether it is appropriate to follow the request or not.

(115) In situations where the competent supervisory authority established in another Member State does not act or has taken insufficient measures in relation to a complaint, the data subject may request the supervisory authority in the Member State of his or her habitual residence to bring proceedings against that supervisory authority to the competent court in the other Member State. This does not apply to non-EU residents. The requested supervisory authority may decide, subject to judicial review, whether it is appropriate to follow the request or not.

deleted

Amendment 79

(116) For proceedings against a controller or processor, the plaintiff should have the choice to bring the action before the courts of the Member States where the controller or processor has an establishment or where the data subject resides, unless the controller is a public authority acting in the exercise of its public powers.

(116) For proceedings against a controller or processor, the plaintiff should have the choice to bring the action before the courts of the Member States where the controller or processor has an establishment or, in case of EU residence, where the data subject resides, unless the controller is a public authority of the Union or a Member State acting in the exercise of its public powers.

(116) For proceedings against a controller or processor, the plaintiff should have the choice to bring the action before the courts of the Member States where the controller or processor has an establishment or where the data subject resides, unless the controller is a public authority acting in the exercise of its public powers.

(117) Where there are indications that parallel proceedings are pending before the courts in different Member States, the courts should be obliged to contact each other. The courts should have the possibility to suspend a case where a parallel case is pending in another Member State. Member States should ensure that court actions, in order to be effective, should allow the rapid adoption of measures to remedy or prevent an infringement of this Regulation.

(117) Where there are indications that parallel proceedings are pending before the courts in different Member States, the courts should be obliged to contact each other. The courts should have the possibility to suspend a case where a parallel case is pending in another Member State. Member States should ensure that court actions, in order to be effective, should allow the rapid adoption of measures to remedy or prevent an infringement of this Regulation.

deleted

Amendment 80

(118) Any damage which a person may suffer as a result of unlawful processing should be compensated by the controller or processor, who may be exempted from liability if they prove that they are not responsible for the damage, in particular where he establishes fault on the part of the data subject or in case of force majeure.

(118) Any damage, whether pecuniary or not, which a person may suffer as a result of unlawful processing should be compensated by the controller or processor, who may be exempted from liability only if they prove he proves that they are he is not responsible for the damage, in particular where he establishes fault on the part of the data subject or in case of force majeure.

(118) Any damage which a person may suffer as a result of unlawful processing should be compensated by the controller or processor, who may be exempted from liability if they prove that they are not responsible for the damage, in particular where he establishes fault on the part of the data subject or in case of force majeure. The concept of damage should be broadly interpreted in the light of the case law of the Court of Justice of the European Union in a manner which fully reflects the objectives of this Regulation. This is without prejudice to any claims for damage deriving from the violation of other rules in Union or Member State law49.

(118a) Where specific rules on jurisdiction are contained in this Regulation, in particular as regards proceedings seeking a judicial remedy including compensation, against a controller or processor, general jurisdiction rules such as those of Regulation No 1215/2012 should not prejudice the application of such specific rules50.

(118b) In order to strengthen theenforcement of the rules of thisRegulation, penalties andadministrative fines may beimposed for any infringement ofthe Regulation, in addition to, or

49 COM scrutiny reservation.50 COM and DE scrutiny reservation.


instead of appropriate measures imposed by the supervisory authority pursuant to this Regulation. The imposition of penalties and administrative fines should be subject to adequate procedural safeguards in conformity with general principles of Union law and the Charter of Fundamental Rights, including effective judicial protection and due process.

Amendment 81

(119) Penalties should be imposed to any person, whether governed by private or public law, who fails to comply with this Regulation. Member States should ensure that the penalties should be effective, proportionate and dissuasive and should take all measures to implement the penalties.

(119) Penalties should be imposed to any person, whether governed by private or public law, who fails to comply with this Regulation. Member States should ensure that the penalties should be effective, proportionate and dissuasive and should take all measures to implement the penalties. The rules on penalties should be subject to appropriate procedural safeguards in conformity with the general principles of Union law and the Charter of Fundamental Rights, including those concerning the right to an effective judicial

(119) Member States may lay down the rules on criminal sanctions for infringements of this Regulation, including for infringements of national rules adopted pursuant to and within the limits of Penalties should be imposed to any person, whether governed by private or public law, who fails to comply with this Regulation. These criminal sanctions may also allow for the deprivation of the profits obtained through infringements of this Regulation. However, the imposition of criminal


remedy, due process and the principle of ne bis in idem.

sanctions for infringements of such national rules and of administrative sanctions Member States should ensure that the penalties should be effective, proportionate and dissuasive and should take all measures to implement the penalties. not lead to the breach of the principle of ne bis in idem, as interpreted by the Court of Justice.

Amendment 82

(119a) In applying penalties, Member States should show full respect for appropriate procedural safeguards, including the right to an effective judicial remedy, due process, and the principle of ne bis in idem.

(120) In order to strengthen and harmonise administrative sanctions against infringements of this Regulation, each supervisory authority should have the power to sanction administrative offences. This Regulation should indicate these offences and the upper limit for the related administrative fines, which should be fixed in each

(120) In order to strengthen and harmonise administrative sanctions against infringements of this Regulation, each supervisory authority should have the power to sanction administrative offences. This Regulation should indicate these offences and the upper limit for the related administrative fines, which should be fixed in each

(120) In order to strengthen and harmonise administrative sanctions against infringements of this Regulation, each supervisory authority should have the power to impose sanction administrative offences fines. This Regulation should indicate these offences and, the upper limit and criteria for fixing the related administrative


individual case proportionate to the specific situation, with due regard in particular to the nature, gravity and duration of the breach. The consistency mechanism may also be used to cover divergences in the application of administrative sanctions.

individual case proportionate to the specific situation, with due regard in particular to the nature, gravity and duration of the breach. The consistency mechanism may also be used to cover divergences in the application of administrative sanctions.

fines, which should be fixed determined by the competent supervisory authority in each individual case, taking into account all relevant circumstances of proportionate to the specific situation, with due regard in particular to the nature, gravity and duration of the breach and of its consequences and the measures taken to ensure compliance with the obligations under the Regulation and to prevent or mitigate the consequences of the infringement. The consistency mechanism may also be used to promote a consistent cover divergences in the application of administrative sanctions. It should be for the Member States to determine whether and to which extent public authorities should be subject to administrative fines. Imposing an administrative fine or giving a warning does not affect the application of other powers of the supervisory authorities or of other sanctions under the Regulation.


Amendment 83

(121) The processing of personal data solely for journalistic purposes, or for the purposes of artistic or literary expression should qualify for exemption from the requirements of certain provisions of this Regulation in order to reconcile the right to the protection of personal data with the right to freedom of expression, and notably the right to receive and impart information, as guaranteed in particular by Article 11 of the Charter of Fundamental Rights of the European Union. This should apply in particular to processing of personal data in the audiovisual field and in news archives and press libraries. Therefore, Member States should adopt legislative measures, which should lay down exemptions and derogations which are necessary for the purpose of balancing these fundamental rights. Such exemptions and derogations should be adopted by the Member States on general principles, on the rights of the data subject, on controller and processor, on the

(121) The processing of personal data solely for journalistic purposes, or for the purposes of artistic or literary expression should qualify for exemption Whenever necessary, exemptions or derogations from the requirements of certain provisions of this Regulation for the processing of personal data should be provided for in order to reconcile the right to the protection of personal data with the right to freedom of expression, and notably the right to receive and impart information, as guaranteed in particular by Article 11 of the Charter of Fundamental Rights of the European Union. This should apply in particular to processing of personal data in the audiovisual field and in news archives and press libraries. Therefore, Member States should adopt legislative measures, which should lay down exemptions and derogations which are necessary for the purpose of balancing these fundamental rights. Such exemptions and derogations should be adopted by the Member

(121) Member States law should reconcile the rules governing freedom of expression and information, including journalistic, academic, artistic and or literary expression with the right to the protection of personal data pursuant to this Regulation. The processing of personal data solely for journalistic purposes, or for the purposes of academic, artistic or literary expression should be subject to qualify for exemption from the requirements of certain provisions of this Regulation in order to reconcile the right to the protection of personal data with the right to freedom of expression, and notably the right to receive and impart information, as guaranteed in particular by Article 11 of the Charter of Fundamental Rights of the European Union. derogations or exemptions from certain provisions of this Regulation if necessary to reconcile the right to the protection of personal data, with the right to freedom of expression and information, as


transfer of data to third countries or international organisations, on the independent supervisory authorities and on co-operation and consistency. This should not, however, lead Member States to lay down exemptions from the other provisions of this Regulation. In order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary to interpret notions relating to that freedom, such as journalism, broadly. Therefore, Member States should classify activities as ‘journalistic’ for the purpose of the exemptions and derogations to be laid down under this Regulation if the object of these activities is the disclosure to the public of information, opinions or ideas, irrespective of the medium which is used to transmit them. They should not be limited to media undertakings and may be undertaken for profit-making or for non-profit making purposes.

States on general principles, on the rights of the data subject, on controller and processor, on the transfer of data to third countries or international organisations, on the independent supervisory authorities, and on co-operation and consistency and on specific data processing situations. This should not, however, lead Member States to lay down exemptions from the other provisions of this Regulation. In order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary to interpret notions relating to that freedom, such as journalism, broadly. Therefore, Member States should classify activities as "journalistic" for the purpose of the exemptions and derogations to be laid down under this Regulation if the object of these to cover all activities is which aim at the disclosure to the public of information, opinions or ideas, irrespective of the medium which is used to transmit them, also taking into account technological development. They should not be limited to media undertakings and

guaranteed by Article 11 of the Charter of Fundamental Rights of the European Union. This should apply in particular to processing of personal data in the audiovisual field and in news archives and press libraries. Therefore, Member States should adopt legislative measures, which should lay down exemptions and derogations which are necessary for the purpose of balancing these fundamental rights. Such exemptions and derogations should be adopted by the Member States on general principles, on the rights of the data subject, on controller and processor, on the transfer of data to third countries or international organisations, on the independent supervisory authorities and on co-operation and consistency. In case these exemptions or derogations differ from one Member State to another, the national law of the Member State to which the controller is subject should apply. This should not, however, lead Member States to lay down exemptions from the other provisions of this Regulation. In


may be undertaken for profit-making or for non-profit making purposes.

order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary to interpret notions relating to that freedom, such as journalism, broadly. Therefore, Member States should classify activities as ‘journalistic’ for the purpose of the exemptions and derogations to be laid down under this Regulation if the object of these activities is the disclosure to the public of information, opinions or ideas, irrespective of the medium which is used to transmit them. They should not be limited to media undertakings and may be undertaken for profit-making or for non-profit making purposes. In order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary to interpret notions relating to that freedom, such as journalism, broadly.

(121a) This Regulation allows the principle of public access to official documents to be taken into account when applying the


provisions set out in this Regulation. Public access to official documents may be considered as a public interest. Personal data in documents held by a public authority or a public body should be able to be publicly disclosed by this authority or body if the disclosure is provided for by Union law or Member State law to which the public authority or public body is subject. Such laws should reconcile public access to official documents and the reuse of public sector information with the right to the protection of personal data and may therefore provide for the necessary derogations from the rules of this regulation. The reference to public authorities and bodies should in this context include all authorities or other bodies covered by Member State law on public access to documents. Directive 2003/98/EC of the European Parliament and of the Council of 17 November 2003 on the re-use of public sector information leaves intact and in no way affects the level of protection of individuals


with regard to the processing of personal data under the provisions of Union and national law, and in particular does not alter the obligations and rights set out in this Regulation. In particular, that Directive should not apply to documents access to which is excluded or restricted by virtue of the access regimes on the grounds of protection of personal data, and parts of documents accessible by virtue of those regimes which contain personal data the re-use of which has been defined by law as being incompatible with the law concerning the protection of individuals with regard to the processing of personal data51.

(122) The processing of personal data concerning health, as a special category of data which deserves higher protection, may often be justified by a number of legitimate reasons for the benefit of individuals and society as a whole, in particular in the context of ensuring continuity of cross-border

(122) The processing of personal data concerning health, as a special category of data which deserves higher protection, may often be justified by a number of legitimate reasons for the benefit of individuals and society as a whole, in particular in the context of ensuring continuity of cross-border

Moved to recital 42a52

51 Moved from recital 18.
52 Moved to recital 42a.


healthcare. Therefore this Regulation should provide for harmonised conditions for the processing of personal data concerning health, subject to specific and suitable safeguards so as to protect the fundamental rights and the personal data of individuals. This includes the right for individuals to have access to their personal data concerning their health, for example the data in their medical records containing such information as diagnosis, examination results, assessments by treating physicians and any treatment or interventions provided.

healthcare. Therefore this Regulation should provide for harmonised conditions for the processing of personal data concerning health, subject to specific and suitable safeguards so as to protect the fundamental rights and the personal data of individuals. This includes the right for individuals to have access to their personal data concerning their health, for example the data in their medical records containing such information as diagnosis, examination results, assessments by treating physicians and any treatment or interventions provided.

Amendment 84

(122a) A professional who processes personal data concerning health should receive, if possible, anonymised or pseudonymised data, leaving the knowledge of the identity only to the General general Practitioner practitioner or to the Specialist specialist who has requested such data processing.


Amendment 85

(123) The processing of personal data concerning health may be necessary for reasons of public interest in the areas of public health, without consent of the data subject. In that context, ‘public health’ should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council of 16 December 2008 on Community statistics on public health and health and safety at work, meaning all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality. Such processing of personal data concerning health for reasons of public interest should not result in personal data being

(123) The processing of personal data concerning health may be necessary for reasons of public interest in the areas of public health, without consent of the data subject. In that context, ‘public health’ should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council44b Council1 of 16 December 2008 on Community statistics on public health and health and safety at work, meaning all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality. Such processing of personal data concerning health for reasons of public interest should not result in

Moved to recital 42b53.

53 Moved to recital 42b.


processed for other purposes by third parties such as employers, insurance and banking companies.

personal data being processed for other purposes by third parties such as employers, insurance and banking companies.

________________________
44b 1b Regulation (EC) No 1338/2008 of the European Parliament and of the Council of 16 December 2008 on Community statistics on public health and health and safety at work (OJ L 354, 31.12.2008, p. 70).

Amendment 86

(123a) The processing of personal data concerning health, as a special category of data, may be necessary for reasons of historical, statistical or scientific research. Therefore this Regulation foresees an exemption from the requirement of consent in cases of research that serves a high public interest.

Amendment 87

(124) The general principles on the protection of individuals with regard to the processing of personal

(124) The general principles on the protection of individuals with regard to the processing of personal

(124) The general principles on the protection of individuals with regard to the processing of personal


data should also be applicable to the employment context. Therefore, in order to regulate the processing of employees' personal data in the employment context, Member States should be able, within the limits of this Regulation, to adopt by law specific rules for the processing of personal data in the employment sector.

data should also be applicable to the employment and the social security context. Therefore, in order Member States should be able to regulate the processing of employees' personal data in the employment and the processing of personal data in the social security context in accordance with the rules and minimum standards set out in, Member States should be able, within the limits of this Regulation, to adopt by law specific rules for. Where a statutory basis is provided in the Member State in question for the regulation of employment matters by agreement between employee representatives and the management of the undertaking or the controlling undertaking of a group of undertakings (collective agreement) or under Directive 2009/38/EC of the European Parliament and of the Council44c Council1, the processing of personal data in the an employment sector context may also be regulated by such an

data should also be applicable to the employment context. Therefore, in order to regulate the processing of employees' personal data in the employment context, Member States should be able, within the limits of this Regulation, to adopt by law specific rules for the processing of personal data in the employment sector. National law or collective agreements (including 'works agreements')54 may provide for specific rules on the processing of employees' personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose

54 DE proposal.


agreement.

_________________
44c 1 Directive 2009/38/EC of the European Parliament and of the Council of 6 May 2009 on the establishment of a European Works Council or a procedure in Community-scale undertakings and Community-scale groups of undertakings for the purposes of informing and consulting employees (OJ L 122, 16.5.2009, p. 28).

of the termination of the employment relationship.

(125) The processing of personal data for the purposes of historical, statistical or scientific research should, in order to be lawful, also respect other relevant legislation such as on clinical trials.

(125) The processing of personal data for the purposes of historical, statistical or scientific research should, in order to be lawful, also respect other relevant legislation such as on clinical trials.

(125) The processing of personal data for the purposes of historical, statistical or scientific research purposes and for archiving purposes in the public interest should, in addition to the general principles and specific rules of this Regulation, in particular as regards the conditions for in order to be lawful processing, also comply with respect other relevant legislation such as on clinical trials. The further processing of personal data for historical, statistical and scientific purposes and for archiving purposes in the public interest (…) should not be


considered incompatible with the purposes for which the data are initially collected and may be processed for those purposes for a longer period than necessary for that initial purpose (…). Member States should be authorised to provide, under specific conditions and in the presence of appropriate safeguards for data subjects, specifications and derogations to the information requirements and the rights to access, rectification, erasure, to be forgotten, restriction of processing and on the right to data portability and the right to object when processing personal data for historical, statistical or scientific purposes and for archiving purposes (…) The conditions and safeguards in question may entail specific procedures for data subjects to exercise those rights if this is appropriate in the light of the purposes sought by the specific processing along with technical and organisational measures aimed at minimising the processing of personal data in pursuance of the proportionality


and necessity principles.

Amendment 88

(125a) Personal data may also be processed subsequently by archive services whose main or mandatory task is to collect, conserve, provide information about, exploit and disseminate archives in the public interest. Member State legislation should reconcile the right to the protection of personal data with the rules on archives and on public access to administrative information. Member States should encourage the drafting, in particular by the European Archives Group, of rules to guarantee the confidentiality of data vis-à-vis third parties and the authenticity, integrity and proper conservation of data.

Moved to recitals 126c and 126d.55

(125aa) By coupling information from registries, researchers can obtain new knowledge of great value when it comes to e.g.

55 Moved to recitals 126c and 126d.


widespread diseases as cardiovascular disease, cancer, depression etc. On the basis of registries, research results can be enhanced, as they draw on a larger population. Within social science, research on the basis of registries enables researchers to obtain essential knowledge about long-term impact of a number of social conditions e.g. unemployment, education, and the coupling of this information to other life conditions. Research results obtained on the basis of registries provide solid, high quality knowledge, which can provide the basis for the formulation and implementation of knowledge-based policy, improve the quality of life for a number of people, and improve the efficiency of social services etc.

In order to facilitate scientific research, personal data can be processed for scientific purposes subject to appropriate conditions and safeguards set out in Member State or Union law. Hence consent from the data subject should not be necessary for each further


processing for scientific purposes.

(125b) The importance of archives for the understanding of the history and culture of Europe” and “that well-kept and accessible archives contribute to the democratic function of our societies', were underlined by Council Resolution of 6 May 2003 on archives in the Member States56. Where personal data are processed for archiving purposes, this Regulation should also apply to that processing, bearing in mind that this Regulation should not apply to deceased persons.

Public authorities or public or private bodies that hold records of public interest should be services which, pursuant to Union or Member State law, have a legal obligation to acquire, preserve, appraise, arrange, describe, communicate, promote, disseminate and provide access to records of enduring value for general public interest. Member States should also be authorised to

56 OJ C 113, 13.5.2003, p. 2.


provide that personal data may be further processed for archiving purposes, for example with a view to providing specific information related to the political behaviour under former totalitarian state regimes57.

Codes of conduct may contribute to the proper application of this Regulation, including when personal data are processed for archiving purposes in the public interest by further specifying appropriate safeguards for the rights and freedoms of the data subject58. Such codes should be drafted by Member States' official archives or by the European Archives Group. Regarding international transfers of personal data included in archives, these must take place without prejudice of the applying European and national rules for the circulation of cultural goods and national treasures.

57 CZ reservation.
58 CZ, DK, FI, HU, FR, MT, NL, PT, RO, SE, SI and UK scrutiny reservation.


Amendment 89

(126) Scientific research for the purposes of this Regulation should include fundamental research, applied research, and privately funded research and in addition should take into account the Union's objective under Article 179(1) of the Treaty on the Functioning of the European Union of achieving a European Research Area.

(126) Scientific research for the purposes of this Regulation should include fundamental research, applied research, and privately funded research and in addition should take into account the Union's objective under Article 179(1) of the Treaty on the Functioning of the European Union of achieving a European Research Area. The processing of personal data for historical, statistical and scientific research purposes should not result in personal data being processed for other purposes, unless with the consent of the data subject or on the basis of Union or Member State law.

(126) Where personal data are processed for Scientific scientific research for the purposes, of this Regulation should also apply to that processing. For the purposes of this Regulation, processing of personal data for scientific purposes should include fundamental research, applied research, and privately funded research59 and in addition should take into account the Union's objective under Article 179(1) of the Treaty on the Functioning of the European Union of achieving a European Research Area. Scientific purposes should also include studies conducted in the public interest in the area of public health. To meet the specificities of processing personal data for scientific purposes specific conditions should apply in particular as regards the publication or otherwise disclosure of personal data in the context of scientific purposes. If the result of

59 AT and SE scrutiny reservation.

scientific research in particular in the health context gives reason for further measures in the interest of the data subject, the general rules of this Regulation should apply in view of those measures60.

(126a) Where personal data are processed for historical purposes, this Regulation should also apply to that processing. This should also include historical research and research for genealogical purposes, bearing in mind that this Regulation should not apply to deceased persons.

(126b) For the purpose of consenting to the participation in scientific research activities in clinical trials (…) the relevant provisions of Regulation (EU) No. 536/2014 of the European Parliament and of the Council should apply.

(126c) Where personal data are processed for statistical purposes, this Regulation should apply to that processing. Union law or

60 CZ, DK, FI, FR, HU, MT, NL, PT, SE, SI and UK scrutiny reservation.

Member State law should, within the limits of this Regulation, determine statistical content, control of access, specifications for the processing of personal data for statistical purposes and appropriate measures to safeguard the rights and freedoms of the data subject and for guaranteeing statistical confidentiality.

(126d) The confidential information which the Union and national statistical authorities collect for the production of official European and official national statistics should be protected. European statistics should be developed, produced and disseminated in conformity with the statistical principles as set out in Article 338(2) of the Treaty of the Functioning of the European Union, while national statistics should also comply with national law.

Regulation (EC) No 223/2009 of the European Parliament and of the Council of 11 March 2009 on European statistics and repealing Regulation (EC, Euratom) No 1101/2008 of the European Parliament and of the Council on the transmission of data subject to statistical confidentiality to the Statistical Office of the European Communities, Council Regulation (EC) No 322/97 on Community Statistics, and Council Decision 89/382/EEC, Euratom establishing a Committee on the Statistical Programmes of the European Communities61 provides further specifications on statistical confidentiality for European statistics.

(127) As regards the powers of the supervisory authorities to obtain from the controller or processor access personal data and access to its premises, Member States may adopt by law, within the limits of this Regulation, specific rules in order to safeguard the professional or other equivalent secrecy obligations, in so far as necessary to reconcile the right to the protection of personal data with an obligation of professional secrecy.

(127) As regards the powers of the supervisory authorities to obtain from the controller or processor access personal data and access to its premises, Member States may adopt by law, within the limits of this Regulation, specific rules in order to safeguard the professional or other equivalent secrecy obligations, in so far as necessary to reconcile the right to the protection of personal data with an obligation of professional secrecy.

(127) As regards the powers of the supervisory authorities to obtain from the controller or processor access personal data and access to its premises, Member States may adopt by law, within the limits of this Regulation, specific rules in order to safeguard the professional or other equivalent secrecy obligations, in so far as necessary to reconcile the right to the protection of personal data with an obligation of professional secrecy. This is without prejudice to

61 OJ L 87, 31.3.2009, p. 164–173.

existing Member State obligations to adopt professional secrecy where required by Union law.

Amendment 90

(128) This Regulation respects and does not prejudice the status under national law of churches and religious associations or communities in the Member States, as recognised in Article 17 of the Treaty on the Functioning of the European Union. As a consequence, where a church in a Member State applies, at the time of entry into force of this Regulation, comprehensive rules relating to the protection of individuals with regard to the processing of personal data, these existing rules should continue to apply if they are brought in line with this Regulation. Such churches and religious associations should be required to provide for the establishment of a completely independent supervisory authority.

(128) This Regulation respects and does not prejudice the status under national law of churches and religious associations or communities in the Member States, as recognised in Article 17 of the Treaty on the Functioning of the European Union. As a consequence, where a church in a Member State applies, at the time of entry into force of this Regulation, comprehensive adequate rules relating to the protection of individuals with regard to the processing of personal data, these existing rules should continue to apply if they are brought in line with this Regulation and recognised as compliant. Such churches and religious associations should be required to provide for the establishment of a completely independent supervisory authority. .

(128) This Regulation respects and does not prejudice the status under existing constitutional national law of churches and religious associations or communities in the Member States, as recognised in Article 17 of the Treaty on the Functioning of the European Union. As a consequence, where a church in a Member State applies, at the time of entry into force of this Regulation, comprehensive rules relating to the protection of individuals with regard to the processing of personal data, these existing rules should continue to apply if they are brought in line with this Regulation. Such churches and religious associations should be required to provide for the establishment of a completely independent supervisory authority.

Amendment 91

(129) In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data and to ensure the free movement of personal data within the Union, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission. In particular, delegated acts should be adopted in respect of lawfulness of processing; specifying the criteria and conditions in relation to the consent of a child; processing of special categories of data; specifying the criteria and conditions for manifestly excessive requests and fees for exercising the rights of the data subject; criteria and requirements for the information to the data subject and in relation to the right of access; the right to be forgotten and to erasure; measures based on profiling; criteria and requirements

(129) In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data and to ensure the free movement of personal data within the Union, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission. In particular, delegated acts should be adopted in respect of lawfulness of processing; specifying the criteria and conditions in relation to the consent of a child; processing of special categories of data; specifying the criteria and conditions for manifestly excessive requests and fees for exercising the rights of the data subject; criteria and requirements for the information to the data subject and in relation to the right of access conditions of icon-based mode for provision of information; the right to be forgotten and to erasure; measures

(129) In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data and to ensure the free movement of personal data within the Union, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission. In particular, delegated acts should be adopted in respect of lawfulness of processing; specifying the criteria and conditions in relation to the consent of a child; processing of special categories of data; specifying the criteria and conditions for manifestly excessive requests and fees for exercising the rights of the data subject; criteria and requirements for the information to the data subject and in relation to the right of access; the right to be forgotten and to erasure; measures based on profiling; criteria and requirements in relation to the

in relation to the responsibility of the controller and to data protection by design and by default; a processor; criteria and requirements for the documentation and the security of processing; criteria and requirements for establishing a personal data breach and for its notification to the supervisory authority, and on the circumstances where a personal data breach is likely to adversely affect the data subject; the criteria and conditions for processing operations requiring a data protection impact assessment; the criteria and requirements for determining a high degree of specific risks which require prior consultation; designation and tasks of the data protection officer; codes of conduct; criteria and requirements for certification mechanisms; criteria and requirements for transfers by way of binding corporate rules; transfer derogations; administrative sanctions; processing for health purposes; processing in the employment context and processing for historical, statistical

based on profiling; criteria and requirements in relation to the responsibility of the controller and to data protection by design and by default; a processor; criteria and requirements for the documentation and the security of processing; criteria and requirements for establishing a personal data breach and for its notification to the supervisory authority, and on the circumstances where a personal data breach is likely to adversely affect the data subject; the criteria and conditions for processing operations requiring a data protection impact assessment; the criteria and requirements for determining a high degree of specific risks which require prior consultation; designation and tasks of the data protection officer; declaring that codes of conduct are in line with this Regulation; criteria and requirements for certification mechanisms; the adequate level of protection afforded by a third country or an international organisation; criteria and requirements for transfers by way of binding corporate rules;

responsibility of the controller and to data protection by design and by default; a processor; criteria and requirements for the documentation and the security of processing; criteria and requirements for establishing a personal data breach and for its notification to the supervisory authority, and on the circumstances where a personal data breach is likely to adversely affect the data subject; the criteria and conditions for processing operations requiring a data protection impact assessment; the criteria and requirements for determining a high degree of specific risks which require prior consultation; designation and tasks of the data protection officer; codes of conduct; criteria and requirements for certification mechanisms; criteria and requirements for transfers by way of binding corporate rules; transfer derogations; administrative sanctions; processing for health purposes; processing in the employment context and processing for historical, statistical and scientific research purposes. It is of

and scientific research purposes. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. The Commission, when preparing and drawing-up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and Council.

transfer derogations; administrative sanctions; processing for health purposes; and processing in the employment context and processing for historical, statistical and scientific research purposes. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, in particular with the European Data Protection Board. The Commission, when preparing and drawing-up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and to the Council..

particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. The Commission, when preparing and drawing-up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and Council.

Amendment 92

(130) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission for: specifying standard forms in relation to the processing of personal data of a child; standard procedures and forms for exercising the rights of data subjects; standard forms for

(130) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission for: specifying standard forms for specific methods to obtain verifiable consent in relation to the processing of personal data of a child; standard procedures and

(130) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission for: specifying standard forms in relation to the processing of personal data of a child; standard procedures and forms for exercising the rights of data subjects; standard forms for

the information to the data subject; standard forms and procedures in relation to the right of access; the right to data portability; standard forms in relation to the responsibility of the controller to data protection by design and by default and to the documentation; specific requirements for the security of processing; the standard format and the procedures for the notification of a personal data breach to the supervisory authority and the communication of a personal data breach to the data subject; standards and procedures for a data protection impact assessment; forms and procedures for prior authorisation and prior consultation; technical standards and mechanisms for certification; the adequate level of protection afforded by a third country or a territory or a processing sector within that third country or an international organisation; disclosures not authorized by Union law; mutual assistance; joint operations; decisions under the consistency mechanism. Those powers should be exercised in

forms for exercising the rights of the communication to the data subjects on the exercice exercise of their rights; standard forms for the information to the data subject; standard forms and procedures in relation to the right of access including for communicating the personal data to the data subject; the right to data portability; standard forms in relation to the responsibility of the controller to data protection by design and by default and to the documentation to be kept by the controller and the processor; specific requirements for the security of processing; the standard format and the procedures form for the notification of a personal data breach to the supervisory authority and the communication of a personal data breach to the data subject for documenting a personal data breach; standards and procedures for a data protection impact assessment; forms and procedures for prior authorisation and prior consultation; technical standards and mechanisms for certification; the adequate level of protection

the information to the data subject; standard forms and procedures in relation to the right of access; the right to data portability; standard forms in relation to the responsibility of the controller to data protection by design and by default and to the documentation; specific requirements for the security of processing; the standard format and the procedures for the notification of a personal data breach to the supervisory authority and the communication of a personal data breach to the data subject; standards and procedures for a data protection impact assessment; forms and procedures for prior authorisation and prior consultation; technical standards and mechanisms for certification; the adequate level of protection afforded by a third country or a territory or a processing sector within that third country or an international organisation; disclosures not authorized by Union law; mutual assistance; joint operations; decisions under the consistency mechanism. Those powers should be exercised in

accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission's exercise of implementing powers45. In this context, the Commission should consider specific measures for micro, small and medium-sized enterprises.

afforded by a third country or a territory or a processing sector within that third country or an international organisation; disclosures not authorized by Union law; mutual assistance; joint operations; decisions under the consistency mechanism and information to the supervisory authority. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council45 Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission's exercise of implementing powers1.

In this context, the Commission should consider specific measures for micro, small and medium-sized enterprises.

___________________
45 1 Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general

accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission's exercise of implementing powers62. In this context, the Commission should consider specific measures for micro, small and medium-sized enterprises.

62 Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers, OJ L 55, 28.2.2011, p. 13.

principles concerning mechanisms for control by the Member States of the Commission's exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).

Amendment 93

(131) The examination procedure should be used for the adoption of specifying standard forms in relation to the consent of a child; standard procedures and forms for exercising the rights of data subjects; standard forms for the information to the data subject; standard forms and procedures in relation to the right of access;, the right to data portability; standard forms in relation to the responsibility of the controller to data protection by design and by default and to the documentation; specific requirements for the security of processing; the standard format and the procedures for the notification of a personal data breach to the supervisory authority and the communication of a personal data breach to the data subject; standards and procedures

(131) The examination procedure should be used for the adoption of specifying standard forms in relation to the : for specific methods to obtain verifiable consent in relation to the processing of personal data of a child; standard procedures and forms for exercising the the communication to the data subjects on the exercice exercise of their rights of data subjects; standard forms for the information to the data subject; standard forms and procedures in relation to the right of access including for communicating the personal data to the data subject; the right to data portability; standard forms in relation to the responsibility of documentation to be kept by the controller to data protection by design and by default and to the

(131) The examination procedure should be used for the adoption of specifying standard forms in relation to the consent of a child; standard procedures and forms for exercising the rights of data subjects; standard forms for the information to the data subject; standard forms and procedures in relation to the right of access;, the right to data portability; standard forms in relation to the responsibility of the controller to data protection by design and by default and to the documentation; specific requirements for the security of processing; the standard format and the procedures for the notification of a personal data breach to the supervisory authority and the communication of a personal data breach to the data subject; standards and procedures

for a data protection impact assessment; forms and procedures for prior authorisation and prior consultation; technical standards and mechanisms for certification; the adequate level of protection afforded by a third country or a territory or a processing sector within that third country or an international organisation; disclosures not authorized by Union law; mutual assistance; joint operations; decisions under the consistency mechanism, given that those acts are of general scope.

documentation and the processor; specific requirements for the security of processing; the standard format and the procedures for the notification of a personal data breach to the supervisory authority and the communication of for documenting a personal data breach to the data subject; standards and procedures for a data protection impact assessment; forms and procedures for prior authorisation and prior consultation; technical standards and mechanisms for certification; the adequate level of protection afforded by a third country or a territory or a processing sector within that third country or an international organisation; disclosures not authorized by Union law; mutual assistance; joint operations; decisions under the consistency mechanism, and information to the supervisory authority, given that those acts are of general scope.

for a data protection impact assessment; forms and procedures for prior authorisation and prior consultation; technical standards and mechanisms for certification; the adequate level of protection afforded by a third country or a territory or a processing sector within that third country or an international organisation; disclosures not authorized by Union law; mutual assistance; joint operations; decisions under the consistency mechanism, given that those acts are of general scope.

Amendment 94

(132) The Commission should

Deleted

(132) The Commission should

adopt immediately applicable implementing acts where, in duly justified cases relating to a third country or a territory or a processing sector within that third country or an international organisation which does not ensure an adequate level of protection and relating to matters communicated by supervisory authorities under the consistency mechanism, imperative grounds of urgency so require.

adopt immediately applicable implementing acts where, in duly justified cases relating to a third country or a territory or a processing sector within that third country or an international organisation which does not ensure an adequate level of protection and relating to matters communicated by supervisory authorities under the consistency mechanism, imperative grounds of urgency so require.

(133) Since the objectives of this Regulation, namely to ensure an equivalent level of protection of individuals and the free flow of data throughout the Union, cannot be sufficiently achieved by the Member States and can therefore, by reason of the scale or effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order

(133) Since the objectives of this Regulation, namely to ensure an equivalent level of protection of individuals and the free flow of data throughout the Union, cannot be sufficiently achieved by the Member States and but can therefore rather, by reason of the scale or effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order

(133) Since the objectives of this Regulation, namely to ensure an equivalent level of protection of individuals and the free flow of data throughout the Union, cannot be sufficiently achieved by the Member States and can therefore, by reason of the scale or effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to

to achieve that objective.

to achieve that objective.

achieve that objective.

Amendment 95

(134) Directive 95/46/EC should be repealed by this Regulation. However, Commission decisions adopted and authorisations by supervisory authorities based on Directive 95/46/EC should remain in force.

(134) Directive 95/46/EC should be repealed by this Regulation. However, Commission decisions adopted and authorisations by supervisory authorities based on Directive 95/46/EC should remain in force. Commission decisions and authorisations by supervisory authorities relating to transfers of personal data to third countries pursuant to Article 41(8) should remain in force for a transition period of five years after the entry into force of this Regulation unless amended, replaced or repealed by the Commission before the end of this period.

(134) Directive 95/46/EC should be repealed by this Regulation. However, Commission decisions adopted and authorisations by supervisory authorities based on Directive 95/46/EC should remain in force.

(135) This Regulation should apply to all matters concerning the protection of fundamental rights and freedom vis-à-vis the processing of personal data, which are not subject to specific obligations with the same objective set out in Directive 2002/58/EC, including the obligations on the controller and the rights of

(135) This Regulation should apply to all matters concerning the protection of fundamental rights and freedom vis-à-vis the processing of personal data, which are not subject to specific obligations with the same objective set out in Directive 2002/58/EC of the European Parliament and of the Council1, including the obligations

(135) This Regulation should apply to all matters concerning the protection of fundamental rights and freedom vis-à-vis the processing of personal data, which are not subject to specific obligations with the same objective set out in Directive 2002/58/EC, including the obligations on the controller and the rights of

individuals. In order to clarify the relationship between this Regulation and Directive 2002/58/EC, the latter Directive should be amended accordingly.

on the controller and the rights of individuals. In order to clarify the relationship between this Regulation and Directive 2002/58/EC, the latter Directive should be amended accordingly.

1 Directive 2202/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.07.2002, P.37)

individuals. In order to clarify the relationship between this Regulation and Directive 2002/58/EC, the latter Directive should be amended accordingly.

(136) As regards Iceland and Norway, this Regulation constitutes a development of provisions of the Schengen acquis to the extent that it applies to the processing of personal data by authorities involved in the implementation of that acquis, as provided for by the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation,

(136) As regards Iceland and Norway, this Regulation constitutes a development of provisions of the Schengen acquis to the extent that it applies to the processing of personal data by authorities involved in the implementation of that acquis, within the meaning of as provided for by the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the latters’ association of those two States with

deleted

application and development of the Schengen acquis46.

_________________
46 OJ L 176, 10.7.1999, p. 36.

the implementation, application and development of the Schengen acquis461.

_________________
46 1 OJ L 176, 10.7.1999, p. 36.

(137) As regards Switzerland, this Regulation constitutes a development of provisions of the Schengen acquis to the extent that it applies to the processing of personal data by authorities involved in the implementation of that acquis, as provided for by the Agreement between the European Union, the European Community and the Swiss Confederation concerning the association of the Swiss Confederation with the implementation, application and development of the Schengen acquis47.

________________
47 OJ L 53, 27.2.2008, p. 52

(137) As regards Switzerland, this Regulation constitutes a development of provisions of the Schengen acquis to the extent that it applies to the processing of personal data by authorities involved in the implementation of that acquis, within the meaning of as provided for by the Agreement between the European Union, the European Community and the Swiss Confederation concerning on the association of the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis471.

________________
471 OJ L 53, 27.2.2008, p. 52

deleted

(138) As regards Liechtenstein, this Regulation constitutes a

(138) As regards Liechtenstein, this Regulation constitutes a

deleted63

63 Recitals 136, 137 and 138 were deleted as this proposal is not Schengen relevant. COM scrutiny reservation on these deletions.

development of provisions of the Schengen acquis to the extent that it applies to the processing of personal data by authorities involved in the implementation of that acquis, as provided for by the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis48.

___________________
48 OJ L 160 of 18.6.2011, p. 19

development of provisions of the Schengen acquis to the extent that it applies to the processing of personal data by authorities involved in the implementation of that acquis, within the meaning of as provided for by the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis481.

___________________
48 1 OJ L 160 of 18.6.2011, p. 19

(139) In view of the fact that, as underlined by the Court of Justice of the European Union, the right to the protection of personal data is not an absolute right, but must be considered in relation to its

(139) In view of the fact that, as underlined by the Court of Justice of the European Union, the right to the protection of personal data is not an absolute right, but must be considered in relation to its

deleted64

64 Former recital 139 was moved up to recital 3a so as to emphasise the importance of the fundamental rights dimension of data protection in connection with other fundamental rights.

function in society and be balanced with other fundamental rights, in accordance with the principle of proportionality, this Regulation respects all fundamental rights and observes the principles recognised in the Charter of Fundamental Rights of the European Union as enshrined in the Treaties, notably the right to respect for private and family life, home and communications, the right to the protection of personal data, the freedom of thought, conscience and religion, the freedom of expression and information, the freedom to conduct a business, the right to an effective remedy and to a fair trial as well as cultural, religious and linguistic diversity.business, the right to an effective remedy and to a fair trial as well as cultural, religious and linguistic diversity.

function in society and be balanced with other fundamental rights, in accordance with the principle of proportionality, this Regulation respects all fundamental rights and observes the principles recognised in the Charter of Fundamental Rights of the European Union as enshrined in the Treaties, notably the right to respect for private and family life, home and communications, the right to the protection of personal data, the freedom of thought, conscience and religion, the freedom of expression and information, the freedom to conduct a business, the right to an effective remedy and to a fair trial as well as cultural, religious and linguistic diversity.business, the right to an effective remedy and to a fair trial as well as cultural, religious and linguistic diversity

HAVE ADOPTED THIS REGULATION.

CHAPTER I GENERAL PROVISIONS

CHAPTER I GENERAL PROVISIONS

CHAPTER I GENERAL PROVISIONS

CHAPTER I GENERAL PROVISIONS

Article 1 Article 1 Article 1

Subject matter and objectives Subject matter and objectives Subject matter and objectives

1. This Regulation lays down rules relating to the protection of individuals with regard to the processing of personal data and rules relating to the free movement of personal data.

1. This Regulation lays down rules relating to the protection of individuals with regard to the processing of personal data and rules relating to the free movement of personal data

2. This Regulation protects the fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data.

2. This Regulation protects the fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data.

2a. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to the processing of personal data for compliance with a legal obligation or for the performance of a task

carried out in the public interest or in the exercise of official authority vested in the controller or for other specific processing situations as provided for in Article 6(1)(c) and (e) by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing including for other specific processing situations as provided for in Chapter IX65.

3. The free movement of personal data within the Union shall neither be restricted nor prohibited for reasons connected with the protection of individuals with regard to the processing of personal data.

3. The free movement of personal data within the Union shall neither be restricted nor prohibited for reasons connected with the protection of individuals with regard to the processing of personal data.

3. The free movement of personal data within the Union shall neither be restricted nor prohibited for reasons connected with the protection of individuals with regard to the processing of personal data66.

65 AT, CZ, HU, SI and SK reservation; these delegations were in favour of a minimum harmonisation clause for the public sector. LU reservation: this offers too much leeway.

66 DK, FR, NL, SI scrutiny reservation.

Article 2 Article 2 Article 2

Material scope Material scope Material scope

Amendment 96

1. This Regulation applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

1. This Regulation applies to the processing of personal data wholly or partly by automated means, irrespective of the method of processing, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

1. This Regulation applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system67.

2. This Regulation does not apply to the processing of personal data:

2. This Regulation does not apply to the processing of personal data:

2. This Regulation does not apply to the processing of personal data:

(a) in the course of an activity which falls outside the scope of Union law, in particular concerning national security;

(a) in the course of an activity which falls outside the scope of Union law, in particular concerning national security;

(a) in the course of an activity which falls outside the scope of Union law, in particular concerning national security;

(b) by the Union institutions, bodies, offices and agencies;

deleted deleted

(c) by the Member States when (c) by the Member States when (c) by the Member States when

67 HU objected to the fact that data processing operations not covered by this phrase would be excluded from the scope of the Regulation and thought this was not compatible with the stated aim of a set of comprehensive EU data protection rules. HU therefore proposed to replace the second part by the following wording 'irrespective of the means by which personal data are processed'.

carrying out activities which fall within the scope of Chapter 2 of the Treaty on European Union;

carrying out activities which fall within the scope of Chapter 2 of Title V of the Treaty on European Union;

carrying out activities which fall within the scope of Chapter 2 of Title V the Treaty on European Union;

(d) by a natural person without any gainful interest in the course of its own exclusively personal or household activity;

(d) by a natural person without any gainful interest in the course of its own an exclusively personal or household activity. This exemption shall also apply to a publication of personal data where it can be reasonably expected that it they will be only accessed by a limited number of persons;

(d) by a natural person without any gainful interest in the course of its own exclusively a personal or household activity;

(e) by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.

(e) by competent public authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.

(e) by competent public authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences and, for these purposes68, safeguarding of public security69, or the execution of criminal penalties.

3. This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of

3. This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary

deleted

68 BE reservation on the terms 'for these purposes'.

69 This change in wording will need to be discussed, but the Presidency has suggested this change in order to align the text to the suggested text in the Data Protection Directive for police and judicial cooperation.

intermediary service providers in Articles 12 to 15 of that Directive.

service providers in Articles 12 to 15 of that Directive.

Article 3 Article 3 Article 3

Territorial scope Territorial scope Territorial scope

Amendment 97

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union.

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, whether the processing takes place in the Union or not.

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union.

2. This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to:

2. This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller or processor not established in the Union, where the processing activities are related to:

2. This Regulation applies to the processing of personal data of data subjects residing in the Union by a controller not established in the Union, where the processing activities are related to:

(a) the offering of goods or services to such data subjects in the Union; or

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour.

(b) the monitoring of their behaviour such data subjects.

(b) the monitoring of their behaviour as far as their behaviour

takes place within the European Union70.

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where the national law of a Member State applies by virtue of public international law.

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where the national law of a Member State applies by virtue of public international law.

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where the national law of a Member State applies by virtue of public international law.

Article 4 Article 4 Article 4

Definitions Definitions Definitions

Amendment 98

For the purposes of this Regulation: For the purposes of this Regulation: For the purposes of this Regulation:

(1) 'data subject' means an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors

deleted

(1) 'personal data' means any information relating 'data subject' means or identifiable natural person ('data subject'); an identifiable an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in

70 UK reservation.

specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;

particular by reference to an identifier71 such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;

(2) 'personal data' means any information relating to a data subject;

(2) 'personal data' means any information relating to a an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, unique identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social or gender identity of that person;

deleted

(2a) 'pseudonymous data' means personal data that cannot be attributed to a specific data subject without the use of additional information, as long as such

71 UK is concerned that, together with recital 24, this will lead to risk-averse approach that this is always personal data.

additional information is kept separately and subject to technical and organisational measures to ensure non-attribution;

(2b) ‘encrypted data’ means personal data, which through technological protection measures is rendered unintelligible to any person who is not authorised to access it them;

(3) 'processing' means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction;

(3) 'processing' means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction;

(3) 'processing' means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, or erasure or destruction72;

(3a) 'profiling' means any form of automated processing of personal

72 DE, FR and NL regretted that the blocking of data was not included in the list of data processing operations as this was a means especially useful in the public sector. COM indicated that the right to have the processing restricted in certain cases was provided for in Article 17(4) (restriction of data processing), even though the terminology 'blocking' was not used there. DE and FR thought the definition of Article 4(3) (erasure) should be linked to Article 17.

data intended to evaluate certain personal aspects relating to a natural person or to analyse or predict in particular that natural person’s performance at work, economic situation, location, health, personal preferences, reliability or behaviour;

(3a) 'restriction of processing' means the marking of stored personal data with the aim of limiting their processing in the future73;

(3b) 'pseudonymisation' means the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable person (…)74.

73 RO scrutiny reservation.

74 DE, supported by UK, proposed reinserting the following reference 'or can be attributed to such person only with the investment of a disproportionate amount of time, expense and manpower'.

(4) 'filing system' means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;

(4) 'filing system' means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis;

(4) 'filing system' means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis75;

(5) 'controller' means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes, conditions and means of the processing of personal data; where the purposes, conditions and means of processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by Union law or by Member State law;

(5) 'controller' means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes, conditions and means of the processing of personal data; where the purposes, conditions and means of processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by Union law or by Member State law;

(5) 'controller' means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes, conditions and means of the processing of personal data; where the purposes, conditions and means of processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by Union law or by Member State law;

(6) 'processor' means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

(6) 'processor' means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller;

(6) 'processor' means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller76;

75 DE, FR SI, SK and UK scrutiny reservation. DE and SI thought this was completely outdated concept. COM explained that the definition had been taken over from Directive 95/46/EC and is related to the technical neutrality of the Regulation, as expressed in Article 2(1).

76 DE, DK, FR, LU and NL requested the inclusion of a definition of third party.

(7) 'recipient' means a natural or legal person, public authority, agency or any other body to which the personal data are disclosed;

(7) 'recipient' means a natural or legal person, public authority, agency or any other body to which the personal data are disclosed;

(7) 'recipient' means a natural or legal person, public authority, agency or any other body other than the data subject, the data controller or the data processor to which the personal data are disclosed;77 however regulatory bodies and authorities which may receive personal data in the exercise of their official functions shall not be regarded as recipients78;

(7a) ‘third party’ means any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorized to process the data;

(8) 'the data subject's consent' means any freely given specific, informed and explicit indication of

(8) 'the data subject's consent' means any freely given specific, informed and explicit indication of

(8) 'the data subject's consent' means any freely given specific, and informed and explicit79

77 PT reservation. DE, FR, LU, NL, SI and SE regretted the deletion from the 1995 Data Protection Directive of the reference to third party disclosure and pleaded in favour of its reinstatement. COM argued that this reference was superfluous and that its deletion did not make a substantial difference.

78 DE, ES, NL and UK scrutiny reservation on latter part of definition. ES, NL and UK thought it could be deleted.

79 COM, CY, FR, GR, HU, IT, PL and RO reservation on the deletion of 'explicit'.

his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;

his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;

indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;

(9) 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

(9) 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

(9) 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed80;

(10) 'genetic data' means all data, of whatever type, concerning the characteristics of an individual which are inherited or acquired during early prenatal development;

(10) 'genetic data' means all personal data, of whatever type, concerning relating to the genetic characteristics of an individual which are have been inherited or acquired during early prenatal development as they result from an analysis of a biological sample from the individual in question, in particular by chromosomal,

(10) 'genetic data' means all personal data, of whatever type, concerning relating to the genetic characteristics of an individual which are inherited or acquired during early prenatal development that have been inherited or acquired, resulting from an analysis of a biological sample from the individual in question81;

80 COM, supported by LU, explained that it sought to have a similar rule as in the E-Privacy Directive, which should be extended to all types of data processing. DE scrutiny reservation questioned the very broad scope of the duty of notifying data breaches, which so far under German law was limited to sensitive cases. NL, LV and PT concurred with DE and thought this could lead to over-notification. In the meantime the scope of Articles 31 and 32 has been limited.

81 AT, CY, FR, IT, NL and SE scrutiny reservation. Several delegations (CH, CY, DE and SE) expressed their surprise regarding the breadth of this definition, which would also cover data about a person's physical appearance. DE thought the definition should differentiate between various types of genetic data. AT scrutiny reservation. The definition is now explained in the recital 25a.

desoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis or analysis of any other element enabling equivalent information to be obtained;

(11) 'biometric data' means any data relating to the physical, physiological or behavioural characteristics of an individual which allow their unique identification, such as facial images, or dactyloscopic data;

(11) 'biometric data' means any personal data relating to the physical, physiological or behavioural characteristics of an individual which allow their his or her unique identification, such as facial images, or dactyloscopic data;

(11) 'biometric data' means any personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual which allows or confirms the82 their unique identification of that individual, such as facial images, or dactyloscopic data83;

(12) ‘data concerning health’ means any information which relates to the physical or mental health of an individual, or to the provision of health services to the individual;

(12) ‘data concerning health’ means any information personal data which relate to the physical or mental health of an individual, or to the provision of health services to the individual;

(12) ‘data concerning health’ meansdata related any information whichrelates to the physical or mentalhealth of an individual, whichreaveal information about his orher health status84or to theprovision of health services to theindividual;

82 ES preferred 'allows'; SI suggested 'allows or confirms'83 NL, SE and AT scrutiny reservation. SI did not understand why genetic data were not included in the definition of biometric data. FR queried the meaning of 'behavioural

characteristics of an individual which allow their unique identification'. CH is of the opinion that the term 'biometric data' is too broadly defined.84 CZ, DE, DK, EE, FR and SI expressed their surprise regarding the breadth of this definition. AT, BE, DE, NL and SI scrutiny reservation. COM scrutiny reservation.


(12a) 'profiling' means a form of automated processing of personal data intended to (…) use a profile to evaluate personal aspects relating to a natural person, in particular to analyse and predict aspects concerning performance at work, economic situation, health, personal preferences, or interests, reliability or behaviour, location or movements85;

(12b) ‘profile’ means a set of data characterising a category of individuals that is intended to be applied to a natural person;

(13) ‘main establishment’ means as regards the controller, the place of its establishment in the Union where the main decisions as to the purposes, conditions and means of the processing of personal data are taken; if no decisions as to the purposes, conditions and means of the processing of personal data are taken in the Union, the main

(13) ‘main establishment’ means as regards the controller, the place of its establishment of the undertaking or group of undertakings in the Union, whether controller or processor, where the main decisions as to the purposes, conditions and means of the processing of personal data are taken.; if no decisions as to the

(13) ‘main establishment’ means86

- as regards the a controller with establishments in more than one Member State, the place of its establishment central administration in the Union where unless the main decisions as to on the purposes, conditions and means of the processing of personal data

85 BE, RO and SE scrutiny reservation. BE, FR, LU, SI and RO would prefer reverting to the Council of Europe definition. COM reservation.

86 AT remarked that, in view of technological developments, it was very difficult to pinpoint the place of processing and, supported by ES, HU, PL, expressed a preference for a formal criterion, which referred to the incorporation of the controller. AT pointed out that such criterion would avoid the situation that, depending on the processing activity concerned, there would be a different main establishment and consequently a different lead DPA.


establishment is the place where the main processing activities in the context of the activities of an establishment of a controller in the Union take place. As regards the processor, 'main establishment' means the place of its central administration in the Union;

purposes, conditions and means of the processing of personal data are taken in the Union, the main establishment is the place where the main processing activities in the context of the activities of an establishment of a controller in the Union take place. As regards the processor, 'main establishment' means the place of its central administration in the Union The following objective criteria may be considered among others: the location of the controller or processor's headquarters; the location of the entity within a group of undertakings which is best placed in terms of management functions and administrative responsibilities to deal with and enforce the rules as set out in this Regulation; the location where effective and real management activities are exercised determining the data processing through stable arrangements;

are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in this case the establishment having taken such decisions shall be considered as the main establishment87.

If no decisions as to the purposes, conditions and means of the processing of personal data are taken in the Union, the main establishment is the place where the main processing activities in the context of the activities of an establishment of a controller in the Union take place.

- As as regards the a processor with establishments in more than one Member State, 'main establishment' means the place of its central administration in the Union, and, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities in the context

87 BE reservation.


of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under this Regulation;

- Where the controller exercises also activities as a processor, (…) the main establishment of the controller shall be considered as the main establishment for the supervision of processing activities;

- Where the processing is carried out by a group of undertakings, the main establishment of the controlling undertaking shall be considered as the main establishment of the group of undertakings, except where the purposes and means of processing are determined by another undertaking;

(14) ‘representative’ means any natural or legal person established in the Union who, explicitly designated by the controller, acts and may be addressed by any supervisory authority and other

(14) ‘representative’ means any natural or legal person established in the Union who, explicitly designated by the controller, acts and may be addressed by any supervisory authority and other

(14) ‘representative’ means any natural or legal person established in the Union who, explicitly designated by the controller in writing pursuant to Article 25, represents acts and may be


bodies in the Union instead of the controller, with regard to the obligations of the controller under this Regulation;

bodies in the Union instead of represents the controller, with regard to the obligations of the controller under this Regulation;

addressed by any supervisory authority and other bodies in the Union instead of the controller, with regard to the obligations of the controller under this Regulation;

(15) ‘enterprise’ means any entity engaged in an economic activity, irrespective of its legal form, thus including, in particular, natural and legal persons, partnerships or associations regularly engaged in an economic activity;

(15) ‘enterprise’ means any entity engaged in an economic activity, irrespective of its legal form, thus including, in particular, natural and legal persons, partnerships or associations regularly engaged in an economic activity;

(15) ‘enterprise’ means any natural or legal person entity engaged in an economic activity, irrespective of its legal form, thus including, in particular, natural and legal persons, partnerships or associations regularly engaged in an economic activity;

(16) 'group of undertakings' means a controlling undertaking and its controlled undertakings;

(16) 'group of undertakings' means a controlling undertaking and its controlled undertakings;

(16) 'group of undertakings' means a controlling undertaking and its controlled undertakings88;

(17) ‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State of the Union for transfers or a set of transfers of personal data to a controller or processor in one or

(17) ‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State of the Union for transfers or a set of transfers of personal data to a controller or processor in one or

(17) ‘binding corporate rules’ means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State of the Union for transfers or a set of transfers of personal data to a controller or processor in one or

88 DE scrutiny reservation. UK scrutiny reservation on all definitions in paragraphs 10 to 16.


more third countries within a group of undertakings;

more third countries within a group of undertakings;

more third countries within a group of undertakings89 or group of enterprises engaged in a joint economic activity;

(18) 'child' means any person below the age of 18 years;

(18) 'child' means any person below the age of 18 years;

deleted90

(19) 'supervisory authority' means a public authority which is established by a Member State in accordance with Article 46.

(19) 'supervisory authority' means a public authority which is established by a Member State in accordance with Article 46.

(19) 'supervisory authority' means an independent public authority which is established by a Member State in accordance with pursuant to Article 46.

(19a) ‘concerned supervisory authority’ means

- a supervisory authority which is concerned by the processing, because:

a) the controller or processor is established on the territory of the Member State of that supervisory authority;

b) data subjects residing in this

89 DE queried whether BCRs could also cover intra-EU data transfers. COM indicated that there was no need for BCRs in the case of intra-EU transfers, but that controllers were free to apply BCRs also in those cases.

90 COM scrutiny reservation on the deletion of the definition of a child.


Member State are substantially91 affected or likely to be substantially affected by the processing; or

c) the underlying complaint has been lodged to that supervisory authority.

(19b) “transnational processing of personal data” means either:

a) processing which takes place in the context of the activities of establishments in more than one Member State of a controller or a processor in the Union and the controller or processor is established in more than one Member State; or

b) processing which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect92 data subjects in more than one

91 IE and UK would prefer the term 'materially'.

92 Several Member States thought that this should be clarified in recital: CZ, FI, HU, SE.


Member State.

(19c) “relevant and reasoned objection” means:

an objection as to whether there is an infringement of this Regulation or not, or, as the case may be, whether the envisaged action in relation to the controller or processor is in conformity with the Regulation. The objection shall clearly demonstrate93 the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects94 and where applicable, the free flow of personal data.

(20) 'Information Society service' means any service as defined by Article 1 (2) of Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the

93 BE thought that this was a threshold too high.

94 IE thought that also risks to the controller should be covered.


provision of information in the field of technical standards and regulations and of rules on Information Society services95 96 97.

(21) ‘international organisation’ means an organisation and its subordinate bodies governed by public international law or any other body which is set up by, or on the basis of, an agreement between two or more countries98;

95 OJ L 204, 21.7.1998, p. 37–48.

96 UK suggests adding a definition of 'competent authority' corresponding to that of the future Data Protection Directive.

97 BE, DE, FR and RO suggest adding a definition of ‘transfer’ ('communication or availability of the data to one or several recipients'). RO suggests adding 'transfers of personal data to third countries or international organizations is a transmission of personal data object of processing or designated to be processed after transfer which ensure an adequate level of protection, whereas the adequacy of the level of protection afforded by a third country or international organization must be assessed in the light of all the circumstances surrounding the transfer operation or set of transfer operations'.

98 NL queried whether MOUs would also be covered by this definition; FI queried whether Interpol would be covered. CZ, DK, LV, SI, SE and UK pleaded in favour of its deletion.


CHAPTER II PRINCIPLES

CHAPTER II PRINCIPLES

CHAPTER II PRINCIPLES

Article 5 Article 5 Article 5

Principles relating to personal data processing

Principles relating to personal data processing

Principles relating to personal data processing

Amendment 99

Personal data must be: 1. Personal data must shall be: Personal data must be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject;

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness and transparency);

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject99;

(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;

(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes (purpose limitation);

(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further processing of personal data for archiving purposes in the public interest or scientific, statistical100 or historical purposes

99 DE proposed adding "and non-discriminatory" and "taking into account the benefit of data processing within a free, open and social society". This was viewed critically by several delegations (CZ, ES, IE, IT, PL).

100 FR thought Chapter III should contain specific rules for protecting personal data processed for statistical purposes; DE and PL thought statistical purposes should also be qualified by the public interest filter. DE, supported by SI, suggested adding: "if the data have initially been collected for these purposes".


shall in accordance with Article 83 not be considered incompatible with the initial purposes101;

(c) adequate, relevant, and limited to the minimum necessary in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data;

(c) adequate, relevant, and limited to the minimum necessary in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data (data minimisation);

(c) adequate, relevant, and not excessive limited to the minimum necessary in relation to the purposes for which they are processed102; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data;

(d) accurate and kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (accuracy).

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

(e) kept in a form which permits identification of data subjects for no longer than is

(e) kept in a form which permits direct or indirect identification of data subjects for no longer than is

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the

101 Referring to Article 6(2), DE and RO queried whether this phrase implied that a change of the purpose of processing was always lawful in case of scientific processing, also in the absence of consent by the data subject. BE queried whether the concept of compatible purposes was still a useful one. HU and ES scrutiny reservations on reference to Article 83. FR thought that health data could be processed only in the public interest or with the consent of the data subject.

102 COM reservation on the deletion of the data minimisation principle. AT, CY, DE, EE, FR, HU, IT, PL, FI and SI preferred to return to the initial COM wording, stating 'limited to the minimum necessary'. DE, supported by PL, also suggested adding: "they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data". DK and UK were opposed to any further amendments to this point.


necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for historical, statistical or scientific research purposes in accordance with the rules and conditions of Article 83 and if a periodic review is carried out to assess the necessity to continue the storage;

necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for historical, statistical or scientific research or for archive purposes in accordance with the rules and conditions of Article Articles 83 and 83a and if a periodic review is carried out to assess the necessity to continue the storage, and if appropriate technical and organizational measures are put in place to limit access to the data only for these purposes (storage minimisation);

purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for archiving purposes in the public interest, or scientific, historical, statistical, or scientific research or historical purposes in accordance with the rules and conditions of Article 83 and if a periodic review is carried out to assess the necessity to continue the storage subject to implementation of the appropriate technical and organisational measures required by the Regulation in order to safeguard the rights and freedoms of data subject103;

(ea) processed in a way that effectively allows the data subject to exercise his or her rights (effectiveness);

(eb) processed in a way that protects against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational

103 IE proposal so as to cover all the safeguards required under the Regulation, including those in Chapter IV.


measures (integrity);

(ee) processed in a manner that ensures appropriate security (…) of the personal data.

(f) processed under the responsibility and liability of the controller, who shall ensure and demonstrate for each processing operation the compliance with the provisions of this Regulation.

(f) processed under the responsibility and liability of the controller, who shall ensure and be able to demonstrate for each processing operation the compliance with the provisions of this Regulation (accountability).

deleted104

2. The controller shall be responsible for compliance with paragraph 1 105.

Article 6 Article 6 Article 6

Lawfulness of processing Lawfulness of processing Lawfulness of processing106

Amendment 100

1. Processing of personal data shall be lawful only if and to the extent that at least one of the

1. Processing of personal data shall be lawful only if and to the extent that at least one of the following

1. Processing of personal data shall be lawful only if and to the extent that at least one of the following

104 AT wondered whether a principle of digital autonomy should be added here.

105 It was previously proposed to add 'also in case of personal data being processed on its behalf by a processor', but further to suggestion from LU and FR, this rule on liability may be dealt with in the context of Chapter VIII.

106 DE, AT, PT, SI, SE and SK scrutiny reservation.


following applies: applies: applies:

(a) the data subject has given consent to the processing of their personal data for one or more specific purposes;

(a) the data subject has given consent to the processing of their personal data for one or more specific purposes;

(a) the data subject has given unambiguous107 consent to the processing of their personal data for one or more specific purposes108;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject;

(d) processing is necessary in order to protect the vital interests of the data subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for (f) processing is necessary for the (f) processing is necessary for the

107 FR, PL and COM reservation in relation to the deletion of 'explicit' in the definition of ‘consent’; UK thought that the addition of 'unambiguous' was unjustified.

108 RO scrutiny reservation.


the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.

purposes of the legitimate interests pursued by the controller or, in case of disclosure, by the third party to whom the data is are disclosed, and which meet the reasonable expectations of the data subject based on his or her relationship with the controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.

purposes of the legitimate interests109 pursued by a the controller or by a third party110, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. [This subparagraph shall not apply to processing carried out by public authorities in the performance exercise of their tasks public duties]111 112.

2. Processing of personal data which is necessary for the purposes of historical, statistical or scientific research shall be lawful subject to the conditions and safeguards referred to in Article 83.

2. Processing of personal data which is necessary for the purposes of historical, statistical or scientific research shall be lawful subject to the conditions and safeguards referred to in Article 83.

2. Processing of personal data which is necessary for archiving the purposes in the public interest, or of for historical, statistical or scientific research purposes shall be lawful subject also to the conditions and safeguards referred

109 FR scrutiny reservation.

110 Reinstated at the request of BG, CZ, DE, ES, HU, IT, NL, SE, SK and UK. COM, IE, FR and PL reservation on this reinstatement.

111 Deleted at the request of BE, CZ, DK, IE, MT, SE, SI, SK, PT and UK. COM, AT, CY, DE, FI, FR, GR and IT wanted to maintain the last sentence. COM reservation against deletion of the last sentence, stressing that processing by public authorities in the exercise of their public duties should rely on the grounds in point c) and e).

112 DK and FR regretted there was no longer a reference to purposes set out in Article 9(2) and thought that the link between Article 6 and 9 needed to be clarified.


to in Article 83.

3. The basis of the processing referred to in points (c) and (e) of paragraph 1 must be provided for in:

3. The basis of the processing referred to in points (c) and (e) of paragraph 1 must be provided for in:

3. The basis of for the processing referred to in points (c) and (e) of paragraph 1 must be provided for established in accordance with:

(a) Union law, or (a) Union law, or (a) Union law, or

(b) the law of the Member State to which the controller is subject.

(b) the law of the Member State to which the controller is subject.

(b) national the law of the Member State to which the controller is subject113.

The purpose of the processing shall be determined in this legal basis or as regards the processing referred to in point (e) of paragraph 1, be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

This legal basis may contain specific provisions to adapt the application of rules of this

113 It was pointed out that the text of Article 6 may have an adverse effect on the collection of personal data under administrative, criminal and civil law collections by third country public authorities, in that Article 6 provides that processing for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest may only take place to the extent established in accordance with Union or Member State law. Compliance with the administrative, regulatory, civil and criminal law requirements of a third country incumbent on controllers that engage in commercial or other regulated activities with respect to third countries, or voluntary reporting of violations of law to, or cooperation with, third country administrative, regulatory, civil and criminal law enforcement authorities appear not be allowed under the current draft of Article 6. The Presidency thinks this point will have to be examined in the future, notably in the context of Chapter I.


Regulation, inter alia the general conditions governing the lawfulness of data processing by the controller, the type of data which are subject to the processing, the data subjects concerned; the entities to, and the purposes for which the data may be disclosed; the purpose limitation; storage periods and processing operations and processing procedures, including measures to ensure lawful and fair processing, including for other specific processing situations as provided for in Chapter IX.

3a. In order to ascertain whether a purpose of further processing is compatible with the one for which the data are initially collected, the controller shall take into account, unless the data subject has given consent114, inter alia115:

(a) any link between the purposes for which the data have been collected and the purposes of

114 DK, IT and PT scrutiny reservation; IT deemed this irrelevant to compatibility test.

115 DK, FI, NL, RO, SI and SE stressed the list should not be exhaustive.


the intended further processing;

(b) the context in which the data have been collected;

(c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9;

(d) the possible consequences of the intended further processing for data subjects;

(e) the existence of appropriate safeguards116.

The law of the Member State must meet an objective of public interest or must be necessary to protect the rights and freedoms of others, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued.

The law of the Member State must meet an objective of public interest or must be necessary to protect the rights and freedoms of others, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued. Within the limits of this Regulation, the law of the Member State may provide details of the lawfulness of processing, particularly as regards data

deleted

116 DE, SK and PL reservation: safeguards as such do not make further processing compatible. FR queried to which processing this criterion related: the initial or further processing. DE and UK pleaded for the deletion of paragraph 3a.


controllers, the purpose of processing and purpose limitation, the nature of the data and the data subjects, processing measures and procedures, recipients, and the duration of storage.

4. Where the purpose of further processing is not compatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract.

deleted 4. Where the purpose of further processing is not incompatible with the one for which the personal data have been collected by the same controller, the further processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) of paragraph 1117

118. This shall in particular apply to any change of terms and general conditions of a contract. Further processing by the same controller for incompatible purposes on grounds of legitimate interests of that controller or a third party shall be lawful if these interests override the interests of the data subject119.

117 ES, AT and PL reservation; DE, HU scrutiny reservation. FR suggested adding 'if the process concerns the data mentioned in Articles 8 and 9'.
118 HU, supported by CY, FR, AT and SK, thought that a duty for the data controller to inform the data subject of a change of legal basis should be added here. The Presidency refers to the changes proposed in ADD 1 to 17072/3/14 REV 3.
119 COM reservation; BE, AT, FI, HU, IT and PL scrutiny reservation: (some of) these delegations would have liked to delete this last sentence; DE wanted to limit the second sentence to private controllers.


5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the conditions referred to in point (f) of paragraph 1 for various sectors and data processing situations, including as regards the processing of personal data related to a child.

deleted deleted

Article 7 Article 7 Article 7

Conditions for consent Conditions for consent Conditions for consent

Amendment 101

1. The controller shall bear the burden of proof for the data subject's consent to the processing of their personal data for specified purposes.

1. Where processing is based on consent, Thethe controller shall bear the burden of proof for the data subject's consent to the processing of their his or her personal data for specified purposes.

1. Where Article 6(1)(a) applies the controller shall bear the burden of proof for the data subject's be able to demonstrate that unambiguous120 consent to the processing of their personal data for specified purposes was given by the data subject.

120 COM reservation related to the deletion of 'explicit' in the definition of consent.


1a. Where article 9(2)(a) applies, the controller shall be able to demonstrate that explicit consent was given by the data subject.

2. If the data subject's consent is to be given in the context of a written declaration which also concerns another matter, the requirement to give consent must be presented distinguishable in its appearance from this other matter.

2. If the data subject's consent is given in the context of a written declaration which also concerns another matter, the requirement to give consent must be presented clearly distinguishable in its appearance from this other matter. Provisions on the data subject’s consent which are partly in violation of this Regulation are fully void.

2. If the data subject's consent is to be given in the context of a written declaration which also concerns another matters, the requirement to giverequest for consent must be presented in a manner which is clearly distinguishable in its appearance from thise other matters, in an intelligible and easily accessible form, using clear and plain language.

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

3. Notwithstanding other legal grounds for processing, The the data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. It shall be as easy to withdraw consent as to give it. The data subject shall be informed

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof121.

121 IE reservation. The Presidency concurs with SE that the last sentence belongs rather in Article 14. To that end the Presidency has made some suggestions set out in ADD 1 to 17072/3/14 REV 3.


by the controller if withdrawal of consent may result in the termination of the services provided or of the relationship with the controller.

4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.

4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller be purpose-limited and shall lose its validity when the purpose ceases to exist or as soon as the processing of personal data is no longer necessary for carrying out the purpose for which they were originally collected. The execution of a contract or the provision of a service shall not be made conditional on the consent to the processing of data that is not necessary for the execution of the contract or the provision of the service pursuant to Article 6(1), point (b).

deleted

Article 8 Article 8 Article 8

Processing of personal data of a child

Processing of personal data of a child

Conditions applicable to child's consent in relation to


information society services 122

Amendment 102

1. For the purposes of this Regulation, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodian. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology.

1. For the purposes of this Regulation, in relation to the offering of information society goods or services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodianlegal guardian. The controller shall make reasonable efforts to obtain verifiable verify such consent, taking into consideration available technology without causing otherwise unnecessary processing of personal data.

1. For the purposes of this RegulationWhere Article 6 (1)(a) applies, in relation to the offering of information society services directly to a child123, the processing of personal data of a child below the age of 13 years124 shall only be lawful if and to the extent that such consent is given or authorised by the holder of parental responsibility over the child's parent or custodianis given by the child in circumstances where it is treated as valid by Union or Member State law.

(1a) The controller shall make reasonable efforts to obtain verifiable verify in such cases that

122 CZ, DE, AT, SE, SI, PT and UK scrutiny reservation. CZ and SI would prefer to see this Article deleted. NO proposes including a general provision stating that personal data relating to children cannot be processed in an irresponsible manner contrary to the child’s best interest. Such a provision would give the supervisory authorities a possibility to intervene if for example adults publish personal data about children on the Internet in a manner which may prove to be problematic for the child. DE, supported by NO, opined this article could have been integrated into Article 7

123 Several delegations (DE, HU, ES, FR, SE, SK, PT) disagreed with the restriction of the scope and thought the phrase 'in relation to the offering of information society services directly to a child' should be deleted.

124 COM reservation on the deletion of a harmonised age threshold.


consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.

1a. Information provided to children, parents and legal guardians in order to express consent, including about the controller’s collection and use of personal data, should be given in a clear language appropriate to the intended audience.

2. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.

2. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child.

2. Paragraph 1 shall not affect the general contract law of Member States such as the rules on the validity, formation or effect of a contract in relation to a child125.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the methods to obtain verifiable

3. The Commission European Data Protection Board shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose entrusted with the task of further specifying the criteria and

3. [The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the methods to obtain verifiable

125 DE, supported by SE, queried whether a Member State could adopt/maintain more stringent contract law. SI thought the reference should be worded more broadly to 'civil law', thus encompassing also personality rights.


consent referred to in paragraph 1. In doing so, the Commission shall consider specific measures for micro, small and medium-sized enterprises.

requirements issuing guidelines, recommendations and best practices for the methods to obtain verifiable of verifying consent referred to in paragraph 1, in accordance with Article 66. In doing so, the Commission shall consider specific measures for micro, small and medium-sized enterprises.

consent referred to in paragraph 1126]. In doing so, the Commission shall consider specific measures for micro, small and medium-sized enterprises.

4. The Commission may lay down standard forms for specific methods to obtain verifiable consent referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

deleted 4. The Commission may lay down standard forms for specific methods to obtain verifiable consent referred to in paragraph 1. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2)]127.

Article 9 Article 9 Article 9

Amendment 103

Processing of special categories of personal data

Processing of special Special categories of personal data

Processing of special categories of personal data128

126 DE, ES, FR, SE and UK suggested deleting this paragraph. CZ suggested adding "and for identifying that a service is offered directly to a child". DE, supported by BE and FR, suggested giving the EDPB the power to issue guidelines in this regard.

127 LU reservation. ES, FR, SE and UK suggested deleting paragraphs 3 and 4.
128 COM, DK, SE and AT scrutiny reservation. SK thought the inclusion of biometric data should be considered.


1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures shall be prohibited.

1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or philosophical beliefs, sexual orientation or gender identity, trade-union membership and activities, and the processing of genetic or biometric data or data concerning health or sex life or, administrative sanctions, judgments, criminal or suspected offences, convictions or related security measures shall be prohibited.

1. The processing of personal data, revealing race racial or ethnic origin, political opinions, religionus or philosophical beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures shall be prohibited.

2. Paragraph 1 shall not apply where:

2. Paragraph 1 shall not apply whereif one of the following applies:

2. Paragraph 1 shall not apply if one of the following applies:

(a) the data subject has given consent to the processing of those personal data, subject to the conditions laid down in Articles 7 and 8, except where Union law or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; or

(a) the data subject has given consent to the processing of those personal data for one or more specified purposes, subject to the conditions laid down in Articles 7 and 8, except where Union law or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; or

(a) the data subject has given explicit consent to the processing of those personal data, subject to the conditions laid down in Articles 7 and 8, except where Union law or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; or

(aa) processing is necessary for the performance or execution of a


contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law in so far as it is authorised by Union law or Member State law providing for adequate safeguards; or

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law in so far as it is authorised by Union law or Member State law or collective agreements providing for adequate safeguards for the fundamental rights and the interests of the data subject such as right to non-discrimination, subject to the conditions and safeguards referred to in Article 82; or

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union law or Member State law or a collective agreement pursuant to Member State law providing for adequate safeguards; or

(c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent; or

(c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent; or

(c) processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent; or

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other non-profit-

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other non-profit-seeking body with a

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other non-profit-seeking body with a


seeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed outside that body without the consent of the data subjects; or

political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed outside that body without the consent of the data subjects; or

political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed outside that body without the consent of the data subjects; or

(e) the processing relates to personal data which are manifestly made public by the data subject; or

(e) the processing relates to personal data which are manifestly made public by the data subject; or

(e) the processing relates to personal data which are manifestly made public by the data subject; or

(f) processing is necessary for the establishment, exercise or defence of legal claims; or

(f) processing is necessary for the establishment, exercise or defence of legal claims; or

(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; or

(g) processing is necessary for the performance of a task carried out in the public interest, on the basis of Union law, or Member State law which shall provide for suitable measures to safeguard the data subject's legitimate interests;

(g) processing is necessary for the performance of a task carried out in the for reasons of high public interest, on the basis of Union law, or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for

(g) processing is necessary for the performance of a task carried out in the129 reasons of public interest, on the basis of Union law, or Member State law which shall provide for suitable and specific measures to safeguard the data subject's

129 AT, PL and COM reservation on deletion of 'important'; DK suggested adding 'in the public interest vested in the controller'.


or suitable measures to safeguard the fundamental rights and the data subject's legitimate interests of the data subject; or

legitimate interests; or

(h) processing of data concerning health is necessary for health purposes and subject to the conditions and safeguards referred to in Article 81; or

(h) processing of data concerning health is necessary for health purposes and subject to the conditions and safeguards referred to in Article 81; or

(h) processing130 of data concerning health is necessary for health purposes the purposes of preventive or occupational medicine131, for the assessment of the working capacity of the employee132, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union law or Member State law133 or pursuant to contract with a health professional134 and subject to the conditions and safeguards referred to in Article 81paragraph 4135; or

130 HU suggested reinstating "of health data" here and in point (hb).
131 AT would like to see this deleted; BE pointed out this type of medicine practice is not (entirely) regulated by law under Belgian law and therefore the requirement of paragraph 4 is not met.
132 PL and AT would like to see this deleted.
133 COM, IE, PL scrutiny reservation.
134 FR and PL reservation.
135 AT, DE and ES scrutiny reservation. DE and ES queried what happened in cases where obtaining consent was not possible (e.g. in case of contagious diseases; persons who were physically or mentally not able to provide consent); NL thought this should be further clarified in recital 42. BE queried what happened in the case of processing of health data by insurance companies. COM explained that this was covered by Article 9(2) (a), but SI was not convinced thereof.


(ha) (…);

(hb) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union law or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subjectdata; or

(i) processing is necessary for historical, statistical or scientific research purposes subject to the conditions and safeguards referred to in Article 83; or

(i) processing is necessary for historical, statistical or scientific research purposes subject to the conditions and safeguards referred to in Article 83; or

(i) processing is necessary for archiving purposes in the public interest or historical, statistical or scientific research purposes and subject to the conditions and safeguards laid down in Union or Member State law, including those referred to in Article 83.

(ia) processing is necessary for archive services subject to the conditions and safeguards referred to in Article 83a; or


(j) processing of data relating to criminal convictions or related security measures is carried out either under the control of official authority or when the processing is necessary for compliance with a legal or regulatory obligation to which a controller is subject, or for the performance of a task carried out for important public interest reasons, and in so far as authorised by Union law or Member State law providing for adequate safeguards. A complete register of criminal convictions shall be kept only under the control of official authority.

(j) processing of data relating to administrative sanctions, judgments, criminal offences, convictions or related security measures is carried out either under the control of official authority or when the processing is necessary for compliance with a legal or regulatory obligation to which a controller is subject, or for the performance of a task carried out for important public interest reasons, and in so far as authorised by Union law or Member State law providing for adequate safeguards. A complete for the fundamental rights and the interests of the data subject. Any register of criminal convictions shall be kept only under the control of official authority.

deleted136

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria, conditions and appropriate safeguards for the

3. The Commission European Data Protection Board shall be empowered to adopt delegated acts in accordance with Article 86 for the purposeentrusted with the task of further specifying the criteria,

deleted137

136 Deleted at the request of AT, COM, EE, ES, FR, HU, IT, LU, MT, PL, PT, RO and SK. DE and FI wanted to reintroduce the paragraph.
137 COM reservation on the deletion of paragraph 3 on delegated acts.


processing of the special categories of personal data referred to in paragraph 1 and the exemptions laid down in paragraph 2.

conditions and appropriate safeguards issuing guidelines, recommendations and best practices for the processing of the special categories of personal data referred to in paragraph 1 and the exemptions laid down in paragraph 2, in accordance with Article 66.

4. Personal data referred to in paragraph 1 may on the basis of Union or Member State law be processed for the purposes referred to in points (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

5. Member States may maintain or introduce more specific provisions with regard to genetic data or health data. This includes the


possibility for Member States to introduce further conditions for the processing of these data138.

Article 9a

Processing of data relating to criminal convictions and offences139

Processing of data relating to criminal convictions and offences or related security measures based on Article 6(1) may only be carried out either under the control of official authority or when the processing is authorised by Union law or Member State law providing for adequate safeguards for the rights and freedoms of data subjects. A complete register of criminal convictions may be kept only under the control of official authority140.

138 COM scrutiny reservation.
139 DE and HU would prefer to see these data treated as sensitive data in the sense of Article 9(1). EE and UK are strongly opposed thereto.
140 SI, SK reservation on last sentence.


Article 10 Article 10 Article 10

Processing not allowing identification

Processing not allowing identification

Processing not allowing requiring identification

Amendment 104

If the data processed by a controller do not permit the controller to identify a natural person, the controller shall not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation.

1. If the data processed by a controller do not permit the controller or processor to directly or indirectly identify a natural person, or consist only of pseudonymous data, the controller shall not be obliged to process or acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation.

If the data processed by purposes for which a controller processes personal data do not permit or do no longer require the identification of a data subject by the controller to identify a natural person, the controller shall not be obliged to maintain or acquire additional information nor to engage in additional processing in order to identify the data subject for the sole purpose of complying with any provision of this Regulation141.

2. Where the data controller is unable to comply with a provision of this Regulation because of paragraph 1, the controller shall not be obliged to comply with that particular provision of this Regulation. Where as a consequence the data controller is

2. Where, in such cases the controller is not in a position to identify the data subject, articles 15, 16, 17, 17a, 17b and 18 do not apply except where the data subject, for the purpose of exercising his or her rights under these articles, provides additional

141 AT, DE, HU, PL scrutiny reservation and UK and FR and COM reservation.


unable to comply with a request of the data subject, it shall inform the data subject accordingly.

information enabling his or her identification142.

Article 10 a (new)

Amendment 105

General principles for the rights of the data subject rights

1. The basis of data protection is clear and unambiguous rights for the data subject which shall be respected by the data controller. The provisions of this Regulation aim to strengthen, clarify, guarantee and where appropriate, codify these rights.

2. Such rights include, inter alia, the provision of clear and easily understandable information regarding the processing of the data subject’s his or her personal data, the right of access, rectification and erasure of their his or her data, the right to obtain data, the right to object to

142 DK, RO, SE and SI scrutiny reservation; COM and FR reservation; FR wanted to add in the end of the paragraph "In any case, the data subject should only have to provide the minimum additional information necessary in order to be able to exercise his or her rights which can never be denied by the controller."


profiling, the right to lodge a complaint with the competent data protection authority and to bring legal proceedings as well as the right to compensation and damages resulting from an unlawful processing operation. Such rights shall in general be exercised free of charge. The data controller shall respond to requests from the data subject within a reasonable period of time.


CHAPTER III RIGHTS OF THE DATA SUBJECT

CHAPTER III RIGHTS OF THE DATA SUBJECT

CHAPTER III RIGHTS OF THE DATA SUBJECT143

SECTION 1 TRANSPARENCY AND MODALITIES

SECTION 1 TRANSPARENCY AND MODALITIES

SECTION 1 TRANSPARENCY AND MODALITIES

Article 11 Article 11 Article 11

Transparent information and communication

Transparent information and communication

Transparent information and communication

Amendment 106

1. The controller shall have transparent and easily accessible policies with regard to the processing of personal data and for the exercise of data subjects' rights.

1. The controller shall have concise, transparent, clear and easily accessible policies with regard to the processing of personal data and for the exercise of data subjects' rights

deleted

2. The controller shall provide any information and any communication relating to the processing of personal data to the data subject in an intelligible form,

2. The controller shall provide any information and any communication relating to the processing of personal data to the data subject in an intelligible form, using clear and

deleted

143 General scrutiny reservation by UK on the articles in this Chapter.


using clear and plain language, adapted to the data subject, in particular for any information addressed specifically to a child.

plain language, adapted to the data subject, in particular for any information addressed specifically to a child.

Article 12 Article 12 Article 12

Procedures and mechanisms for exercising the rights of the data subject

Procedures and mechanisms for exercising the rights of the data subject

Procedures and mechanisms Transparent information, communication and modalities for exercising the rights of the data subject144

Amendment 107

1. The controller shall establish procedures for providing the information referred to in Article 14 and for the exercise of the rights of data subjects referred to in Article 13 and Articles 15 to 19. The controller shall provide in particular mechanisms for facilitating the request for the actions referred to in Article 13 and Articles 15 to 19. Where personal data are processed by automated means, the controller shall also provide means for requests to be

1. The controller shall establish procedures for providing the information referred to in Article 14 and for the exercise of the rights of data subjects referred to in Article 13 and Articles 15 to 19. The controller shall provide in particular mechanisms for facilitating the request for the actions referred to in Article 13 and Articles 15 to 19. Where personal data are processed by automated means, the controller shall also provide means for requests to be made electronically where

1. The controller shall establish procedures for providing the take appropriate measures to provide any information referred to in Article 14 and 14a for the exercise of the rights of data subjects referred to in Article 13 and any communication under Articles 15 to 19 and 32 relating to the processing of personal data to the data subject in an intelligible and easily accessible form, using clear and plain language145. The information shall be provided in

144 DE, SE, SI and FI scrutiny reservation.
145 COM reservation on deletion.


made electronically.

possible.

writing, or where appropriate, electronically or by other means. The controller shall provide in particular mechanisms for facilitating the request for the actions referred to in Article 13 and Articles 15 to 19. Where personal data are processed by automated means, the controller shall also provide means for requests to be made electronically.

1a. The controller shall facilitate the exercise of data subject rights under Articles 15 to 19146.

2. The controller shall inform the data subject without delay and, at the latest within one month of receipt of the request, whether or not any action has been taken pursuant to Article 13 and Articles 15 to 19 and shall provide the requested information. This period may be prolonged for a further month, if several data subjects exercise their rights and their cooperation is necessary to a

2. The controller shall inform the data subject without undue delay and, at the latest within one month 40 calendar days of receipt of the request, whether or not any action has been taken pursuant to Article 13 and Articles 15 to 19 and shall provide the requested information. This period may be prolonged for a further month, if several data subjects exercise their rights and their cooperation is necessary to a

2. The controller shall provide the information referred to in Articles 14a and 15 and information on action taken on a request under Articles 16 to 19 to the data subject without undue delay and, at the latest within one month of receipt of the request147, whether or not any action has been taken pursuant to Article 13 and Articles 15 to 19 and shall provide the requested information.

146 SI and UK thought this paragraph should be deleted.
147 UK pleaded in favour of deleting the one-month period. BG and PT thought it more simple to revert to the requirement of 'without excessive delay' under the 1995 Data Protection Directive.


reasonable extent to prevent an unnecessary and disproportionate effort on the part of the controller. The information shall be given in writing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject.

reasonable extent to prevent an unnecessary and disproportionate effort on the part of the controller. The information shall be given in writing and, where possible, the controller may provide remote access to a secure system which would provide the data subject with direct access to their his or her personal data. Where the data subject makes the request in electronic form, the information shall be provided in electronic form where possible, unless otherwise requested by the data subject.

This period may be prolonged extended for a further two months when necessary, taking into account the complexity of the request and the number of the requests., if several data subjects exercise their rights and their cooperation is necessary to a reasonable extent to prevent an unnecessary and disproportionate effort on the part of the controller. The information shall be given in writing. Where the extended period applies, the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject informed within one month of receipt of the request of the reasons for the delay.

3. If the controller refuses to take action on the request of the data subject, the controller shall inform the data subject of the reasons for the refusal and on the possibilities of lodging a complaint to the supervisory authority and seeking a judicial remedy.

3. If the controller refuses to does not take action at the request of the data subject, the controller shall inform the data subject of the reasons for the refusal inaction and on the possibilities of lodging a complaint to the supervisory authority and seeking a judicial remedy.

3. If the controller refuses to does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for the refusal not taking action and on the possibilities possibility of


lodging a complaint to the a supervisory authority and seeking a judicial remedy.

4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge. Where requests are manifestly excessive, in particular because of their repetitive character, the controller may charge a fee for providing the information or taking the action requested, or the controller may not take the action requested. In that case, the controller shall bear the burden of proving the manifestly excessive character of the request.

4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge. Where requests are manifestly excessive, in particular because of their repetitive character, the controller may charge a reasonable fee taking into account the administrative costs for providing the information or taking the action requested, or the controller may not take the action requested. In that case, the controller shall bear the burden of proving the manifestly excessive character of the request.

4. The iInformation and the actions taken on requests referred to in paragraph 1 provided under Articles 14 and 14a and any communication under Articles 16 to 19 and 32 shall be provided free of charge. Where requests from a data subject are148 manifestly unfounded or excessive, in particular because of their repetitive character, the controller may charge a fee for providing the information or taking the action requested, or the controller may not take the action requested refuse to act on149 the request. In that case, the controller shall bear the burden of proving demonstrating the manifestly unfounded or excessive character of the request150.

4a. Without prejudice to Article 10, where the controller has

148 PL thought the criterion of 'manifestly excessive' required further clarification, e.g. through an additional recital. COM reservation on deletion.
149 NL scrutiny reservation: avoid that this gives the impression that public authority cannot refuse to consider request by citizen.
150 IT scrutiny reservation.


reasonable doubts concerning the identity of the individual making the request referred to in Articles 15 to 19, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the manifestly excessive requests and the fees referred to in paragraph 4.

deleted deleted

6. The Commission may lay down standard forms and specifying standard procedures for the communication referred to in paragraph 2, including the electronic format. In doing so, the Commission shall take the appropriate measures for micro, small and medium-sized enterprises. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

deleted deleted


Article 13 Article 13 Article 13

Amendment 108

Rights in relation to recipients

Rights in relation to recipients Notification requirement in the event of rectification and erasure

Rights in relation to recipients

The controller shall communicate any rectification or erasure carried out in accordance with Articles 16 and 17 to each recipient to whom the data have been disclosed, unless this proves impossible or involves a disproportionate effort.

The controller shall communicate any rectification or erasure carried out in accordance with Articles 16 and 17 to each recipient to whom the data have been disclosed transferred, unless this proves impossible or involves a disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests this.

deleted

Article 13 a (new)

Amendment 109

Standardised information policies

1. Where personal data relating to a data subject are collected, the controller shall provide the data subject with the following particulars before providing information pursuant to Article 14:


(a) whether personal data are collected beyond the minimum necessary for each specific purpose of the processing;

(b) whether personal data are retained beyond the minimum necessary for each specific purpose of the processing;

(c) whether personal data are processed for purposes other than the purposes for which they were collected;

(d) whether personal data are disseminated to commercial third parties;

(e) whether personal data are sold or rented out;

(f) whether personal data are retained in encrypted form.

2. The particulars referred to in paragraph 1 shall be presented pursuant to Annex to this Regulation in an aligned tabular format, using text and symbols, in the following three columns:


(a) the first column depicts graphical forms symbolising those particulars;

(b) the second column contains essential information describing those particulars;

(c) the third column depicts graphical forms indicating whether a specific particular is met.

3. The information referred to in paragraphs 1 and 2 shall be presented in an easily visible and clearly legible way and shall appear in a language easily understood by the consumers of the Member States to whom the information is provided. Where the particulars are presented electronically, they shall be machine readable.

4. Additional particulars shall not be provided. Detailed explanations or further remarks regarding the particulars referred to in paragraph 1 may be provided together with the other information requirements pursuant to Article 14.


5. The Commission shall be empowered to adopt, after requesting an opinion of the European Data Protection Board, delegated acts in accordance with Article 86 for the purpose of further specifying the particulars referred to in paragraph 1 and their presentation as referred to in paragraph 2 and in the Annex to this Regulation.


SECTION 2 SECTION 2 SECTION 2

INFORMATION AND ACCESS TO DATA

INFORMATION AND ACCESS TO DATA

INFORMATION AND ACCESS TO DATA

Article 14 Article 14 Article 14

Information to the data subject

Information to the data subject

Information to be provided where the data are collected from the data subject

Amendment 110

1. Where personal data relating to a data subject are collected, the controller shall provide the data subject with at least the following information:

1. Where personal data relating to a data subject are collected, the controller shall provide the data subject with at least the following information, after the particulars pursuant to Article 13a have been provided:

1151. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with at least the following information:

(a) the identity and the contact details of the controller and, if any, of the controller's representative and of the data protection officer;

(a) the identity and the contact details of the controller and, if any, of the controller's representative and of the data protection officer;

(a) the identity and the contact details of the controller and, if any, of the controller's representative; the controller may also include the contact details and of the data protection officer,

151 HU thought the legal basis of the processing should be included in the list.


if any;

(b) the purposes of the processing for which the personal data are intended, including the contract terms and general conditions where the processing is based on point (b) of Article 6(1) and the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);

(b) the purposes of the processing for which the personal data are intended, as well as information regarding the security of the processing of personal data, including the contract terms and general conditions where the processing is based on point (b) of Article 6(1) and the legitimate interests pursued by the controller where the processing is based on, where applicable, information on how they implement and meet the requirements of point (f) of Article 6(1);

(b) the purposes of the processing for which the personal data are intended, including the contract terms and general conditions where the processing is based on point (b) of Article 6(1) and the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);

1a. In addition to the information referred to in paragraph 1, the controller shall152 provide the data subject with such further information153 necessary to ensure fair and transparent processing in respect of the data subject154, having

152 DE, EE, and PL asked to insert "on request". DE, DK, NL and UK doubted whether the redraft would allow for a sufficient risk-based approach and warned against excessive administrative burdens/compliance costs. DK and UK in particular referred to the difficulty for controllers in assessing what is required under para. 1a in order to ensure fair and transparent processing. DE, EE and PL pleaded for making the obligation to provide this information contingent upon a request thereto as the controller might otherwise take a risk-averse approach and provide all the information under Article 14(1a), also in cases where not required. UK thought that many of the aspects set out in paragraph 1a of Article 14 (and paragraph 2 of Article 14a) could be left to guidance under Article 39.

153 CZ suggested adding the word 'obviously'.
154 FR scrutiny reservation.


regard to the specific circumstances and context in which the personal data are processed155:

(c) the period for which the personal data will be stored;

(c) the period for which the personal data will be stored, or if this is not possible, the criteria used to determine this period;

deleted

(b) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller;

(fc) the recipients or categories of recipients of the personal data156;

(gd) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and on the level of protection afforded by that third country or international organisation by reference to an adequacy decision by the Commission;

155 COM reservation on deletion of the words 'such as'.
156 AT and DE thought that this concept was too vague (does it e.g. encompass employees of the data controller?).


(d) the existence of the right to request from the controller access to and rectification or erasure of the personal data concerning the data subject or to object to the processing of such personal data;

(d) the existence of the right to request from the controller access to and rectification or erasure of the personal data concerning the data subject, or to object to the processing of such personal data, or to obtain data;

(de) the existence of the right to request from the controller access to and rectification or erasure of the personal data or restriction of processing of personal data concerning the data subject or and to object to the processing of such personal data157;

(e) the right to lodge a complaint to the supervisory authority and the contact details of the supervisory authority;

(e) the right to lodge a complaint to with the supervisory authority and the contact details of the supervisory authority;

(ef) the right to lodge a complaint to the a supervisory authority and the contact details of the supervisory authority;

(f) the recipients or categories of recipients of the personal data;

(f) the recipients or categories of recipients of the personal data;

moved under (c)

(g) where applicable, that the controller intends to transfer to a third country or international organisation and on the level of protection afforded by that third country or international organisation by reference to an adequacy decision by the Commission;

(g) where applicable, that the controller’s intends to transfer the data to a third country or international organisation and on the level of protection afforded by that third country or international organisation by reference to the existence or absence of an adequacy decision by the Commission, or in case of transfers referred to in Article 42, Article or 43, or point (h) of Article 44(1), reference to the

moved under (d) modified

157 The reference to direct marketing was deleted in view of comments by DK, FR, IT and SE.


appropriate safeguards and the means to obtain a copy of them;

(g) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as the possible consequences of failure to provide such data158; and

(ga) where applicable, information about the existence of profiling, of measures based on profiling, and the envisaged effects of profiling on the data subject;

(gb) meaningful information about the logic involved in any automated processing;

(h) the existence of automated decision making including -profiling referred to in Article 20(1) and (3) and information concerning (…) the processing, as well as the significance and the envisaged consequences of

158 CZ, DE, ES and NL reservation.


such processing for the data subject.159

(h) any further information necessary to guarantee fair processing in respect of the data subject, having regard to the specific circumstances in which the personal data are collected.

(h) any further information which is necessary to guarantee fair processing in respect of the data subject, having regard to the specific circumstances in which the personal data are collected or processed, in particular the existence of certain processing activities and operations for which a personal data impact assessment has indicated that there may be a high risk;

deleted

(ha) where applicable, information whether personal data was were provided to public authorities during the last consecutive 12-month period.

2. Where the personal data are collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, whether the provision of personal data is obligatory or voluntary, as well as the possible consequences

2. Where the personal data are collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, whether the provision of personal data is obligatory mandatory or voluntary optional, as well as the

deleted160

159 SE scrutiny reservation.
160 HU reservation on the deletion of this paragraph.


of failure to provide such data.

possible consequences of failure to provide such data.

2a. In deciding on further information which is necessary to make the processing fair under point (h) of paragraph 1, controllers shall have regard to any relevant guidance under Article 38 34.

3. Where the personal data are not collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, from which source the personal data originate.

3. Where the personal data are not collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, from which source the specific personal data originate. If personal data originate from publicly available sources, a general indication may be given.

deleted

4. The controller shall provide the information referred to in paragraphs 1, 2 and 3:

4. The controller shall provide the information referred to in paragraphs 1, 2 and 3:

deleted

(a) at the time when the personal data are obtained from the data subject; or

(a) at the time when the personal data are obtained from the data subject or without undue delay where the above is not feasible; or

deleted

(aa) on at the request by of a body, organization or association referred


to in Article 73;

(b) where the personal data are not collected from the data subject, at the time of the recording or within a reasonable period after the collection, having regard to the specific circumstances in which the data are collected or otherwise processed, or, if a disclosure to another recipient is envisaged, and at the latest when the data are first disclosed.

(b) where the personal data are not collected from the data subject, at the time of the recording or within a reasonable period after the collection, having regard to the specific circumstances in which the data are collected or otherwise processed, or, if a disclosure transfer to another recipient is envisaged, and at the latest when the data are first disclosed. at the time of the first transfer, or, if the data are to be used for communication with the data subject concerned, at the latest at the time of the first communication to that data subject; or

deleted

(ba) only on request where the data are processed by a small or micro enterprise which processes personal data only as an ancillary activity.

5. Paragraphs 1 to 4 shall not apply, where:

5. Paragraphs 1 to 4 shall not apply, where:

5. Paragraphs 1 to 41a shall not apply, where and insofar as the data subject already has the information.

(a) the data subject has already the information referred to in paragraphs 1, 2 and 3; or

(a) the data subject has already the information referred to in paragraphs 1, 2 and 3; or

merged with above 5.

(b) the data are not collected from the data subject and the provision of such information proves impossible or would involve a disproportionate effort; or

(b) the data are processed for historical, statistical or scientific research purposes subject to the conditions and safeguards referred to in Articles 81 and 83, are not collected from the data subject and the provision of such information proves impossible or would involve a disproportionate effort and the controller has published the information for anyone to retrieve; or

deleted

(c) the data are not collected from the data subject and recording or disclosure is expressly laid down by law; or

(c) the data are not collected from the data subject and recording or disclosure is expressly laid down by law to which the controller is subject, which provides appropriate measures to protect the data subject's legitimate interests, considering the risks represented by the processing and the nature of the personal data; or

deleted

(d) the data are not collected from the data subject and the provision of such information will impair the rights and freedoms of others, as defined in Union law or Member State law in accordance with Article 21.

(d) the data are not collected from the data subject and the provision of such information will impair the rights and freedoms of others other natural persons, as defined in Union law or Member State law in accordance with Article 21;

deleted

(da) the data are processed in the exercise of his profession by, or are entrusted or become known to, a person who is subject to an obligation of professional secrecy regulated by Union or Member State law or to a statutory obligation of secrecy, unless the data is collected directly from the data subject.

6. In the case referred to in point (b) of paragraph 5, the controller shall provide appropriate measures to protect the data subject's legitimate interests.

6. In the case referred to in point (b) of paragraph 5, the controller shall provide appropriate measures to protect the data subject's rights or legitimate interests.

deleted

7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria for categories of recipients referred to in point (f) of paragraph 1, the requirements for the notice of potential access referred to in point (g) of paragraph 1, the criteria for the further information necessary referred to in point (h) of paragraph 1 for specific sectors and situations, and the conditions and appropriate safeguards for the exceptions laid down in point (b) of paragraph 5. In doing so, the Commission shall take the appropriate measures for micro, small and medium-sized-enterprises.

deleted deleted

8. The Commission may lay down standard forms for providing the information referred to in paragraphs 1 to 3, taking into account the specific characteristics and needs of various sectors and data processing situations where necessary. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

deleted deleted

Article 14 a

Information to be provided where the data have not been obtained from the data subject161

1162. Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:

161 DE, EE, ES, NL (§§1+2), AT, PT scrutiny reservation.

162 HU thought the legal basis of the processing should be included in the list.

(a) the identity and the contact details of the controller and, if any, of the controller's representative; the controller may also include the contact details of the data protection officer, if any;

(b) the purposes of the processing for which the personal data are intended.

2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with such further information necessary to ensure fair and transparent processing in respect of the data subject, having regard to the specific circumstances and context163 in which the personal data are processed:

(a) the categories of personal data concerned;

(b) (…)

163 ES, IT and FR doubts on the addition of the words 'and context'.


(c) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller;

(d) the recipients or categories of recipients of the personal data;

(e) the existence of the right to request from the controller access to and rectification or erasure of the personal data concerning the data subject and to object to the processing of such personal data;

(f) the right to lodge a complaint to a supervisory authority;

(g) the origin of the personal data, unless the data originate from publicly accessible sources164;

(h) the existence of automated decision making including profiling referred to in Article 20(1) and (3) and information concerning the processing, as well as the significance and the envisaged consequences of such processing for the data subject.165

164 COM and AT scrutiny reservation.

3. The controller shall provide the information referred to in paragraphs 1 and 2166:

(a) within a reasonable period after obtaining the data, having regard to the specific circumstances in which the data are processed, or

(b) if a disclosure to another recipient is envisaged, at the latest when the data are first disclosed.

4. Paragraphs 1 to 3 shall not apply where and insofar as:

(a) the data subject already has the information; or

(b) the provision of such information proves impossible or would involve a disproportionate effort or is likely to render impossible or to seriously impair the achievement of the purposes of the processing167; in such cases the controller shall take appropriate measures to protect the data subject's legitimate interests168; or

165 PL asks for the deletion of the reference to 'logic'.

166 BE proposed to add: 'possibly through an easily accessible contact person where the data subject concerned can consult his data'. This is already covered by the modified recital 46.

(c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject, which provides appropriate measures to protect the data subject's legitimate interests169; or

(d) where the data originate from publicly available sources170; or

(e) where the data must remain confidential in accordance with a legal provision in Union or Member State law or because of the overriding legitimate interests of another person171.

167 COM scrutiny reservation.

168 Several delegations (DE, DK, FI, PL, SK, and LT) thought that in this Regulation (contrary to the 1995 Directive) the text should be specified so as to clarify both the concepts of 'appropriate measures' and of 'legitimate interests'. According to the Commission, this should be done through delegated acts under Article 15(7). DE warned that a dangerous situation might ensue if these delegated acts were not enacted in due time.

169 UK thought the requirement of a legal obligation was enough and no further appropriate measures should be required.

170 COM, IT and FR reservation on this exception. ES thought this concept required further clarification. DE and SE emphasised the importance of this exception.

4. Paragraphs 1 to 3 shall not apply where and insofar as:

(a) the data subject already has the information; or

(b) the provision of such information proves impossible or would involve a disproportionate effort or is likely to render impossible or to seriously impair the achievement of the purposes of the processing172; in such cases the controller shall take appropriate measures to protect the data subject's legitimate interests173; or

(c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject, which provides appropriate measures to protect the data subject's legitimate interests174; or

(d) where the data originate from publicly available sources175; or

(e) where the data must remain confidential in accordance with a legal provision in Union or Member State law or because of the overriding legitimate interests of another person176.

171 COM and AT reservation on (d) and (e). UK referred to the existence of case law regarding privilege (confidentiality). BE thought the reference to the overriding interests of another person was too broad.

172 COM scrutiny reservation.

173 Several delegations (DE, DK, FI, PL, SK, and LT) thought that in this Regulation (contrary to the 1995 Directive) the text should be specified so as to clarify both the concepts of 'appropriate measures' and of 'legitimate interests'. According to the Commission, this should be done through delegated acts under Article 15(7). DE warned that a dangerous situation might ensue if these delegated acts were not enacted in due time.

Article 15 Article 15 Article 15

Amendment 111

Right of access for the data subject Right of to access and to obtain data for the data subject

Right of access for the data subject177

1. The data subject shall have the right to obtain from the controller at any time, on request, confirmation as to whether or not personal data relating to the data subject are being processed. Where such personal data are being processed, the controller shall provide the following information:

1. The Subject to Article 12(4), the data subject shall have the right to obtain from the controller at any time, on request, confirmation as to whether or not personal data relating to the data subject are being processed. Where such personal data are being processed, and, in clear and plain language, the controller shall provide the following information:

1. The data subject shall have the right to obtain from the controller at reasonable intervals and free of charge178 any time, on request, confirmation as to whether or not personal data relating to the data subject concerning him or her are being processed and . Wwhere such personal data are being processed, the controller shall provide access to the data and the following information:

174 UK thought the requirement of a legal obligation was enough and no further appropriate measures should be required.

175 COM, IT and FR reservation on this exception. ES thought this concept required further clarification. DE and SE emphasised the importance of this exception.

176 COM and AT reservation on (d) and (e). UK referred to the existence of case law regarding privilege (confidentiality). BE thought the reference to the overriding interests of another person was too broad.

177 DE, FI and SE scrutiny reservation. DE, LU and UK expressed concerns on overlaps between Articles 14 and 15.

(a) the purposes of the processing;

(a) the purposes of the processing for each category of personal data;

(a) the purposes of the processing;

(b) the categories of personal data concerned;

(b) the categories of personal data concerned;

deleted

(c) the recipients or categories of recipients to whom the personal data are to be or have been disclosed, in particular to recipients in third countries;

(c) the recipients or categories of recipients to whom the personal data are to be or have been disclosed, in particular including to recipients in third countries;

(c) the recipients or categories of recipients to whom the personal data are to be or have been or will be disclosed, in particular to recipients in third countries179;

(d) the period for which the personal data will be stored;

(d) the period for which the personal data will be stored, or if this is not possible, the criteria used to determine this period;

(d) where possible, the envisaged180 period for which the personal data will be stored;

178 DE, ES, HU, IT and PL reservation on the possibility to charge a fee. DE, LV and SE thought that free access once a year should be guaranteed.

179 UK reservation on the reference to recipients in third countries. IT thought the concept of recipient should be clarified, inter alia by clearly excluding employees of the controller.

180 ES and UK proposed adding 'where possible'; FR reservation on 'where possible' and 'envisaged'; FR emphasised the need of providing an exception to archives.


(e) the existence of the right to request from the controller rectification or erasure of personal data concerning the data subject or to object to the processing of such personal data;

(e) the existence of the right to request from the controller rectification or erasure of personal data concerning the data subject or to object to the processing of such personal data;

(e) the existence of the right to request from the controller rectification or erasure of personal data concerning the data subject or to object to the processing of such personal data;

(f) the right to lodge a complaint to the supervisory authority and the contact details of the supervisory authority;

(f) the right to lodge a complaint to with the supervisory authority and the contact details of the supervisory authority;

(f) the right to lodge a complaint to a supervisory authority181 182;

(g) communication of the personal data undergoing processing and of any available information as to their source;

deleted

(g) where communication of the personal data undergoing processing and of are not collected from the data subject, any available information as to their source183

(h) the significance and envisaged consequences of such processing, at least in the case of measures referred to in Article 20.

(h) the significance and envisaged consequences of such processing, at least in the case of measures referred to in Article 20.;

(h) in the case of automated decision making including profiling referred to in Article 20(1) and (3), knowledge of the logic involved184 in any automated data processing as well as the significance and envisaged consequences of such processing, at least in the case of measures referred to in Article 20185.

181 DE thought it was too onerous to repeat this for every data subject and pointed to difficulties in ascertaining the competent DPA in its federal structure.

182 IT suggestion to delete subparagraphs (e) and (f) as under Article 14 this information should already be communicated to the data subject at the moment of the collection of the data.

183 SK scrutiny reservation: subparagraph (g) should be clarified.

184 PL reservation on the reference to 'logic': the underlying algorithm should not be disclosed. DE reservation on reference to decisions.

(ha) meaningful information about the logic involved in any automated processing;

(hb) without prejudice to Article 21, in the event of disclosure of personal data to a public authority as a result of a public authority request, confirmation of the fact that such a request has been made.

1a. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 42 relating to the transfer186.

1b. On request and without an excessive charge, the controller shall provide a copy of the personal data undergoing processing to the data subject.

185 NL scrutiny reservation. CZ and FR likewise harboured doubts on its exact scope.

186 FR and UK scrutiny reservation on links with Chapter V


2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject.

2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in an electronic form and structured format, unless otherwise requested by the data subject. Without prejudice to Article 10, the controller shall take all reasonable steps to verify that the person requesting access to the data is the data subject.

2. Where personal data supplied by the data subject are processed by automated means and in a structured and commonly used format, the controller shall, on request and without an excessive charge, provide a copy of the data concerning the data subject in that format to the data subject187.

2a. Where the data subject has provided the personal data where the personal data are processed by electronic means, the data subject shall have the right to obtain from the controller a copy of the provided personal data in an electronic and interoperable format which is commonly used and allows for further use by the data subject without hindrance from the controller from whom the personal data are withdrawn. Where technically feasible and available, the data shall be transferred directly from controller to controller at the request of the data subject.

2a. The right to obtain a copy referred to in paragraphs 1b and 2 shall not apply where such copy cannot be provided without disclosing personal data of other data subjects 188

187 COM, ES and FR reservation: they thought this was too narrowly drafted. DE, supported by UK, referred to the danger that data pertaining to a third party might be contained in such electronic copy. DE scrutiny reservation on relation to paragraph 1.

188 DE, supported by UK, referred to the danger that data pertaining to a third party might be contained in such electronic copy.

2b. This Article shall be without prejudice to the obligation to delete data when no longer necessary under point (e) of Article 5(1).

2c. There shall be no right of access in accordance with paragraphs 1 and 2 when data within the meaning of point (da) of Article 14(5) are concerned, except if the data subject is empowered to lift the secrecy in question and acts accordingly.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the communication to the data subject of the content of the personal data referred to in point (g) of paragraph 1.

deleted deleted

4. The Commission may specify standard forms and procedures for requesting and granting access to the information referred to in paragraph 1, including for verification of the identity of the data subject and communicating the personal data to the data subject, taking into account the specific features and necessities of various sectors and data processing situations. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

deleted deleted


SECTION 3 RECTIFICATION AND ERASURE

SECTION 3 RECTIFICATION AND ERASURE

SECTION 3 RECTIFICATION AND ERASURE

Article 16 Article 16 Article 16

Right to rectification Right to rectification Right to rectification

The data subject shall have the right to obtain from the controller the rectification of personal data relating to them which are inaccurate. The data subject shall have the right to obtain completion of incomplete personal data, including by way of supplementing a corrective statement.

The data subject shall have the right to obtain from the controller the rectification of personal data relating to them which are inaccurate. The data subject shall have the right to obtain completion of incomplete personal data, including by way of supplementing a corrective statement.

The data subject shall have the right189 to obtain from the controller the rectification of personal data relating to them concerning him or her which are inaccurate. Having regard the purposes for which data were processed, The the data subject shall have the right to obtain completion of incomplete personal data, including by way means of supplementing providing a corrective supplementary statement.

189 UK suggested to insert the qualification ' where reasonably practicable' UK also suggested inserting the qualification 'where necessary'.


Article 17 Article 17 Article 17

Amendment 112

Right to be forgotten and to erasure

Right to be forgotten and to erasure Right to be forgotten and to erasure190

1. The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which are made available by the data subject while he or she was a child, where one of the following grounds applies:

1. The data subject shall have the right to obtain from the controller the erasure of personal data relating to him or her and the abstention from further dissemination of such data, especially in relation to personal data which are made available by the data subject while he or she was a child, and to obtain from third parties the erasure of any links to, or copy or replication of, those data where one of the following grounds applies:

1. The data subject shall have the right to obtain from the controller shall have the obligation to erase the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which are made available by without undue delay and the data subject while he or she was a child, shall have the right to obtain the erasure of personal data without undue delay where one of the following grounds applies:

190 DE, EE, PT, SE, SI, FI and UK scrutiny reservation. EE, FR, NL, RO and SE reservation on the applicability to the public sector. Whereas some Member States have welcomed the proposal to introduce a right to be forgotten (AT, EE, FR, IE); other delegations were more sceptical as to the feasibility of introducing a right which would go beyond the right to obtain from the controller the erasure of one's own personal data (DE, DK, ES). The difficulties flowing from the household exception (UK), to apply such right to personal data posted on social media were highlighted (BE, DE, FR), but also the impossibility to apply such right to 'paper/offline' data was stressed (EE, LU, SI). Some delegations (DE, ES) also pointed to the possible externalities of such right when applied with fraudulent intent (e.g. when applying it to the financial sector). Several delegations referred to the challenge to make data subjects active in an online environment behave responsibly (DE, LU and UK) and queried whether the creation of such a right would not be counterproductive to the realisation of this challenge, by creating unreasonable expectations as to the possibilities of erasing data (DK, LU and UK). Some delegations thought that the right to be forgotten was rather an element of the right to privacy than part of data protection and should be balanced against the right to remember and access to information sources as part of the freedom of expression (DE, ES, LU, NL, SI, PT and UK). It was pointed out that the possibility for Member States to restrict the right to be forgotten under Article 21 where it interferes with the freedom of expression is not sufficient to allay all concerns in that regard as it would be difficult for controllers to make complex determinations about the balance with the freedom of expression, especially in view of the stiff sanctions provided in Article 79 (UK). In general several delegations (CZ, DE, FR) stressed the need for further examining the relationship between the right to be forgotten and other data protection rights. The Commission emphasised that its proposal was in no way meant to be a limitation of the freedom of expression. The inherent problems in enforcing such right in a globalised world outside the EU were cited as well as the possible consequences for the competitive position of EU companies linked thereto (BE, AT, LV, LU, NL, SE and SI).

(a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or when the storage period consented to has expired, and where there is no other legal ground for the processing of the data;

(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or when the storage period consented to has expired, and where there is no other legal ground for the processing of the data;

(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2) and when the storage period consented to has expired, and where there is no other legal ground for the processing of the data;

(c) the data subject objects to the processing of personal data pursuant to Article 19;

(c) the data subject objects to the processing of personal data pursuant to Article 19;

(c) the data subject objects to the processing of personal data pursuant to Article 19(1) and there are no overriding legitimate grounds for the processing or the data subject objects to the processing of personal data pursuant to Article 19(2) ;

(ca) a court or regulatory authority based in the Union has ruled as final and absolute that the data concerned must be erased;

(d) the processing of the data does not comply with this Regulation for other reasons.

(d) the processing of the data does not comply with this Regulation for other reasons has have been unlawfully processed.

(d) the processing of the data does not comply with this Regulation for other reasons have been unlawfully processed191;

(e) the data have to be erased for compliance with a legal obligation to which the controller is subject192 193.

1a. The application of paragraph 1 shall be dependent upon the ability of the controller to verify that the person requesting the erasure is the data subject.

2. Where the controllerreferred to in paragraph 1 has madethe personal data public, it shalltake all reasonable steps, includingtechnical measures, in relation to

2. Where the controller referred to inparagraph 1 has made the personaldata public without a justificationbased on Article 6(1), it shall take allreasonable steps, including technical

deleted

191 UK scrutiny reservation: this was overly broad.192 RO scrutiny reservation.193 DE pointed to the difficulties in determining who is the controller in respect of data who are copied/made available by other controllers (e.g. a search engine) than the initial

controller (e.g. a newspaper). AT opined that the exercise of the right to be forgotten would have take place in a gradual approach, first against the initial controller and subsequentlyagainst the 'secondary' controllers. ES referred to the problem of initial controllers that have disappeared and thought that in such cases the right to be forgotten could immediatelybe exercised against the 'secondary controllers' ES suggested adding in paragraph 2: 'Where the controller who permitted access to the personal data has disappeared, ceased to existor cannot be contacted by the data subject for other reasons, the data subject shall have the right to have other data controllers delete any link to copies or replications thereof'. TheCommission, however, replied that the right to be forgotten could not be exercised against journals exercising freedom of expression. According to the Commission, the indexation ofpersonal data by search engines is a processing activity not protected by the freedom of expression.


data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication.

measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication to have the data erased, including by third parties, without prejudice to Article 77. The controller shall inform the data subject, where possible, of the action taken by the relevant third parties.

2a. Where the controller194 has made the personal data public195 and is obliged pursuant to paragraph 1 to erase the data, the controller, taking account of

194 BE, DE and SI queried whether this also covered controllers (e.g. a search engine) other than the initial controller (e.g. a newspaper).

195 ES prefers referring to 'expressly or tacitly allowing third parties access to'. IE thought it would be more realistic to oblige controllers to erase personal data which are under their control, or reasonably accessible to them in the ordinary course of business, i.e. within the control of those with whom they have contractual and business relations. BE, supported by IE and LU, also remarked that the E-Commerce Directive should be taken into account (e.g. through a reference in a recital) and asked whether this proposed liability did not violate the exemption for information society services provided in that Directive (Article 12 of Directive 2000/31/EC of 8 June 2000), but COM replied there was no contradiction. LU pointed to a risk of obliging controllers in an online context to monitor all data traffic, which would be contrary to the principle of data minimization and in breach with the prohibition in Article 15 of the E-Commerce Directive to monitor transmitted information.


available technology and the cost of implementation196, shall take reasonable steps197, including technical measures, to inform controllers198 which are processing the data, that a data subject requests them to erase any links to, or copy or replication of that personal data199.

3. The controller shall carry out the erasure without delay, except to the extent that the retention of the personal data is necessary:

3. The controller and, where applicable, the third party shall carry out the erasure without delay, except to the extent that the retention of the personal data is necessary:

3. The controller shall carry out the erasure without delay, except Paragraphs 1 and 2a shall not apply200 to the extent that the retention processing of the personal data is necessary:

196 Further to NL suggestion. This may hopefully also accommodate the DE concern that the reference to available technology could be read as implying an obligation to always use the latest technology;

197 LU queried why the reference to all reasonable steps had not been inserted in paragraph 1 as well and SE, supported by DK, suggested clarifying it in a recital. COM replied that paragraph 1 expressed a results obligation whereas paragraph 2 was only an obligation to use one's best efforts. ES thought the term should rather be 'proportionate steps'. DE, ES and BG questioned the scope of this term. ES queried whether there was a duty on controllers to act proactively with a view to possible exercise of the right to be forgotten. DE warned against the 'chilling effect' such obligation might have on the exercise of the freedom of expression.

198 BE, supported by ES and FR, suggested referring to 'known' controllers (or third parties).

199 BE and ES queried whether this was also possible for the offline world and BE suggested to clearly distinguish the obligations of controllers between the online and offline world. Several Member States (CZ, DE, LU, NL, PL, PT, SE and SI) had doubts on the enforceability of this rule.

200 DE queried whether these exceptions also applied to the abstention from further dissemination of personal data. AT and DE pointed out that Article 6 contained an absolute obligation to erase data in the cases listed in that article and considered that it was therefore illogical to provide for exception in this paragraph.


(a) for exercising the right of freedom of expression in accordance with Article 80;

(a) for exercising the right of freedom of expression in accordance with Article 80;

(a) for exercising the right of freedom of expression in accordance with Article 80201;

(b) for compliance with a legal obligation to process the personal data by Union or Member State law to which the controller is subject202 or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller203;

(b) for reasons of public interest in the area of public health in accordance with Article 81;

(b) for reasons of public interest in the area of public health in accordance with Article 81;

(bc) for reasons of public interest in the area of public health in accordance with Article 81204;

(c) for historical, statistical and scientific research purposes in accordance with Article 83;

(c) for historical, statistical and scientific research purposes in accordance with Article 83;

(cd) for archiving purposes in the public interest or for historical, statistical and scientific research purposes in accordance with Article 83;

201 DE and EE asked why this exception had not been extended to individuals using their own freedom of expression (e.g. an individual blogger).

202 In general DE thought it was a strange legal construct to lay down exceptions to EU obligations by reference to national law. DK and SI were also critical in this regard. UK thought there should be an exception for creditworthiness and credit scoring, which is needed to facilitate responsible lending, as well as for judicial proceedings. IT suggested inserting a reference to Article 21 (1).

203 AT scrutiny reservation.

204 DK queried whether this exception implied that a doctor could refuse to erase a patient's personal data notwithstanding an explicit request to that end from the latter. ES and DE indicated that this related to the more general question of how to resolve differences of view between the data subject and the data controller, especially in cases where the interests of third parties were at stake. PL asked what was the relation to Article 21.


(d) for compliance with a legal obligation to retain the personal data by Union or Member State law to which the controller is subject; Member State laws shall meet an objective of public interest, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued;

(d) for compliance with a legal obligation to retain the personal data by Union or Member State law to which the controller is subject; Member State laws shall meet an objective of public interest, respect the right to the protection of personal data and be proportionate to the legitimate aim pursued;

deleted

(e) in the cases referred to in paragraph 4.

(e) in the cases referred to in paragraph 4.

deleted

(g) for the establishment, exercise or defence of legal claims.

4. Instead of erasure, the controller shall restrict processing of personal data where:

4. Instead of erasure, the controller shall restrict processing of personal data in such a way that it is not subject to the normal data access and processing operations and cannot be changed anymore, where:

deleted

(a) their accuracy is contested by the data subject, for a period enabling the controller to verify the accuracy of the data;

(a) their accuracy is contested by the data subject, for a period enabling the controller to verify the accuracy of the data;

deleted

(b) the controller no longer needs the personal data for the accomplishment of its task but they have to be maintained for purposes of proof;

(b) the controller no longer needs the personal data for the accomplishment of its task but they have to be maintained for purposes of proof;

deleted

(c) the processing is unlawful and the data subject opposes their erasure and requests the restriction of their use instead;

(c) the processing is unlawful and the data subject opposes their erasure and requests the restriction of their use instead;

deleted

(ca) a court or regulatory authority based in the Union has ruled as final and absolute than the processing that the data concerned must be restricted;

(d) the data subject requests to transmit the personal data into another automated processing system in accordance with Article 18(2).

(d) the data subject requests to transmit the personal data into another automated processing system in accordance with paragraphs 2a of Article 18(2).15;

deleted

(da) the particular type of storage technology does not allow for erasure and has been installed before the entry into force of this Regulation.

5. Personal data referred to in paragraph 4 may, with the exception of storage, only be processed for purposes of proof, or

5. Personal data referred to in paragraph 4 may, with the exception of storage, only be processed for purposes of proof, or with the data

deleted


with the data subject's consent, or for the protection of the rights of another natural or legal person or for an objective of public interest.

subject's consent, or for the protection of the rights of another natural or legal person or for an objective of public interest.

6. Where processing of personal data is restricted pursuant to paragraph 4, the controller shall inform the data subject before lifting the restriction on processing.

6. Where processing of personal data is restricted pursuant to paragraph 4, the controller shall inform the data subject before lifting the restriction on processing.

deleted

7. The controller shall implement mechanisms to ensure that the time limits established for the erasure of personal data and/or for a periodic review of the need for the storage of the data are observed.

deleted deleted

8. Where the erasure is carried out, the controller shall not otherwise process such personal data.

8. Where the erasure is carried out, the controller shall not otherwise process such personal data.

deleted

8a. The controller shall implement mechanisms to ensure that the time limits established for the erasure of personal data and/or for a periodic review of the need for the storage of the data are observed.

9. The Commission shall be empowered to adopt delegated acts

9. The Commission shall be empowered to adopt, after

deleted


in accordance with Article 86 for the purpose of further specifying:

requesting an opinion of the European Data Protection Board, delegated acts in accordance with Article 86 for the purpose of further specifying:

(a) the criteria and requirements for the application of paragraph 1 for specific sectors and in specific data processing situations;

(a) the criteria and requirements for the application of paragraph 1 for specific sectors and in specific data processing situations;

deleted

(b) the conditions for deleting links, copies or replications of personal data from publicly available communication services as referred to in paragraph 2;

(b) the conditions for deleting links, copies or replications of personal data from publicly available communication services as referred to in paragraph 2;

deleted

(c) the criteria and conditions for restricting the processing of personal data referred to in paragraph 4.

(c) the criteria and conditions for restricting the processing of personal data referred to in paragraph 4.

deleted

Article 17a

Right to restriction of processing

1. The data subject shall have the right to obtain from the controller the restriction of the processing of personal data where:


(a) the accuracy of the data is contested by the data subject, for a period enabling the controller to verify the accuracy of the data205;

(b) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or

(c) he or she has objected to processing pursuant to Article 19(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

2. deleted

3. Where processing of personal data has been restricted under paragraph 1, such data may, with the exception of storage, only be processed with the data subject's consent or for

205 FR scrutiny reservation: FR thought the cases in which this could apply, should be specified.


the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest206.

4. A data subject who obtained the restriction of processing pursuant to paragraph 1 (…) shall be informed by the controller before the restriction of processing is lifted207.

Article 17b

Notification obligation regarding rectification, erasure or restriction208

The controller shall communicate any rectification, erasure or restriction of

206 DE, ES and SI asked who was to define the concept of public interest. DE reservation.

207 DE, PT, SI and IT thought that this paragraph should be a general obligation regarding processing, not limited to the exercise of the right to be forgotten. DK likewise thought the first sentence should be moved to Article 22.

208 Whilst several delegations agreed with this proposed draft and were of the opinion that it added nothing new to the existing obligations under the 1995 Directive, some delegations (DE, PL, SK and NL) pointed to the possibly far-reaching impact in view of the data multiplication since 1995, which made it necessary to clearly specify the exact obligations flowing from this proposed article. Thus, DE was opposed to a general obligation to log all the disclosures to recipients. DE also pointed out that the obligation should exclude cases where legitimate interests of the data subject would be harmed by a further communication to the recipients, that is not the case if the recipient would for the first time learn negative information about the data subject in which he has no justified interest. BE and ES asked that the concept of a 'disproportionate effort' be clarified in a recital.


processing carried out in accordance with Articles 16, 17(1) and 17a to each recipient209 to whom the data have been disclosed, unless this proves impossible or involves a disproportionate effort.

Article 18 Article 18 Article 18

Amendment 113

Right to data portability Right to data portability Right to data portability210

1. The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic and structured format

deleted deleted

209 BE, supported by ES and FR, suggested referring to 'known' recipients.

210 UK reservation: while it supports the concept of data portability in principle, the UK considers it not within scope of data protection, but in consumer or competition law. Several other delegations (DK, DE, FR, IE, NL, PL and SE) also wondered whether this was not rather a rule of competition law and/or intellectual property law or how it related to these fields of law. Therefore the UK thinks this article should be deleted. NL and CZ thought its scope should be limited to social media. DE, DK and UK pointed to the risks for the competitive positions of companies if they were to be obliged to apply this rule unqualifiedly and referred to/raises serious issues about intellectual property and commercial confidentiality for all controllers. DE, FI, SE and UK also underscored the considerable administrative burdens this article would imply. DE and FR referred to services, such as health services where the exercise of the right to data portability might endanger on-going research or the continuity of the service. Reference was also made to an increased risk of fraud as it may be used to fraudulently obtain the data of innocent data subjects (UK). DE, ES, FR, HU, IE and PL were in principle supportive of this right. SK thought that the article was unenforceable and DE referred to the difficulty/impossibility to apply this right in 'multi-data subject' cases where a single 'copy' would contain data from several data subjects, who might not necessarily agree or even be known or could not be contacted. BE, CZ and RO thought that the exclusion of the public sector should be mentioned not only in recital 55, but also here (ES was opposed thereto).


which is commonly used and allows for further use by the data subject.

2. Where the data subject has provided the personal data and the processing is based on consent or on a contract, the data subject shall have the right to transmit those personal data and any other information provided by the data subject and retained by an automated processing system, into another one, in an electronic format which is commonly used, without hindrance from the controller from whom the personal data are withdrawn.

deleted

2. Where tThe data subject has provided shall have the right to transmit the personal data211 concerning him or her which he or she has provided to a controller and the processing is based on consent or on a contract, the data subject shall have the right to transmit those personal data and any other information provided by the data subject and retained by an automated processing system, into another one, in an electronic format which is controller in a commonly used212 and213 machine-readable format, without hindrance from the controller from whom the personal data are withdrawn to which the data have been provided to, where.

211 PL suggested to specify that this pertained to personal data in their non-aggregated or non-modified form. DE also queried about the scope of this right, in particular whether it could extend to data generated by the controller or data posted by third persons.

212 DE and FI queried whether this meant the scope was restricted to currently used formats (excluding future developments) and whether it implied an obligation for controllers to use one of these commonly used formats.

213 PT thought 'and' should be deleted.


(a) the processing is based on consent or on a contract pursuant to points (a) and (b) of Article 6 (2) or point (a) of Article 9 (2); and

(b) the processing is carried out by automated means214.

2a. The exercise of this right shall be without prejudice to Article 17.

2aa. The right referred to in paragraph 2 shall be without prejudice to intellectual property rights in relation to the processing of the those personal data215.

3. The Commission may specify the electronic format referred to in paragraph 1 and the technical standards, modalities and procedures for the transmission of personal data pursuant to paragraph 2. Those implementing acts shall be

deleted

2. The Commission may specify the electronic format referred to in paragraph 1 and the technical standards, modalities and procedures for the transmission of personal data pursuant to paragraph 2. Those

214 BE, DE, ES, IE, FI and FR these delegations thought emphasis should be put on the right to withdraw data, also with a view to creating an added value as compared to the right to obtain a copy of personal data. VY and HU also thought the obligation of the controller should be emphasised.

215 ES thought there should be an exception in case disproportionate efforts would be required.


adopted in accordance with the examination procedure referred to in Article 87(2).

implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2) 216.

216 FR, HU, SE and UK reservation: this would be better set out in the Regulation itself.


SECTION 4

RIGHT TO OBJECT AND PROFILING

SECTION 4

RIGHT TO OBJECT AND PROFILING

SECTION 4

RIGHT TO OBJECT AND PROFILING

Article 19 Article 19 Article 19

Right to object Right to object Right to object217

Amendment 114

1. The data subject shall have the right to object, on grounds relating to their particular situation, at any time to the processing of personal data which is based on points (d), (e) and (f) of Article 6(1), unless the controller demonstrates compelling legitimate grounds for the processing which override the interests or fundamental rights and freedoms of the data subject.

1. The data subject shall have the right to object, on grounds relating to their particular situation, at any time to the processing of personal data which is based on points (d), and (e) and (f) of Article 6(1), unless the controller demonstrates compelling legitimate grounds for the processing which override the interests or fundamental rights and freedoms of the data subject.

1. The data subject shall have the right to object, on reasoned218 grounds relating to their his or her particular situation, at any time to the processing of personal data concerning him or her which is based on points (d), (e) and (f) of Article 6(1) 219; the personal data shall no longer be processed, unless the controller demonstrates compelling legitimate grounds for the processing which override the

217 DE, ES, EE, AT, SI, SK and UK scrutiny reservation.

218 COM reservation.

219 The reference to point (e) of Article 6(1) was deleted in view of the objections by BE, CZ, DE, DK, FR and HU. COM reservation on deletion. UK, supported by DE, queried whether the right to object would still apply in a case where different grounds for processing applied simultaneously, some of which are not listed in Article 6. ES and LU queried why Article 6(1) (c) was not listed here.


interests or fundamental rights and freedoms of the data subject220.

1a. Where an objection is upheld pursuant to paragraph 1, the controller shall no longer221 process the personal data concerned except for the establishment, exercise or defence of legal claims222.

2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object free of charge to the processing of their personal data for such marketing. This right shall be explicitly offered to the data subject in an intelligible manner and shall be clearly distinguishable from other

2. Where the processing of personal data are processed for direct marketing purposes is based on point (f) of Article 6(1), the data subject shall have, at any time and without any further justification, the right to object free of charge in general or for any particular purpose to the processing of his or her personal data for such marketing.

2. Where personal data are processed for direct marketing223 purposes, the data subject shall have the right to object free of charge at any time to the processing of their personal data concerning him or her for such marketing. This right shall be explicitly offered to brought to the attention of the data subject in

220 SE scrutiny reservation: SE and NL queried the need to put the burden of proof on the controller regarding the existence of compelling legitimate grounds. DE and FI queried the need for new criteria, other than those from the 1995 Directive. COM stressed that the link with the 'particular situation' was made in order to avoid whimsical objections. CZ also stated that this risked making processing of data an exceptional situation due to the heavy burden of proof. NL and SE queried whether the right would also allow objecting to any processing by third parties.

221 ES proposed to reformulate the last part of this paragraph as follows: 'shall inform the data subject of the compelling legitimate reasons applicable as referred to in paragraph 1 above, or otherwise shall no longer use or otherwise process the personal data concerned'.

222 UK proposed adding ' for demonstrating compliance with the obligations imposed under this instrument'. This might also cover the concern raised by DE that a controller should still be able to process data for the execution of a contract if the data were obtained further to a contractual legal basis. CZ, DK, EE, IT, SE and UK have likewise emphasised the need for allowing to demonstrate compliance. CZ and SK also referred to the possibility of further processing on other grounds.

223 FR and UK underlined the need to have clarity regarding the exact content of this concept, possibly through a definition of direct marketing. DE asked which cases were covered exactly.


information.

This right shall be explicitly offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information.

an intelligible manner and shall be clearly distinguishable presented clearly and separately from any other information224.

2a. The right referred to in paragraph 2 shall be explicitly offered to the data subject in an intelligible manner and form, using clear and plain language, in particular if addressed specifically to a child, and shall be clearly distinguishable from other information.

2a. Where the data subject objects to the processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

2b. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the right to object may be exercised by automated means using a technical standard which allows the data subject to clearly express his or her wishes.

224 At the request of several delegations (FR, LT, PT), COM confirmed that this paragraph was not meant to create an opt-in system and that the E-Privacy Directive would remain unaffected. DE feels there is a need to clarify the relationship between Article 19(2) on the one hand and Article 6(1)(f) and Article 6(4) on the other. It can be concluded from the right to object that direct marketing without consent is possible on the basis of a weighing of interests. On the other hand, Article 6(1)(f) no longer refers to the interests of third parties and Article 6(4) also no longer refers to Article 6(1)(f) in regard to data processing which changes the original purpose. DE is therefore of the opinion that this also needs to be clarified in view of online advertising and Directive 2002/58/EC and Article 89 of the Proposal for a Regulation.


3. Where an objection is upheld pursuant to paragraphs 1 and 2, the controller shall no longer use or otherwise process the personal data concerned.

3. Where an objection is upheld pursuant to paragraphs 1 and 2, the controller shall no longer use or otherwise process the personal data concerned for the purposes determined in the objection.

deleted

Article 20 Article 20 Article 20

Amendment 115

Measures based on profiling Measures based on profiling Profiling

Measures based on pProfiling

1. Every natural person shallhave the right not to be subject to ameasure which produces legaleffects concerning this naturalperson or significantly affects thisnatural person, and which is basedsolely on automated processingintended to evaluate certainpersonal aspects relating to thisnatural person or to analyse orpredict in particular the naturalperson's performance at work,economic situation, location,health, personal preferences,reliability or behaviour.

1. Without prejudice to the provisions in Article 6, Every every natural person shall have the right to object not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour profiling in

1. Every natural person The data subject shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which decision evaluating personal aspects relating to him or her, which is based solely on automated processing, intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal


accordance with Article 19. The data subject shall be informed about the right to object to profiling in a highly visible manner.

preferences, reliability or behaviour including profiling, and produces legal effects concerning him or her or significantly225

affects him or her.

1a. A data subject may be subject to a decision] referred to in paragraph 1 only if it

(a) is necessary for entering into, or performance of, a contract between the data subject and a data controller 226; or

(b) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's legitimate interests; or

(c) is based on the data subject's explicit consent.

1b. In cases referred to in paragraph 1a) the data controller

225 DE and PL wondered whether automated data processing was the right criterion for selecting high risk data processing operations and provided some examples of automated data processing operation which it did not consider as high risk. DE and ES pointed out that there are also cases of automated data processing which actually were aimed at increasing the level of data protection (e.g. in case of children that are automatically excluded from certain advertising).

226 NL had proposed to use the wording 'and arrangements allowing him to put his point of view, inspired by Article 15 of Directive 95/46. BE suggested adding this for each case referred in paragraph 2.


shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, such as the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision227:

2. Subject to the other provisions of this Regulation, a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing:

2. Subject to the other provisions of this Regulation, a person may be subjected to a measure of the kind referred to in paragraph 1 profiling which leads to measures producing legal effects concerning the data subject or does similarly significantly affect the interests, rights or freedoms of the concerned data subject only if the processing:

deleted

(a) is carried out in the course of the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the

(a) is carried out in the course of necessary for the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where, provided that suitable measures to safeguard the data subject's legitimate interests have

deleted

227 NL had proposed to use the wording 'and arrangements allowing him to put his point of view, inspired by Article 15 of Directive 95/46.


right to obtain human intervention; or

been adduced, such as the right to obtain human intervention; or

(b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests; or

(b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests;

deleted

(c) is based on the data subject's consent, subject to the conditions laid down in Article 7 and to suitable safeguards.

(c) is based on the data subject's consent, subject to the conditions laid down in Article 7 and to suitable safeguards.

deleted

3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not be based solely on the special categories of personal data referred to in Article 9.

3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person Profiling that has the effect of discriminating against individuals on the basis of race or ethnic origin, political opinions, religion or beliefs, trade union membership, sexual orientation or gender identity, or that results in measures which have such effect, shall be prohibited. The controller shall implement effective protection against possible discrimination

3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person Decisions referred to in paragraph 1a shall not be based solely on the special categories of personal data referred to in Article 9(1), unless points (a) or (g) of Article 9(2) apply and suitable measures to safeguard the data subject's legitimate interests228 are in place.

228 BE, FR, IT, PL, PT, AT, SE and UK reservation FR and AT reservation on the compatibility with the E-Privacy Directive. BE would prefer to reinstate the term 'solely based', but FR and DE had previously pointed out that 'not … solely' could empty this prohibition of its meaning by allowing sensitive data to be profiled together with other non-sensitive personal data. DE would prefer to insert a reference to the use of pseudonymous data.


resulting from profiling. Profiling shall not be based solely on the special categories of personal data referred to in Article 9.

4. In the cases referred to in paragraph 2, the information to be provided by the controller under Article 14 shall include information as to the existence of processing for a measure of the kind referred to in paragraph 1 and the envisaged effects of such processing on the data subject.

deleted deleted

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for suitable measures to safeguard the data subject's legitimate interests referred to in paragraph 2.

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for Profiling which leads to measures producing legal effects concerning the data subject or does similarly significantly affect the interests, rights or freedoms of the concerned data subject shall not be based solely or predominantly on automated processing and shall include human assessment, including an explanation of the decision reached after such an

deleted


assessment. The suitable measures to safeguard the data subject's legitimate interests referred to in paragraph 2 shall include the right to obtain human assessment and an explanation of the decision reached after such assessment.

5a. The European Data Protection Board shall be entrusted with the task of issuing guidelines, recommendations and best practices in accordance with point (b) of Article 66(1) for further specifying the criteria and conditions for profiling pursuant to paragraph 2.


SECTION 5 RESTRICTIONS

SECTION 5 RESTRICTIONS

SECTION 5 RESTRICTIONS

Article 21 Article 21 Article 21

Restrictions Restrictions Restrictions229

Amendment 116

1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in points (a) to (e) of Article 5 and Articles 11 to 20 and Article 32, when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard:

1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in points (a) to (e) of Article 5 and Articles 11 to 20 19 and Article 32, when such a restriction constitutes meets a clearly defined objective of public interest, respects the essence of the right to protection of personal data, is proportionate to the legitimate aim pursued and respects the fundamental rights and interests of the data subject and is a necessary and proportionate measure in a

1. Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in points (a) to (e) of Article 5 and Articles 11 12 to 20 and Article 32, as well as Article 5 230 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 20, when such a restriction constitutes a necessary and proportionate measure in a democratic society to

229 SI and UK scrutiny reservation. SE and UK wondered why paragraph 2 of Article 13 of the 1995 Data Protection Directive had not been copied here. DE, supported by DK, HU, RO, PT and SI, stated that para. 1 should not only permit restrictions of the rights of data subjects but also their extension. For example, Article 20(2)(b) requires that Member States lay down 'suitable measures to safeguard the data subject’s legitimate interests', which, when they take on the form of extended rights of access to information as provided for under German law in the case of profiling to assess creditworthiness (credit scoring), go beyond the Proposal for a Regulation.

230 AT reservation.


democratic society to safeguard: safeguard:

(aa) national security;

(ab) defence;

(a) public security; (a) public security; (a) public security;

(b) the prevention, investigation, detection and prosecution of criminal offences;

(b) the prevention, investigation, detection and prosecution of criminal offences;

(b) the prevention, investigation, detection and prosecution of criminal offences and for these purposes, safeguarding public security231, or the execution of criminal penalties;

(c) other public interests of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters and the protection of market stability and integrity;

(c) other public interests of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters and the protection of market stability and integrity;

(c) other important objectives of general public interests of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security, and the protection of market stability and integrity;

(ca) the protection of judicial independence and judicial proceedings;

231 The wording of points (b), and possibly also point (a), will have to be discussed again in the future in the light of the discussions on the relevant wording of the text of the Data Protection Directive for police and judicial cooperation.


(d) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

(d) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

(d) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

(e) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (a), (b), (c) and (d);

(e) a monitoring, inspection or regulatory function connected, even occasionally, with in the framework of the exercise of official a competent public authority in cases referred to in (a), (b), (c) and (d);

(e) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority in cases referred to in (aa), (ab), (a) (b), (c) and (d);

(f) the protection of the data subject or the rights and freedoms of others.

(f) the protection of the data subject or the rights and freedoms of others.

(f) the protection of the data subject or the rights and freedoms of others.;

(g) the enforcement of civil law claims.

2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least as to the objectives to be pursued by the processing and the determination of the controller.

2. In particular, any legislative measure referred to in paragraph 1 must be necessary and proportionate in a democratic society and shall contain specific provisions at least as to the objectives to be pursued by the processing and the determination of the controller.:

(a) the objectives to be pursued by the processing;

2. In particular, aAny legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to the objectives to be pursued by the processing and the determination purposes of the processing or categories of processing, the categories of personal data, the scope of the restrictions introduced, the specification of the controller or categories of


(b) the determination of the controller;

(c) the specific purposes and means of processing;

(d) the safeguards to prevent abuse or unlawful access or transfer;

(e) the right of data subjects to be informed about the restriction.

controllers, the storage periods and the applicable safeguards taking into account of the nature, scope and purposes of the processing or categories of processing and the risks for the rights and freedoms of data subjects.

2a. Legislative measures referred to in paragraph 1 shall neither permit nor oblige private controllers to retain data additional to those strictly necessary for the original purpose.


232 SI and UK scrutiny reservation on the entire chapter. BE, DE, NL and UK have not been convinced by the figures provided by COM according to which the reduction of administrative burdens doing away with the general notification obligation on controllers, outbalanced any additional administrative burdens and compliance costs flowing from the proposed Regulation.

CHAPTER IV CONTROLLER AND PROCESSOR

CHAPTER IV CONTROLLER AND PROCESSOR

CHAPTER IV CONTROLLER AND PROCESSOR232

SECTION 1 GENERAL OBLIGATIONS

SECTION 1 GENERAL OBLIGATIONS

SECTION 1 GENERAL OBLIGATIONS

Article 22 Article 22 Article 22

Amendment 117

Responsibility of the controller Responsibility and accountability of the controller

Responsibility Obligations of the controller

1. The controller shall adopt policies and implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation.

1. The controller shall adopt appropriate policies and implement appropriate and demonstrable technical and organisational measures to ensure and be able to demonstrate in a transparent manner that the processing of personal data is performed in compliance with this Regulation, having regard to the state of the art, the nature of personal data processing, the context, scope and purposes of processing, the risks

1. Taking into account the nature, scope context and purposes of the processing as well as the likelihood and severity of risk for the rights and freedoms of individuals, The the controller shall adopt policies and implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation.


for the rights and freedoms of the data subjects and the type of the organisation, both at the time of the determination of the means for processing and at the time of the processing itself.

1a. Having regard to the state of the art and the cost of implementation, the controller shall take all reasonable steps to implement compliance policies and procedures that persistently respect the autonomous choices of data subjects. These compliance policies shall be reviewed at least every two years and updated where necessary.

2. The measures provided for in paragraph 1 shall in particular include:

deleted deleted

(a) keeping the documentation pursuant to Article 28;

deleted deleted

(b) implementing the data security requirements laid down in Article 30;

deleted deleted

(c) performing a data protection impact assessment pursuant to

deleted deleted


233 HU, RO and PL thought this wording allowed too much leeway to controllers. AT thought that in particular for the respects to time limits and the reference to the proportionality was problematic.

Article 33;

(d) complying with the requirements for prior authorisation or prior consultation of the supervisory authority pursuant to Article 34(1) and (2);

deleted deleted

(e) designating a data protection officer pursuant to Article 35(1).

deleted deleted

2a. Where proportionate in relation to the processing activities233, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.

2b. Adherence to approved codes of conduct pursuant to Article 38 or an approved certification mechanism pursuant to Article 39 may be used as an element to demonstrate compliance with the obligations of the controller.

3. The controller shall implement mechanisms to ensure

3. The controller shall implement mechanisms to ensure the

deleted


the verification of the effectiveness of the measures referred to in paragraphs 1 and 2. If proportionate, this verification shall be carried out by independent internal or external auditors.

verification of the be able to demonstrate the adequacy and effectiveness of the measures referred to in paragraphs 1 and 2. If proportionate, this verification shall be carried out by independent internal or external auditors Any regular general reports of the activities of the controller, such as the obligatory reports by publicly traded companies, shall contain a summary description of the policies and measures referred to in paragraph 1.

3a. The controller shall have the right to transmit personal data inside the Union within the group of undertakings the controller is part of, where such processing is necessary for legitimate internal administrative purposes between connected business areas of the group of undertakings and an adequate level of data protection as well as the interests of the data subjects are safeguarded by internal data protection provisions or equivalent codes of conduct as referred to in Article 38.


4. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of specifying any further criteria and requirements for appropriate measures referred to in paragraph 1 other than those already referred to in paragraph 2, the conditions for the verification and auditing mechanisms referred to in paragraph 3 and as regards the criteria for proportionality under paragraph 3, and considering specific measures for micro, small and medium-sized-enterprises.

deleted deleted

Article 23 Article 23 Article 23

Data protection by design and by default

Data protection by design and by default

Data protection by design and by default

Amendment 118

1. Having regard to the state of the art and the cost of implementation, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and

1. Having regard to the state of the art and the cost of implementation, current technical knowledge, international best practices and the risks represented by the data processing, the controller and the processor, if any, shall, both at the time of the determination of the

1. Having regard to available technology the state of the art and the cost of implementation and taking account of the nature, scope, context and purposes of the processing as well as the likelihood and severity of the risk for rights and freedoms of


234 DE thought that, in view of Article 5(c), the principle of data economy and avoidance, as well as anonymisation and pseudonymisation should be listed as key options for implementation. This debate will however need to take place in the context of a debate on pseudonymising personal data.

organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

purposes and means for processing and at the time of the processing itself, implement appropriate and proportionate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular with regard to the principles laid down in Article 5. Data protection by design shall have particular regard to the entire lifecycle management of personal data from collection to processing to deletion, systematically focusing on comprehensive procedural safeguards regarding the accuracy, confidentiality, integrity, physical security and deletion of personal data. Where the controller has carried out a data protection impact assessment pursuant to Article 33, the results shall be taken into account when developing those measures and procedures.

individuals posed by the processing, the controllers shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures appropriate to the processing activity being carried out and its objectives, [including minimisation and pseudonymisation234], and procedures in such a way that the processing will meet the requirements of this Regulation and ensure protect the protection of the rights of the data subjects.


1a. In order to foster its widespread implementation in different economic sectors, data protection by design shall be a prerequisite for public procurement tenders according to Directive 2004/18/EC of the European Parliament and of the Council48a1 as well as according to Directive 2004/17/EC of the European Parliament and of the Council48b2 (Utilities Directive).

48a1 Directive 2004/18/EC of the European Parliament and of the Council of 31 March 2004 on the coordination of procedures for the award of public works contracts, public supply contracts and public service contracts (OJ L 134, 30.4.2004, p. 114).

48b2 Directive 2004/17/EC of the European Parliament and of the Council of 31 March 2004 coordinating the procurement procedures of entities operating in the water, energy, transport and postal services sector (OJ L 134, 30.4.2004, p. 1)


235 CZ would prefer "not excessive". This term may be changed again in the future in the context of the debate on the wording of Article 5(1)(c).

2. The controller shall implement mechanisms for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals.

2. The controller shall implement mechanisms for ensuring ensure that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or, retained or disseminated beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals and that data subjects are able to control the distribution of their personal data.

2. The controller shall implement mechanisms appropriate measures for ensuring that, by default, only those personal data are processed which are necessary235 for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of are processed; this applies to the amount of the data collected, the extent of their processing, and the time period of their storage and their accessibility. Where the purpose of the processing is not intended to provide the public with information In particular, those mechanisms shall ensure that by default personal data are not made accessible without human intervention to an indefinite number of individuals.

2a. An approved certification mechanism pursuant to Article 39 may be used as an element to demonstrate compliance with the


requirements set out in paragraphs 1 and 2.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of specifying any further criteria and requirements for appropriate measures and mechanisms referred to in paragraph 1 and 2, in particular for data protection by design requirements applicable across sectors, products and services.

deleted deleted

4. The Commission may lay down technical standards for the requirements laid down in paragraph 1 and 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

deleted deleted


236 SI reservation; it warned against potential legal conflicts on the allocation of the liability and SI therefore thought this article should be further revisited in the context of the future debate on Chapter VIII. FR also thought the allocation of liability between the controller and the processor is very vague and CZ expressed doubts about the enforceability of this provision in the private sector outside arrangements within a group of undertakings and thought it should contain a safeguard against outsourcing of responsibility.

Article 24 Article 24 Article 24

Joint controllers Joint controllers Joint controllers236

Amendment 119

Where a controller determines the purposes, conditions and means of the processing of personal data jointly with others, the joint controllers shall determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the procedures and mechanisms for exercising the rights of the data subject, by means of an arrangement between them.

Where a controller determines several controllers jointly determine the purposes, conditions and means of the processing of personal data jointly with others, the joint controllers shall determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the procedures and mechanisms for exercising the rights of the data subject, by means of an arrangement between them. The arrangement shall duly reflect the joint controllers' respective effective roles and relationships vis-à-vis data subjects, and the essence of the arrangement shall be made available for the data subject. In case of unclarity of the responsibility, the controllers shall

1. Where two or more acontrollers determines thepurposes, conditions and means ofthe processing of personal datajointly with others, they are jointcontrollers. They shall in atransparent manner determinetheir respective responsibilities forcompliance with the obligationsunder this Regulation, in particularas regards the procedures andmechanisms for exercising of therights of the data subject and theirrespective duties to provide theinformation referred to in Articles14 and 14a, by means of anarrangement between them unless,and in so far as, the respectiveresponsibilities of the controllersare determined by Union orMember State law to which thecontrollers are subject. The


be jointly and severally liable.

arrangement shall designate which of the joint controllers shall act as single point of contact for data subjects to exercise their rights.

2. Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the (…) controllers.

3. The arrangement shall duly reflect the joint controllers’ respective effective roles and relationships vis-à-vis data subjects, and the essence of the arrangement shall be made available for the data subject. Paragraph 2 does not apply where the data subject has been informed in a transparent and unequivocal manner which of the joint controllers is responsible, unless such arrangement other than one determined by Union or Member State law is unfair with regard to his or her rights (…)


237 HU, SE and UK reservation.

Article 25 Article 25 Article 25

Representatives of controllers not established in the Union

Representatives of controllers not established in the Union

Representatives of controllers not established in the Union

Amendment 120

1. In the situation referred to in Article 3(2), the controller shall designate a representative in the Union.

1. In the situation referred to in Article 3(2), the controller shall designate a representative in the Union.

1. In the situation referred to in Where Article 3(2) applies, the controller shall designate in writing a representative in the Union.

2. This obligation shall not apply to:

2. This obligation shall not apply to: 2. This obligation shall not apply to:

(a) a controller established in a third country where the Commission has decided that the third country ensures an adequate level of protection in accordance with Article 41; or

(a) a controller established in a third country where the Commission has decided that the third country ensures an adequate level of protection in accordance with Article 41; or

deleted

(b) an enterprise employing fewer than 250 persons; or

(b) an enterprise employing fewer than 250 persons a controller processing personal data which relates to less than 5000 data subjects during any consecutive 12-month period are and not processing special categories of personal data as referred to in

(b) an enterprise employing fewer than 250 persons processing which is occasional237 and unlikely to result in a (…) risk for the rights and freedoms of individuals, taking into account the nature, context, scope and purposes of the


Article 9(1), location data or data on children or employees in large-scale filing systems; or

processing; or

(c) a public authority or body; or

(c) a public authority or body; or (c) a public authority or body; or

(d) a controller offering only occasionally goods or services to data subjects residing in the Union.

(d) a controller offering only occasionally offering goods or services to data subjects residing in the Union, unless the processing of personal data concerns special categories of personal data as referred to in Article 9(1), location data or data on children or employees in large-scale filing systems.

deleted

3. The representative shall be established in one of those Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, reside.

3. The representative shall be established in one of those Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them the data subjects, or whose behaviour is monitored, reside the monitoring of them, takes place.

3. The representative shall be established in one of those Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, reside.

3a. The representative shall be mandated by the controller to be addressed in addition to or instead of the controller by, in particular,


238 The Presidency suggest completing Article 5(2) with the words "also in case of personal data being processed on its behalf by a processor". This may also need further discussion in the context of the future debate on liability in the context of Chapter VIII.

supervisory authorities and data subjects, on all issues related to the processing of personal data, for the purposes of ensuring compliance with this Regulation.

4. The designation of a representative by the controller shall be without prejudice to legal actions which could be initiated against the controller itself.

4. The designation of a representative by the controller shall be without prejudice to legal actions which could be initiated against the controller itself.

4. The designation of a representative by the controller shall be without prejudice to legal actions which could be initiated against the controller itself.

Article 26 Article 26 Article 26

Processor Processor Processor

Amendment 121

1. Where a processing operation is to be carried out on behalf of a controller, the controller shall choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights

1. Where a processing operation is to be carried out on behalf of a controller, the controller shall choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of

1. Where a processing operation is to be carried out on behalf of a controller, 238the The controller shall choose use only a processors providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and


239 LU and FI were concerned that this might constitute an undue interference with contractual freedom.

of the data subject, in particular in respect of the technical security measures and organizational measures governing the processing to be carried out and shall ensure compliance with those measures.

the data subject, in particular in respect of the technical security measures and organisational measures governing the processing to be carried out and shall ensure compliance with those measures.

ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organizational measures governing the processing to be carried out and shall ensure compliance with those measures.

1a. The processor shall not enlist another processor without the prior specific or general written consent of the controller. In the latter case, the processor should always inform the controller on any intended changes concerning the addition or replacement of other processors, thereby giving the opportunity to the controller to object to such changes239.

2. The carrying out of processing by a processor shall be governed by a contract or other legal act binding the processor to the controller and stipulating in particular that the processor shall:

2. The carrying out of processing by a processor shall be governed by a contract or other legal act binding the processor to the controller. The controller and the processor shall be free to determine respective roles and tasks with respect to the requirements of this Regulation, and shall provide that and stipulating in particular that the

2. The carrying out of processing by a processor shall be governed by a contract or other a legal act under Union or Member State law binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of


processor shall:

data subjects, the rights of binding the processor to the controller and stipulating in particular that the processor shall:

(a) act only on instructions from the controller, in particular, where the transfer of the personal data used is prohibited;

(a) act process personal data only on instructions from the controller, in particular, where the transfer of the personal data used is prohibited, unless otherwise required by Union law or Member State law;

(a) process the personal data act only on instructions from the controller, in particular, where the transfer of the personal data used is prohibited unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing the data, unless that law prohibits such information on important grounds of public interest;

(b) employ only staff who have committed themselves to confidentiality or are under a statutory obligation of confidentiality;

(b) employ only staff who have committed themselves to confidentiality or are under a statutory obligation of confidentiality;

deleted

(c) take all required measures pursuant to Article 30;

(c) take all required measures pursuant to Article 30;

(c) take all required measures pursuant to Article 30;

(d) enlist another processor only with the prior permission of the controller;

(d) enlist determine the conditions for enlisting another processor only with the prior permission of the controller, unless otherwise

(d) respect the conditions for enlisting another processor only with the prior permission such as a requirement of specific prior


determined;

permission of the controller;

(e) insofar as this is possible given the nature of the processing, create in agreement with the controller the necessary technical and organisational requirements for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III;

(e) insofar as this is possible given the nature of the processing, create in agreement with the controller the necessary appropriate and relevant technical and organisational requirements for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III;

(e) insofar as this is possible given taking into account the nature of the processing, assist create in agreement with the controller the necessary technical and organisational requirements for the fulfilment of the controller’s obligation to in responding to requests for exercising the data subject’s rights laid down in Chapter III;

(f) assist the controller in ensuring compliance with the obligations pursuant to Articles 30 to 34;

(f) assist the controller in ensuring compliance with the obligations pursuant to Articles 30 to 34, taking into account the nature of processing and the information available to the processor;

(f) assist the controller in ensuring compliance with the obligations pursuant to Articles 30 to 34;

(g) hand over all results to the controller after the end of the processing and not process the personal data otherwise;

(g) hand over return all results to the controller after the end of the processing, and not process the personal data otherwise and delete existing copies unless Union or Member State law requires storage of the data;

(g) hand over all results to return or delete, at the choice of the controller after the end of the processing and not process the personal data otherwise upon the termination of the provision of data processing services specified in the contract or other legal act, unless there is a requirement to store the data under Union or Member State law to which the


240 HU suggested qualifying this reference to EU or MS law by adding 'binding that other processor to the initial processor'.

processor is subject;

(h) make available to the controller and the supervisory authority all information necessary to control compliance with the obligations laid down in this Article.

(h) make available to the controller and the supervisory authority all information necessary to control demonstrate compliance with the obligations laid down in this Article and allow on-site inspections;

(h) make available to the controller and the supervisory authority all information necessary to control demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits conducted by the controller.

The processor shall immediately inform the controller if, in his opinion, an instruction breaches this Regulation or Union or Member State data protection provisions.

2a. Where a processor enlists another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 2 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law240, in


241 FR reservation; SK suggested specifying that where the other processor fails to fulfil its data protection obligations under such contract or other legal act, the processor shall remain fully liable to the controller for the performance of the other processor’s obligation. By authorising the processor to subcontract itself and not obliging the sub-processor to have a contractual relationship with the controller, it should ensure enough legal certainty for the controller in terms of liability. The principle of liability of the main processor for any breaches of sub-processor is provided in clause 11 of Model clause 2010/87 and BCR processor and is therefore the current standard. It also suggested deleting the reference to Article 2aa.

particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a way that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.

2aa. Adherence of the processor to an approved code of conduct pursuant to Article 38 or an approved certification mechanism pursuant to Article 39241 may be used as an element to demonstrate sufficient guarantees referred to in paragraphs 1 and 2a.

2ab. Without prejudice to an individual contract between the controller and the processor, the


242 PL was worried about a scenario in which the Commission would not act. CY and FR were opposed to conferring this role to COM (FR could possibly accept it for the EDPB).

contract or the other legal act referred to in paragraphs 2 and 2a may be based, in whole or in part, on standard contractual clauses referred to in paragraphs 2b and 2c or on standard contractual clauses which are part of a certification granted to the controller or processor pursuant to Articles 39 and 39a.

2b. The Commission may lay down standard contractual clauses for the matters referred to in paragraph 2 and 2a and in accordance with the examination procedure referred to in Article 87(2) 242.

2c. A supervisory authority may adopt standard contractual clauses for the matters referred to in paragraph 2 and 2a and in accordance with the consistency mechanism referred to in Article 57.

3. The controller and the processor shall document in writing the controller's instructions and the

3. The controller and the processor shall document in writing the controller's instructions and the

3. The controller and the processor shall document in writing the controller's instructions and the


243 COM reservation on deletion.

processor's obligations referred to in paragraph 2.

processor's obligations referred to in paragraph 2.

processor's obligations referred to in paragraph 2 The contract or the other legal act referred to in paragraphs 2 and 2a shall be in writing, including in an electronic form.

3a. The sufficient guarantees referred to in paragraph 1 may be demonstrated by adherence to codes of conduct or certification mechanisms pursuant to Articles 38 or 39 of this Regulation.

4. If a processor processes personal data other than as instructed by the controller, the processor shall be considered to be a controller in respect of that processing and shall be subject to the rules on joint controllers laid down in Article 24.

4. If a processor processes personal data other than as instructed by the controller or becomes the determining party in relation to the purposes and means of data processing, the processor shall be considered to be a controller in respect of that processing and shall be subject to the rules on joint controllers laid down in Article 24.

deleted

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the

deleted deleted243


244 AT scrutiny reservation.

responsibilities, duties and tasks in relation to a processor in line with paragraph 1, and conditions which allow facilitating the processing of personal data within a group of undertakings, in particular for the purposes of control and reporting.

Article 27 Article 27 Article 27

Processing under the authority of the controller and processor

Processing under the authority of the controller and processor

Processing under the authority of the controller and processor

The processor and any person acting under the authority of the controller or of the processor who has access to personal data shall not process them except on instructions from the controller, unless required to do so by Union or Member State law.

The processor and any person acting under the authority of the controller or of the processor who has access to personal data shall not process them except on instructions from the controller, unless required to do so by Union or Member State law.

deleted

Article 28 Article 28 Article 28

Documentation Documentation Records of categories of personal data processing activities244

Amendment 122

1. Each controller and 1. Each controller and processor 1. Each controller and processor


processor and, if any, the controller's representative, shall maintain documentation of all processing operations under its responsibility.

and, if any, the controller's representative, shall maintain regularly updated documentation of all processing operations under its responsibility necessary to fulfill the requirements laid down in this Regulation.

and, if any, the controller's representative, shall maintain a record documentation of all categories of personal data processing operations activities under its responsibility. The documentation This record shall contain at least the following information:

2. The documentation shall contain at least the following information:

2. The In addition, each controller and processor shall maintain documentation shall contain at least of the following information:

Merged with 1. above and slightly modified

(a) the name and contact details of the controller, or any joint controller or processor, and of the representative, if any;

(a) the name and contact details of the controller, or any joint controller or processor, and of the representative, if any;

(a) the name and contact details of the controller, or and any joint controller or processor, and of the controller's representative and data protection officer, if any;

(b) the name and contact details of the data protection officer, if any;

(b) the name and contact details of the data protection officer, if any;

deleted

(c) the purposes of the processing, including the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);

deleted (c) the purposes of the processing, including the legitimate interests pursued by the controller where when the processing is based on point (f) of Article 6(1)(f);


(d) a description of categories of data subjects and of the categories of personal data relating to them;

deleted (d) a description of categories of data subjects and of the categories of personal data relating to them;

(e) the recipients or categories of recipients of the personal data, including the controllers to whom personal data are disclosed for the legitimate interest pursued by them;

(e) the recipients or categories of recipients of the personal data, including name and contact details of the controllers to whom personal data are disclosed for the legitimate interest pursued by them, if any;

(e) the recipients or categories of recipients of to whom the personal data, including the controllers to whom personal data are have been or will be disclosed for the legitimate interest pursued by them in particular recipients in third countries;

(f) where applicable, transfers of data to a third country or an international organisation, including the identification of that third country or international organisation and, in case of transfers referred to in point (h) of Article 44(1), the documentation of appropriate safeguards;

deleted (f) where applicable, the categories of transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in case of transfers referred to in point (h) of Article 44(1), the documentation of appropriate safeguards;

(g) a general indication of the time limits for erasure of the different categories of data;

deleted (g) where possible, the envisaged a general indication of the time limits for erasure of the different categories of data;

(h) the description of the deleted (h) where possible, a general


mechanisms referred to in Article 22(3).

description of the technical and organisational security measures the description of the mechanisms referred to in Article 2230(31).

2a. Each processor shall maintain a record of all categories of personal data processing activities carried out on behalf of a controller, containing:

(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and of the controller's representative, if any;

(b) the name and contact details of the data protection officer, if any;

(c) the categories of processing carried out on behalf of each controller;

(d) where applicable, the categories of transfers of personal data to a third country or an international organisation;


(e) where possible, a general description of the technical and organisational security measures referred to in Article 30(1).

3a. The records referred to in paragraphs 1 and 2a shall be in writing, including in an electronic or other non-legible form which is capable of being converted into a legible form.

3. The controller and the processor and, if any, the controller's representative, shall make the documentation available, on request, to the supervisory authority.

deleted 3. On request, The the controller and the processor and, if any, the controller's representative, shall make the documentation record available, on request, to the supervisory authority.

4. The obligations referred to in paragraphs 1 and 2 shall not apply to the following controllers and processors:

deleted 4. The obligations referred to in paragraphs 1 and 2a shall not apply to the following controllers and processors:

(a) a natural person processing personal data without a commercial interest; or

deleted (a) a natural person processing personal data without a commercial interest; or

(b) an enterprise or an organisation employing fewer than 250 persons that is processing

deleted (b) an enterprise or an organisation employing fewer than 250 persons that is unless the


personal data only as an activity ancillary to its main activities.

processing personal data only as an activity ancillary to its main activities it carries out is likely to result in a high risk for the rights and freedoms of data subject such as discrimination, identity theft or fraud, [breach of pseudonymity,] financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other economic or social disadvantage for the data subjects, taking into account the nature, scope, context and purposes of the processing; or

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the documentation referred to in paragraph 1, to take account of in particular the responsibilities of the controller and the processor and, if any, the controller's representative.

deleted deleted

6. The Commission may lay down standard forms for the documentation referred to in paragraph 1. Those implementing

deleted deleted


acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

Article 29 Article 29 Article 29

Co-operation with the supervisory authority

Co-operation with the supervisory authority

Co-operation with the supervisory authority

Amendment 123

1. The controller and the processor and, if any, the representative of the controller, shall co-operate, on request, with the supervisory authority in the performance of its duties, in particular by providing the information referred to in point (a) of Article 53(2) and by granting access as provided in point (b) of that paragraph.

1. The controller and, if any, the processor and, if any, the representative of the controller, shall co-operate, on request, with the supervisory authority in the performance of its duties, in particular by providing the information referred to in point (a) of Article 53(2) and by granting access as provided in point (b) of that paragraph.

deleted

2. In response to the supervisory authority's exercise of its powers under Article 53(2), the controller and the processor shall reply to the supervisory authority within a reasonable period to be specified by the supervisory authority. The reply shall include a description of the measures taken

2. In response to the supervisory authority's exercise of its powers under Article 53(2), the controller and the processor shall reply to the supervisory authority within a reasonable period to be specified by the supervisory authority. The reply shall include a description of the measures taken

deleted


and the results achieved, in response to the remarks of the supervisory authority.

and the results achieved, in response to the remarks of the supervisory authority.


SECTION 2 DATA SECURITY

SECTION 2 DATA SECURITY

SECTION 2 DATA SECURITY

Article 30 Article 30 Article 30

Security of processing Security of processing Security of processing

Amendment 124

1. The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation.

1. The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, taking into account the results of a data protection impact assessment pursuant to Article 33, having regard to the state of the art and the costs of their implementation.

1. Having regard to available technology and the costs of implementation and taking into account the nature, scope, context and purposes of the processing as well as the likelihood and severity of the risk for the rights and freedoms of individuals, The the controller and the processor shall implement appropriate technical and organisational measures[, including pseudonymisation of personal data] to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation.

1a. Having regard to the state of the art and the cost of

1a. In assessing the appropriate level of security account shall be


implementation, such a security policy shall include:

taken in particular of the risks that are presented by data processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

(a) the ability to ensure that the integrity of the personal data is validated;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data;

(c) the ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident that impacts the availability, integrity and confidentiality of information systems and services;

(d) in the case of sensitive personal data processing according to Articles 8 and 9, additional security measures to ensure situational awareness of risks and the ability


to take preventive, corrective and mitigating action in near real time against vulnerabilities or incidents detected that could pose a risk to the data;

(e) a process for regularly testing, assessing and evaluating the effectiveness of security policies, procedures and plans put in place to ensure ongoing effectiveness.

2. The controller and the processor shall, following an evaluation of the risks, take the measures referred to in paragraph 1 to protect personal data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorised disclosure, dissemination or access, or alteration of personal data.

2. The controller and the processor shall, following an evaluation of the risks, take the measures referred to in paragraph 1 to protect personal data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorised disclosure, dissemination or access, or alteration of personal data. shall at least:

deleted

(a) ensure that personal data can be accessed only by authorised personnel for legally authorised purposes;

2a. Adherence to approved codes of conduct pursuant to Article 38


or an approved certification mechanism pursuant to Article 39 may be used as an element to demonstrate compliance with the requirements set out in paragraph 1.

(b) protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure; and

2b. The controller and processor shall take steps to ensure that any person acting under the authority of the controller or the processor who has access to personal data shall not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.

(c) ensure the implementation of a security policy with respect to the processing of personal data.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for

3. The Commission European Data Protection Board shall be empowered to adopt delegated acts

deleted


the purpose of further specifying the criteria and conditions for the technical and organisational measures referred to in paragraphs 1 and 2, including the determinations of what constitutes the state of the art, for specific sectors and in specific data processing situations, in particular taking account of developments in technology and solutions for privacy by design and data protection by default, unless paragraph 4 applies.

in accordance with Article 86 for the purpose of further specifying the criteria and conditions entrusted with the task of issuing guidelines, recommendations and best practices in accordance with point (b) of Article 66(1) for the technical and organisational measures referred to in paragraphs 1 and 2, including the determinations of what constitutes the state of the art, for specific sectors and in specific data processing situations, in particular taking account of developments in technology and solutions for privacy by design and data protection by default, unless paragraph 4 applies.

4. The Commission may adopt, where necessary, implementing acts for specifying the requirements laid down in paragraphs 1 and 2 to various situations, in particular to:

deleted deleted

(a) prevent any unauthorised access to personal data;

deleted deleted

(b) prevent any unauthorised disclosure, reading, copying, modification, erasure or removal of

deleted deleted


245 AT and SI scrutiny reservation. COM reservation: the consistency with the E-Privacy Directive regime should be safeguarded; SI thought this alignment could be achieved by deleting "high" before "risk" in Articles 31 and 32.

personal data;

(c) ensure the verification of the lawfulness of processing operations.

deleted deleted

Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

deleted deleted

Article 31 Article 31 Article 31

Notification of a personal data breach to the supervisory authority

Notification of a personal data breach to the supervisory authority

Notification of a personal data breach to the supervisory authority245

Amendment 125

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases

1. In the case of a personal data breach which is likely to result in a high risk for the rights and freedoms of individuals, such as discrimination, identity theft or fraud, financial loss, [breach of (…) pseudonymity], damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other significant


246 AT and PL thought this paragraph should be deleted.

where it is not made within 24 hours.

where it is not made within 24 hours.

economic or social disadvantage, the controller shall without undue delay and, where feasible, not later than 24 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 51. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 72 hours.

1a. The notification referred to in paragraph 1 shall not be required if a communication to the data subject is not required under Article 32(3)(a) and (b)246.

2. Pursuant to point (f) of Article 26(2), the processor shall alert and inform the controller immediately after the establishment of a personal data breach.

2. Pursuant to point (f) of Article 26(2), the The processor shall alert and inform the controller immediately without undue delay after the establishment of a personal data breach.

2. Pursuant to point (f) of Article 26(2), the The processor shall alert notify and inform the controller immediately after the establishment without undue delay after becoming aware of a personal data breach.

3. The notification referred to 3. The notification referred to in 3. The notification referred to in


in paragraph 1 must at least: paragraph 1 must at least: paragraph 1 must at least:

(a) describe the nature of the personal data breach including the categories and number of data subjects concerned and the categories and number of data records concerned;

(a) describe the nature of the personal data breach including the categories and number of data subjects concerned and the categories and number of data records concerned;

(a) describe the nature of the personal data breach including where possible and appropriate, the approximate categories and number of data subjects concerned and the categories and approximate number of data records concerned;

(b) communicate the identity and contact details of the data protection officer or other contact point where more information can be obtained;

(b) communicate the identity and contact details of the data protection officer or other contact point where more information can be obtained;

(b) communicate the identity and contact details of the data protection officer or other contact point where more information can be obtained;

(c) recommend measures to mitigate the possible adverse effects of the personal data breach;

(c) recommend measures to mitigate the possible adverse effects of the personal data breach;

deleted

(d) describe the consequences of the personal data breach;

(d) describe the consequences of the personal data breach;

(d) describe the likely consequences of the personal data breach identified by the controller;

(e) describe the measures proposed or taken by the controller to address the personal data breach.

(e) describe the measures proposed or taken by the controller to address the personal data breach and/or mitigate its effects.

The information may if necessary be provided in phases.

(e) describe the measures taken or proposed or to be taken by the controller to address the personal data breach.; and


(f) where appropriate, indicate measures to mitigate the possible adverse effects of the personal data breach.

3a. Where, and in so far as, it is not possible to provide the information referred to in paragraph 3 (d), (e) and (f) at the same time as the information referred to in points (a) and (b) of paragraph 3, the controller shall provide this information without undue further delay.

4. The controller shall document any personal data breaches, comprising the facts surrounding the breach, its effects and the remedial action taken. This documentation must enable the supervisory authority to verify compliance with this Article. The documentation shall only include the information necessary for that purpose.

4. The controller shall document any personal data breaches, comprising the facts surrounding the breach, its effects and the remedial action taken. This documentation must be sufficient to enable the supervisory authority to verify compliance with this Article and with Article 30. The documentation shall only include the information necessary for that purpose.

4. The controller shall document any personal data breaches referred to in paragraphs 1 and 2, comprising the facts surrounding the breach, its effects and the remedial action taken. This documentation must enable the supervisory authority to verify compliance with this Article. The documentation shall only include the information necessary for that purpose.

4a. The supervisory authority shall keep a public register of the types of breaches notified.


247 COM reservation on deletion.

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for establishing the data breach referred to in paragraphs 1 and 2 and for the particular circumstances in which a controller and a processor is required to notify the personal data breach.

5. The Commission European Data Protection Board shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose entrusted with the task of further specifying the criteria and requirements issuing guidelines, recommendations and best practices in accordance with point (b) of Article 66(1) for establishing the data breach and determining the undue delay referred to in paragraphs 1 and 2 and for the particular circumstances in which a controller and a processor is are required to notify the personal data breach.

deleted

6. The Commission may lay down the standard format of such notification to the supervisory authority, the procedures applicable to the notification requirement and the form and the modalities for the documentation referred to in paragraph 4, including the time limits for erasure of the information contained therein. Those implementing acts shall be adopted

deleted deleted247


248 AT scrutiny reservation. COM reservation: the consistency with the E-Privacy Directive regime should be safeguarded.

in accordance with the examination procedure referred to in Article 87(2).

Article 32 Article 32 Article 32

Communication of a personal data breach to the data subject

Communication of a personal data breach to the data subject

Communication of a personal data breach to the data subject248

Amendment 126

1. When the personal data breach is likely to adversely affect the protection of the personal data or privacy of the data subject, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay.

1. When the personal data breach is likely to adversely affect the protection of the personal data, the or privacy, the rights or the legitimate interests of the data subject, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay.

1. When the personal data breach is likely to adversely affect the protection of the personal data or privacy of the data subject result in a high risk for the rights and freedoms of individuals, such as discrimination, identity theft or fraud, financial loss, damage to the reputation, [breach of pseudonymity], loss of confidentiality of data protected by professional secrecy or any other significant economic or social disadvantage, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay.


2. The communication to the data subject referred to in paragraph 1 shall describe the nature of the personal data breach and contain at least the information and the recommendations provided for in points (b) and (c) of Article 31(3).

2. The communication to the data subject referred to in paragraph 1 shall be comprehensive and use clear and plain language. It shall describe the nature of the personal data breach and contain at least the information and the recommendations provided for in points (b) and, (c) and (d) of Article 31(3) and information about the rights of the data subject, including redress.

2. The communication to the data subject referred to in paragraph 1 shall describe the nature of the personal data breach and contain at least the information and the recommendations provided for in points (b), (e) and (cf) of Article 31(3).

3. The communication of a personal data breach to the data subject shall not be required if the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the personal data breach. Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it.

3. The communication of a personal data breach to the data subject shall not be required if the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the personal data breach. Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it.

3. The communication of a personal data breach to the data subject referred to in paragraph 1 shall not be required if:

a. the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological and organisational protection measures, and that those measures were applied to the data concerned affected by the personal data breach, in particular those that . Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it, such as


encryption; or

b. the controller has taken subsequent measures which ensure that the high risk for the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise; or

c. it would involve disproportionate effort, in particular owing to the number of cases involved. In such case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner; or

d. it would adversely affect a substantial public interest.

4. Without prejudice to the controller's obligation to communicate the personal data breach to the data subject, if the controller has not already communicated the personal data breach to the data subject of the personal data breach, the supervisory authority, having considered the likely adverse

4. Without prejudice to the controller's obligation to communicate the personal data breach to the data subject, if the controller has not already communicated the personal data breach to the data subject of the personal data breach, the supervisory authority, having considered the likely adverse effects

deleted


249 COM reservation on deletion.

effects of the breach, may require it to do so.

of the breach, may require it to do so.

5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements as to the circumstances in which a personal data breach is likely to adversely affect the personal data referred to in paragraph 1.

5. The Commission European Data Protection Board shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose entrusted with the task of further specifying the criteria and requirements issuing guidelines, recommendations and best practices in accordance with point (b) of Article 66(1) as to the circumstances in which a personal data breach is likely to adversely affect the personal data, the privacy, the rights or the legitimate interests of the data subject referred to in paragraph 1.

deleted

6. The Commission may lay down the format of the communication to the data subject referred to in paragraph 1 and the procedures applicable to that communication. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article

deleted deleted249


87(2).

Amendment 127

Article 32a

Respect to Risk

1. The controller, or where applicable the processor, shall carry out a risk analysis of the potential impact of the intended data processing on the rights and freedoms of the data subjects, assessing whether its processing operations are likely to present specific risks.

2. The following processing operations are likely to present specific risks:

(a) processing of personal data relating to more than 5000 data subjects during any consecutive 12-month period;

(b) processing of special categories of personal data as referred to in Article 9(1), location data or data on children or employees in large


scale filing systems;

(c) profiling on which measures are based that produce legal effects concerning the individual or similarly significantly affect the individual;

(d) processing of personal data for the provision of health care, epidemiological researches, or surveys of mental or infectious diseases, where the data are processed for taking measures or decisions regarding specific individuals on a large scale;

(e) automated monitoring of publicly accessible areas on a large scale;

(f) other processing operations for which the consultation of the data protection officer or supervisory authority is required pursuant to point (b) of Article 34(2);

(g) where a personal data breach would likely adversely affect the protection of the personal data, the privacy, the rights or the legitimate


interests of the data subject;

(h) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects;

(i) where personal data are made accessible to a number of persons which cannot reasonably be expected to be limited.

3. According to the result of the risk analysis:

(a) where any of the processing operations referred to in points (a) or (b) of paragraph 2 exist, controllers not established in the Union shall designate a representative in the Union in line with the requirements and exemptions laid down in Article 25;

(b) where any of the processing operations referred to in points (a), (b) or (h) of paragraph 2 exist, the controller shall designate a data


protection officer in line with the requirements and exemptions laid down in Article 35;

(c) where any of the processing operations referred to in points (a), (b), (c), (d), (e), (f), (g) or (h) of paragraph 2 exist, the controller or the processor acting on the controller's behalf shall carry out a data protection impact assessment pursuant to Article 33;

(d) where processing operations referred to in point (f) of paragraph 2 exist, the controller shall consult the data protection officer, or in case a data protection officer has not been appointed, the supervisory authority pursuant to Article 34.

4. The risk analysis shall be reviewed at the latest after one year, or immediately, if the nature, the scope or the purposes of the data processing operations change significantly. Where pursuant to point (c) of paragraph 3 the controller is not obliged to carry out a data protection impact assessment, the risk analysis shall


250 FR, HU, AT and COM expressed doubts on the concept of new types of processing, which is now clarified in recital 70. UK thought this obligation should not apply where there is an overriding public interest for the processing to take place (such as a public health emergency).

251 FR, RO, SK and UK warned against the considerable administrative burdens flowing from the proposed obligation. The UK considers that any requirements to carry out a data protection impact assessment should be limited to those cases where there is an identified high risk to the rights of data subjects.

be documented.

Amendment 128

SECTION 3 DATA PROTECTION IMPACT ASSESSMENT AND PRIOR AUTHORISATION

SECTION 3 LIFECYCLE DATA PROTECTION MANAGEMENT

SECTION 3 DATA PROTECTION IMPACT ASSESSMENT AND PRIOR AUTHORISATION

Article 33 Article 33 Article 33

Data protection impact assessment Data protection impact assessment Data protection impact assessment250

1. Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller or the processor acting on the controller's behalf shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

1. Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, required pursuant to point (c) of Article 32a(3) the controller or the processor acting on the controller's behalf shall carry out an assessment of the impact of the envisaged processing operations on the rights and freedoms of the data subjects, especially their right

1. Where a type of processing in particular using new technologies, and taking into account operations present specific risks to the rights and freedoms of data subjects by virtue of their the nature, their scope, context and or their purposes of the processing, is likely to result in a high251 risk for the rights and freedoms of individuals, such as discrimination, identity theft or fraud, financial loss,


252 COM reservation on deletion.

to protection of personal data. A single assessment shall be sufficient to address a set of similar processing operations that present similar risks.

damage to the reputation, [breach of pseudonymity], loss of confidentiality of data protected by professional secrecy or any other significant economic or social disadvantage, the controller252 or the processor acting on the controller's behalf shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

1a. The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.

2. The following processing operations in particular present specific risks referred to in paragraph 1:

deleted 2. The following processing operations in particular present specific risks A data protection impact assessment referred to in paragraph 1 shall in particular be required in the following cases:

(a) a systematic and extensive evaluation of personal aspects relating to a natural person or for analysing or predicting in particular

deleted (a) a systematic and extensive evaluation of personal aspects relating to a natural persons or for analysing or predicting in particular


253 In the future this wording will be aligned to the eventual wording of Article 20.
254 HU suggested that data pertaining to children be also reinserted.

the natural person's economic situation, location, health, personal preferences, reliability or behaviour, which is based on automated processing and on which measures are based that produce legal effects concerning the individual or significantly affect the individual;

the natural person's economic situation, location, health, personal preferences, reliability or behaviour, which is based on automated processing which is based on profiling and on which measures decisions253 are based that produce legal effects concerning the individual data subjects or significantly severely affect the individual data subjects;

(b) information on sex life, health, race and ethnic origin or for the provision of health care, epidemiological researches, or surveys of mental or infectious diseases, where the data are processed for taking measures or decisions regarding specific individuals on a large scale;

deleted (b) information on sex life, health, race and ethnic origin or for the provision of health care, epidemiological researches, or surveys of mental or infectious diseases processing of special categories of personal data under Article 9(1) (…)254, biometric data or data on criminal convictions and offences or related security measures, where the data are processed for taking measures or decisions regarding specific individuals on a large scale;

(c) monitoring publicly accessible areas, especially when

deleted (c) monitoring publicly accessible areas on a large scale, especially


255 FR scrutiny reservation. PL thought a role could be given to the EDPB in order to determine high-risk operations.
256 CZ reservation. HU wondered what kind of legal consequences, if any, would be triggered by the listing of a type of processing operation by a DPA with regard to on-going processing operations as well as what its territorial scope would be. In the view of the Presidency any role for the EDPB in this regard should be discussed in the context of Chapter VII.

using optic-electronic devices (video surveillance) on a large scale;

when using optic-electronic devices (video surveillance) on a large scale;

(d) personal data in large scale filing systems on children, genetic data or biometric data;

deleted deleted

(e) other processing operations for which the consultation of the supervisory authority is required pursuant to point (b) of Article 34(2).

deleted deleted255

2a. The supervisory authority shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1. The supervisory authority shall communicate those lists to the European Data Protection Board. 256

2b. The supervisory authority may also establish and make public a list of the kind of processing


257 CZ reservation.

operations for which no data protection impact assessment is required. The supervisory authority shall communicate those lists to the European Data Protection Board.

2c. Prior to the adoption of the lists referred to in paragraphs 2a and 2b the competent supervisory authority shall apply the consistency mechanism referred to in Article 57 where such lists involve processing activities which are related to the offering of goods or services to data subjects or to the monitoring of their behaviour in several Member States, or may substantially affect the free movement of personal data within the Union. 257

3. The assessment shall contain at least a general description of the envisaged processing operations, an assessment of the risks to the rights and freedoms of data subjects, the measures envisaged to address the risks, safeguards, security measures

3. The assessment shall have regard to the entire lifecycle management of personal data from collection to processing to deletion. It shall contain at least a general description of the envisaged processing operations, an assessment of the risks to the rights and freedoms of

3. The assessment shall contain at least a general description of the envisaged processing operations, an assessment evaluation of the risks to the rights and freedoms of data subjects referred to in paragraph 1, the measures envisaged to address the risks, including safeguards,


258 FR scrutiny reservation.

and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.

data subjects, the measures envisaged to address the risks, safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned:

security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned258.

(a) a systematic description of the envisaged processing operations, the purposes of the processing and, if applicable, the legitimate interests pursued by the controller;

(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

(c) an assessment of the risks to the rights and freedoms of data subjects, including the risk of discrimination being embedded in or reinforced by the operation;

(d) a description of the measures envisaged to address the risks and minimise the volume of personal


data which is processed;

(e) a list of safeguards, security measures and mechanisms to ensure the protection of personal data, such as pseudonymisation, and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned;

(f) a general indication of the time limits for erasure of the different categories of data;

(g) an explanation which data protection by design and default practices pursuant to Article 23 have been implemented;

(h) a list of the recipients or categories of recipients of the personal data;

(i) where applicable, a list of the intended transfers of data to a third country or an international organisation, including the identification of that third country or international organisation and, in case of transfers referred to in


point (h) of Article 44(1), the documentation of appropriate safeguards;

(j) an assessment of the context of the data processing.

3a. If the controller or the processor has designated a data protection officer, he or she shall be involved in the impact assessment proceeding.

3b. The assessment shall be documented and lay down a schedule for regular periodic data protection compliance reviews pursuant to Article 33a(1). The assessment shall be updated without undue delay, if the results of the data protection compliance review referred to in Article 33a show compliance inconsistencies. The controller and the processor and, if any, the controller's representative shall make the assessment available, on request, to the supervisory authority.

3a. Compliance with approved codes of conduct referred to in Article 38 by the relevant


259 HU thought this should be moved to a recital.
260 CZ and FR indicated that this was a completely impractical obligation; IE reservation.

controllers or processors shall be taken into due account in assessing lawfulness and impact of the processing operations performed by such controllers or processors, in particular for the purposes of a data protection impact assessment259.

4. The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations.

deleted 4. The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations260.

5. Where the controller is a public authority or body and where the processing results from a legal obligation pursuant to point (c) of Article 6(1) providing for rules and procedures pertaining to the processing operations and regulated by Union law, paragraphs 1 to 4 shall not apply, unless Member States deem it necessary to carry out such assessment prior to the

Deleted 5. Where the controller is a public authority or body and where the processing results from a legal obligation pursuant to point (c) or (e) of Article 6(1) providing for rules and procedures pertaining to the processing operations and regulated by has a legal basis in Union law, paragraphs 1 to 4 shall not apply, unless or the law of the Member States to which the controller is subject, and such law


261 BE and SI stated that this will have to be revisited in the context of the future debate on how to include the public sector in the scope of the Regulation.

processing activities. regulates the specific processing operation or set of operations in question261, paragraphs 1 to 3 shall not apply, unless Member States deem it necessary to carry out such assessment prior to the processing activities.

6. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the processing operations likely to present specific risks referred to in paragraphs 1 and 2 and the requirements for the assessment referred to in paragraph 3, including conditions for scalability, verification and auditability. In doing so, the Commission shall consider specific measures for micro, small and medium-sized enterprises.

deleted deleted

7. The Commission may specify standards and procedures for carrying out and verifying and auditing the assessment referred to in paragraph 3. Those

deleted deleted


implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

Amendment 130

Article 33 a (new)

Data protection compliance review

1. At the latest two years after the carrying out of an impact assessment pursuant to Article 33(1), the controller or the processor acting on the controller's behalf shall carry out a compliance review. This compliance review shall demonstrate that the processing of personal data is performed in compliance with the data protection impact assessment.

2. The compliance review shall be carried out periodically at least once every two years, or immediately when there is a change in the specific risks presented by the processing operations.


3. Where the compliance review results show compliance inconsistencies, the compliance review shall include recommendations on how to achieve full compliance.

4. The compliance review and its recommendations shall be documented. The controller and the processor and, if any, the controller's representative shall make the compliance review available, on request, to the supervisory authority.

5. If the controller or the processor has designated a data protection officer, he or she shall be involved in the compliance review proceeding.

Article 34 Article 34 Article 34

Amendment 131

Prior authorisation and prior consultation Prior consultation

Prior authorisation and prior consultation

1. The controller or the processor as the case may be shall

deleted deleted


262 COM and LU reservation on deleting processor.

obtain an authorisation from the supervisory authority prior to the processing of personal data, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where a controller or processor adopts contractual clauses as provided for in point (d) of Article 42(2) or does not provide for the appropriate safeguards in a legally binding instrument as referred to in Article 42(5) for the transfer of personal data to a third country or an international organisation.

2. The controller or processor acting on the controller's behalf shall consult the supervisory authority prior to the processing of personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where:

2. The controller or processor acting on the controller's behalf shall consult the data protection officer, or in case a data protection officer has not been appointed, the supervisory authority prior to the processing of personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the

2. The controller262 or processor acting on the controller's behalf shall consult the supervisory authority prior to the processing of personal data where a data protection impact assessment as provided for in Article 33 indicates that the in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the would result in a high risks involved for


data subjects where: the data subjects where: in the absence of measures to be taken by the controller to mitigate the risk.

(a) a data protection impact assessment as provided for in Article 33 indicates that processing operations are by virtue of their nature, their scope or their purposes, likely to present a high degree of specific risks; or

(a) a data protection impact assessment as provided for in Article 33 indicates that processing operations are by virtue of their nature, their scope or their purposes, likely to present a high degree of specific risks; or

deleted

(b) the supervisory authority deems it necessary to carry out a prior consultation on processing operations that are likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope and/or their purposes, and specified according to paragraph 4.

(b) the data protection officer or the supervisory authority deems it necessary to carry out a prior consultation on processing operations that are likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope and/or their purposes, and specified according to paragraph 4.

deleted

3. Where the supervisory authority is of the opinion that the intended processing does not comply with this Regulation, in particular where risks are insufficiently identified or mitigated, it shall prohibit the intended processing and make appropriate proposals to remedy

3. Where the competent supervisory authority is of the opinion determines in accordance with its power that the intended processing does not comply with this Regulation, in particular where risks are insufficiently identified or mitigated, it shall prohibit the intended processing and make

3. Where the supervisory authority is of the opinion that the intended processing referred to in paragraph 2 would does not comply with this Regulation, in particular where the controller has risks are insufficiently identified or mitigated, it shall prohibit the intended processing and make


263 UK reservation; it thought the power to prohibit processing operations should not apply during periods in which there is an overriding public interest for the processing to take place (such as a public health emergency). The Presidency thinks this issue should however be debated in the context of Chapter VI on the powers of the DPA, as these may obviously also be used regardless of any consultation.

such incompliance. appropriate proposals to remedy such non-compliance.

appropriate proposals to remedy such incompliance within a maximum period of 6 weeks following the request for consultation give advice to the data controller, in writing, and may use any of its powers referred to in263 Article 53. This period may be extended for a further six weeks, taking into account the complexity of the intended processing. Where the extended period applies, the controller or processor shall be informed within one month of receipt of the request of the reasons for the delay.

4. The supervisory authority shall establish and make public a list of the processing operations which are subject to prior consultation pursuant to point (b) of paragraph 2. The supervisory authority shall communicate those lists to the European Data Protection Board.

4. The supervisory authority European Data Protection Board shall establish and make public a list of the processing operations which are subject to prior consultation pursuant to point (b) of paragraph 2. The supervisory authority shall communicate those lists to the European Data Protection Board.

deleted


5. Where the list provided for in paragraph 4 involves processing activities which are related to the offering of goods or services to data subjects in several Member States, or to the monitoring of their behaviour, or may substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57 prior to the adoption of the list.

deleted deleted

6. The controller or processor shall provide the supervisory authority with the data protection impact assessment provided for in Article 33 and, on request, with any other information to allow the supervisory authority to make an assessment of the compliance of the processing and in particular of the risks for the protection of personal data of the data subject and of the related safeguards.

6. The controller or processor shall provide the supervisory authority, on request, with the data protection impact assessment provided for in pursuant to Article 33 and, on request, with any other information to allow the supervisory authority to make an assessment of the compliance of the processing and in particular of the risks for the protection of personal data of the data subject and of the related safeguards.

6. When consulting the supervisory authority pursuant to paragraph 2, The the controller or processor shall provide the supervisory authority, with

(a) where applicable, the respective responsibilities of controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;

(b) the purposes and means of the intended processing;

(c) the measures and safeguards provided to protect the


rights and freedoms of data subjects pursuant to this Regulation;

(d) where applicable, the contact details of the data protection officer;

(e) the data protection impact assessment provided for in Article 33; and

(f), on request, with any other information to allow requested by the supervisory authority to make an assessment of the compliance of the processing and in particular of the risks for the protection of personal data of the data subject and of the related safeguards.

7. Member States shall consult the supervisory authority in the preparation of a legislative measure to be adopted by the national parliament or of a measure based on such a legislative measure, which defines the nature of the processing, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects.

7. Member States shall consult the supervisory authority in the preparation of a legislative measure to be adopted by the national parliament or of a measure based on such a legislative measure, which defines the nature of the processing, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects.

7. Member States shall consult the supervisory authority in during the preparation of a proposal for a legislative measure to be adopted by the a national parliament or of a measure based on such a legislative measure, which defines the nature of the processing, in order to ensure the compliance of the intended provide for the processing with this Regulation and in particular to mitigate the risks involved for the


264 IE scrutiny reservation on deletion.
265 SE scrutiny reservation.

data subjects of personal data264.

7a. Notwithstanding paragraph 2, Member States' law may require controllers to consult with, and obtain prior authorisation from, the supervisory authority in relation to the processing of personal data by a controller for the performance of a task carried out by the controller in the public interest, including the processing of such data in relation to social protection and public health265.

8. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for determining the high degree of specific risk referred to in point (a) of paragraph 2.

deleted deleted

9. The Commission may set out standard forms and procedures for prior authorisations and consultations referred to in paragraphs 1 and 2, and standard

deleted deleted


forms and procedures for informing the supervisory authorities pursuant to paragraph 6. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).


266 Made optional further to decision by the Council. AT scrutiny reservation. DE, HU and AT would have preferred to define cases of a mandatory appointment of DPA in the Regulation itself and may want to revert to this issue at a later stage. COM reservation on optional nature and deletion of points a) to c).

SECTION 4 DATA PROTECTION OFFICER

SECTION 4 DATA PROTECTION OFFICER

SECTION 4 DATA PROTECTION OFFICER

Article 35 Article 35 Article 35

Designation of the data protection officer

Designation of the data protection officer

Designation of the data protection officer

Amendment 132

1. The controller and the processor shall designate a data protection officer in any case where:

1. The controller and the processor shall designate a data protection officer in any case where:

1. The controller and or the processor may, or where required by Union or Member State law shall266 designate a data protection officer in any case where:.

(a) the processing is carried out by a public authority or body; or

(a) the processing is carried out by a public authority or body; or

deleted

(b) the processing is carried out by an enterprise employing 250 persons or more; or

(b) the processing is carried out by an enterprise employing 250 persons or more a legal person and relates to more than 5000 data subjects in any consecutive 12-month period; or

deleted


(c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects.

(c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects; or

deleted

(d) the core activities of the controller or the processor consist of processing special categories of data pursuant to Article 9(1), location data or data on children or employees in large scale filing systems.

2. In the case referred to in point (b) of paragraph 1, a group of undertakings may appoint a single data protection officer.

2. In the case referred to in point (b) of paragraph 1, a A group of undertakings may appoint a single main responsible data protection officer, provided it is ensured that a data protection officer is easily accessible from each establishment.

2. In the case referred to in point (b) of paragraph 1, a A group of undertakings may appoint a single data protection officer.

3. Where the controller or the processor is a public authority or body, the data protection officer may be designated for several of its entities, taking account of the organisational structure of the

3. Where the controller or the processor is a public authority or body, the data protection officer may be designated for several of its entities, taking account of the organisational structure of the

3. Where the controller or the processor is a public authority or body, the a single data protection officer may be designated for several of its entities such authorities or bodies, taking


public authority or body. public authority or body. account of their organisational structure of the public authority or body and size.

4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may designate a data protection officer.

4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may designate a data protection officer.

deleted

5. The controller or processor shall designate the data protection officer on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil the tasks referred to in Article 37. The necessary level of expert knowledge shall be determined in particular according to the data processing carried out and the protection required for the personal data processed by the controller or the processor.

5. The controller or processor shall designate the data protection officer on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil the tasks referred to in Article 37. The necessary level of expert knowledge shall be determined in particular according to the data processing carried out and the protection required for the personal data processed by the controller or the processor.

5. The controller or processor shall designate the data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil the tasks referred to in Article 37, particularly the absence of any conflict of interests. The necessary level of expert knowledge shall be determined in particular according to the data processing carried out and the protection required for the personal data processed by the controller or the processor.

6. The controller or the processor shall ensure that any other professional duties of the data

6. The controller or the processor shall ensure that any other professional duties of the data

deleted


protection officer are compatible with the person's tasks and duties as data protection officer and do not result in a conflict of interests.

protection officer are compatible with the person's tasks and duties as data protection officer and do not result in a conflict of interests.

7. The controller or the processor shall designate a data protection officer for a period of at least two years. The data protection officer may be reappointed for further terms. During their term of office, the data protection officer may only be dismissed, if the data protection officer no longer fulfils the conditions required for the performance of their duties.

7. The controller or the processor shall designate a data protection officer for a period of at least two four years in case of an employee or two years in case of an external service contractor. The data protection officer may be reappointed for further terms. During their his or her term of office, the data protection officer may only be dismissed, if the data protection officer he or she no longer fulfils the conditions required for the performance of their his or her duties.

7. The controller or the processor shall designate a During their term of office, the data protection officer for a period of at least two years. The data protection officer may, apart from serious grounds under the law of the Member State concerned which justify the dismissal of an employee or civil servant, be reappointed for further terms. During their term of office, the data protection officer may only be dismissed, only if the data protection officer no longer fulfils the conditions required for the performance of their duties his or her tasks pursuant to Article 37.

8. The data protection officer may be employed by the controller or processor, or fulfil his or her tasks on the basis of a service contract.

8. The data protection officer may be employed by the controller or processor, or fulfil his or her tasks on the basis of a service contract.

8. The data protection officer may be employed by a staff member of the controller or processor, or fulfil his or her the tasks on the basis of a service contract.

9. The controller or the processor shall communicate the name and contact details of the data

9. The controller or the processor shall communicate the name and contact details of the data protection

9. The controller or the processor shall communicate publish the name and contact details of the data


protection officer to the supervisory authority and to the public.

officer to the supervisory authority and to the public.

protection officer and communicate these to the supervisory authority and to the public.

10. Data subjects shall have the right to contact the data protection officer on all issues related to the processing of the data subject’s data and to request exercising the rights under this Regulation.

10. Data subjects shall have the right to contact the data protection officer on all issues related to the processing of the data subject’s data and to request exercising the rights under this Regulation.

10. Data subjects shall have the right to may contact the data protection officer on all issues related to the processing of the data subject’s data and to request exercising the the exercise of their rights under this Regulation.

11. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the core activities of the controller or the processor referred to in point (c) of paragraph 1 and the criteria for the professional qualities of the data protection officer referred to in paragraph 5.

deleted deleted


Article 36 Article 36 Article 36

Position of the data protection officer

Position of the data protection officer

Position of the data protection officer

Amendment 133

1. The controller or the processor shall ensure that the data protection officer is properly and in a timely manner involved in all issues which relate to the protection of personal data.

1. The controller or the processor shall ensure that the data protection officer is properly and in a timely manner involved in all issues which relate to the protection of personal data.

1. The controller or the processor shall ensure that the data protection officer is properly and in a timely manner involved in all issues which relate to the protection of personal data.

2. The controller or processor shall ensure that the data protection officer performs the duties and tasks independently and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the management of the controller or the processor.

2. The controller or processor shall ensure that the data protection officer performs the duties and tasks independently and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the executive management of the controller or the processor. The controller or processor shall for this purpose designate an executive management member who shall be responsible for the compliance with the provisions of this Regulation.

2. The controller or processor shall ensure that support the data protection officer in performsing the duties and tasks referred to in Article 37 by providing resources necessary to carry out these tasks as well as access to personal data and processing operations independently and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the management of the controller or the processor.


3. The controller or the processor shall support the data protection officer in performing the tasks and shall provide staff, premises, equipment and any other resources necessary to carry out the duties and tasks referred to in Article 37.

3. The controller or the processor shall support the data protection officer in performing the tasks and shall provide all means, including staff, premises, equipment and any other resources necessary to carry out the duties and tasks referred to in Article 37, and to maintain his or her professional knowledge.

3. The controller or the processor shall support ensure that the data protection officer can act in an independent manner with respect to the performingance of his or her the tasks and shall provide staff, premises, equipment and any other resources necessary to carry out the duties and does not receive any instructions regarding the exercise of these tasks referred to in Article 37. He or she shall not be penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.

4. Data protection officers shall be bound by secrecy concerning the identity of data subjects and concerning circumstances enabling data subjects to be identified, unless they are released from that obligation by the data subject.

4. The data protection officer may fulfil other tasks and duties. The controller or processor shall


ensure that any such tasks and duties do not result in a conflict of interests.

Article 37 Article 37 Article 37

Tasks of the data protection officer Tasks of the data protection officer Tasks of the data protection officer

Amendment 134

1. The controller or the processor shall entrust the data protection officer at least with the following tasks:

1. The controller or the processor shall entrust the data protection officer at least with the following tasks:

1. The controller or the processor shall entrust the data protection officer at least with shall have the following tasks:

(a) to inform and advise the controller or the processor of their obligations pursuant to this Regulation and to document this activity and the responses received;

(a) to raise awareness, to inform and advise the controller or the processor of their obligations pursuant to this Regulation, in particular with regard to technical and organisational measures and procedures, and to document this activity and the responses received;

(a) to inform and advise the controller or the processor and the employees who are processing personal data of their obligations pursuant to this Regulation and to document this activity and the responses received other Union or Member State data protection provisions;

(b) to monitor the implementation and application of the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, the training of staff

(b) to monitor the implementation and application of the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, the training of staff involved in the processing

(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the implementation and application of the policies of the controller or processor in relation to the


involved in the processing operations, and the related audits;

operations, and the related audits;

protection of personal data, including the assignment of responsibilities, awareness-raising and the training of staff involved in the processing operations, and the related audits;

(c) to monitor the implementation and application of this Regulation, in particular as to the requirements related to data protection by design, data protection by default and data security and to the information of data subjects and their requests in exercising their rights under this Regulation;

(c) to monitor the implementation and application of this Regulation, in particular as to the requirements related to data protection by design, data protection by default and data security and to the information of data subjects and their requests in exercising their rights under this Regulation;

deleted

(d) to ensure that the documentation referred to in Article 28 is maintained;

(d) to ensure that the documentation referred to in Article 28 is maintained;

deleted

(e) to monitor the documentation, notification and communication of personal data breaches pursuant to Articles 31 and 32;

(e) to monitor the documentation, notification and communication of personal data breaches pursuant to Articles 31 and 32;

deleted

(f) to monitor the performance of the data protection impact assessment by the controller or processor and the application for

(f) to monitor the performance of the data protection impact assessment by the controller or processor and the application for

(f) to monitor the performance of provide advice where requested as regards the data protection impact assessment by the controller or


prior authorisation or prior consultation, if required pursuant Articles 33 and 34;

prior authorisation or prior consultation, if required pursuant to Articles 32a, 33 and 34;

processor and the application for prior authorisation or prior consultation, if required monitor its performance pursuant Articles 33 and 34;

(g) to monitor the response to requests from the supervisory authority, and, within the sphere of the data protection officer's competence, co-operating with the supervisory authority at the latter's request or on the data protection officer’s own initiative;

(g) to monitor the response to requests from the supervisory authority, and, within the sphere of the data protection officer's competence, co-operating with the supervisory authority at the latter's request or on the data protection officer’s own initiative;

(g) to monitor the responses to requests from the supervisory authority, and, within the sphere of the data protection officer's competence, to co-operatingoperate with the supervisory authority at the latter's request or on the data protection officer’s own initiative;

(h) to act as the contact point for the supervisory authority on issues related to the processing and consult with the supervisory authority, if appropriate, on his/her own initiative.

(h) to act as the contact point for the supervisory authority on issues related to the processing and consult with the supervisory authority, if appropriate, on his/her own initiative.

(h) to act as the contact point for the supervisory authority on issues related to the processing of personal data, including the prior and consultation referred to in Article 34, and consult, as with the supervisory authority, if appropriate, on his/her own initiative any other matter.

(i) to verify the compliance with this Regulation under the prior consultation mechanism laid out in Article 34;


(j) to inform the employee representatives on data processing of the employees.

2. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for tasks, certification, status, powers and resources of the data protection officer referred to in paragraph 1.

deleted deleted

2a. The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with the processing operations, taking into account the nature, scope, context and purposes of the processing.


267 AT, FI, SK and PL scrutiny reservation.

SECTION 5 CODES OF CONDUCT AND CERTIFICATION

SECTION 5 CODES OF CONDUCT AND CERTIFICATION

SECTION 5 CODES OF CONDUCT AND CERTIFICATION

Article 38 Article 38 Article 38

Codes of conduct Codes of conduct Codes of conduct 267

Amendment 135

1. The Member States, the supervisory authorities and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various data processing sectors, in particular in relation to:

1. The Member States, the supervisory authorities and the Commission shall encourage the drawing up of codes of conduct or the adoption of codes of conduct drawn up by a supervisory authority intended to contribute to the proper application of this Regulation, taking account of the specific features of the various data processing sectors, in particular in relation to:

1. The Member States, the supervisory authorities, the European Data Protection Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various data processing sectors, in particular in relation to: and the specific needs of micro, small and medium-sized enterprises.

1a. Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for


the purpose of specifying the application of provisions of this Regulation, such as:

(a) fair and transparent data processing;

(a) fair and transparent data processing;

(a) fair and transparent data processing;

(aa) respect for consumer rights;

(aa) the legitimate interests pursued by controllers in specific contexts;

(b) the collection of data; (b) the collection of data; (b) the collection of data;

(bb) the pseudonymisation of personal data;

(c) the information of the public and of data subjects;

(c) the information of the public and of data subjects;

(c) the information of the public and of data subjects;

(d) requests of data subjects in exercise of their rights;

(d) requests of data subjects in exercise of their rights;

(d) requests of data subjects in the exercise of their rights of data subjects;

(e) information and protection of children;

(e) information and protection of children;

(e) information and protection of children and the way to collect the parent’s and guardian’s consent;

(ee) measures and procedures referred to in Articles 22 and 23


and measures to ensure security of processing referred to in Article 30;

(ef) notification of personal data breaches to supervisory authorities and communication of such breaches to data subjects;

(f) transfer of data to third countries or international organisations;

(f) transfer of data to third countries or international organisations;

deleted

(g) mechanisms for monitoring and ensuring compliance with the code by the controllers adherent to it;

(g) mechanisms for monitoring and ensuring compliance with the code by the controllers adherent to it;

deleted

(h) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with respect to the processing of personal data, without prejudice to the rights of the data subjects pursuant to Articles 73 and 75.

(h) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with respect to the processing of personal data, without prejudice to the rights of the data subjects pursuant to Articles 73 and 75.

deleted

1ab. In addition to adherence by controller or processor subject to the regulation, codes of conduct approved pursuant to paragraph 2


268 CZ preferred this monitoring to be optional.

may also be adhered to by controllers or processors that are not subject to this Regulation according to Article 3 in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organisations under the terms referred to in Article 42(2)(d). Such controllers or processors shall make binding and enforceable commitments, via contractual instruments or otherwise, to apply those appropriate safeguards including as regards data subjects’ rights.

1b. Such a code of conduct shall contain mechanisms which enable the body referred to in paragraph 1 of article 38a to carry out the mandatory268 monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of the supervisory authority which is competent pursuant to Article 51 or 51a.


2. Associations and other bodies representing categories of controllers or processors in one Member State which intend to draw up codes of conduct or to amend or extend existing codes of conduct may submit them to an opinion of the supervisory authority in that Member State. The supervisory authority may give an opinion whether the draft code of conduct or the amendment is in compliance with this Regulation. The supervisory authority shall seek the views of data subjects or their representatives on these drafts.

2. Associations and other bodies representing categories of controllers or processors in one Member State which intend to draw up codes of conduct or to amend or extend existing codes of conduct may submit them to an opinion of the supervisory authority in that Member State. The supervisory authority may shall without undue delay give an opinion on whether the processing under the draft code of conduct or the amendment is in compliance with this Regulation. The supervisory authority shall seek the views of data subjects or their representatives on these drafts.

2. Associations and other bodies referred to in paragraph 1a representing categories of controllers or processors in one Member State which intend to draw up prepare a codes of conduct or to amend or extend existing codes, of conduct may shall submit them to an opinion of draft code to the supervisory authority in that Member State which is competent pursuant to Article 51. The supervisory authority may shall give an opinion on whether the draft code, or amended or extended of conduct or the amendment is in compliance with this Regulation and shall approve such draft, amended or extended code if it finds that it provides sufficient appropriate safeguards. The supervisory authority shall seek the views of data subjects or their representatives on these drafts.

2a. Where the opinion referred to in paragraph 2 confirms that the code of conduct, or amended or extended code, is in compliance with this Regulation and the code is approved, and if the code of


269 FR made a proposal for a paragraph 2c: 'Approved codes of conduct pursuant to paragraph 2a shall constitute an element of the contractual relationship between the controller and the data subject. When such codes of conduct determine the compliance of the controller or processor with this Regulation, they shall be legally binding and enforceable.'

conduct does not relate to processing activities in several Member States, the supervisory authority shall register the code and publish the details thereof.

2b. Where the draft code of conduct relates to processing activities in several Member States, the supervisory authority competent pursuant to Article 51 shall, before approval, submit it in the procedure referred to in Article 57 to the European Data Protection Board which shall give an opinion on whether the draft code, or amended or extended code, is in compliance with this Regulation or, in the situation referred to in paragraph 1ab, provides appropriate safeguards269.

3. Associations and other bodies representing categories of controllers in several Member States may submit draft codes of conduct and amendments or extensions to existing codes of

3. Associations and other bodies representing categories of controllers or processors in several Member States may submit draft codes of conduct and amendments or extensions to existing codes of

3. Associations and other bodies representing categories of controllers in several Member States may submit draft Where the opinion referred to in paragraph 2b confirms that the codes of


conduct to the Commission.

conduct to the Commission.

conduct, and or amendmentsed or extensionsed to existing codes code, of conduct to the Commission is in compliance with this Regulation, or, in the situation referred to in paragraph 1ab, provides appropriate safeguards, the European Data Protection Board shall submit its opinion to the Commission.

4. The Commission may adopt implementing acts for deciding that the codes of conduct and amendments or extensions to existing codes of conduct submitted to it pursuant to paragraph 3 have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).

4. The Commission may adopt implementing acts shall be empowered to adopt, after requesting an opinion of the European Data Protection Board, delegated acts in accordance with Article 86 for deciding that the codes of conduct and amendments or extensions to existing codes of conduct submitted to it pursuant to paragraph 3 are in line with this Regulation and have general validity within the Union. Those implementing acts delegated acts shall be adopted in accordance with the examination procedure set out in Article 87(2) confer enforceable rights on data subjects.

4. The Commission may adopt implementing acts for deciding that the approved codes of conduct and amendments or extensions to existing approved codes of conduct submitted to it pursuant to paragraph 3 have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).


270 AT, LU scrutiny reservation.

271 CZ, ES, LU are opposed to giving this role to such separate bodies. Concerns were raised, inter alia, on the administrative burden involved in the setting up of such bodies. Codes of conduct are an entirely voluntary mechanism in which no controller is obliged to participate.

5. The Commission shall ensure appropriate publicity for the codes which have been decided as having general validity in accordance with paragraph 4.

5. The Commission shall ensure appropriate publicity for the codes which have been decided as having general validity in accordance with paragraph 4.

5. The Commission shall ensure appropriate publicity for the approved codes which have been decided as having general validity in accordance with paragraph 4.

5a. The European Data Protection Board shall collect all approved codes of conduct and amendments thereto in a register and shall make them publicly available through any appropriate means, such as through the European E-Justice Portal.

Article 38a

Monitoring of approved codes of conduct270

1. Without prejudice to the tasks and powers of the competent supervisory authority under Articles 52 and 53, the monitoring of compliance with a code of conduct pursuant to Article 38 (1b), may be carried out by a body271 which has an appropriate


level of expertise in relation to the subject-matter of the code and is accredited for this purpose by the competent supervisory authority.

2. A body referred to in paragraph 1 may be accredited for this purpose if:

(a) it has demonstrated its independence and expertise in relation to the subject-matter of the code to the satisfaction of the competent supervisory authority;

(b) it has established procedures which allow it to assess the eligibility of controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation;

(c) it has established procedures and structures to deal with complaints about infringements of the code or the manner in which the code has been, or is being, implemented by a controller or processor, and to make these procedures and structures transparent to data


subjects and the public;

(d) it demonstrates to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests.

3. The competent supervisory authority shall submit the draft criteria for accreditation of a body referred to in paragraph 1 to the European Data Protection Board pursuant to the consistency mechanism referred to in Article 57.

4. Without prejudice to the provisions of Chapter VIII, a body referred to in paragraph 1 may, subject to adequate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. It shall inform the competent supervisory authority of such actions and the reasons for taking them.


272 AT, FR, FI scrutiny reservation. FR thought the terminology used was unclear and that the DPA should be in a position to check compliance with certified data protection policies; this should be clarified in Article 53.

5. The competent supervisory authority shall revoke the accreditation of a body referred to in paragraph 1 if the conditions for accreditation are not, or no longer, met or actions taken by the body are not in compliance with this Regulation.

This article shall not apply to the processing of personal data carried out by public authorities and bodies.

Article 39 Article 39 Article 39

Certification Certification Certification272

Amendment 136

1. The Member States and the Commission shall encourage, in particular at European level, the establishment of data protection certification mechanisms and of data protection seals and marks, allowing data subjects to quickly assess the level of data protection provided by controllers and

deleted

1. The Member States, the European Data Protection Board and the Commission shall encourage, in particular at European Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating


processors. The data protection certifications mechanisms shall contribute to the proper application of this Regulation, taking account of the specific features of the various sectors and different processing operations.

compliance with this Regulation of processing operations carried out allowing data subjects to quickly assess the level of data protection provided by controllers and processors. The data protection certifications mechanisms shall contribute to the proper application of this Regulation, taking account of the specific features of the various sectors and different processing operations needs of micro, small and medium-sized enterprises shall be taken into account.

1a. In addition to adherence by controllers or processors subject to this Regulation, data protection certification mechanisms, seals or marks approved pursuant to paragraph 2a may also be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to this Regulation according to Article 3 within the framework of personal data transfers to third countries or international organisations under


the terms referred to in Article 42(2)(e). Such controllers or processors shall make binding and enforceable commitments, via contractual instruments or otherwise, to apply those appropriate safeguards, including as regards data subjects’ rights.

1a. Any controller or processor may request any supervisory authority in the Union, for a reasonable fee taking into account the administrative costs, to certify that the processing of personal data is performed in compliance with this Regulation, in particular with the principles set out in Article 5, 23 and 30, the obligations of the controller and the processor, and the data subject’s rights.

1b. The certification shall be voluntary, affordable, and available via a process that is transparent and not unduly burdensome.

1c. The supervisory authorities and the European Data Protection Board shall cooperate under the


consistency mechanism pursuant to Article 57 to guarantee a harmonised data protection certification mechanism including harmonised fees within the Union.

1d. During the certification procedure, the supervisory authority authorities may accredit specialised third party auditors to carry out the auditing of the controller or the processor on their behalf. Third party auditors shall have sufficiently qualified staff, be impartial and free from any conflict of interests regarding their duties. Supervisory authorities shall revoke accreditation, if there are reasons to believe that the auditor does not fulfil its duties correctly. The final certification shall be provided by the supervisory authority.

1e. Supervisory authorities shall grant controllers and processors, who pursuant to the auditing have been certified that they process personal data in compliance with this Regulation, the standardised data protection mark named


"European Data Protection Seal".

1f. The "European Data Protection Seal" shall be valid for as long as the data processing operations of the certified controller or processor continue to fully comply with this Regulation.

1g. Notwithstanding paragraph 1f, the certification shall be valid for maximum five years.

1h. The European Data Protection Board shall establish a public electronic register in which all valid and invalid certificates which have been issued in the Member States can be viewed by the public.

1i. The European Data Protection Board may on its own initiative certify that a data protection-enhancing technical standard is compliant with this Regulation.

2. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the data protection certification

2. The Commission shall be empowered to adopt, after requesting an opinion of the European Data Protection Board and consulting with stakeholders, in particular industry and non-

Moved and modified under Article 39 point 7


mechanisms referred to in paragraph 1, including conditions for granting and withdrawal, and requirements for recognition within the Union and in third countries.

governmental organisations, delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the data protection certification mechanisms referred to in paragraph 1 paragraphs 1a to 1h, including requirements for accreditation of auditors, conditions for granting and withdrawal, and requirements for recognition within the Union and in third countries. Those delegated acts shall confer enforceable rights on data subjects.

2. A certification pursuant to this Article does not reduce the responsibility of the controller or the processor for compliance with this Regulation and is without prejudice to the tasks and powers of the supervisory authority which is competent pursuant to Article 51 or 51a.

2a. A certification pursuant to this Article shall be issued by the certification bodies referred to in Article 39a, or where applicable, by the competent supervisory


273 This is without prejudice to the future discussion on the exact powers of the EDPB. This discussion will take place in the context of the discussion on the one-stop-shop mechanism.

authority on the basis of the criteria approved by the competent supervisory authority or, pursuant to Article 57, the European Data Protection Board273.

3. The Commission may lay down technical standards for certification mechanisms and data protection seals and marks and mechanisms to promote and recognize certification mechanisms and data protection seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).

deleted Moved under 39a point 8.

3. The controller or processor which submits its processing to the certification mechanism shall provide the certification body referred to in Article 39a, or where applicable, the competent supervisory authority, with all information and access to its processing activities which are necessary to conduct the certification procedure.


274 AT, FR, LU scrutiny reservation.

4. The certification shall be issued to a controller or processor for a maximum period of 3 years and may be renewed under the same conditions as long as the relevant requirements continue to be met. It shall be withdrawn by the certification bodies referred to in Article 39a, or where applicable, by the competent supervisory authority where the requirements for the certification are not or no longer met.

5. The European Data Protection Board shall collect all certification mechanisms and data protection seals in a register and shall make them publicly available through any appropriate means, such as through the European E-Justice Portal.

Article 39a

Certification body and procedure274

1. Without prejudice to the tasks and powers of the competent


supervisory authority under Articles 52 and 53, the certification shall be issued and renewed by a certification body which has an appropriate level of expertise in relation to data protection. Each Member State shall provide whether these certification bodies are accredited by:

(a) the supervisory authority which is competent according to Article 51 or 51a; and/or

(b) the National Accreditation Body named in accordance with Regulation (EC) 765/2008 of the European Parliament and the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products in compliance with EN-ISO/IEC 17065/2012 and with the additional requirements established by the supervisory authority which is competent according to Article 51 or 51a.

2. The certification body referred to in paragraph 1 may be


accredited for this purpose only if:

(a) it has demonstrated its independence and expertise in relation to the subject-matter of the certification to the satisfaction of the competent supervisory authority;

(aa) it has undertaken to respect the criteria referred to in paragraph 2a of Article 39 and approved by the supervisory authority which is competent according to Article 51 or 51a or, pursuant to Article 57, the European Data Protection Board;

(b) it has established procedures for the issue, periodic review and withdrawal of data protection seals and marks;

(b) it has established procedures and structures to deal with complaints about infringements of the certification or the manner in which the certification has been, or is being, implemented by the controller or processor, and to make these procedures and structures


275 This is without prejudice to the future discussion on the exact powers of the EDPB. This discussion will take place in the context of the discussion on the one-stop-shop mechanism.

transparent to data subjects and the public;

(c) it demonstrates to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests.

3. The accreditation of the certification bodies referred to in paragraph 1 shall take place on the basis of criteria approved by the supervisory authority which is competent according to Article 51 or 51a or, pursuant to Article 57, the European Data Protection Board275. In case of an accreditation pursuant to point (b) of paragraph 1, these requirements complement those envisaged in Regulation 765/2008 and the technical rules that describe the methods and procedures of the certification bodies.

4. The certification body referred to in paragraph 1 shall be responsible for the proper


assessment leading to the certification or the withdrawal of such certification without prejudice to the responsibility of the controller or processor for compliance with this Regulation. The accreditation is issued for a maximum period of five years and can be renewed in the same conditions as long as the body meets the requirements.

5. The certification body referred to in paragraph 1 shall provide the competent supervisory authority with the reasons for granting or withdrawing the requested certification.

6. The requirements referred to in paragraph 3, the criteria referred to in paragraph 2a of Article 39 shall be made public by the supervisory authority in an easily accessible form. The supervisory authorities shall also transmit these to the European Data Protection Board. The European Data Protection Board shall collect all certification mechanisms and data protection


276 CZ, FR and HU thought the national accreditation body should always consult the DPA before accrediting a certification body.

seals in a register and shall make them publicly available through any appropriate means, such as through the European E-Justice Portal.

6a. Without prejudice to the provisions of Chapter VIII, the competent supervisory authority or the National Accreditation Body shall revoke the accreditation it granted to a certification body referred to in paragraph 1 if the conditions for accreditation are not, or no longer, met or actions taken by the body are not in compliance with this Regulation276.

7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86, for the purpose of specifying the criteria and requirements to be taken into account for the data protection certification mechanisms referred to in paragraph 1, [including conditions


277 This is without prejudice to the future discussion on the exact powers of the EDPB. This discussion will take place in the context of the discussion on the one-stop-shop mechanism.

278 DE pleaded in favour of deleting the last two paragraphs and suggested adding a new paragraph: "The previous paragraphs shall not affect provisions governing the responsibility of national certification bodies, the accreditation procedures and the specification of criteria for security and data protection. Commission’s power to adopt acts pursuant to paragraphs 7 and 8 shall not apply to national and international certification procedures carried out on this basis. Security certificates issued by the responsible bodies or bodies accredited by them in the framework of these procedures shall be mutually recognized." ES also thought that this should not be left exclusively to the Commission.

for granting and revocation, and requirements for recognition of the certification and the requirements for a standardised ‘European Data Protection Seal’ within the Union and in third countries].

7a. The European Data Protection Board shall give an opinion to the Commission on the criteria and requirements referred to in paragraph 7 277.

3. The Commission may lay down technical standards for certification mechanisms and data protection seals and marks and mechanisms to promote and recognize certification mechanisms and data protection seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).

deleted 8. The Commission may lay down technical standards for certification mechanisms and data protection seals and marks and mechanisms to promote and recognize certification mechanisms and data protection seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2)278.


279 In light of the fact that the public interest exception would in many cases be the main ground warranting an international transfer of personal data, some delegations (CZ, DE, LV, UK) queried whether the 'old' adequacy principle/test should still be maintained and set out in such detail, as it would in practice not be applied in that many cases. DE in particular thought that the manifold exceptions emptied the adequacy rule of its meaning. Whilst they did not disagree with the goal of providing protection against transfer of personal data to third countries, it doubted whether the adequacy principle was the right procedure therefore, in view of the many practical and political difficulties (the latter especially regarding the risk of a negative adequacy decision, cf. DE, FR, UK). The feasibility of maintaining an adequacy-test was also questioned with reference to the massive flows of personal data in the context of cloud computing: BG, DE, FR, IT, NL, SK and UK. FR and DE asked whether a transfer of data in the context of cloud computing or the disclosure of personal data on the internet constitutes an international transfer of data. DE also thought that the Regulation should create a legal framework for 'Safe Harbor-like' arrangements under which certain guarantees to which companies in a third country have subscribed on a voluntary basis are monitored by the public authorities of that country. The applicability to the public sector of the rules set out in this Chapter was questioned (EE), as well as the delimitation to the scope of proposed Directive (FR). The impact of this Chapter on existing Member State agreements was raised by several delegations (FR, PL).

280 NL and UK pointed out that under the 1995 Data Protection Directive the controller who wants to transfer data is the first one to assess whether this is possible under the applicable (EU) law and they would like to maintain this basic principle, which appears to have disappeared in the Commission proposal.

281 DE asked which law would apply to data transferred controllers established in third countries that come within the ambit of Article 3(2); namely whether this would be EU law in accordance with that provision.

282 AT has made a number of proposals regarding this chapter set out in 10198/14 DATAPROTECT 82 JAI 363 MI 458 DRS 73 DAPIX 71 FREMP 103 COMIX 281 CODEC 1351.

CHAPTER V TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS

CHAPTER V TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS

CHAPTER V TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS279 280 281 282

Article 40 Article 40 Article 40

General principle for transfers General principle for transfers General principle for transfers

Any transfer of personal data which are undergoing processing or are intended for processing after

Any transfer of personal data which are undergoing processing or are intended for processing after

deleted


283 Some delegations raised concerns on the time taken up by adequacy procedures and stressed the need to speed up this process. COM stated that this should not be at the expense of the quality of the process of adequacy.

284 CZ, DE and SI reservation on giving such power to the Commission. NL and UK indicated that on this point the proposal seemed to indicate a shift from the 1995 Data Protection Directive, which put the responsibility for assessing a third country's data protection legislation in the first place with the controller who wanted to transfer personal data. UK had considerable doubts on the feasibility of the list in paragraph 2.

transfer to a third country or to an international organisation may only take place if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation.

transfer to a third country or to an international organisation may only take place if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation.

Article 41 Article 41 Article 41

Transfers with an adequacy decision

Transfers with an adequacy decision

Transfers with an adequacy decision283

Amendment 137

1. A transfer may take place where the Commission has decided that the third country, or a territory or a processing sector within that third country, or the international organisation in question ensures an

1. A transfer may take place where the Commission has decided that the third country, or a territory or a processing sector within that third country, or the international organisation in question ensures an

1. A transfer of personal data to a third country or an international organisation may take place where the Commission284 has decided that the third country, or a territory or one


285 AT would have preferred including a reference to national security.

adequate level of protection. Such transfer shall not require any further authorisation.

adequate level of protection. Such transfer shall not require any further specific authorisation.

or more specified a processing sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such transfer shall not require any further specific authorisation.

2. When assessing the adequacy of the level of protection, the Commission shall give consideration to the following elements:

2. When assessing the adequacy of the level of protection, the Commission shall give consideration to the following elements:

2. When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of give consideration to the following elements:

(a) the rule of law, relevant legislation in force, both general and sectoral, including concerning public security, defence, national security and criminal law, the professional rules and security measures which are complied with in that country or by that international organisation, as well as effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being

(a) the rule of law, relevant legislation in force, both general and sectoral, including concerning public security, defence, national security and criminal law as well as the implementation of this legislation, the professional rules and security measures which are complied with in that country or by that international organisation, jurisprudential precedents, as well as effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data

(a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation in force285, both general and sectoral, data protection including concerning public security, defence, national security and criminal law, the professional rules and security measures, including rules for onward transfer of personal data to another third country or international organisation, which are complied with in that country or by that international organisation, as well


286 NL thought that Article 41 was based on fundamental rights and legislation whereas Safe harbour is of a voluntary basis and that it was therefore useful to set out elements of Safe Harbour in a separate Article. DE asked how Safe Harbour could be set out in Chapter V.

287 NL queried how strict this independence would need to be assessed. BE suggested adding a reference to independent judicial authorities, FI suggested to refer to 'authorities' tout court.

transferred; subjects residing in the Union whose personal data are being transferred;

as the existences of effective and enforceable data subject rights including and effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred286;

(b) the existence and effective functioning of one or more independent supervisory authorities in the third country or international organisation in question responsible for ensuring compliance with the data protection rules, for assisting and advising the data subjects in exercising their rights and for co-operation with the supervisory authorities of the Union and of Member States; and

(b) the existence and effective functioning of one or more independent supervisory authorities in the third country or international organisation in question responsible for ensuring compliance with the data protection rules, including sufficient sanctioning powers, for assisting and advising the data subjects in exercising their rights and for co-operation with the supervisory authorities of the Union and of Member States; and

(b) the existence and effective functioning of one or more independent supervisory authorities287 in the third country or to which an international organisation in question is subject, with responsibleility for ensuring and enforcing compliance with the data protection rules including adequate sanctioning powers for assisting and advising the data subjects in exercising their rights and for co-operation with the supervisory authorities of the Union and of Member States; and

(c) the international commitments the third country or

(c) the international commitments the third country or international

(c) the international commitments the third country or


288 CZ would prefer stronger language on the COM obligation to request an opinion from the EDPB.

289 CZ, RO and SI reservation on giving such power to the Commission. DE thought that stakeholders should be involved in this process. NL and UK indicated that on this point the proposal seemed to indicate a shift from the 1995 Data Protection Directive, which put the responsibility for assessing a third country's data protection legislation in the first place with the controller who wanted to transfer personal data.

international organisation in question has entered into.

organisation in question has entered into, in particular any legally binding conventions or instruments with respect to the protection of personal data.

international organisation in question concerned has entered into or other obligations arising from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

2a. The European Data Protection Board shall give the Commission an opinion288 for the assessment of the adequacy of the level of protection in a third country or international organization, including for the assessment whether a third country or the territory or the international organization or the specified sector no longer ensures an adequate level of protection.

3. The Commission may decide that a third country, or a territory or a processing sector within that third country, or an

3. The Commission may shall be empowered to adopt delegated acts in accordance with Article 86 to decide that a third country, or a

3. The Commission, after assessing the adequacy289 of the level of protection, may decide that a third country, or a territory or one or


290 CZ, DE, DK, HR, IT, NL, PL, SK and RO thought an important role should be given to the EDPB in assessing these elements. COM has pointed out that there can be no additional step in the Comitology procedure, in order to be in line with the Treaties and Regulation 182/2011.

291 DE queried the follow-up to such decisions and warned against the danger that third countries benefiting from an adequacy decision might not continue to offer the same level of data protection. COM indicated there was monitoring of third countries for which an adequacy decision was taken.

292 Moved from paragraph 8. CZ and AT thought an absolute maximum time period should be set (sunset clause), to which COM was opposed. NL, PT and SI thought this paragraph 3a was superfluous or at least unclear. Also RO thought that, if maintained, it should be moved to the end of the Regulation.

international organisation ensures an adequate level of protection within the meaning of paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

territory or a processing sector within that third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2. Those implementing acts Such delegated acts shall be adopted in accordance with the examination procedure referred to in Article 87(2) provide for a sunset clause if they concern a processing sector and shall be revoked according to paragraph 5 as soon as an adequate level of protection according to this Regulation is no longer ensured.

more specified a processing sectors within that third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2 290. Those implementing acts shall specify its territorial and sectoral application and, where applicable, identify the (independent) supervisory authority(ies) mentioned in point (b) of paragraph 2. The implementing act shall be adopted in accordance with the examination procedure referred to in Article 87(2)291.

3a. Decisions adopted by the Commission on the basis of Article 25(6) of Directive 95/46/EC shall remain in force until amended, replaced or repealed by the Commission292 in accordance with


293 DE and ES suggested to request the Board for an opinion. COM has pointed out that there can be no additional step in the Comitology procedure, in order to be in line with the Treaties and Regulation 182/2011. DE asked if a decision in paragraph 3a lasted forever. IE considered paragraph 3a providing necessary flexibility. CZ thought that new States should not be disadvantaged compared to those having received an adequacy decision under Directive 1995.

294 BE queried about the reference to the 1995 Directive. CZ perceives this as superfluous.

the examination procedure referred to in Article 87(2)293.

4. The implementing act shall specify its geographical and sectoral application, and, where applicable, identify the supervisory authority mentioned in point (b) of paragraph 2.

4. The implementing delegated act shall specify its geographical territorial and sectoral application, and, where applicable, identify the supervisory authority mentioned in point (b) of paragraph 2.

deleted

4a. The Commission shall, on an on-going basis, monitor developments in third countries and international organisations that could affect the elements listed in paragraph 2 where a delegated act pursuant to paragraph 3 has been adopted.

4a. The Commission shall monitor the functioning of decisions adopted pursuant to paragraph 3 and decisions adopted on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC294.

5. The Commission may decide that a third country, or a territory or a processing sector within that third country, or an international organisation does not ensure an adequate level of protection within the meaning of

5. The Commission may shall be empowered to adopt delegated acts in accordance with Article 86 to decide that a third country, or a territory or a processing sector within that third country, or an international organisation does not

5. The Commission may decide that a third country, or a territory or a processing specified sector within that third country, or an international organisation does not no longer ensures an adequate level of protection within the meaning of

295 FR and UK suggested the EDPB give an opinion before COM decided to withdraw an adequacy decision.

paragraph 2 of this Article, in particular in cases where the relevant legislation, both general and sectoral, in force in the third country or international organisation, does not guarantee effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2), or, in cases of extreme urgency for individuals with respect to their right to personal data protection, in accordance with the procedure referred to in Article 87(3).

ensure or no longer ensures an adequate level of protection within the meaning of paragraph 2 of this Article, in particular in cases where the relevant legislation, both general and sectoral, in force in the third country or international organisation, does not guarantee effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2), or, in cases of extreme urgency for individuals with respect to their right to personal data protection, in accordance with the procedure referred to in Article 87(3).

paragraph 2 and may, where necessary, repeal, amend or suspend such decision without retro-active effect of this Article, in particular in cases where the relevant legislation, both general and sectoral, in force in the third country or international organisation, does not guarantee effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2), or, in cases of extreme urgency for individuals with respect to their right to personal data protection, in accordance with the procedure referred to in Article 87(3).295

6. Where the Commission decides pursuant to paragraph 5, any transfer of personal data to the third country, or a territory or a processing sector within that third

6. Where the Commission decides pursuant to paragraph 5, any transfer of personal data to the third country, or a territory or a processing sector within that third

6. Where the Commission decides A decision pursuant to paragraph 5, any is without prejudice to transfers of personal data to the third country, or a the

296 DE asked for the deletion of paragraph 6. DK thought the moment when third countries should be consulted was unclear.

country, or the international organisation in question shall be prohibited, without prejudice to Articles 42 to 44. At the appropriate time, the Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation resulting from the Decision made pursuant to paragraph 5 of this Article.

country, or the international organisation in question shall be prohibited, without prejudice to Articles 42 to 44. At the appropriate time, the Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation resulting from the Decision decision made pursuant to paragraph 5 of this Article.

territory or a processing specified sector within that third country, or the international organisation in question shall be prohibited, without prejudice pursuant to Articles 42 to 44 296. At the appropriate time, the Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation resulting from the Decision made pursuant to paragraph 5 of this Article.

6a. Prior to adopting a delegated act pursuant to paragraphs 3 and 5, the Commission shall request the European Data Protection Board to provide an opinion on the adequacy of the level of protection. To that end, the Commission shall provide the European Data Protection Board with all necessary documentation, including correspondence with the government of the third country, territory or processing sector within that third country or the international organisation.

7. The Commission shall publish in the Official Journal of the European Union a list of those third countries, territories and processing sectors within a third country and international organisations where it has decided that an adequate level of protection is or is not ensured.

7. The Commission shall publish in the Official Journal of the European Union and on its website a list of those third countries, territories and processing sectors within a third country and international organisations where it has decided that an adequate level of protection is or is not ensured.

7. The Commission shall publish in the Official Journal of the European Union a list of those third countries, territories and processing specified sectors within a third country and international organisations where it has decided that an adequate level of protection is or is not ensured in respect of which decisions have been taken pursuant to paragraphs 3, 3a and 5.

8. Decisions adopted by the Commission on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC shall remain in force, until amended, replaced or repealed by the Commission.

8. Decisions adopted by the Commission on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC shall remain in force until five years after the entry into force of this Regulation unless amended, replaced or repealed by the Commission before the end of this period.

deleted

297 UK expressed concerns regarding the length of authorisation procedures and the burdens these would put on DPA resources. The use of these procedures regarding data flows in the context of cloud computing was also questioned.

Article 42 Article 42 Article 42

Transfers by way of appropriate safeguards

Transfers by way of appropriate safeguards

Transfers by way of appropriate safeguards297

Amendment 138

1. Where the Commission has taken no decision pursuant to Article 41, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument.

1. Where the Commission has taken no decision pursuant to Article 41, or decides that a third country, or a territory or processing sector within that third country, or an international organisation does not ensure an adequate level of protection in accordance with Article 41(5), a controller or processor may not transfer personal data to a third country, territory or an international organisation unless the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument.

1. Where the Commission has taken no In the absence of decision pursuant to paragraph 3 of Article 41, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument, also covering onward transfers.

2. The appropriate safeguards referred to in paragraph 1 shall be provided for, in particular, by:

2. The appropriate safeguards referred to in paragraph 1 shall be provided for, in particular, by:

2. The appropriate safeguards referred to in paragraph 1 shall may be provided for, in particular without requiring any

298 HU has serious concerns; the proposed general clause (“a legally binding instrument”) is too vague because the text does not define its content. Furthermore, the text does not provide for previous examination by the DPA either. HU therefore suggests either deleting this point or subjecting such instrument to the authorisation of the DPA, as it believes that there is a real risk that transfers based on such a vague instrument might seriously undermine the rights of the data subjects.

299 FR reservation on the possibility for COM to adopt such standard clauses.

specific authorisation from a supervisory authority, by:

(oa) a legally binding and enforceable instrument between public authorities or bodies298; or

(a) binding corporate rules in accordance with Article 43; or

(a) binding corporate rules in accordance with Article 43; or

(a) binding corporate rules in accordance with referred to in Article 43; or

(aa) a valid “European Data Protection Seal” for the controller and the recipient in accordance with paragraph 1e of Article 39; or

(b) standard data protection clauses adopted by the Commission. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2); or

deleted

(b) standard data protection clauses adopted by the Commission. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2)299; or

(c) standard data protection clauses adopted by a supervisory authority in accordance with the consistency mechanism referred to

(c) standard data protection clauses adopted by a supervisory authority in accordance with the consistency mechanism referred to in Article 57

(c) standard data protection clauses adopted by a supervisory authority in accordance with the consistency mechanism referred to in Article 57

in Article 57 when declared generally valid by the Commission pursuant to point (b) of Article 62(1); or

when declared generally valid by the Commission pursuant to point (b) of Article 62(1); or

when declared generally valid and adopted by the Commission pursuant to point (b) of Article 62(1) the examination procedure referred to in Article 87(2); or

(d) contractual clauses between the controller or processor and the recipient of the data authorised by a supervisory authority in accordance with paragraph 4.

(d) contractual clauses between the controller or processor and the recipient of the data authorised by a supervisory authority in accordance with paragraph 4.

(d) contractual clauses between the controller or processor and the recipient of the data authorised by a supervisory authority in accordance with paragraph 4. an approved code of conduct pursuant to Article 38 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or

(e) an approved certification mechanism pursuant to Article 39 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

2a. Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in

paragraph 1 may also be provided for, in particular, by:

(a) contractual clauses between the controller or processor and the controller, processor or the recipient of the data in the third country or international organisation; or

(b) (…)

(c) (…)

(d) provisions to be inserted into administrative arrangements between public authorities or bodies.

3. A transfer based on standard data protection clauses or binding corporate rules as referred to in points (a), (b) or (c) of paragraph 2 shall not require any further authorisation.

3. A transfer based on standard data protection clauses, a “European Data Protection Seal” or binding corporate rules as referred to in point (a), (b) (aa) or (c) of paragraph 2 shall not require any further specific authorisation.

deleted

4. Where a transfer is based on contractual clauses as referred to in point (d) of paragraph 2 of this Article the controller or processor shall obtain prior authorisation of the contractual clauses according to point (a) of Article 34(1) from the

4. Where a transfer is based on contractual clauses as referred to in point (d) of paragraph 2 of this Article the controller or processor shall obtain prior authorisation of the contractual clauses according to point (a) of Article 34(1) from the

deleted

supervisory authority. If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57.

supervisory authority. If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57.

5. Where the appropriate safeguards with respect to the protection of personal data are not provided for in a legally binding instrument, the controller or processor shall obtain prior authorisation for the transfer, or a set of transfers, or for provisions to be inserted into administrative arrangements providing the basis for such transfer. Such authorisation by the supervisory authority shall be in accordance with point (a) of Article 34(1). If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free

5. Where the appropriate safeguards with respect to the protection of personal data are not provided for in a legally binding instrument, the controller or processor shall obtain prior authorisation for the transfer, or a set of transfers, or for provisions to be inserted into administrative arrangements providing the basis for such transfer. Such authorisation by the supervisory authority shall be in accordance with point (a) of Article 34(1). If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within

deleted

300 UK and ES disagreed with the principle of subjecting non-standardised contracts to prior authorisation by DPAs. IT was thought that this was contrary to the principle of accountability. DE emphasised the need of monitoring.

movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57. Authorisations by a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid, until amended, replaced or repealed by that supervisory authority.

the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57. Authorisations by a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid, until two years after the entry into force of this Regulation unless amended, replaced or repealed by that supervisory authority before the end of that period.

5a. The supervisory authority shall apply the consistency mechanism in the cases referred to in points (ca), (d), (e) and (f) of Article 57 (2).

5b. Authorisations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed by that supervisory authority300. Decisions adopted by the Commission on the basis of Article 26(4) of Directive

301 AT thought an absolute time period should be set.

302 DE and ES have suggested to request the Board for an opinion. COM has pointed out that there can be no additional step in the Comitology procedure, in order to be in line with the Treaties and Regulation 182/2011.

303 NL thought it should be given a wider scope. BE and NL pointed to the need for a transitional regime allowing to 'grandfather' existing BCRs. NL asked whether the BCRs should also be binding upon employees. SI thought BCRs should also be possible with regard to some public authorities, but COM stated that it failed to see any cases in the public sector where BCRs could be applied. HU said that it thought that BCRs were used not only by profit-seeking companies but also by international bodies and NGOs.

304 DE and UK expressed concerns on the lengthiness and cost of such approval procedures. The question was raised which DPAs should be involved in the approval of such BCRs in the consistency mechanism.

95/46/EC shall remain in force until amended, replaced or repealed by the Commission301 in accordance with the examination procedure referred to in Article 87(2)302.

Article 43 Article 43 Article 43

Transfers by way of binding corporate rules

Transfers by way of binding corporate rules

Transfers by way of bBinding corporate rules303

Amendment 139

1. A supervisory authority shall in accordance with the consistency mechanism set out in Article 58 approve binding corporate rules, provided that they:

1. A The supervisory authority shall in accordance with the consistency mechanism set out in Article 58 approve binding corporate rules, provided that they:

1. A The competent supervisory authority shall approve304 binding corporate rules in accordance with the consistency mechanism set out in Article 58 57 approve binding corporate rules, provided that they:

(a) are legally binding and apply to and are enforced by every member within the controller’s or

(a) are legally binding and apply to and are enforced by every member within the controller’s group of

(a) are legally binding and apply to and are enforced by every member concerned of the within the

processor's group of undertakings, and include their employees;

undertakings and those external subcontractors that are covered by the scope of the binding corporate rules, and include their employees;

controller’s or processor's group of undertakings or group of enterprises engaged in a joint economic activity, and include their employees;

(b) expressly confer enforceable rights on data subjects;

(b) expressly confer enforceable rights on data subjects;

(b) expressly confer enforceable rights on data subjects with regard to the processing of their personal data;

(c) fulfil the requirements laid down in paragraph 2.

(c) fulfil the requirements laid down in paragraph 2

(c) fulfil the requirements laid down in paragraph 2.

1a. With regard to employment data, the representatives of the employees shall be informed about and, in accordance with Union or Member State law and practice, be involved in the drawing-up of binding corporate rules pursuant to Article 43.

2. The binding corporate rules shall at least specify:

2. The binding corporate rules shall at least specify.

2. The binding corporate rules referred to in paragraph 1 shall at least specify at least:

(a) the structure and contact details of the group of undertakings and its members;

(a) the structure and contact details of the group of undertakings and its members and those external subcontractors that are covered by the scope of the binding corporate

(a) the structure and contact details of the concerned group of undertakings and of each of its members;

rules;

(b) the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;

(b) the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;

(b) the data transfers or set categories of transfers, including the categories types of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;

(c) their legally binding nature, both internally and externally;

(c) their legally binding nature, both internally and externally;

(c) their legally binding nature, both internally and externally;

(d) the general data protection principles, in particular purpose limitation, data quality, legal basis for the processing, processing of sensitive personal data; measures to ensure data security; and the requirements for onward transfers to organisations which are not bound by the policies;

(d) the general data protection principles, in particular purpose limitation, data minimisation, limited retention periods, data quality, data protection by design and by default, legal basis for the processing, processing of sensitive personal data; measures to ensure data security; and the requirements for onward transfers to organisations which are not bound by the policies;

(d) application of the general data protection principles, in particular purpose limitation, data quality, legal basis for the processing, processing of sensitive special categories of personal data;, measures to ensure data security;, and the requirements for in respect of onward transfers to organisations bodies which are not bound by the policies binding corporate rules;

(e) the rights of data subjects and the means to exercise these rights, including the right not to be subject to a measure based on profiling in accordance with Article

(e) the rights of data subjects and the means to exercise these rights, including the right not to be subject to a measure based on profiling in accordance with Article 20, the

(e) the rights of data subjects in regard to the processing of their personal data and the means to exercise these rights, including the right not to be subject to a measure

305 DE thought that the reference to exemptions should be deleted here.

20, the right to lodge a complaint before the competent supervisory authority and before the competent courts of the Member States in accordance with Article 75, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;

right to lodge a complaint before the competent supervisory authority and before the competent courts of the Member States in accordance with Article 75, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;

based on profiling in accordance with Article 20, the right to lodge a complaint before the competent supervisory authority and before the competent courts of the Member States in accordance with Article 75, and to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;

(f) the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member of the group of undertakings not established in the Union; the controller or the processor may only be exempted from this liability, in whole or in part, if he proves that that member is not responsible for the event giving rise to the damage;

(f) the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member of the group of undertakings not established in the Union; the controller or the processor may only be exempted from this liability, in whole or in part, if he proves that that member is not responsible for the event giving rise to the damage;

(f) the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member concerned of the group of undertakings not established in the Union; the controller or the processor may only be exempted from this liability, in whole or in part, if he proves on proving that that member is not responsible for the event giving rise to the damage305;

(g) how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this

(g) how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this

(g) how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this

paragraph is provided to the data subjects in accordance with Article 11;

paragraph is provided to the data subjects in accordance with Article 11;

paragraph is provided to the data subjects in accordance with Articles 11 14 and 14a;

(h) the tasks of the data protection officer designated in accordance with Article 35, including monitoring within the group of undertakings the compliance with the binding corporate rules, as well as monitoring the training and complaint handling;

(h) the tasks of the data protection officer designated in accordance with Article 35, including monitoring within the group of undertakings the compliance with the binding corporate rules, as well as monitoring the training and complaint handling;

(h) the tasks of the any data protection officer designated in accordance with Article 35 or any other person or entity in charge of the , including monitoring within the group of undertakings the compliance with the binding corporate rules within the group, as well as monitoring the training and complaint handling;

(hh) the complaint procedures;

(i) the mechanisms within the group of undertakings aiming at ensuring the verification of compliance with the binding corporate rules;

(i) the mechanisms within the group of undertakings aiming at ensuring the verification of compliance with the binding corporate rules;

(i) the mechanisms within the group of undertakings aiming at for ensuring the verification of compliance with the binding corporate rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. Results of such verification should be communicated to the person or entity referred under point h) and to the board of the controlling undertaking or of the group of enterprises, and should be

306 BE suggested making this more explicit in case of a conflict between the 'local' legislation applicable to a member of the group and the BCR.

307 CZ expressed concerns about the purpose of this provision and its application. UK found this point very prescriptive and wanted BCRs to be flexible to be able to be used for different circumstances.

available upon request to the competent supervisory authority;

(j) the mechanisms for reporting and recording changes to the policies and reporting these changes to the supervisory authority;

(j) the mechanisms for reporting and recording changes to the policies and reporting these changes to the supervisory authority;

(j) the mechanisms for reporting and recording changes to the policies rules and reporting these changes to the supervisory authority;

(k) the co-operation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, in particular by making available to the supervisory authority the results of the verifications of the measures referred to in point (i) of this paragraph.

(k) the co-operation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, in particular by making available to the supervisory authority the results of the verifications of the measures referred to in point (i) of this paragraph.

(k) the co-operation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings, in particular by making available to the supervisory authority the results of the verifications of the measures referred to in point (i) of this paragraph;306

(l) the mechanisms for reporting to the competent supervisory authority any legal requirements to which a member of the group is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules307; and

308 CZ, IT, SE and NL reservation. FR scrutiny reservation regarding (public) archives. RO and HR thought the EDPB should be involved. PL and COM wanted to keep paragraph 3.

(m) the appropriate data protection training to personnel having permanent or regular access to personal data (...).

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for binding corporate rules within the meaning of this Article, in particular as regards the criteria for their approval, the application of points (b), (d), (e) and (f) of paragraph 2 to binding corporate rules adhered to by processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the format, procedures, criteria and requirements for binding corporate rules within the meaning of this Article, in particular as regards the criteria for their approval, including transparency for data subjects, the application of points (b), (d), (e) and (f) of paragraph 2 to binding corporate rules adhered to by processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned.

[3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for binding corporate rules within the meaning of this Article, in particular as regards the criteria for their approval, the application of points (b), (d), (e) and (f) of paragraph 2 to binding corporate rules adhered to by processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned.]308

4. The Commission may specify the format and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding

deleted

4. The Commission may specify the format and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding

corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).

corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).

Amendment 140

Article 43a (new)

Transfers or disclosures not authorised by Union law

1. No judgment of a court or tribunal and no decision of an administrative authority of a third country requiring a controller or processor to disclose personal data shall be recognised or be enforceable in any manner, without prejudice to a mutual legal assistance treaty or an international agreement in force between the requesting third country and the Union or a Member State.

2. Where a judgment of a court or tribunal or a decision of an administrative authority of a third country requests a controller or processor to disclose personal data,

the controller or processor and, if any, the controller's representative, shall notify the supervisory authority of the request without undue delay and must obtain prior authorisation for the transfer or disclosure by the supervisory authority.

3. The supervisory authority shall assess the compliance of the requested disclosure with the Regulation and in particular whether the disclosure is necessary and legally required in accordance with points (d) and (e) of Article 44(1) and Article 44(5). Where data subjects from other Member States are affected, the supervisory authority shall apply the consistency mechanism referred to in Article 57.

4. The supervisory authority shall inform the competent national authority of the request. Without prejudice to Article 21, the controller or processor shall also inform the data subjects of the request and of the authorisation by the supervisory authority and

309 EE reservation. NL parliamentary reservation. CZ, EE and UK and other delegations that in reality these 'derogations' would become the main basis for international data transfers and this should be acknowledged as such by the text of the Regulation.

310 UK thought the question of the nature of the consent needed to be discussed in a horizontal manner.

where applicable inform the data subject whether personal data was provided to public authorities during the last consecutive 12-month period, pursuant to point (ha) of Article 14(1).

Article 44 Article 44 Article 44

Derogations Derogations

Derogations for specific situations309

Amendment 141

1. In the absence of an adequacy decision pursuant to Article 41 or of appropriate safeguards pursuant to Article 42, a transfer or a set of transfers of personal data to a third country or an international organisation may take place only on condition that:

1. In the absence of an adequacy decision pursuant to Article 41 or of appropriate safeguards pursuant to Article 42, a transfer or a set of transfers of personal data to a third country or an international organisation may take place only on condition that:

1. In the absence of an adequacy decision pursuant to paragraph 3 of Article 41, or of appropriate safeguards pursuant to Article 42, including binding corporate rules a transfer or a set category of transfers of personal data to a third country or an international organisation may take place only on condition that:

(a) the data subject has consented to the proposed transfer, after having been informed of the

(a) the data subject has consented to the proposed transfer, after having been informed of the risks of such

(a) the data subject has explicitly310 consented to the proposed transfer, after having been informed of the

311 DE remarked that the effects of (d) in conjunction with paragraph 5 need to be examined, in particular with respect to the transfer of data on the basis of court judgments and decisions by administrative authorities of third states, and with regard to existing mutual legal assistance treaties. IT reservation on the (subjective) use of the concept of public interest. HR suggested adding 'which is not overridden by the legal interest of the data subject'.

risks of such transfers due to the absence of an adequacy decision and appropriate safeguards; or

transfers due to the absence of an adequacy decision and appropriate safeguards; or

risks of that such transfers may involve risks for the data subject due to the absence of an adequacy decision and appropriate safeguards; or

(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request; or

(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request; or

(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request; or

(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person; or

(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person; or

(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person; or

(d) the transfer is necessary for important grounds of public interest; or

(d) the transfer is necessary for important grounds of public interest; or

(d) the transfer is necessary for important grounds reasons of public interest311; or

(e) the transfer is necessary for the establishment, exercise or defence of legal claims; or

(e) the transfer is necessary for the establishment, exercise or defence of legal claims; or

(e) the transfer is necessary for the establishment, exercise or defence of legal claims; or

312 AT, ES, HU, MT, PL, PT and SI would prefer to have this derogation deleted as they think it is too wide; it was stated that data transfers based on the legitimate interest of the data controller and directed into third countries that do not provide for an adequate level of protection with regard to the right of the data subjects would entail a serious risk of lowering the level of protection the EU acquis currently provides for.) DE and ES scrutiny reservation on the terms 'frequent or massive'. DE, supported by SI, proposed to narrow it by referring to 'overwhelming legitimate interest'. ES proposed to replace it by 'are small-scale and occasional'; UK asked why it was needed to add another qualifier to the legitimate interest of the transfer and thought that such narrowing down of this derogation was against the risk-based approach.

(f) the transfer is necessary in order to protect the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving consent; or

(f) the transfer is necessary in order to protect the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving consent; or

(f) the transfer is necessary in order to protect the vital interests of the data subject or of another persons, where the data subject is physically or legally incapable of giving consent; or

(g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in Union or Member State law for consultation are fulfilled in the particular case; or

(g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in Union or Member State law for consultation are fulfilled in the particular case.

(g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down in Union or Member State law for consultation are fulfilled in the particular case; or

(h) the transfer is necessary for the purposes of the legitimate interests pursued by the controller or the processor, which cannot be qualified as frequent or massive, and where the controller or

deleted

(h) the transfer, which is not large scale or frequent312, is necessary for the purposes of the legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of

313 AT and NL reservation: it was unclear how this reference to appropriate safeguards relates to appropriate safeguards in Article 42.

processor has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and based on this assessment adduced appropriate safeguards with respect to the protection of personal data, where necessary.

the data subject or the processor, which cannot be qualified as frequent or massive, and where the controller or processor has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and based on this assessment adduced appropriate suitable safeguards313 with respect to the protection of personal data, where necessary.

2. A transfer pursuant to point (g) of paragraph 1 shall not involve the entirety of the personal data or entire categories of the personal data contained in the register. When the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.

2. A transfer pursuant to point (g) of paragraph 1 shall not involve the entirety of the personal data or entire categories of the personal data contained in the register. When the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.

2. A transfer pursuant to point (g) of paragraph 1 shall not involve the entirety of the personal data or entire categories of the personal data contained in the register. When the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.

3. Where the processing is based on point (h) of paragraph 1, the controller or processor shall give particular consideration to the nature of the data, the purpose and duration of the proposed processing

deleted deleted

314 BE scrutiny reservation. FR has a reservation concerning the exception of public authorities.

operation or operations, as well as the situation in the country of origin, the third country and the country of final destination, and adduced appropriate safeguards with respect to the protection of personal data, where necessary.

4. Points (b), (c) and (h) of paragraph 1 shall not apply to activities carried out by public authorities in the exercise of their public powers.

4. Points (b), and (c) and (h) of paragraph 1 shall not apply to activities carried out by public authorities in the exercise of their public powers.

4. Points (a), (b), (c) and (h) of paragraph 1 shall not apply to activities carried out by public authorities in the exercise of their public powers314.

5. The public interest referred to in point (d) of paragraph 1 must be recognised in Union law or in the law of the Member State to which the controller is subject.

5. The public interest referred to in point (d) of paragraph 1 must be recognised in Union law or in the law of the Member State to which the controller is subject.

5. The public interest referred to in point (d) of paragraph 1 must be recognised in Union law or in the national law of the Member State to which the controller is subject.

5a. In the absence of an adequacy decision, Union law or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of personal data to a third country or

315 SI and UK scrutiny reservation. FR and ES proposed that this provision should be included in another provision.

316 Some delegations (FR, PL, SI) referred to the proposal made by DE (for new Article 42a: 12884/13 DATAPROTECT 117 JAI 689 MI 692 DRS 149 DAPIX 103 FREMP 116 COMIX 473 CODEC 186) and the amendment voted by the European Parliament (Article 43a), which will imply discussions at a later stage.

an international organisation315. Member States shall notify such provisions to the Commission316.

6. The controller or processor shall document the assessment as well as the appropriate safeguards adduced referred to in point (h) of paragraph 1 of this Article in the documentation referred to in Article 28 and shall inform the supervisory authority of the transfer.

deleted

6. The controller or processor shall document the assessment as well as the appropriate suitable safeguards adduced referred to in point (h) of paragraph 1 of this Article in the documentation records referred to in Article 28 and shall inform the supervisory authority of the transfer.

7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying 'important grounds of public interest' within the meaning of point (d) of paragraph 1 as well as the criteria and requirements for appropriate safeguards referred to in point (h) of paragraph 1.

7. The Commission European Data Protection Board shall be empowered to adopt delegated acts in accordance with Article 86 entrusted with the task of issuing guidelines, recommendations and best practices in accordance with point (b) of Article 66(1) for the purpose of further specifying 'important grounds of public interest' within the meaning of point (d) of paragraph 1 as well as the criteria and requirements for appropriate safeguards referred to in

deleted

317 PL thought (part of) Article 45 could be inserted into the preamble. NL, RO and UK also doubted the need for this article in relation to adequacy and thought that any other international co-operation between DPAs should be dealt with in Chapter VI. NL thought this article could be deleted. ES has made an alternative proposal, set out in 6723/6/13 REV 6 DATAPROTECT 20 JAI 130 MI 131 DRS 34 DAPIX 30 FREMP 15 COMIX 111 CODEC 394.

point (h) data transfers on the basis of paragraph 1.

Article 45 Article 45 Article 45

International co-operation for the protection of personal data

International co-operation for the protection of personal data

International co-operation for the protection of personal data317

Amendment 142

1. In relation to third countries and international organisations, the Commission and supervisory authorities shall take appropriate steps to:

1. In relation to third countries and international organisations, the Commission and supervisory authorities shall take appropriate steps to:

1. In relation to third countries and international organisations, the Commission and supervisory authorities shall take appropriate steps to:

(a) develop effective international co-operation mechanisms to facilitate the enforcement of legislation for the protection of personal data;

(a) develop effective international co-operation mechanisms to facilitate ensure the enforcement of legislation for the protection of personal data;

(a) develop effective international co-operation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data;

(b) provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and

(b) provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and

(b) provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and

318 AT and FI thought this subparagraph was unclear and required clarification.

information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms;

information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms;

information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms318;

(c) engage relevant stakeholders in discussion and activities aimed at furthering international co-operation in the enforcement of legislation for the protection of personal data;

(c) engage relevant stakeholders in discussion and activities aimed at furthering international co-operation in the enforcement of legislation for the protection of personal data;

(c) engage relevant stakeholders in discussion and activities aimed at furthering promoting international co-operation in the enforcement of legislation for the protection of personal data;

(d) promote the exchange and documentation of personal data protection legislation and practice.

d) promote the exchange and documentation of personal data protection legislation and practice.;

(d) promote the exchange and documentation of personal data protection legislation and practice.

Amendment 143

(da) clarify and consult on jurisdictional conflicts with third countries.

2. For the purposes of paragraph 1, the Commission shall take appropriate steps to advance the relationship with third countries or international organisations, and in particular their supervisory authorities, where the Commission

2. For the purposes of paragraph 1, the Commission shall take appropriate steps to advance the relationship with third countries or international organisations, and in particular their supervisory authorities, where the Commission

deleted

has decided that they ensure an adequate level of protection within the meaning of Article 41(3).

has decided that they ensure an adequate level of protection within the meaning of Article 41(3).

Amendment 144

Article 45a (new)

Report by the Commission

The Commission shall submit to the European Parliament and the Council at regular intervals, starting not later than four years after the date referred to in Article 91(1), a report on the application of Articles 40 to 45. For that purpose, the Commission may request information from the Member States and supervisory authorities, which shall be supplied without undue delay. The report shall be made public.

319 At the request of IT, COM clarified that this DPA could be the same as the one designated/set up under the future Data Protection Directive. ES asked for clarification that a DPA may be composed of more members, but this is already sufficiently clear from the current text. DE indicated that it would require an intra-German consistency mechanism between the its various DPAs.

CHAPTER VI INDEPENDENT SUPERVISORY AUTHORITIES

CHAPTER VI INDEPENDENT SUPERVISORY AUTHORITIES

CHAPTER VI INDEPENDENT SUPERVISORY AUTHORITIES

SECTION 1 INDEPENDENT STATUS

SECTION 1 INDEPENDENT STATUS

SECTION 1 INDEPENDENT STATUS

Article 46 Article 46 Article 46

Supervisory authority Supervisory authority Supervisory authority319

1. Each Member State shall provide that one or more public authorities are responsible for monitoring the application of this Regulation and for contributing to its consistent application throughout the Union, in order to protect the fundamental rights and freedoms of natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the Union. For these purposes, the supervisory authorities shall co-

1. Each Member State shall provide that one or more public authorities are responsible for monitoring the application of this Regulation and for contributing to its consistent application throughout the Union, in order to protect the fundamental rights and freedoms of natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the Union. For these purposes, the supervisory authorities shall co-operate with

1. Each Member State shall provide that one or more independent public authorities are responsible for monitoring the application of this Regulation and for contributing to its consistent application throughout the Union, in order to protect the fundamental rights and freedoms of natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the Union. For these purposes, the supervisory authorities shall co-

operate with each other and the Commission.

each other and the Commission.

operate with each other and the Commission.

1a Each supervisory authority shall contribute to the consistent application of this Regulation throughout the Union. For this purpose, the supervisory authorities shall co-operate with each other and the Commission in accordance with Chapter VII.

2. Where in a Member State more than one supervisory authority are established, that Member State shall designate the supervisory authority which functions as a single contact point for the effective participation of those authorities in the European Data Protection Board and shall set out the mechanism to ensure compliance by the other authorities with the rules relating to the consistency mechanism referred to in Article 57.

2. Where in a Member State more than one supervisory authority are established, that Member State shall designate the supervisory authority which functions as a single contact point for the effective participation of those authorities in the European Data Protection Board and shall set out the mechanism to ensure compliance by the other authorities with the rules relating to the consistency mechanism referred to in Article 57.

2. Where in a Member State more than one supervisory authority are established, that Member State shall designate the supervisory authority which functions as a single contact point for the effective participation of shall represent those authorities in the European Data Protection Board and shall set out the mechanism to ensure compliance by the other authorities with the rules relating to the consistency mechanism referred to in Article 57.

3. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to this Chapter, by the date specified in Article 91(2) at

3. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to this Chapter, by the date specified in Article 91(2) at the

[3. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to this Chapter, by the date specified in Article 91(2) at

320 DE, FR and EE that thought that this paragraph could be moved to the final provisions.

321 GR scrutiny reservation.

322 IE reservation: IE thought the latter part of this paragraph was worded too strongly.

the latest and, without delay, any subsequent amendment affecting them.

latest and, without delay, any subsequent amendment affecting them.

the latest and, without delay, any subsequent amendment affecting them320.]

Article 47 Article 47 Article 47

Independence Independence Independence

Amendment 145

1. The supervisory authority shall act with complete independence in exercising the duties and powers entrusted to it.

1. The supervisory authority shall act with complete independence in exercising the duties and powers entrusted to it, notwithstanding co-operative and consistency arrangements related to Chapter VII of this Regulation.

1. The Each supervisory authority shall act with complete independence in performing the duties321 and exercising the duties and powers entrusted to it in accordance with this Regulation..

2. The members of the supervisory authority shall, in the performance of their duties, neither seek nor take instructions from anybody.

2. The members of the supervisory authority shall, in the performance of their duties, neither seek nor take instructions from anybody.

2. The member or members of the each supervisory authority shall, in the performance of their duties and exercise of their powers in accordance with this Regulation, remain free from external influence, whether direct or indirect, and neither seek nor take instructions from anybody322.


323 AT, BE, DE and HU would prefer to reinstate this text. CZ, EE and SE were satisfied with the deletion.

324 COM and DE, AT reservation on deletion of paragraphs 3 and 4.

3. Members of the supervisory authority shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation, whether gainful or not.

3. Members of the supervisory authority shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation, whether gainful or not.

deleted323

4. Members of the supervisory authority shall behave, after their term of office, with integrity and discretion as regards the acceptance of appointments and benefits.

4. Members of the supervisory authority shall behave, after their term of office, with integrity and discretion as regards the acceptance of appointments and benefits.

deleted324

5. Each Member State shall ensure that the supervisory authority is provided with the adequate human, technical and financial resources, premises and infrastructure necessary for the effective performance of its duties and powers, including those to be carried out in the context of mutual assistance, co-operation and participation in the European Data Protection Board.

5. Each Member State shall ensure that the supervisory authority is provided with the adequate human, technical and financial resources, premises and infrastructure necessary for the effective performance of its duties and powers, including those to be carried out in the context of mutual assistance, co-operation and participation in the European Data Protection Board.

5. Each Member State shall ensure that the each supervisory authority is provided with the adequate human, technical and financial resources, premises and infrastructure necessary for the effective performance of its duties and exercise of its powers, including those to be carried out in the context of mutual assistance, co-operation and participation in the European Data Protection Board.


325 EE reservation.

6. Each Member State shall ensure that the supervisory authority has its own staff which shall be appointed by and be subject to the direction of the head of the supervisory authority.

6. Each Member State shall ensure that the supervisory authority has its own staff which shall be appointed by and be subject to the direction of the head of the supervisory authority.

6. Each Member State shall ensure that the each supervisory authority has its own staff which shall be appointed by and be subject to the direction of the member or members head of the supervisory authority.

7. Member States shall ensure that the supervisory authority is subject to financial control which shall not affect its independence. Member States shall ensure that the supervisory authority has separate annual budgets. The budgets shall be made public.

7. Member States shall ensure that the supervisory authority is subject to financial control which shall not affect its independence. Member States shall ensure that the supervisory authority has separate annual budgets. The budgets shall be made public.

7. Member States shall ensure that the each supervisory authority is subject to financial control325 which shall not affect its independence. Member States shall ensure that the each supervisory authority has separate, public, annual budgets, which may be part of the overall state or national budget. The budgets shall be made public.

Amendment 146

7a. Each Member State shall ensure that the supervisory authority shall be accountable to the national parliament for reasons of budgetary control.


326 Several delegations (FR, SE, SI and UK) thought that other modes of appointment should have been allowed for. FR (and RO) thought that a recital should clarify that "independent body" also covers courts.

Article 48 Article 48 Article 48

General conditions for the members of the supervisory authority

General conditions for the members of the supervisory authority

General conditions for the members of the supervisory authority

1. Member States shall provide that the members of the supervisory authority must be appointed either by the parliament or the government of the Member State concerned.

1. Member States shall provide that the members of the supervisory authority must be appointed either by the parliament or the government of the Member State concerned.

1. Member States shall provide that the member or members of the each supervisory authority must be appointed either by the parliament and/or the government of head of State of the Member State concerned or by an independent body entrusted by Member State law with the appointment by means of a transparent procedure326.

2. The members shall be chosen from persons whose independence is beyond doubt and whose experience and skills required to perform their duties notably in the area of protection of personal data are demonstrated.

2. The members shall be chosen from persons whose independence is beyond doubt and whose experience and skills required to perform their duties notably in the area of protection of personal data are demonstrated.

2. The member or members shall have the qualifications, be chosen from persons whose independence is beyond doubt and whose experience and skills required to perform their duties notably in the area of protection of personal data are demonstrated and exercise their powers.


327 COM reservation and DE scrutiny reservation on the expression "in accordance with the law of the Member States concerned". The question is whether this means that the Member States are being granted the power to define the duties further or whether the wording should be understood as meaning that only constitutional conditions or other legal framework conditions (e.g. civil service law) should be taken into account. DE and HU also suggest that rules in the event of death or invalidity be added (see, for example, Article 42(4) of Regulation (EC) No 45/2001) as well as referring to a procedure for the nomination of a representative in case the member is prevented from performing his or her duties. CZ, NO, SE see no need for paragraph 3

328 COM, DE and AT scrutiny reservation on deletion of paragraphs 4 and 5.

3. The duties of a member shall end in the event of the expiry of the term of office, resignation or compulsory retirement in accordance with paragraph 5.

3. The duties of a member shall end in the event of the expiry of the term of office, resignation or compulsory retirement in accordance with paragraph 5.

3. The duties of a member shall end in the event of the expiry of the term of office, resignation or compulsory retirement in accordance with paragraph 5 the law of the Member State concerned327.

4. A member may be dismissed or deprived of the right to a pension or other benefits in its stead by the competent national court, if the member no longer fulfils the conditions required for the performance of the duties or is guilty of serious misconduct.

4. A member may be dismissed or deprived of the right to a pension or other benefits in its stead by the competent national court, if the member no longer fulfils the conditions required for the performance of the duties or is guilty of serious misconduct.

deleted

5. Where the term of office expires or the member resigns, the member shall continue to exercise the duties until a new member is appointed.

5. Where the term of office expires or the member resigns, the member shall continue to exercise the duties until a new member is appointed.

deleted328


329 AT scrutiny reservation. DE and FR queried which was the leeway given to Member States by this article as compared to the rules flowing from the previous Articles from the Regulation. Several delegations (FR, GR, SE, SI UK) thought that some of these rules, in particular those spelled out in subparagraphs (c) and (d) were too detailed.

330 IE reservation: IE thought these qualifications need not be laid down in law.

Article 49 Article 49 Article 49

Rules on the establishment of the supervisory authority

Rules on the establishment of the supervisory authority

Rules on the establishment of the supervisory authority329

Each Member State shall provide by law within the limits of this Regulation:

Each Member State shall provide by law within the limits of this Regulation:

Each Member State shall provide by law within the limits of this Regulation for:

(a) the establishment and status of the supervisory authority;

(a) the establishment and status of the supervisory authority;

(a) the establishment and status of the each supervisory authority;

(b) the qualifications, experience and skills required to perform the duties of the members of the supervisory authority;

(b) the qualifications, experience and skills required to perform the duties of the members of the supervisory authority;

(b) the qualifications, experience and skills required to perform the duties of the members of the supervisory authority330;

(c) the rules and procedures for the appointment of the members of the supervisory authority, as well the rules on actions or occupations incompatible with the duties of the office;

(c) the rules and procedures for the appointment of the members of the supervisory authority, as well the rules on actions or occupations incompatible with the duties of the office;

(c) the rules and procedures for the appointment of the member or members of the each supervisory authority, as well the rules on actions or occupations incompatible with the duties of the office;

(d) the duration of the term of the members of the supervisory authority which shall be no less than four years, except for the first

(d) the duration of the term of the members of the supervisory authority which shall be no less than four years, except for the first

(d) the duration of the term of the member or members of the each supervisory authority which shall not be no less than four years,


331 CZ, DE scrutiny reservation on deletion of this point.

appointment after entry into force of this Regulation, part of which may take place for a shorter period where this is necessary to protect the independence of the supervisory authority by means of a staggered appointment procedure;

appointment after entry into force of this Regulation, part of which may take place for a shorter period where this is necessary to protect the independence of the supervisory authority by means of a staggered appointment procedure;

except for the first appointment after entry into force of this Regulation, part of which may take place for a shorter period where this is necessary to protect the independence of the supervisory authority by means of a staggered appointment procedure;

(e) whether the members of the supervisory authority shall be eligible for reappointment;

(e) whether the members of the supervisory authority shall be eligible for reappointment;

(e) whether and, if so, for how many terms the member or members of the each supervisory authority shall be eligible for reappointment;

(f) the regulations and common conditions governing the duties of the members and staff of the supervisory authority;

(f) the regulations and common conditions governing the duties of the members and staff of the supervisory authority;

(f) the regulations and common conditions governing the duties obligations of the member or members and staff of the each supervisory authority, prohibitions on actions and occupations incompatible therewith during and after the term of office and rules governing the cessation of employment;

(g) the rules and procedures on the termination of the duties of the members of the supervisory authority, including in case that

(g) the rules and procedures on the termination of the duties of the members of the supervisory authority, including in case that they

deleted331


332 UK pointed out that also transparency concerns should be taken into account. Many delegations (CZ, DE, FR, FI, GR, IT, SE, SI, UK) raised practical questions as to the scope and the exact implications of this article. All thought that the rules on professional secrecy should be left to national law and hence the suggestion by CZ (supported by EE, SE, SI and RO) to move this to Article 49 was followed. COM and DE scrutiny reservation on moving this provision to Article 49.

they no longer fulfil the conditions required for the performance of their duties or if they are guilty of serious misconduct.

no longer fulfil the conditions required for the performance of their duties or if they are guilty of serious misconduct.

2. The member or members and the staff of each supervisory authority shall, in accordance with Union or Member State law, be subject to a duty of professional secrecy both during and after their term of office, with regard to any confidential information which has come to their knowledge in the course of the performance of their duties or exercise of their powers

Article 50 Article 50 Article 50

Professional secrecy Professional secrecy Professional secrecy332

Amendment 147

The members and the staff of the supervisory authority shall be subject, both during and after their term of office, to a duty of professional secrecy with regard to

The members and the staff of the supervisory authority shall be subject, both during and after their term of office and in conformity with national legislation and

deleted


any confidential information which has come to their knowledge in the course of the performance of their official duties.

practice, to a duty of professional secrecy with regard to any confidential information which has come to their knowledge in the course of the performance of their official duties, whilst conducting their duties with independence and transparency as set out in the Regulation.


SECTION 2 DUTIES AND POWERS

SECTION 2 DUTIES AND POWERS

SECTION 2 DUTIES COMPETENCE, TASKS AND POWERS

Article 51 Article 51 Article 51

Competence Competence Competence

Amendment 148

1. Each supervisory authority shall exercise, on the territory of its own Member State, the powers conferred on it in accordance with this Regulation.

1. Each supervisory authority shall be competent to perform the duties and to exercise, on the territory of its own Member State, the powers conferred on it in accordance with this Regulation on the territory of its own Member State, without prejudice to Articles 73 and 74. Data processing by a public authority shall be supervised only by the supervisory authority of that Member State.

1. Each supervisory authority shall be competent to perform the tasks and exercise on the territory of its own Member State, the powers conferred on it in accordance with this Regulation on the territory of its own Member State.

Amendment 149

2. Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union, and the controller or processor is

deleted

2. Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union, and the controller or processor is


333 COM opposes the exclusion of private bodies from the one-stop mechanism, pointing to the example of cross-border infrastructure provided by private bodies in the public interest. AT, IE, FR and FI preferred to refer to 'processing carried out by public authorities and bodies of a Member State or by private bodies acting on the basis of a legal obligation to discharge functions in the public interest'.

334 FR, HU, RO and UK scrutiny reservation. DE suggested adding "other matters assigned to courts for independent performance. The same shall apply insofar as judicially independent processing has been ordered, approved or declared admissible", as the derogation must apply whenever courts' work falls within the scope of their institutional independence, which is not only the case in the core area of judicial activity but also in areas where courts are assigned tasks specifically for independent performance.

established in more than one Member State, the supervisory authority of the main establishment of the controller or processor shall be competent for the supervision of the processing activities of the controller or the processor in all Member States, without prejudice to the provisions of Chapter VII of this Regulation.

established in more than one Member State, the supervisory authority of the main establishment of the controller or processor shall be competent for the supervision of the processing activities of the controller or the processor in all Member States, without prejudice to the provisions of Chapter VII of this Regulation. is carried out by public authorities or private bodies acting on the basis of points (c) or (e) of Article 6(1), the supervisory authority of the Member State concerned shall be competent333. In such cases Article 51a does not apply.

3. The supervisory authority shall not be competent to supervise processing operations of courts acting in their judicial capacity.

3. The supervisory authority shall not be competent to supervise processing operations of courts acting in their judicial capacity.

3. The sSupervisory authority authorities shall not be competent to supervise processing operations of courts acting in their judicial capacity334.

Article 51a


Competence of the lead supervisory authority

1. Without prejudice to Article 51 the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the transnational processing of this controller or processor in accordance with the procedure in Article 54a.

2a. By derogation from paragraph 1, each supervisory authority shall be competent to deal with a complaint lodged with it or to deal with a possible infringement of this Regulation, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State.

2b. In the cases referred to in paragraph 2a, the supervisory authority shall inform the lead supervisory authority without delay on this matter. Within a


period of three weeks after being informed the lead supervisory authority shall decide whether or not it will deal with the case in accordance with the procedure provided in Article 54a, taking into account whether or not there is an establishment of the controller or processor in the Member State of which the supervisory authority informed it.

2c. Where the lead supervisory authority decides to deal with the case, the procedure provided in Article 54a shall apply. The supervisory authority which informed the lead supervisory authority may submit to such supervisory authority a draft for a decision. The lead supervisory authority shall take utmost account of that draft when preparing the draft decision referred to in paragraph 2 of Article 54a.

2d. In case the lead supervisory authority decides not to deal with it, the supervisory authority which informed the lead supervisory


335 AT reservation on the deletion of Articles 51b and 51c.

336 DE, IT, AT, PT and SE scrutiny reservation.

authority shall deal with the case according to Articles 55 and 56.

3. The lead supervisory authority shall be the sole interlocutor of the controller or processor for their transnational processing

Article 51b

Identification of the supervisory authority competent for the main establishment

deleted

Article 51c

One-stop shop register

deleted335

Article 52 Article 52 Article 52

Duties Duties Tasks336

1. The supervisory authority shall:

1. The supervisory authority shall:

1. The Without prejudice to other tasks set out under this Regulation, each supervisory


authority shall on its territory:

(a) monitor and ensure the application of this Regulation;

(a) monitor and ensure the application of this Regulation;

(a) monitor and ensure enforce the application of this Regulation;

(aa) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to the processing of personal data. Activities addressed specifically to children shall receive specific attention;

(ab) advise, in accordance with national law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of individuals’ rights and freedoms with regard to the processing of personal data;

(ac) promote the awareness of controllers and processors of their obligations under this Regulation;

(ad) upon request, provide information to any data subject concerning the exercise of their rights under this Regulation and, if appropriate, co-operate with the


supervisory authorities in other Member States to this end;

Amendment 150

(b) hear complaints lodged by any data subject, or by an association representing that data subject in accordance with Article 73, investigate, to the extent appropriate, the matter and inform the data subject or the association of the progress and the outcome of the complaint within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;

(b) hear complaints lodged by any data subject, or by an association representing that data subject in accordance with Article 73, investigate, to the extent appropriate, the matter and inform the data subject or the association of the progress and the outcome of the complaint within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;

(b) hear deal with complaints lodged by any a data subject, or body, organisation or by an association representing that a data subject in accordance with Article 73, and investigate, to the extent appropriate, the subject matter of the complaint and inform the data subject or the body, organisation or association of the progress and the outcome of the complaint investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;

(c) share information with and provide mutual assistance to other supervisory authorities and ensure the consistency of application and enforcement of this Regulation;

(c) share information with and provide mutual assistance to other supervisory authorities and ensure the consistency of application and enforcement of this Regulation;

(c) share cooperate with, including sharing information with, and provide mutual assistance to other supervisory authorities with a view to and ensure ensuring the consistency of application and enforcement of this Regulation;

Amendment 151


(d) conduct investigations either on its own initiative or on the basis of a complaint or on request of another supervisory authority, and inform the data subject concerned, if the data subject has addressed a complaint to this supervisory authority, of the outcome of the investigations within a reasonable period;

(d) conduct investigations, either on its own initiative or on the basis of a complaint or of specific and documented information received alleging unlawful processing or on request of another supervisory authority, and inform the data subject concerned, if the data subject has addressed a complaint to this supervisory authority, of the outcome of the investigations within a reasonable period;

(d) conduct investigations either on its own initiative or on the basis of a complaint or on request of another supervisory authority, and inform the data subject concerned, if the data subject has addressed a complaint to this on the application of this Regulation, including on the basis of information received from another supervisory authority, of the outcome of the investigations within a reasonable period or other public authority;

(e) monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices;

(e) monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices;

(e) monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices;

(f) be consulted by Member State institutions and bodies on legislative and administrative measures relating to the protection of individuals' rights and freedoms with regard to the processing of personal data;

(f) be consulted by Member State institutions and bodies on legislative and administrative measures relating to the protection of individuals' rights and freedoms with regard to the processing of personal data;

(f) be consulted by Member State institutions and bodies on legislative and administrative measures relating to the protection of individuals' rights and freedoms with regard to the processing of personal data adopt standard contractual clauses referred to in Article 26(2c);


(fa) establish and make a list in relation to the requirement for data protection impact assessment pursuant to Article 33(2a);

(g) authorise and be consulted on the processing operations referred to in Article 34;

(g) authorise and be consulted on the processing operations referred to in Article 34;

(g) authorise and be consulted give advice on the processing operations referred to in Article 34(3);

(ga) encourage the drawing up of codes of conduct pursuant to Article 38 and give an opinion and approve such codes of conduct which provide sufficient safeguards, pursuant to Article 38(2);

(gb) promote the establishment of data protection certification mechanisms and of data protection seals and marks, and approve the criteria of certification pursuant to Article 39(2a);

(gc) where applicable, carry out a periodic review of certifications issued in accordance with Article 39(4);

(h) issue an opinion on the draft codes of conduct pursuant to

(h) issue an opinion on the draft codes of conduct pursuant to Article

(h) issue an opinion on the draft and publish the criteria for


Article 38(2);

38(2);

accreditation of a body for monitoring codes of conduct pursuant to Article 38(2)a and of a certification body pursuant to Article 39a;

(ha) conduct the accreditation of a body for monitoring codes of conduct pursuant to Article 38a and of a certification body pursuant to Article 39a;

(hb) authorise contractual clauses referred to in Article 42(2a)(a);

(i) approve binding corporate rules pursuant to Article 43;

(i) approve binding corporate rules pursuant to Article 43;

(i) approve binding corporate rules pursuant to Article 43;

(j) participate in the activities of the European Data Protection Board.

(j) participate in the activities of the European Data Protection Board.

(j) participate in contribute to the activities of the European Data Protection Board.;

(k) fulfil any other tasks related to the protection of personal data.

Amendment 152

(ja) certify controllers and processors pursuant to Article 39.

Amendment 153

2. Each supervisory authority shall promote the awareness of the public on risks, rules, safeguards and rights in relation to the processing of personal data. Activities addressed specifically to children shall receive specific attention.

2. Each supervisory authority shall promote the awareness of the public on risks, rules, safeguards and rights in relation to the processing of personal data and on appropriate measures for personal data protection. Activities addressed specifically to children shall receive specific attention.

deleted

Amendment 154

2a. Each supervisory authority shall together with the European Data Protection Board promote the awareness for controllers and processors on risks, rules, safeguards and rights in relation to the processing of personal data. This includes keeping a register of sanctions and breaches. The register should enrol both all warnings and sanctions as detailed as possible and the resolving of breaches. Each supervisory authority shall provide micro, small and medium sized enterprise controllers and processors on request with general information on their responsibilities and obligations in accordance with this Regulation.

3. The supervisory authority shall, upon request, advise any data subject in exercising the rights under this Regulation and, if appropriate, co-operate with the supervisory authorities in other Member States to this end.

3. The supervisory authority shall, upon request, advise any data subject in exercising the rights under this Regulation and, if appropriate, co-operate with the supervisory authorities in other Member States to this end.

deleted

4. For complaints referred to in point (b) of paragraph 1, the supervisory authority shall provide a complaint submission form, which can be completed electronically, without excluding other means of communication.

4. For complaints referred to in point (b) of paragraph 1, the supervisory authority shall provide a complaint submission form, which can be completed electronically, without excluding other means of communication.

4. For Each supervisory authority shall facilitate the submission of complaints referred to in point (b) of paragraph 1, the supervisory authority shall provide a by measures such as providing a complaint submission form, which can be completed also electronically, without excluding other means of communication.

5. The performance of the duties of the supervisory authority shall be free of charge for the data subject.

5. The performance of the duties of the supervisory authority shall be free of charge for the data subject.

5. The performance of the duties tasks of the each supervisory authority shall be free of charge for the data subject and for the data protection officer, if any.

337 DE and SE reservation: this could be left to general rules.

338 DE, RO, PT and SE scrutiny reservation; SE thought this list was too broad. Some Member States were uncertain (CZ, RO and UK) or opposed (DE, DK, and IE) to categorising the DPA powers according to their nature.

339 RO argued in favour of the inclusion of an explicit reference to the power of DPAs to issue administrative orders regarding the uniform application of certain data protection rules. COM and ES scrutiny reservation on 'at least' in paragraphs 1 and 1a.

Amendment 155

6. Where requests are manifestly excessive, in particular due to their repetitive character, the supervisory authority may charge a fee or not take the action requested by the data subject. The supervisory authority shall bear the burden of proving the manifestly excessive character of the request.

6. Where requests are manifestly excessive, in particular due to their repetitive character, the supervisory authority may charge a reasonable fee or not take the action requested by the data subject. Such a fee shall not exceed the costs of taking the action requested. The supervisory authority shall bear the burden of proving the manifestly excessive character of the request.

6. Where requests are manifestly unfounded or excessive, in particular due to because of their repetitive character, the supervisory authority may charge a fee or not take the action requested by the data subject refuse to act on the request. The supervisory authority shall bear the burden of proving demonstrating the manifestly unfounded or excessive character of the request337.

Article 53 Article 53 Article 53

Powers Powers Powers338

Amendment 156

1. Each supervisory authority shall have the power:

1. Each supervisory authority shall, in line with this Regulation, have the power:

1. Each Member State shall provide by law that its supervisory authority shall have at least339 the following investigative powers:

340 CZ, IT, PL scrutiny reservation. CZ and PL pleaded for a recital explaining that audit could be understood as inspection.

(a) to notify the controller or the processor of an alleged breach of the provisions governing the processing of personal data, and, where appropriate, order the controller or the processor to remedy that breach, in a specific manner, in order to improve the protection of the data subject;

(a) to notify the controller or the processor of an alleged breach of the provisions governing the processing of personal data, and, where appropriate, order the controller or the processor to remedy that breach, in a specific manner, in order to improve the protection of the data subject, or to order the controller to communicate a personal data breach to the data subject;

(a) to notify order the controller or and the processor of an alleged breach of the provisions governing the processing of personal data, and, where appropriate applicable, order the controller’s or the processor to remedy that breach, in a specific manner, in order to improve the protection of the data subject representative to provide any information it requires for the performance of its tasks;

(aa) to carry out investigations in the form of data protection audits340;

(ab) to carry out a review on certifications issued pursuant to Article 39(4);

(b) to order the controller or the processor to comply with the data subject's requests to exercise the rights provided by this Regulation;

(b) to order the controller or the processor to comply with the data subject's requests to exercise the rights provided by this Regulation;

deleted

(c) to order the controller and the processor, and, where applicable, the representative to provide any information relevant for the performance of its duties;

(c) to order the controller and the processor, and, where applicable, the representative to provide any information relevant for the performance of its duties;

deleted

(d) to ensure the compliance with prior authorisations and prior consultations referred to in Article 34;

(d) to ensure the compliance with prior authorisations and prior consultations referred to in Article 34;

(d) to ensure notify the compliance with prior authorisations and prior consultations referred to in Article 34 controller or the processor of an alleged infringement of this Regulation;

(da) to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks;

(db) to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in conformity with Union law or Member State procedural law.

1a. (…).

1b. Each Member State shall provide by law that its supervisory authority shall have the following corrective powers:

(a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;

341 PL scrutiny reservation.

342 PL scrutiny reservation on points (a) and (b).

(b) to issue reprimands341 to a controller or processor where processing operations have infringed provisions of this Regulation342;

(c) to order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation;

(d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period; in particular by ordering the rectification, restriction or erasure of data pursuant to Articles 16, 17 and 17a and the notification of such actions to recipients to whom the data have been disclosed pursuant to Articles 17(2a) and 17b;

343 DK constitutional reservation on the introduction of administrative fines, irrespective of the level of the fines.

344 SK reservation.

(e) to warn or admonish the controller or the processor;

(e) to warn or admonish the controller or the processor;

(e) to impose a temporary or definitive limitation on processing;

(f) to order the rectification, erasure or destruction of all data when they have been processed in breach of the provisions of this Regulation and the notification of such actions to third parties to whom the data have been disclosed;

(f) to order the rectification, erasure or destruction of all data when they have been processed in breach of the provisions of this Regulation and the notification of such actions to third parties to whom the data have been disclosed;

(f) to order the rectification, erasure or destruction of all data when they have been processed in breach of the provisions of this Regulation and the notification of such actions to third parties to whom the data have been disclosed data flows to a recipient in a third country or to an international organisation;

(g) to impose a temporary or definitive ban on processing;

(g) to impose a temporary or definitive ban on processing;

(g) to impose a temporary or definitive ban on processing; an administrative fine pursuant to Articles 79 and 79a343, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case.

(h) to suspend data flows to a recipient in a third country or to an international organisation;

(h) to suspend data flows to a recipient in a third country or to an international organisation;

(h) to order the suspend suspension of data flows to a recipient in a third country or to an international organisation344;

(i) to issue opinions on any issue related to the protection of personal data;

(i) to issue opinions on any issue related to the protection of personal data;

deleted

(ia) to certify controllers and processors pursuant to Article 39;

(j) to inform the national parliament, the government or other political institutions as well as the public on any issue related to the protection of personal data.

(j) to inform the national parliament, the government or other political institutions as well as the public on any issue related to the protection of personal data;

deleted

(ja) to put in place effective mechanisms to encourage confidential reporting of breaches of this Regulation, taking into account guidance issued by the European Data Protection Board pursuant to Article 66(4b).

1c. Each Member State shall provide by law that its supervisory authority shall have the following authorisation and advisory powers:

(a) to advise the controller in accordance with the prior consultation procedure referred to in Article 34;

(aa) to issue, on its own initiative or on request, opinions to the national parliament, the Member State government or, in accordance with national law, to other institutions and bodies as well as to the public on any issue related to the protection of personal data;

(ab) to authorise processing referred to in Article 34(7a), if the law of the Member State requires such prior authorisation;

(ac) to issue an opinion and adopt draft codes of conduct pursuant to Article 38(2);

(ad) to accredit certification bodies under the terms of Article 39a;

(ae) to issue certifications and approve criteria of certification in accordance with Article 39(2a);

(b) to adopt standard data protection clauses referred to in point (c) of Article 42(2);

345 CY, ES, FR, IT and RO thought this could be put in a recital as these obligations were binding upon the Member States at any rate.

(c) to authorise contractual clauses referred to in point (a) of Article 42(2a);

(ca) to authorise administrative agreements referred to in point (d) of Article 42 (2a);

(d) to approve binding corporate rules pursuant to Article 43.

2. Each supervisory authority shall have the investigative power to obtain from the controller or the processor:

2. Each supervisory authority shall have the investigative power to obtain from the controller or the processor without prior notice:

2. Each supervisory authority shall have the investigative power to obtain from the controller or the processor: The exercise of the powers conferred on the supervisory authority pursuant to this Article shall be subject to appropriate safeguards, including effective judicial remedy and due process, set out in Union and Member State law in accordance with the Charter of Fundamental Rights of the European Union.345

(a) access to all personal data and to all information necessary for the performance of its duties;

(a) access to all personal data and to all documents and information necessary for the performance of its duties;

deleted

346 DE, FR and RO reservation on proposed DPA power to engage in legal proceedings. UK scrutiny reservation. CZ and HU reservation on the power to bring this to the attention of the judicial authorities.

347 DE thought para. 3 and 4 should be deleted.

(b) access to any of its premises, including to any data processing equipment and means, where there are reasonable grounds for presuming that an activity in violation of this Regulation is being carried out there.

(b) access to any of its premises, including to any data processing equipment and means, where there are reasonable grounds for presuming that an activity in violation of this Regulation is being carried out there.

deleted

The powers referred to in point (b) shall be exercised in conformity with Union law and Member State law.

The powers referred to in point (b) shall be exercised in conformity with Union law and Member State law.

deleted

3. Each supervisory authority shall have the power to bring violations of this Regulation to the attention of the judicial authorities and to engage in legal proceedings, in particular pursuant to Article 74(4) and Article 75(2).

3. Each supervisory authority shall have the power to bring violations of this Regulation to the attention of the judicial authorities and to engage in legal proceedings, in particular pursuant to Article 74(4) and Article 75(2).

3. Each Member State shall provide by law that its supervisory authority shall have the power to bring violations infringements of this Regulation to the attention of the judicial authorities and where appropriate, to commence or engage otherwise in legal proceedings346, in particular pursuant to Article 74(4) and Article 75(2), in order to enforce the provisions of this Regulation347.

4. Each supervisory authority shall have the power to sanction administrative offences, in particular those referred to in Article 79(4), (5) and (6).

4. Each supervisory authority shall have the power to sanction administrative offences, in particular those referred to in accordance with Article 79(4), (5) and (6). This power shall be exercised in an effective, proportionate and dissuasive manner.

deleted

Article 54 Article 54 Article 54

Activity report Activity report Activity report

Amendment 157

Each supervisory authority must draw up an annual report on its activities. The report shall be presented to the national parliament and shall be made be available to the public, the Commission and the European Data Protection Board.

Each supervisory authority must draw up an annual a report on its activities at least every two years. The report shall be presented to the national respective parliament and shall be made be available to the public, the Commission and the European Data Protection Board.

Each supervisory authority must shall draw up an annual report on its activities. The report shall be presented transmitted to the national parliament Parliament, the government and other authorities as designated by national law. and It shall be made be available to the public, the European Commission and the European Data Protection Board.

Amendment 157

Article 54a (new)

Lead Authority

1. Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union, and the controller or processor is established in more than one Member State, or where personal data of the residents of several Member States are processed, the supervisory authority of the main establishment of the controller or processor shall act as the lead authority responsible for the supervision of the processing activities of the controller or the processor in all Member States, in accordance with the provisions of Chapter VII of this Regulation.

2. The lead supervisory authority shall take appropriate measures for the supervision of the processing activities of the controller or processor for which it is responsible only after consulting all other competent supervisory authorities within the meaning of paragraph 1 of Article 51(1) in an endeavour to reach a consensus. For that purpose it shall in particular submit any relevant information and consult the other authorities before it adopts a measure intended to produce legal effects vis-à-vis a controller or a processor within the meaning of paragraph 1 of Article 51(1). The lead authority shall take the utmost account of the opinions of the authorities involved. The lead authority shall be the sole authority empowered to decide on measures intended to produce legal effects as regards the processing activities of the controller or processor for which it is responsible

3. The European Data Protection Board shall, at the request of a competent supervisory authority, issue an opinion on the identification of the lead authority responsible for a controller or processor, in cases where:

(a) it is unclear from the facts of the case where the main establishment of the controller or processor is located; or

(b) the competent authorities do not agree on which supervisory authority shall act as lead authority; or

(c) the controller is not established in the Union, and residents of different Member States are affected by processing operations within the scope of this Regulation.

3a. Where the controller exercises also activities as a processor, the supervisory authority of the main establishment of the controller shall act as lead authority for the supervision of processing activities.

4. The European Data Protection Board may decide on the identification of the lead authority.

348 BE, CZ, CY, DE, EE, FR, FI, IE, LU, RO, PT and NL scrutiny reservation. IE pointed out that in the case of personal data processed by social media or other internet platforms, all 28 MS DPAs would be 'concerned'. LU and NL doubted that one DPA concerned would be sufficient to trigger the consistency mechanisms. BE, FR, PL and LU expressed a preference for amicable settlements.

Article 54a

Cooperation between the lead supervisory authority and other supervisory authorities concerned348

1. In the cases referred to in Article 51a, the lead supervisory authority shall cooperate with the supervisory authorities concerned in accordance with this article in an endeavour to reach consensus.

1a. In the cases referred to in paragraph 1 of Article 51a, each supervisory authority concerned shall inform the lead supervisory authority and refer the matter to the lead supervisory authority without delay.

The lead supervisory authority shall, without delay, further investigate the subject matter and communicate the relevant information on the matter to the supervisory authorities concerned and shall submit a draft decision including on whether there is an infringement of this Regulation or not and on the exercise of the powers referred to in paragraphs 1, 1b and 1c of Article 53 to all supervisory authorities concerned for their opinion and take due account of the views of those supervisory authorities.

2a. (…)

2b. The lead supervisory authority may request at any time the supervisory authorities concerned to provide mutual assistance pursuant to Article 55 and may conduct joint operations pursuant to Article 56, in particular for carrying out investigations or for monitoring the implementation of a measure concerning a controller or processor established in another Member State.

3. Where any of the supervisory authorities concerned expresses a reasoned objection within a period of four weeks after having been consulted in accordance with paragraph 2 to the draft decision, the lead supervisory authority shall, if it does not follow the objection, submit the matter to the consistency mechanism referred to in Article 57. In such a case, the European Data Protection Board shall settle the dispute and be binding on the lead supervisory authority and all the supervisory authorities concerned pursuant to point 2(a) of Article 57 and Article 58a. Where a supervisory authority concerned has not objected within this period, it is deemed to be in agreement with the draft decision.

4. Where no supervisory authority concerned has objected to the draft decision submitted by the lead supervisory authority within the period referred to in paragraph 3, the lead supervisory authority and the supervisory authorities concerned shall agree on a single decision jointly.

4a. The lead supervisory authority shall give legal effect to the jointly agreed single decision and notify it to the main establishment or single establishment of the controller or processor on the territory of its Member State and inform the European Data Protection Board of the decision in question including a summary of the relevant facts and grounds.

4b. Where the jointly agreed single decision concerns a complaint and as far as it adversely affects the complainant, notably where the complaint is rejected, dismissed or granted only in part, the supervisory authority that has received such complaint shall give legal effect to the jointly agreed the single decision concerning that complaint and serve it on the complainant. The complainant shall be informed in any case of the outcome of the complaint pursuant to Article 73, paragraph 5.349

349 PL scrutiny reservation on paragraph 4b.

4c. After being notified of the decision of the lead supervisory authority pursuant to paragraph 4a, the controller or processor shall take the necessary measures to ensure compliance with the decision as regards the processing activities in the context of all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the lead supervisory authority, which shall then inform all the supervisory authorities concerned. The supervisory authorities concerned shall be bound by the single decision adopted jointly in the manner described above.

4d. Where, in exceptional circumstances, a supervisory authority concerned has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Article 61 shall apply.

5. The lead supervisory authority and the supervisory authorities concerned shall supply the information required under this Article to each other by electronic means, using a standardised format.

350 AT and FR scrutiny reservation on Chapter VII.

351 CZ, CY, DE, EE, FR, FI, IE, LU, RO and PT scrutiny reservation.

CHAPTER VII CO-OPERATION AND CONSISTENCY

CHAPTER VII CO-OPERATION AND CONSISTENCY

CHAPTER VII350 CO-OPERATION AND CONSISTENCY

SECTION 1 CO-OPERATION

SECTION 1 CO-OPERATION

SECTION 1 CO-OPERATION

Article 54a

Cooperation between the lead supervisory authority and other concerned supervisory authorities351

1. The lead supervisory authority shall cooperate with the other concerned supervisory authorities in accordance with this article in an endeavour to reach consensus. The lead supervisory authority and the concerned supervisory authorities shall exchange all relevant information with each other.

1a. The lead supervisory authority may request at any time other concerned supervisory authorities to provide mutual assistance pursuant to Article 55 and may conduct joint operations pursuant to Article 56, in particular for carrying out investigations or for monitoring the implementation of a measure concerning a controller or processor established in another Member State.

2. The lead supervisory authority shall, without delay communicate the relevant information on the matter to the other concerned supervisory authorities. It shall without delay submit a draft decision to the other concerned supervisory authorities for their opinion and take due account of their views.

3. Where any352 of the other concerned supervisory authorities within a period of four weeks after having been consulted in accordance with paragraph 2, expresses a relevant and reasoned objection to the draft decision, the lead supervisory authority shall, if it does not follow the objection or is of the opinion it is not relevant and reasoned, submit the matter to the consistency mechanism referred to in Article 57.

352 A number of Member States (CZ, IE, NL, PL, FI and UK) still prefers a quantitative threshold by which an objection would need to be supported by 1/3 of the concerned supervisory authorities before the lead authority is obliged to refer the matter to the EDPB.

3a. Where the lead supervisoryauthority intends to follow theobjection made, it shall submit tothe other concerned supervisoryauthorities a revised draft decisionfor their opinion. This reviseddraft decision shall be subject tothe procedure referred to inparagraph 3 within a period of twoweeks.

4. Where none of the otherconcerned supervisory authorityhas objected to the draft decisionsubmitted by the lead supervisoryauthority within the periodreferred to in paragraphs 3 and3a, the lead supervisory authorityand the concerned supervisoryauthorities shall be deemed to bein agreement with this draftdecision and shall be bound by it.


4a. The lead supervisory authority shall adopt and notify the decision to the main establishment or single establishment of the controller or processor, as the case may be and inform the other concerned supervisory authorities and the European Data Protection Board of the decision in question including a summary of the relevant facts and grounds. The supervisory authority to which a complaint has been lodged shall inform the complainant on the decision.

4b. By derogation from paragraph 4a, where a complaint is dismissed or rejected, the supervisory authority to which the complaint was lodged shall adopt the decision and notify it to the complainant and shall inform the controller thereof.

4bb. Where the lead supervisory authority and the concerned supervisory authorities are in agreement to dismiss or reject parts of a complaint and to act on


353 Further to suggestions from HU and IE.

354 SI scrutiny reservation. PL reservation on paras 4b and 4bb: PL and FI thought para. 4bb should be deleted as it was opposed to the concept of a split decision. IT thought para 4bb overlapped with para 4b.

355 Further to suggestions from HU and IE.

other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter. The lead supervisory authority shall adopt the decision for the part concerning actions in relation to the controller and notify it to the main establishment or single establishment of the controller or processor on the territory of its Member State and shall inform the complainant thereof353, while the supervisory authority of the complainant shall adopt the decision for the part concerning dismissal or rejection of that complaint and notify it on that complainant354 and shall inform the controller or processor thereof. 355

4c. After being notified of the decision of the lead supervisory authority pursuant to paragraph 4a and 4bb, the controller or processor shall take the necessary measures to ensure compliance


with the decision as regards the processing activities in the context of all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the lead supervisory authority, which shall inform the other concerned supervisory authorities.

4d. Where, in exceptional circumstances, a concerned supervisory authority has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Article 61 shall apply.

5. The lead supervisory authority and the other concerned supervisory authorities shall supply the information required under this Article to each other by electronic means, using a standardised format.


356 DE, NL SE and UK scrutiny reservation.

Article 55 Article 55 Article 55

Mutual assistance Mutual assistance Mutual assistance356

Amendment 159

1. Supervisory authorities shall provide each other relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner, and shall put in place measures for effective co-operation with one another. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorisations and consultations, inspections and prompt information on the opening of cases and ensuing developments where data subjects in several Member States are likely to be affected by processing operations.

1. Supervisory authorities shall provide each other relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner, and shall put in place measures for effective co-operation with one another. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorisations and consultations, inspections and investigations and prompt information on the opening of cases and ensuing developments where the controller or processor has establishments in several Member States or where data subjects in several Member States are likely to be affected by processing operations. The lead authority as defined in Article 54a shall ensure the coordination with

1. Supervisory authorities shall provide each other with relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner, and shall put in place measures for effective co-operation with one another. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorisations and consultations, inspections and prompt information on the opening of cases and ensuing developments where data subjects in several Member States are likely to be affected by processing operations investigations.


357 ES, supported by PT, had suggested 15 days. RO and SE found one month too short. COM indicated that it was only a deadline for replying, but that paragraph 5 allowed longer periods for executing the assistance requested.

358 EE and SE scrutiny reservation.

involved supervisory authorities and shall act as the single contact point for the controller or processor.

2. Each supervisory authority shall take all appropriate measures required to reply to the request of another supervisory authority without delay and no later than one month after having received the request. Such measures may include, in particular, the transmission of relevant information on the course of an investigation or enforcement measures to bring about the cessation or prohibition of processing operations contrary to this Regulation.

2. Each supervisory authority shall take all appropriate measures required to reply to the request of another supervisory authority without delay and no later than one month after having received the request. Such measures may include, in particular, the transmission of relevant information on the course of an investigation or enforcement measures to bring about the cessation or prohibition of processing operations contrary to this Regulation.

2. Each supervisory authority shall take all appropriate measures required to reply to the request of another supervisory authority without undue delay and no later than one month357 after having received the request. Such measures may include, in particular, the transmission of relevant information on the course conduct of an investigation or enforcement measures to bring about the cessation or prohibition of processing operations contrary to this Regulation.

3. The request for assistance shall contain all the necessary information, including the purpose of the request and reasons for the request. Information exchanged shall be used only in respect of the matter for which it was requested.

3. The request for assistance shall contain all the necessary information, including the purpose of the request and reasons for the request. Information exchanged shall be used only in respect of the matter for which it was requested.

3. The request for assistance shall contain all the necessary information358, including the purpose of the request and reasons for the request. Information exchanged shall be used only in respect of the matter for the


359 Several delegations stressed the importance of establishing which is the competent DPA: DE, EE, SE, SI. and IT asked for further clarification.

purpose for which it was requested.

4. A supervisory authority to which a request for assistance is addressed may not refuse to comply with it unless:

4. A supervisory authority to which a request for assistance is addressed may not refuse to comply with it unless:

4. A supervisory authority to which a request for assistance is addressed may not refuse to comply with it unless:

(a) it is not competent for the request; or

(a) it is not competent for the request; or

(a) it is not competent for the subject-matter of the request or for the measures it is requested to execute359; or

(b) compliance with the request would be incompatible with the provisions of this Regulation.

(b) compliance with the request would be incompatible with the provisions of this Regulation.

(b) compliance with the request would be incompatible with the provisions of this Regulation or with Union or Member State law to which the supervisory authority receiving the request is subject.

5. The requested supervisory authority shall inform the requesting supervisory authority of the results or, as the case may be, of the progress or the measures taken in order to meet the request by the requesting supervisory authority.

5. The requested supervisory authority shall inform the requesting supervisory authority of the results or, as the case may be, of the progress or the measures taken in order to meet the request by the requesting supervisory authority.

5. The requested supervisory authority shall inform the requesting supervisory authority of the results or, as the case may be, of the progress or the measures taken in order to meet respond to the request by the requesting supervisory authority. In case of a refusal under paragraph 4, it shall explain its reasons for refusing the


360 RO scrutiny reservation.

361 PT (supported by RO) suggested adding "or other means if for some reason, electronic means are not available, and the communication is urgent".

362 PT, UK and DE asked for clarification in relation to the resources needed / and estimate of costs.

request360.

6. Supervisory authorities shall supply the information requested by other supervisory authorities by electronic means and within the shortest possible period of time, using a standardised format.

6. Supervisory authorities shall supply the information requested by other supervisory authorities by electronic means and within the shortest possible period of time, using a standardised format.

6. Supervisory authorities shall, as a rule, supply the information requested by other supervisory authorities by electronic means361 and within the shortest possible period of time, using a standardised format.

Amendment 160

7. No fee shall be charged for any action taken following a request for mutual assistance.

7. No fee shall be charged to the requesting supervisory authority for any action taken following a request for mutual assistance.

7. No fee shall be charged for any action taken following a request for mutual assistance. Supervisory authorities may agree with other supervisory authorities rules for indemnification by other supervisory authorities for specific expenditure arising from the provision of mutual assistance in exceptional circumstances362.

Amendment 161

8. Where a supervisory authority does not act within one month on request of another

8. Where a supervisory authority does not act within one month on request of another supervisory

8. Where a supervisory authority does not act provide the information referred to in


363 LU requested more clarification with regard to what would happen if this provisional measure were not confirmed.

364 EE, FR, RO, and UK reservation. DE scrutiny.

365 DE asked for deletion of this deadline; the measure should be withdrawn if the conditions for imposing it were no longer fulfilled.

supervisory authority, the requesting supervisory authorities shall be competent to take a provisional measure on the territory of its Member State in accordance with Article 51(1) and shall submit the matter to the European Data Protection Board in accordance with the procedure referred to in Article 57.

authority, the requesting supervisory authorities shall be competent to take a provisional measure on the territory of its Member State in accordance with Article 51(1) and shall submit the matter to the European Data Protection Board in accordance with the procedure referred to in Article 57. Where no definitive measure is yet possible because the assistance is not yet completed, the requesting supervisory authority may take interim measures under Article 53 in the territory of its Member State.

paragraph 5 within one month of receiving the on request of another supervisory authority, the requesting supervisory authorities authority shall be competent to take may adopt a provisional measure363 on the territory of its Member State in accordance with Article 51(1) and shall submit the matter to the European Data Protection Board in accordance with the procedure consistency mechanism referred to in Article 57364.

Amendment 162

9. The supervisory authority shall specify the period of validity of such provisional measure. This period shall not exceed three months. The supervisory authority shall, without delay, communicate those measures, with full reasons, to the European Data Protection Board and to the Commission.

9. The supervisory authority shall specify the period of validity of such provisional measure. This period shall not exceed three months. The supervisory authority shall, without delay, communicate those measures, with full reasons, to the European Data Protection Board and to the Commission in accordance with the procedure

9. The supervisory authority shall specify the period of validity of such provisional measure which . This period shall not exceed three months365. The supervisory authority shall, without delay, communicate those such a measures, together with full its reasons for adopting it, to the European Data Protection Board


366 DE, IT, EE and CZ reservation.

referred to in Article 57.

and to the Commission in accordance with the consistency mechanism referred to in Article 57.

Amendment 163

10. The Commission may specify the format and procedures for mutual assistance referred to in this article and the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the European Data Protection Board, in particular the standardised format referred to in paragraph 6. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

10. The Commission European Data Protection Board may specify the format and procedures for mutual assistance referred to in this article and the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the European Data Protection Board, in particular the standardised format referred to in paragraph 6. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

10. The Commission may specify the format and procedures for mutual assistance referred to in this article and the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the European Data Protection Board, in particular the standardised format referred to in paragraph 6. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2)366.


367 DE, EE, PT and UK scrutiny reservation.

368 COM reservation; IT, supported by FR and CZ suggested stressing the multilateral aspect.

Article 56 Article 56 Article 56

Joint operations of supervisory authorities

Joint operations of supervisory authorities

Joint operations of supervisory authorities367

1. In order to step up co-operation and mutual assistance, the supervisory authorities shall carry out joint investigative tasks, joint enforcement measures and other joint operations, in which designated members or staff from other Member States' supervisory authorities are involved.

1. In order to step up co-operation and mutual assistance, the supervisory authorities shall carry out joint investigative tasks, joint enforcement measures and other joint operations, in which designated members or staff from other Member States' supervisory authorities are involved.

1. In order to step up co-operation and mutual assistance, the The supervisory authorities shall carry out may , where appropriate, conduct joint operations including joint investigations and investigative tasks, joint enforcement measures and other joint operations, in which designated members or staff from other Member States' supervisory authorities are involved.

Amendment 164

2. In cases where data subjects in several Member States are likely to be affected by processing operations, a supervisory authority of each of those Member States shall have the right to participate in the joint investigative tasks or joint

2. In cases where the controller or processor has establishments in several Member States or where data subjects in several Member States are likely to be affected by processing operations, a supervisory authority of each of those Member

2. In cases where the controller or processor has establishments in several Member States or where a significant number of368 data subjects in several more than one Member States are likely to be substantially affected by


operations, as appropriate. The competent supervisory authority shall invite the supervisory authority of each of those Member States to take part in the respective joint investigative tasks or joint operations and respond to the request of a supervisory authority to participate in the operations without delay.

States shall have the right to participate in the joint investigative tasks or joint operations, as appropriate. The competent supervisory authority lead authority as defined in Article 54a shall invite involve the supervisory authority of each of those Member States to take part in the respective joint investigative tasks or joint operations and respond to the request of a supervisory authority to participate in the operations without delay. The lead authority shall act as the single contact point for the controller or processor.

processing operations, a supervisory authority of each of those Member States shall have the right to participate in the joint investigative tasks or joint operations, as appropriate. The competent supervisory authority shall invite the supervisory authority of each of those Member States to take part in the respective joint investigative tasks or joint operations concerned and respond without delay to the request of a supervisory authority to participate in the operations without delay.

3. Each supervisory authority may, as a host supervisory authority, in compliance with its own national law, and with the seconding supervisory authority’s authorisation, confer executive powers, including investigative tasks on the seconding supervisory authority’s members or staff involved in joint operations or, in so far as the host supervisory authority’s law permits, allow the seconding supervisory authority’s members or staff to exercise their

3. Each supervisory authority may, as a host supervisory authority, in compliance with its own national law, and with the seconding supervisory authority’s authorisation, confer executive powers, including investigative tasks on the seconding supervisory authority’s members or staff involved in joint operations or, in so far as the host supervisory authority’s law permits, allow the seconding supervisory authority’s members or staff to exercise their

3. Each A supervisory authority may, as a host supervisory authority, in compliance with its own national Member State law, and with the seconding supervisory authority’s authorisation, confer executive powers, including investigative tasks powers on the seconding supervisory authority’s members or staff involved in joint operations or, in so far as the law of the Member State of the host supervisory authority’s law permits, allow the seconding supervisory


369 DE, LU, PT and COM scrutiny reservation on the deletion of this last phrase.

executive powers in accordance with the seconding supervisory authority’s law. Such executive powers may be exercised only under the guidance and, as a rule, in the presence of members or staff from the host supervisory authority. The seconding supervisory authority's members or staff shall be subject to the host supervisory authority's national law. The host supervisory authority shall assume responsibility for their actions.

executive powers in accordance with the seconding supervisory authority’s law. Such executive powers may be exercised only under the guidance and, as a rule, in the presence of members or staff from the host supervisory authority. The seconding supervisory authority's members or staff shall be subject to the host supervisory authority's national law. The host supervisory authority shall assume responsibility for their actions.

authority’s members or staff to exercise their executive investigative powers in accordance with the law of the Member State of the seconding supervisory authority’s law. Such executive investigative powers may be exercised only under the guidance and, as a rule, in the presence of members or staff from of the host supervisory authority. The seconding supervisory authority's members or staff shall be subject to the host supervisory authority's national law369. The host supervisory authority shall assume responsibility for their actions.

3a. Where, in accordance with paragraph 1, staff of a seconding supervisory authority are operating in another Member State, the Member State of the host supervisory authority shall be liable for any damage caused by them during their operations, in accordance with the law of the Member State in whose territory they are operating.


370 UK reservation on paras. 3a, 3b and 3c.

3b. The Member State in whose territory the damage was caused shall make good such damage under the conditions applicable to damage caused by its own staff. The Member State of the seconding supervisory authority whose staff has caused damage to any person in the territory of another Member State shall reimburse the latter in full any sums it has paid to the persons entitled on their behalf.

3c. Without prejudice to the exercise of its rights vis-à-vis third parties and with the exception of paragraph 3b, each Member State shall refrain, in the case provided for in paragraph 1, from requesting reimbursement of damages it has sustained from another Member State370.

4. Supervisory authorities shall lay down the practical aspects of specific co-operation actions.

4. Supervisory authorities shall lay down the practical aspects of specific co-operation actions.

deleted

5. Where a supervisory authority does not comply within one month with the obligation laid down in paragraph 2, the other supervisory authorities shall be competent to take a provisional measure on the territory of its Member State in accordance with Article 51(1).

5. Where a supervisory authority does not comply within one month with the obligation laid down in paragraph 2, the other supervisory authorities shall be competent to take a provisional measure on the territory of its Member State in accordance with Article 51(1).

5. Where a joint operation is intended and a supervisory authority does not comply within one month with the obligation laid down in the second sentence of paragraph 2, the other supervisory authorities shall be competent to take may adopt a provisional measure on the territory of its Member State in accordance with Article 51(1).

6. The supervisory authority shall specify the period of validity of a provisional measure referred to in paragraph 5. This period shall not exceed three months. The supervisory authority shall, without delay, communicate those measures, with full reasons, to the European Data Protection Board and to the Commission and shall submit the matter in the mechanism referred to in Article 57.

6. The supervisory authority shall specify the period of validity of a provisional measure referred to in paragraph 5. This period shall not exceed three months. The supervisory authority shall, without delay, communicate those measures, with full reasons, to the European Data Protection Board and to the Commission and shall submit the matter in the mechanism referred to in Article 57.

6. The supervisory authority shall specify the period of validity of a provisional measure referred to in paragraph 5 which . This period shall not exceed three months. The supervisory authority shall, without delay, communicate those such a measures, together with full its reasons for adopting it, to the European Data Protection Board and to the Commission and shall submit the matter in the in accordance with the consistency mechanism referred to in Article 57.


371 IT and SI scrutiny reservation. DE parliamentary reservation and BE and UK reservation on the role of COM in the consistency mechanism.

372 EE, FI, and UK scrutiny reservation.

373 CZ, DE, ES and RO thought that supervisory authorities of third countries for which there is an adequacy decision should be involved in the consistency mechanism; if third countries participated in the consistency mechanism, they would be bound by uniform implementation and interpretation.

SECTION 2 CONSISTENCY

SECTION 2 CONSISTENCY

SECTION 2 CONSISTENCY371

Article 57 Article 57 Article 57

Consistency mechanism Consistency mechanism Consistency mechanism372

Amendment 165

For the purposes set out in Article 46(1), the supervisory authorities shall co-operate with each other and the Commission through the consistency mechanism as set out in this section.

For the purposes set out in Article 46(1), the supervisory authorities shall co-operate with each other and the Commission through the consistency mechanism as set out both on matters of general application and in individual cases in accordance with the provisions of in this section.

1. For the purposes set out in Article 46(1a), the supervisory authorities shall co-operate with each other and the Commission through the consistency mechanism as set out in this section373.

2. The European Data Protection Board shall issue an opinion whenever a competent supervisory authority intends to adopt any of the measures below). To that end, the competent supervisory authority shall


communicate the draft decision to the European Data Protection Board, when it:

(a) (…);

(b) (…);

(c) aims at adopting a list of the processing operations subject to the requirement for a data protection impact assessment pursuant to Article 33(2a); or

(ca) concerns a matter pursuant to Article 38(2b) whether a draft code of conduct or an amendment or extension to a code of conduct is in compliance with this Regulation; or

(cb) aims at approving the criteria for accreditation of a body pursuant to paragraph 3 of Article 38a or a certification body pursuant to paragraph 3 of Article 39a;

(d) aims at determining standard data protection clauses referred to in point (c) of Article 42(2); or


(e) aims to authorising contractual clauses referred to in point (d) of Article 42(2); or

(f) aims at approving binding corporate rules within the meaning of Article 43.

3. The European Data Protection Board shall adopt a binding decision in the following cases:

a) Where, in a case referred to in paragraph 3 of Article 54a, a concerned supervisory authority has expressed a relevant and reasoned objection to a draft decision of the lead authority or the lead authority has rejected an objection as being not relevant and/or reasoned. The binding decision shall concern all the matters which are the subject of the relevant and reasoned objection, in particular whether there is an infringement of the Regulation;

b) Where, there are conflicting views on which of the


concerned supervisory authorities is competent for the main establishment;

c) (…);

d) Where a competent supervisory authority does not request the opinion of the European Data Protection Board in the cases mentioned in paragraph 2 of this Article, or does not follow the opinion of the European Data Protection Board issued under Article 58. In that case, any concerned supervisory authority or the Commission may communicate the matter to the European Data Protection Board.

4. Any supervisory authority, the Chair of the European Data Protection Board or the Commission may request that any matter of general application or producing effects in more than one Member State be examined by the European Data Protection Board with a view to obtaining an opinion, in particular where a competent supervisory authority does not comply with the


obligations for mutual assistance in accordance with Article 55 or for joint operations in accordance with Article 56.

5. Supervisory authorities and the Commission shall electronically communicate to the European Data Protection Board, using a standardised format any relevant information, including as the case may be a summary of the facts, the draft decision, the grounds which make the enactment of such measure necessary, and the views of other concerned supervisory authorities.

6. The chair of the European Data Protection Board shall without undue delay electronically inform the members of the European Data Protection Board and the Commission of any relevant information which has been communicated to it using a standardised format. The secretariat of the European Data Protection Board shall, where necessary, provide translations of relevant information.


374 UK scrutiny reservation.

Article 58 Article 58 Article 58

Amendment 166

Opinion by the European Data Protection Board

Opinion by the European Data Protection Board Consistency on matters of general application

Opinion by the European Data Protection Board374

1. Before a supervisory authority adopts a measure referred to in paragraph 2, this supervisory authority shall communicate the draft measure to the European Data Protection Board and the Commission.

1. Before a supervisory authority adopts a measure referred to in paragraph 2, this supervisory authority shall communicate the draft measure to the European Data Protection Board and the Commission.

deleted

2. The obligation set out in paragraph 1 shall apply to a measure intended to produce legal effects and which:

2. The obligation set out in paragraph 1 shall apply to a measure intended to produce legal effects and which:

deleted

(a) relates to processing activities which are related to the offering of goods or services to data subjects in several Member States, or to the monitoring of their behaviour; or

deleted deleted

(b) may substantially affect the free movement of personal data

deleted deleted


within the Union; or

(c) aims at adopting a list of the processing operations subject to prior consultation pursuant to Article 34(5); or

deleted deleted

(d) aims to determine standard data protection clauses referred to in point (c) of Article 42(2); or

(d) aims to determine standard data protection clauses referred to in point (c) of Article 42(2); or

deleted

(e) aims to authorise contractual clauses referred to in point (d) of Article 42(2); or

(e) aims to authorise contractual clauses referred to in point (d) of Article 42(2); or

deleted

(f) aims to approve binding corporate rules within the meaning of Article 43.

(f) aims to approve binding corporate rules within the meaning of Article 43.

deleted

3. Any supervisory authority or the European Data Protection Board may request that any matter shall be dealt with in the consistency mechanism, in particular where a supervisory authority does not submit a draft measure referred to in paragraph 2 or does not comply with the obligations for mutual assistance in accordance with Article 55 or for joint operations in accordance with

3. Any supervisory authority or the European Data Protection Board may request that any matter of general application shall be dealt with in the consistency mechanism, in particular where a supervisory authority does not submit a draft measure referred to in paragraph 2 or does not comply with the obligations for mutual assistance in accordance with Article 55 or for joint operations in accordance with

deleted


Article 56. Article 56.

4. In order to ensure correct and consistent application of this Regulation, the Commission may request that any matter shall be dealt with in the consistency mechanism.

4. In order to ensure correct and consistent application of this Regulation, the Commission may request that any matter of general application shall be dealt with in the consistency mechanism.

deleted

5. Supervisory authorities and the Commission shall electronically communicate any relevant information, including as the case may be a summary of the facts, the draft measure, and the grounds which make the enactment of such measure necessary, using a standardised format.

5. Supervisory authorities and the Commission shall without undue delay electronically communicate any relevant information, including as the case may be a summary of the facts, the draft measure, and the grounds which make the enactment of such measure necessary, using a standardised format.

deleted

6. The chair of the European Data Protection Board shall immediately electronically inform the members of the European Data Protection Board and the Commission of any relevant information which has been communicated to it, using a standardised format. The chair of the European Data Protection Board shall provide translations of relevant information, where

6. The chair of the European Data Protection Board shall immediately without undue delay electronically inform the members of the European Data Protection Board and the Commission of any relevant information which has been communicated to it, using a standardised format. The chair secretariat of the European Data Protection Board shall provide translations of relevant information,

deleted


necessary. where necessary.

6a. The European Data Protection Board shall adopt an opinion on matters referred to it under paragraph 2.

7. The European Data Protection Board shall issue an opinion on the matter, if the European Data Protection Board so decides by simple majority of its members or any supervisory authority or the Commission so requests within one week after the relevant information has been provided according to paragraph 5. The opinion shall be adopted within one month by simple majority of the members of the European Data Protection Board. The chair of the European Data Protection Board shall inform, without undue delay, the supervisory authority referred to, as the case may be, in paragraphs 1 and 3, the Commission and the supervisory authority competent under Article 51 of the opinion and make it public.

7. The European Data Protection Board shall issue may decide by simple majority whether to adopt an opinion on the any matter, if the European Data Protection Board so decides by simple majority of its members or any supervisory authority or the Commission so requests within one week after the relevant information has been provided according to paragraph 5. The opinion shall be adopted within one month by simple majority of the members of the European Data Protection Board. The chair of the European Data Protection Board shall inform, without undue delay, the supervisory authority referred to, as the case may be, in paragraphs 1 and 3, the Commission and the supervisory authority competent under Article 51 of the opinion and make it public. submitted under paragraphs 3 and

7. In the cases referred to in paragraphs 2 and 4 of Article 57, The the European Data Protection Board shall issue an opinion on the same matter, if the European Data Protection Board so decides by simple majority of its members or any supervisory authority or the Commission so requests within one week after the relevant information has been provided according to paragraph 5. The This opinion shall be adopted within one month by simple majority of the members of the European Data Protection Board. The chair of the European Data Protection Board shall inform, without undue delay, the supervisory authority referred to, as the case may be, in paragraphs 1 and 3, the Commission and the supervisory authority competent under Article 51 of the opinion and make it public This period may be


4 taking into account : extended by a further month, taking into account the complexity of the subject matter. Regarding the draft decision circulated to the members of the Board in accordance with paragraph 6 of Article 57, a member which has not objected within the period indicated by the Chair, shall be deemed to be in agreement with the draft decision.].

(a) whether the matter presents elements of novelty, taking account of legal or factual developments, in particular in information technology and in the light of the state of progress in the information society; and

(b) whether the European Data Protection Board has already issued an opinion on the same matter.

7a. Within the period referred to in paragraph 7 the competent supervisory authority shall not adopt its draft decision in accordance with paragraph 2 of Article 57.


7b. The chair of the European Data Protection Board shall inform, without undue delay, the supervisory authority referred to, as the case may be, in paragraphs 2 and 4 of Article 57 and the Commission of the opinion and make it public.

8. The supervisory authority referred to in paragraph 1 and the supervisory authority competent under Article 51 shall take account of the opinion of the European Data Protection Board and shall within two weeks after the information on the opinion by the chair of the European Data Protection Board, electronically communicate to the chair of the European Data Protection Board and to the Commission whether it maintains or amends its draft measure and, if any, the amended draft measure, using a standardised format.

8. The supervisory authority referred to in paragraph 1 and the supervisory authority competent under Article 51 shall take account of the opinion of the European Data Protection Board and shall within two weeks after the information on the opinion by the chair of the European Data Protection Board, electronically communicate to the chair of the European Data Protection Board and to the Commission whether it maintains or amends its draft measure and, if any, the amended draft measure, using a standardised format The European Data Protection Board shall adopt opinions pursuant to paragraphs 6a and 7 by a simple majority of its members. These opinions shall be made public.

8. The supervisory authority referred to in paragraph 1 2 of Article 57 and the supervisory authority competent under Article 51 shall take utmost account of the opinion of the European Data Protection Board and shall within two weeks after the information on receiving the opinion by the chair of the European Data Protection Board, electronically communicate to the chair of the European Data Protection Board and to the Commission whether it maintains or will amends its draft measure decision and, if any, the amended draft measure decision, using a standardised format.


9. Where the concerned supervisory authority informs the chair of the European Data Protection Board within the period referred to in paragraph 8 that it does not intend to follow the opinion of the Board, in whole or in part, providing the relevant grounds, paragraph 3 of Article 57 shall apply.

Amendment 167

Article 58a (new)

Consistency in individual cases

1. Before taking a measure intended to produce legal effects within the meaning of Article 54a, the lead authority shall share all relevant information and submit the draft measure to all other competent authorities. The lead authority shall not adopt the measure if a competent authority has, within a period of three weeks, indicated it has serious objections to the measure.

2. Where a competent authority


has indicated that it has serious objections to a draft measure of the lead authority, or where the lead authority does not submit a draft measure referred to in paragraph 1 or does not comply with the obligations for mutual assistance in accordance with Article 55 or for joint operations in accordance with Article 56, the issue shall be considered by the European Data Protection Board.

3. The lead authority and/or other competent authorities involved and the Commission shall without undue delay electronically communicate to the European Data Protection Board using a standardised format any relevant information, including as the case may be a summary of the facts, the draft measure, the grounds which make the enactment of such measure necessary, the objections raised against it and the views of other supervisory authorities concerned.

4. The European Data Protection Board shall consider the issue,


taking into account the impact of the draft measure of the lead authority on the fundamental rights and freedoms of data subjects, and shall decide by simple majority of its members whether to issue an opinion on the matter within two weeks after the relevant information has been provided pursuant to paragraph 3.

5. In case the European Data Protection Board decides to issue an opinion, it shall do so within six weeks and make the opinion public.

6. The lead authority shall take utmost account of the opinion of the European Data Protection Board and shall within two weeks after the information on the opinion by the chair of the European Data Protection Board, electronically communicate to the chair of the European Data Protection Board and to the Commission whether it maintains or amends its draft measure and, if any, the amended draft measure, using a standardised format.


375 PL scrutiny reservation. IE thought the controller should have standing to intervene in the proceedings before the EDPB.

Where the lead authority intends not to follow the opinion of the European Data Protection Board, it shall provide a reasoned justification.

7. In case the European Data Protection Board still objects to the measure of the supervisory authority as referred to in paragraph 5, it may within one month adopt by a two thirds majority a measure which shall be binding upon the supervisory authority.

Article 58a

Dispute Resolution by the European Data Protection Board375

1. In the cases referred to in paragraph 3 of Article 57, the European Data Protection Board shall adopt a decision on the subject-matter submitted to it in order to ensure the correct and consistent application of this Regulation in individual cases.


376 AT and HU reservation. HU believes that this option will make the general two-thirds majority rule meaningless and symbolic, since there will be no effective incentive for the EDPB to adopt a decision that reflects the view of the vast majority of DPAs of the Member States, as eventually every decision could be adopted by only a slight majority of them. It would also undermine the general validity of the EDPB’s decision, since the fact that the Board could not come to an agreement on a particular matter supported by at least the two-thirds of its members might give rise to serious doubts whether the finding of such decision is commonly shared across the Union. AT believes that a simple majority would be more effective and would not prolong the procedure.

The decision shall be reasoned and addressed to the lead supervisory authority and all the concerned supervisory authorities and binding on them.

2. The decision referred to in paragraph 1 shall be adopted within one month from the referral of the subject-matter by a two-third majority of the members of the Board. This period may be extended by a further month on account of the complexity of the subject-matter.

3. In case the Board has been unable to adopt a decision within the periods referred to in paragraph 2, it shall adopt its decision within two weeks following the expiration of the second month referred to in paragraph 2 by a simple majority of the members of the Board376. In case the members of the Board are


split, the decision shall by adopted by the vote of its Chair.

4. The concerned supervisory authorities shall not adopt a decision on the subject matter submitted to the Board under paragraph 1 during the periods referred to in paragraphs 2 and 3.

5. (…)

6. The Chair of the European Data Protection Board shall notify, without undue delay, the decision referred to in paragraph 1 to the concerned supervisory authorities. It shall inform the Commission thereof. The decision shall be published on the website of the European Data Protection Board without delay after the supervisory authority has notified the final decision referred to in paragraph 7.

7. The lead supervisory authority or, as the case may be, the supervisory authority to which the complaint has been lodged shall adopt their final decision on the basis of the decision referred to in


377 FI reservation; would prefer a system under which the EDPB decision would be directly applicable and would not have to be transposed by the lead DPA.

paragraph 1377, without undue delay and at the latest by one month after the European Data Protection Board has notified its decision. The lead supervisory authority or, as the case may be, the supervisory authority to which the complaint has been lodged, shall inform the European Data Protection Board of the date when its final decision is notified respectively to the controller or the processor and the data subject. The final decision of the concerned supervisory authorities shall be adopted under the terms of Article 54a, paragraph 4a, 4b and 4bb. The final decision shall refer to the decision referred to in paragraph 1 and shall specify that the decision referred to in paragraph 1 will be published on the website of the European Data Protection Board in accordance with paragraph 6. The final decision shall attach the decision referred to in paragraph 1.


378 COM and FR reservation on deletion.

Amendment 168

Article 59 Article 59 Article 59

Opinion by the Commission Opinion by the Commission Opinion by the Commission378

1. Within ten weeks after a matter has been raised under Article 58, or at the latest within six weeks in the case of Article 61, the Commission may adopt, in order to ensure correct and consistent application of this Regulation, an opinion in relation to matters raised pursuant to Articles 58 or 61.

deleted deleted

2. Where the Commission has adopted an opinion in accordance with paragraph 1, the supervisory authority concerned shall take utmost account of the Commission’s opinion and inform the Commission and the European Data Protection Board whether it intends to maintain or amend its draft measure.

deleted deleted

3. During the period referred to in paragraph 1, the draft measure shall not be adopted by the

deleted deleted


379 COM and FR reservation on deletion.

supervisory authority.

4. Where the supervisory authority concerned intends not to follow the opinion of the Commission, it shall inform the Commission and the European Data Protection Board thereof within the period referred to in paragraph 1 and provide a justification. In this case the draft measure shall not be adopted for one further month.

deleted deleted

Amendment 169

Article 60 Article 60 Article 60

Suspension of a draft measure Suspension of a draft measure Suspension of a draft measure379

1. Within one month after the communication referred to in Article 59(4), and where the Commission has serious doubts as to whether the draft measure would ensure the correct application of this Regulation or would otherwise result in its inconsistent application, the Commission may adopt a reasoned decision requiring the supervisory authority to suspend

deleted deleted


the adoption of the draft measure, taking into account the opinion issued by the European Data Protection Board pursuant to Article 58(7) or Article 61(2), where it appears necessary in order to:

(a) reconcile the diverging positions of the supervisory authority and the European Data Protection Board, if this still appears to be possible; or

deleted deleted

(b) adopt a measure pursuant to point (a) of Article 62(1).

deleted deleted

2. The Commission shall specify the duration of the suspension which shall not exceed 12 months.

deleted deleted

3. During the period referred to in paragraph 2, the supervisory authority may not adopt the draft measure.

deleted deleted


380 DE scrutiny reservation.

Amendment 170

Article 60a (new)

Notification of the European Parliament and the Council

The Commission shall notify the European Parliament and the Council at regular intervals, at least every six months, on the basis of a report from the Chair of the European Data Protection Board, of the matters dealt with under the consistency mechanism, setting out the conclusions drawn by the Commission and the European Data Protection Board with a view to ensuring the consistent implementation and application of this Regulation.

Article 61 Article 61 Article 61

Urgency procedure Urgency procedure Urgency procedure380

Amendment 171

1. In exceptional circumstances, where a supervisory

1. In exceptional circumstances, where a supervisory authority

1. In exceptional circumstances, where a concerned supervisory


381 HU remarked that it should be clarified whether provisional measures can be adopted pending a decision by the EDPB. The Presidency thinks that the reference to Article 57 makes it clear that this is indeed possible.

382 COM scrutiny reservation.

authority considers that there is an urgent need to act in order to protect the interests of data subjects, in particular when the danger exists that the enforcement of a right of a data subject could be considerably impeded by means of an alteration of the existing state or for averting major disadvantages or for other reasons, by way of derogation from the procedure referred to in Article 58, it may immediately adopt provisional measures with a specified period of validity. The supervisory authority shall, without delay, communicate those measures, with full reasons, to the European Data Protection Board and to the Commission.

considers that there is an urgent need to act in order to protect the interests of data subjects, in particular when the danger exists that the enforcement of a right of a data subject could be considerably impeded by means of an alteration of the existing state or for averting major disadvantages or for other reasons, by way of derogation from the procedure referred to in Article 5858a, it may immediately adopt provisional measures with a specified period of validity. The supervisory authority shall, without delay, communicate those measures, with full reasons, to the European Data Protection Board and to the Commission.

authority considers that there is an urgent need to act in order to protect the interests rights and freedoms of data subjects, it may, in particular when the danger exists that the enforcement of a right of a data subject could be considerably impeded by means of an alteration of the existing state or for averting major disadvantages or for other reasons, by way of derogation from the procedure consistency mechanism referred to in Article 587381 or the procedure referred to in Article 54a, it may immediately adopt provisional measures intended to produce legal effects within the territory of its own Member State382, with a specified period of validity. The supervisory authority shall, without delay, communicate those measures, with full and the reasons for adopting them, to the other concerned supervisory authorities, the European Data Protection Board and to the Commission.


2. Where a supervisory authority has taken a measure pursuant to paragraph 1 and considers that final measures need urgently be adopted, it may request an urgent opinion of the European Data Protection Board, giving reasons for requesting such opinion, including for the urgency of final measures.

2. Where a supervisory authority has taken a measure pursuant to paragraph 1 and considers that final measures need urgently be adopted, it may request an urgent opinion of the European Data Protection Board, giving reasons for requesting such opinion, including for the urgency of final measures.

2. Where a supervisory authority has taken a measure pursuant to paragraph 1 and considers that final measures need urgently be adopted, it may request an urgent opinion or an urgent binding decision form of the European Data Protection Board, giving reasons for requesting such opinion, including for the urgency of final measures or decision.

3. Any supervisory authority may request an urgent opinion where the competent supervisory authority has not taken an appropriate measure in a situation where there is an urgent need to act, in order to protect the interests of data subjects, giving reasons for requesting such opinion, including for the urgent need to act.

3. Any supervisory authority may request an urgent opinion where the competent supervisory authority has not taken an appropriate measure in a situation where there is an urgent need to act, in order to protect the interests of data subjects, giving reasons for requesting such opinion, including for the urgent need to act.

3. Any supervisory authority may request an urgent opinion or an urgent binding decision, as the case may be, from the European Data Protection Board where the a competent supervisory authority has not taken an appropriate measure in a situation where there is an urgent need to act, in order to protect the interests rights and freedoms of data subjects, giving reasons for requesting such opinion or decision, including for the urgent need to act.

Amendment 172

4. By derogation from Article 58(7), an urgent opinion referred to

4. By derogation from Article 58(7), a An urgent opinion referred to in

4. By derogation from paragraph 7 of Article 58(7) and paragraph 2


383 COM reservation on deletion.

in paragraphs 2 and 3 of this Article shall be adopted within two weeks by simple majority of the members of the European Data Protection Board.

paragraphs 2 and 3 of this Article shall be adopted within two weeks by simple majority of the members of the European Data Protection Board.

of Article 58a, an urgent opinion or an urgent binding decision referred to in paragraphs 2 and 3 of this Article shall be adopted within two weeks by simple majority of the members of the European Data Protection Board.

Article 62 Article 62 Article 62

Implementing acts Implementing acts Implementing acts

Amendment 173

1. The Commission may adopt implementing acts for:

1. The Commission may adopt implementing acts of general application, after requesting an opinion of the European Data Protection Board, for:

1. The Commission may adopt implementing acts of general scope for:

(a) deciding on the correct application of this Regulation in accordance with its objectives and requirements in relation to matters communicated by supervisory authorities pursuant to Article 58 or 61, concerning a matter in relation to which a reasoned decision has been adopted pursuant to Article 60(1), or concerning a matter in

deleted deleted383


relation to which a supervisory authority does not submit a draft measure and that supervisory authority has indicated that it does not intend to follow the opinion of the Commission adopted pursuant to Article 59;

(b) deciding, within the period referred to in Article 59(1), whether it declares draft standard data protection clauses referred to in point (d) of Article 58(2), as having general validity;

(b) deciding, within the period referred to in Article 59(1), whether it declares draft standard data protection clauses referred to in point (d) of Article 5842(2), as having general validity;

deleted

(c) specifying the format and procedures for the application of the consistency mechanism referred to in this section;

deleted deleted

(d) specifying the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the European Data Protection Board, in particular the standardised format referred to in Article 58(5), (6) and (8).

(d) specifying the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the European Data Protection Board, in particular the standardised format referred to in Article 58(5), (6) and (8).

(d) specifying the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the European Data Protection Board, in particular the standardised format referred to in Article 57(5) and (6) and in Article 58(5), (6) and (8).


Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

deleted Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

2. On duly justified imperative grounds of urgency relating to the interests of data subjects in the cases referred to in point (a) of paragraph 1, the Commission shall adopt immediately applicable implementing acts in accordance with the procedure referred to in Article 87(3). Those acts shall remain in force for a period not exceeding 12 months.

deleted deleted

3. The absence or adoption of a measure under this Section does not prejudice any other measure by the Commission under the Treaties.

3. The absence or adoption of a measure under this Section does not prejudice any other measure by the Commission under the Treaties.

deleted

Article 63 Article 63 Article 63

Enforcement Enforcement Enforcement

1. For the purposes of this Regulation, an enforceable measure of the supervisory authority of one Member State shall be enforced in all Member States concerned.

1. For the purposes of this Regulation, an enforceable measure of the supervisory authority of one Member State shall be enforced in all Member States concerned.

deleted


Amendment 174

2. Where a supervisory authority does not submit a draft measure to the consistency mechanism in breach of Article 58(1) to (5), the measure of the supervisory authority shall not be legally valid and enforceable.

2. Where a supervisory authority does not submit a draft measure to the consistency mechanism in breach of Article 58(1) and (2) or adopts a measure despite an indication of serious objection pursuant to Article 58a(1), the measure of the supervisory authority shall not be legally valid and enforceable.

deleted


SECTION 3 EUROPEAN DATA PROTECTION BOARD

SECTION 3 EUROPEAN DATA PROTECTION BOARD

SECTION 3 EUROPEAN DATA PROTECTION BOARD

Article 64 Article 64 Article 64

European Data Protection Board European Data Protection Board European Data Protection Board

1. A European Data Protection Board is hereby set up.

1. A European Data Protection Board is hereby set up.

1.a A The European Data Protection Board is hereby set up established as body of the Union and shall have legal personality.

1b. The European Data Protection Board shall be represented by its Chair.

2. The European Data Protection Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor.

2. The European Data Protection Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor.

2. The European Data Protection Board shall be composed of the head of one supervisory authority of each Member State and or his/her representative of the European Data Protection Supervisor.

3. Where in a Member State more than one supervisory authority is responsible for monitoring the application of the provisions pursuant to this Regulation, they shall nominate the

3. Where in a Member State more than one supervisory authority is responsible for monitoring the application of the provisions pursuant to this Regulation, they shall nominate the head of one of

3. Where in a Member State more than one supervisory authority is responsible for monitoring the application of the provisions pursuant to this Regulation, they shall nominate the head of one of


head of one of those supervisory authorities as joint representative.

those supervisory authorities as joint representative.

those supervisory authorities as a joint representative shall be appointed in accordance with the national law of that Member State.

4. The Commission shall have the right to participate in the activities and meetings of the European Data Protection Board and shall designate a representative. The chair of the European Data Protection Board shall, without delay, inform the Commission on all activities of the European Data Protection Board.

4. The Commission shall have the right to participate in the activities and meetings of the European Data Protection Board and shall designate a representative. The chair of the European Data Protection Board shall, without delay, inform the Commission on all activities of the European Data Protection Board.

4. The Commission and the European Data Protection Supervisor or his/her representative shall have the right to participate in the activities and meetings of the European Data Protection Board and shall designate a representative without voting right. The Commission shall designate a representative. The chair of the European Data Protection Board shall, without delay, inform communicate to the Commission the on all activities of the European Data Protection Board.

Article 65 Article 65 Article 65

Independence Independence Independence

1. The European Data Protection Board shall act independently when exercising its tasks pursuant to Articles 66 and

1. The European Data Protection Board shall act independently when exercising its tasks pursuant to

1. The European Data Protection Board shall act independently when exercising performing its tasks or exercising its powers pursuant to


384 UK and SI scrutiny reservation.
385 DE scrutiny reservation.

67. Articles 66 and 67. Articles 66 and 67384.

2. Without prejudice to requests by the Commission referred to in point (b) of paragraph 1 and in paragraph 2 of Article 66, the European Data Protection Board shall, in the performance of its tasks, neither seek nor take instructions from anybody.

2. Without prejudice to requests by the Commission referred to in point (b) of paragraph 1 and in paragraph 2 of Article 66, the European Data Protection Board shall, in the performance of its tasks, neither seek nor take instructions from anybody.

2. Without prejudice to requests by the Commission referred to in point (b) of paragraph 1 and in paragraph 2 of Article 66, the European Data Protection Board shall, in the performance of its tasks or the exercise of its powers, neither seek nor take instructions from anybody385.

Article 66 Article 66 Article 66

Tasks of the European Data Protection Board

Tasks of the European Data Protection Board

Tasks of the European Data Protection Board

Amendment 175

1. The European Data Protection Board shall ensure the consistent application of this Regulation. To this effect, the European Data Protection Board shall, on its own initiative or at the request of the Commission, in particular:

1. The European Data Protection Board shall ensure the consistent application of this Regulation. To this effect, the European Data Protection Board shall, on its own initiative or at the request of the European Parliament, Council or Commission, in particular:

1. The European Data Protection Board shall ensure promote the consistent application of this Regulation. To this effect, the European Data Protection Board shall, on its own initiative or at the request of the Commission, in particular:


(aa) monitor and ensure the correct application of this Regulation in the cases provided for in Article 57(3) without prejudice to the tasks of national supervisory authorities;

(a) advise the Commission on any issue related to the protection of personal data in the Union, including on any proposed amendment of this Regulation;

(a) advise the Commission European institutions on any issue related to the protection of personal data in the Union, including on any proposed amendment of this Regulation;

(a) advise the Commission on any issue related to the protection of personal data in the Union, including on any proposed amendment of this Regulation;

(b) examine, on its own initiative or on request of one of its members or on request of the Commission, any question covering the application of this Regulation and issue guidelines, recommendations and best practices addressed to the supervisory authorities in order to encourage consistent application of this Regulation;

(b) examine, on its own initiative or on request of one of its members or on request of the European Parliament, Council or the Commission, any question covering the application of this Regulation and issue guidelines, recommendations and best practices addressed to the supervisory authorities in order to encourage consistent application of this Regulation, including on the use of enforcement powers;

(b) examine, on its own initiative or on request of one of its members or on request of the Commission, any question covering the application of this Regulation and issue guidelines, recommendations and best practices addressed to the supervisory authorities in order to encourage consistent application of this Regulation;

(ba) draw up guidelines for supervisory authorities concerning the application of measures


386 DK constitutional reservation on the introduction of administrative fines, irrespective of the level of the fines.

referred to in paragraph 1, 1b and 1c of Article 53 and the fixing of administrative fines pursuant to Articles 79 and 79a386;

(c) review the practical application of the guidelines, recommendations and best practices referred to in point (b) and report regularly to the Commission on these;

(c) review the practical application of the guidelines, recommendations and best practices referred to in point (b) and report regularly to the Commission on these;

(c) review the practical application of the guidelines, recommendations and best practices referred to in point (b) and report regularly to the Commission on these (ba);

(ca) encourage the drawing-up of codes of conduct and the establishment of data protection certification mechanisms and data protection seals and marks pursuant to Articles 38 and 39;

(cb) carry out the accreditation of certification bodies and its periodic review pursuant to Article 39a and maintain a public register of accredited bodies pursuant to paragraph 6 of Article 39a and of the accredited controllers or processors established in third countries pursuant to paragraph 4


387 HU said that paragraphs (ca) and (cb) were contrary to the text of the general approach reached in June 2014 (11028/14); it is for the national supervisory authority to do this.

of Article 39387;

(cd) specify the requirements mentioned in paragraph 3 of Article 39a with a view to the accreditation of certification bodies under Article 39;

(ce) give the Commission an opinion on the level of protection in third countries or international organisations, in particular in the cases referred to in Article 41;

(d) issue opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism referred to in Article 57;

(d) issue opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism referred to in Article 57;

(d) issue opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism referred to in paragraph 2 and on matters submitted pursuant to paragraph 4 of Article 57;

(da) provide an opinion on which authority should be the lead authority pursuant to Article 54a(3);

(e) promote the co-operation and the effective bilateral and multilateral exchange of

(e) promote the co-operation and the effective bilateral and multilateral exchange of

(e) promote the co-operation and the effective bilateral and multilateral exchange of


information and practices between the supervisory authorities;

information and practices between the supervisory authorities, including the coordination of joint operations and other joint activities, where it so decides at the request of one or several supervisory authorities;

information and practices between the supervisory authorities;

(f) promote common training programmes and facilitate personnel exchanges between the supervisory authorities, as well as, where appropriate, with the supervisory authorities of third countries or of international organisations;

(f) promote common training programmes and facilitate personnel exchanges between the supervisory authorities, as well as, where appropriate, with the supervisory authorities of third countries or of international organisations;

(f) promote common training programmes and facilitate personnel exchanges between the supervisory authorities, as well as, where appropriate, with the supervisory authorities of third countries or of international organisations;

(g) promote the exchange of knowledge and documentation on data protection legislation and practice with data protection supervisory authorities worldwide.

(g) promote the exchange of knowledge and documentation on data protection legislation and practice with data protection supervisory authorities worldwide;

(g) promote the exchange of knowledge and documentation on data protection legislation and practice with data protection supervisory authorities worldwide.

(ga) give its opinion to the Commission in the preparation of delegated and implementing acts based on this Regulation;

(gb) give its opinion on codes of conduct drawn up at Union level pursuant to Article 38(4);


(gc) give its opinion on criteria and requirements for the data protection certification mechanisms pursuant to Article 39(3);

(gd) maintain a public electronic register on valid and invalid certificates pursuant to Article 39(1h);

(ge) provide assistance to national supervisory authorities, at their request;

(gf) establish and make public a list of the processing operations which are subject to prior consultation pursuant to Article 34;

(gg) maintain a registry of sanctions imposed on controllers or processors by the competent supervisory authorities.

(h) (…)

(i) maintain a publicly accessible electronic register of decisions taken by supervisory


authorities and courts on issues dealt with in the consistency mechanism.

2. Where the Commission requests advice from the European Data Protection Board, it may lay out a time limit within which the European Data Protection Board shall provide such advice, taking into account the urgency of the matter.

2. Where the European Parliament, the Council or the Commission requests advice from the European Data Protection Board, it may lay out a time limit within which the European Data Protection Board shall provide such advice, taking into account the urgency of the matter.

2. Where the Commission requests advice from the European Data Protection Board, it may lay out indicate a time limit within which the European Data Protection Board shall provide such advice, taking into account the urgency of the matter.

3. The European Data Protection Board shall forward its opinions, guidelines, recommendations, and best practices to the Commission and to the committee referred to in Article 87 and make them public.

3. The European Data Protection Board shall forward its opinions, guidelines, recommendations, and best practices to the European Parliament, the Council and the Commission and to the committee referred to in Article 87 and make them public.

3. The European Data Protection Board shall forward its opinions, guidelines, recommendations, and best practices to the Commission and to the committee referred to in Article 87 and make them public.

4. The Commission shall inform the European Data Protection Board of the action it has taken following the opinions, guidelines, recommendations and best practices issued by the European Data Protection Board.

4. The Commission shall inform the European Data Protection Board of the action it has taken following the opinions, guidelines, recommendations and best practices issued by the European Data Protection Board.

deleted


4a. The European Data Protection Board shall, where appropriate, consult interested parties and give them the opportunity to comment within a reasonable period. The European Data Protection Board shall, without prejudice to Article 72, make the results of the consultation procedure publicly available.

4b. The European Data Protection Board shall be entrusted with the task of issuing guidelines, recommendations and best practices in accordance with point (b) of paragraph 1 for establishing common procedures for receiving and investigating information concerning allegations of unlawful processing and for safeguarding confidentiality and sources of information received.

Article 67 Article 67 Article 67

Reports Reports Reports

Amendment 176

1. The European Data 1. The European Data Protection deleted


Protection Board shall regularly and timely inform the Commission about the outcome of its activities. It shall draw up an annual report on the situation regarding the protection of natural persons with regard to the processing of personal data in the Union and in third countries.

Board shall regularly and timely inform the European Parliament, the Council and the Commission about the outcome of its activities. It shall draw up an annual a report at least every two years on the situation regarding the protection of natural persons with regard to the processing of personal data in the Union and in third countries.

The report shall include the review of the practical application of the guidelines, recommendations and best practices referred to in point (c) of Article 66(1).

The report shall include the review of the practical application of the guidelines, recommendations and best practices referred to in point (c) of Article 66(1).

deleted

2. The report shall be made public and transmitted to the European Parliament, the Council and the Commission.

2. The report shall be made public and transmitted to the European Parliament, the Council and the Commission.

2. The European Data Protection Board shall draw up an annual report regarding the protection of natural persons with regard to the processing of personal data in the Union and, where relevant, in third countries and international organisations. The report shall be made public and be transmitted to the European Parliament, the Council and the Commission.

3. The annual report shall include a review of the practical application of the guidelines,


recommendations and best practices referred to in point (c) of Article 66(1) as well as of the binding decisions referred to in paragraph 3 of Article 57.

Article 68 Article 68 Article 68

Procedure Procedure Procedure

Amendment 177

1. The European Data Protection Board shall take decisions by a simple majority of its members.

1. The European Data Protection Board shall take decisions by a simple majority of its members, unless otherwise provided in its rules of procedure.

1. The European Data Protection Board shall take decisions adopt binding decisions referred to in paragraph 3 of Article 57 in accordance with majority requirements set out in paragraphs 2 and 3 of Article 58a. As regards decisions related to the other tasks listed in Article 66 hereof, they shall be taken by a simple majority of its members.

2. The European Data Protection Board shall adopt its own rules of procedure and organise its own operational arrangements. In particular, it shall provide for the continuation of exercising duties when a member’s term of office expires or a member

2. The European Data Protection Board shall adopt its own rules of procedure and organise its own operational arrangements. In particular, it shall provide for the continuation of exercising duties when a member’s term of office expires or a member resigns, for the

2. The European Data Protection Board shall adopt its own rules of procedure by a two-third majority of its members and organise its own operational arrangements. In particular, it shall provide for the continuation of exercising duties when a member’s term of office


388 IE proposal.
389 COM reservation on deletion.
390 COM scrutiny reservation.

resigns, for the establishment of subgroups for specific issues or sectors and for its procedures in relation to the consistency mechanism referred to in Article 57.

establishment of subgroups for specific issues or sectors and for its procedures in relation to the consistency mechanism referred to in Article 57.

expires or a member resigns, for the establishment of subgroups for specific issues or sectors and for its procedures in relation to the consistency mechanism referred to in Article 57.

Article 69 Article 69 Article 69

Chair Chair Chair

Amendment 178

1. The European Data Protection Board shall elect a chair and two deputy chairpersons from amongst its members. One deputy chairperson shall be the European Data Protection Supervisor, unless he or she has been elected chair.

1. The European Data Protection Board shall elect a chair and at least two deputy chairpersons from amongst its members. One deputy chairperson shall be the European Data Protection Supervisor, unless he or she has been elected chair.

1. The European Data Protection Board shall elect a chair and two deputy chairpersons chairs from amongst its members by simple majority388389. One deputy chairperson shall be the European Data Protection Supervisor, unless he or she has been elected chair.

2. The term of office of the chair and of the deputy chairpersons shall be five years and be renewable.

2. The term of office of the chair and of the deputy chairpersons shall be five years and be renewable.

2. The term of office of the chair and of the deputy chairpersons chairs shall be five years and be renewable once390.


Amendment 179

2a. The position of the chair shall be a full-time position.

Article 70 Article 70 Article 70

Tasks of the chair Tasks of the chair Tasks of the chair

1. The chair shall have the following tasks:

1. The chair shall have the following tasks:

1. The chair shall have the following tasks:

(a) to convene the meetings of the European Data Protection Board and prepare its agenda;

(a) to convene the meetings of the European Data Protection Board and prepare its agenda;

(a) to convene the meetings of the European Data Protection Board and prepare its agenda;

(aa) to notify decisions adopted by the European Data Protection Board pursuant to Article 58a to the lead supervisory authority and the concerned supervisory authorities;

(b) to ensure the timely fulfilment of the tasks of the European Data Protection Board, in particular in relation to the consistency mechanism referred to in Article 57.

(b) to ensure the timely fulfilment of the tasks of the European Data Protection Board, in particular in relation to the consistency mechanism referred to in Article 57.

(b) to ensure the timely fulfilment performance of the tasks of the European Data Protection Board, in particular in relation to the consistency mechanism referred to in Article 57.

2. The European Data Protection Board shall lay down the

2. The European Data Protection Board shall lay down the attribution

2. The European Data Protection Board shall lay down the attribution


attribution of tasks between the chair and the deputy chairpersons in its rules of procedure.

of tasks between the chair and the deputy chairpersons in its rules of procedure.

of tasks between the chair and the deputy chairpersons in its rules of procedure.

Article 71 Article 71 Article 71

Secretariat Secretariat Secretariat

1. The European Data Protection Board shall have a secretariat. The European Data Protection Supervisor shall provide that secretariat.

1. The European Data Protection Board shall have a secretariat. The European Data Protection Supervisor shall provide that secretariat.

1. The European Data Protection Board shall have a secretariat, which shall be provided by the secretariat of . The the European Data Protection Supervisor shall provide that secretariat.

1a. The secretariat shall perform its tasks exclusively under the instructions of the Chair of the European Data Protection Board.

1b. The staff of the secretariat of the European Data Protection Supervisor involved in carrying out the tasks conferred on the European Data Protection Board by this Regulation shall be organizationally separated from, and subject to separate reporting lines from the staff involved in carrying out tasks conferred on the European Data Protection


391 CZ reservation on last part of the task.
392 UK suggested deleting "analytical".

Supervisor391.

1c. Where needed, the European Data Protection Board in consultation with the European Data Protection Supervisor shall establish and publish a Code of Conduct implementing this Article and applicable to the staff of the secretariat of the European Data Protection Supervisor involved in carrying out the tasks conferred on the European Data Protection Board by this Regulation.

Amendment 180

2. The secretariat shall provide analytical, administrative and logistical support to the European Data Protection Board under the direction of the chair.

2. The secretariat shall provide analytical, legal, administrative and logistical support to the European Data Protection Board under the direction of the chair.

2. The secretariat shall provide analytical392, administrative and logistical support to the European Data Protection Board under the direction of the chair.

3. The secretariat shall beresponsible in particular for:

3. The secretariat shall beresponsible in particular for:

3. The secretariat shall beresponsible in particular for:

(a) the day-to-day business ofthe European Data ProtectionBoard;

(a) the day-to-day business of theEuropean Data Protection Board;

(a) the day-to-day business of theEuropean Data Protection Board;


(b) the communication between the members of the European Data Protection Board, its chair and the Commission and for communication with other institutions and the public;

(b) the communication between the members of the European Data Protection Board, its chair and the Commission and for communication with other institutions and the public;

(b) the communication between the members of the European Data Protection Board, its chair and the Commission and for communication with other institutions and the public;

(c) the use of electronic means for the internal and external communication;

(c) the use of electronic means for the internal and external communication;

(c) the use of electronic means for the internal and external communication;

(d) the translation of relevant information;

(d) the translation of relevant information;

(d) the translation of relevant information;

(e) the preparation and follow-up of the meetings of the European Data Protection Board;

(e) the preparation and follow-up of the meetings of the European Data Protection Board;

(e) the preparation and follow-up of the meetings of the European Data Protection Board;

(f) the preparation, drafting and publication of opinions and other texts adopted by the European Data Protection Board.

(f) the preparation, drafting and publication of opinions and other texts adopted by the European Data Protection Board.

(f) the preparation, drafting and publication of opinions, decisions on the settlement of disputes between supervisory authorities and other texts adopted by the European Data Protection Board.


393 DE, EE, ES, RO, PL, PT, SE and UK reservation: it was thought that the EDPB should operate in a manner as transparent as possible and a general confidentiality duty was obviously not conducive to this. This article should be revisited once there is more clarity on the exact role and powers of the board, including the question whether the EDPS shall ensure the Secretariat.

394 IT scrutiny reservation: it suggested replacing this term with 'minutes' or 'summary records', thereby distinguishing between confidentiality of decision-making and access to documents.

Article 72 Article 72 Article 72

Confidentiality Confidentiality Confidentiality393

Amendment 181

1. The discussions of the European Data Protection Board shall be confidential.

1. The discussions of the European Data Protection Board may be confidential where necessary, unless otherwise provided in its rules of procedure. The agendas of the meetings of the European Protection Board shall be made public.

1. The discussions394 of the European Data Protection Board shall be confidential.

2. Documents submitted to members of the European Data Protection Board, experts and representatives of third parties shall be confidential, unless access is granted to those documents in accordance with Regulation (EC) No 1049/2001 or the European Data Protection Board otherwise makes them public.

2. Documents submitted to members of the European Data Protection Board, experts and representatives of third parties shall be confidential, unless access is granted to those documents in accordance with Regulation (EC) No 1049/2001 of the European Parliament and of the Council1 or the European Data Protection Board otherwise makes them public.

2. Access to Documents documents submitted to members of the European Data Protection Board, experts and representatives of third parties shall be confidential, unless access is granted to those documents in accordance with governed by Regulation (EC) No 1049/2001 or the European Data Protection Board otherwise makes them public.


1 Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L145, 31.5.2001, p.43)

3. The members of the European Data Protection Board, as well as experts and representatives of third parties, shall be required to respect the confidentiality obligations set out in this Article. The chair shall ensure that experts and representatives of third parties are made aware of the confidentiality requirements imposed upon them.

3. The members of the European Data Protection Board, as well as experts and representatives of third parties, shall be required to respect the confidentiality obligations set out in this Article. The chair shall ensure that experts and representatives of third parties are made aware of the confidentiality requirements imposed upon them.

deleted


395 AT, FR, EE, ES and RO scrutiny reservation.
396 BE, CY, CZ, EE, IE, LY, PT and SI scrutiny reservation.
397 COM, BG, IT and LU thought that the data subject should be able to lodge a complaint with any DPA without limitation since the protection of personal data was a fundamental right.

CHAPTER VIII REMEDIES, LIABILITY AND SANCTIONS

CHAPTER VIII REMEDIES, LIABILITY AND SANCTIONS

CHAPTER VIII REMEDIES, LIABILITY AND SANCTIONS395

Article 73 Article 73 Article 73

Right to lodge a complaint with a supervisory authority

Right to lodge a complaint with a supervisory authority

Right to lodge a complaint with a supervisory authority396

Amendment 182

1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority in any Member State if they consider that the processing of personal data relating to them does not comply with this Regulation.

1. Without prejudice to any other administrative or judicial remedy and the consistency mechanism, every data subject shall have the right to lodge a complaint with a supervisory authority in any Member State if they consider that the processing of personal data relating to them does not comply with this Regulation.

1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a single supervisory authority, in particular397 in any the Member State of his or her habitual residence, place of work or place of the alleged infringement if they data subject consider that the processing of personal data relating to them him or her does not


398 DE, supported by NL, suggested adding "when its rights are not being respected".

comply with this Regulation398.

2. Any body, organisation or association which aims to protect data subjects’ rights and interests concerning the protection of their personal data and has been properly constituted according to the law of a Member State shall have the right to lodge a complaint with a supervisory authority in any Member State on behalf of one or more data subjects if it considers that a data subject’s rights under this Regulation have been infringed as a result of the processing of personal data.

2. Any body, organisation or association which aims to protect data subjects’ rights and interests concerning the protection of their personal data acts in the public interest and has been properly constituted according to the law of a Member State shall have the right to lodge a complaint with a supervisory authority in any Member State on behalf of one or more data subjects if it considers that a data subject’s rights under this Regulation have been infringed as a result of the processing of personal data.

deleted

3. Independently of a data subject's complaint, any body, organisation or association referred to in paragraph 2 shall have the right to lodge a complaint with a supervisory authority in any Member State, if it considers that a personal data breach has occurred.

3. Independently of a data subject's complaint, any body, organisation or association referred to in paragraph 2 shall have the right to lodge a complaint with a supervisory authority in any Member State, if it considers that a personal data breach of this Regulation has occurred.

deleted


399 NL and FR scrutiny reservation. Article 54c (2) already provides for a general duty for the supervisory authority with which a complaint has been lodged to notify the data subject of any measures taken (i.e. the scenario of a 'positive' reply by the DPA).

400 ES, PT and SI reservation. EE, IT and UK scrutiny reservation.

4. (…)

5. The supervisory authority to which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant Article 74399 or, as regards decisions taken by the European Data Protection Board pursuant to Article 76b.

Article 74 Article 74 Article 74

Right to a judicial remedy against a supervisory authority

Right to a judicial remedy against a supervisory authority

Right to a judicial remedy against a supervisory authority400

Amendment 183

1. Each natural or legal person shall have the right to a judicial remedy against decisions of a supervisory authority concerning them.

1. Without prejudice to any other administrative or non-judicial remedy, Eeach natural or legal person shall have the right to a judicial remedy against decisions of a supervisory authority concerning them.

1. Without prejudice to any other administrative or non-judicial remedy, Each each natural or legal person shall have the right to an effective judicial remedy against a legally binding decisions of a supervisory authority concerning


401 DE, supported by IE and SE, suggested adding: 'by which it is adversely affected'.
402 COM reservation.
403 SI indicated that under its law the DPA was obliged to reply within two months.
404 SE scrutiny reservation. BE reservation. BE said that there was a link to Article 53 and the main establishment and the DPA of the habitual residence. Support from NL. IT thought that paragraphs 1 and 2 overlapped. NO wanted to delete paragraph 2 since a court review would endanger the independency of the DPA.

them401.

2. Each data subject shall have the right to a judicial remedy obliging the supervisory authority to act on a complaint in the absence of a decision necessary to protect their rights, or where the supervisory authority does not inform the data subject within three months on the progress or outcome of the complaint pursuant to point (b) of Article 52(1).

2. Without prejudice to any other administrative or non-judicial remedy, Eeach data subject shall have the right to a judicial remedy obliging the supervisory authority to act on a complaint in the absence of a decision necessary to protect their rights, or where the supervisory authority does not inform the data subject within three months on the progress or outcome of the complaint pursuant to point (b) of Article 52(1).

2. Without prejudice to any other administrative or non-judicial remedy, Each each data subject shall have the right to a judicial remedy obliging where the supervisory authority competent in accordance with Article 51402 does not deal with to act on a complaint in the absence of a decision necessary to protect their rights, or where the supervisory authority does not inform the data subject within three months or any shorter period provided under Union or Member State law403 on the progress or outcome of the complaint pursuant to point (b) of lodged under Article 52(1)73404.

3. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the

3. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is

3. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the


405 IT suggests stating that proceedings may be brought before the courts of the Member state where the natural or legal person has his/her habitual residence or is established.
406 COM reservation on deletion of paragraphs 4 and 5. DE scrutiny reservation on deletion of paragraphs 4 and 5.

supervisory authority is established. established. supervisory authority is established405.

3a. Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or decision of the European Data Protection Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.

4. A data subject which is concerned by a decision of a supervisory authority in another Member State than where the data subject has its habitual residence, may request the supervisory authority of the Member State where it has its habitual residence to bring proceedings on its behalf against the competent supervisory authority in the other Member State.

4. Without prejudice to the consistency mechanism Aa data subject which is concerned by a decision of a supervisory authority in another Member State than where the data subject has its habitual residence, may request the supervisory authority of the Member State where it has its habitual residence to bring proceedings on its behalf against the competent supervisory authority in the other Member State.

deleted

5. The Member States shall enforce final decisions by the

5. The Member States shall enforce final decisions by the courts

deleted406


407 DE, EE, PL, PT, SI and SK scrutiny reservation. ES, IT reservation.
408 SI wanted to delete non-judicial remedy.
409 ES asked how judicial remedy would be interpreted and how a missed deadline or that there will be no judicial review would be considered.

courts referred to in this Article. referred to in this Article.

Article 75 Article 75 Article 75

Right to a judicial remedy against a controller or processor

Right to a judicial remedy against a controller or processor

Right to a judicial remedy against a controller or processor407

1. Without prejudice to any available administrative remedy, including the right to lodge a complaint with a supervisory authority as referred to in Article 73, every natural person shall have the right to a judicial remedy if they consider that their rights under this Regulation have been infringed as a result of the processing of their personal data in non-compliance with this Regulation.

1. Without prejudice to any available administrative remedy, including the right to lodge a complaint with a supervisory authority as referred to in Article 73, every natural person shall have the right to a judicial remedy if they consider that their rights under this Regulation have been infringed as a result of the processing of their personal data in non-compliance with this Regulation.

1. Without prejudice to any available administrative or non-judicial remedy408 , including the right to lodge a complaint with a supervisory authority as referred to in under Article 73, every natural person a data subject shall have the right to an effective judicial remedy409 if they consider that their rights under this Regulation have been infringed as a result of the processing of their personal data in non-compliance with this Regulation.

Amendment 184

2. Proceedings against a controller or a processor shall be brought before the courts of the

2. Proceedings against a controller or a processor shall be brought before the courts of the Member

2. Proceedings against a controller or a processor shall be brought before the courts of the Member


410 In view of the concerns raised, the reference to national law has been kept only in recital 113.

Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has its habitual residence, unless the controller is a public authority acting in the exercise of its public powers.

State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has its habitual residence, unless the controller is a public authority of the Union or a Member State acting in the exercise of its public powers.

State where the controller or processor has an establishment410. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has its his or her habitual residence, unless the controller or processor is a public authority acting in the exercise of its public powers.

3. Where proceedings are pending in the consistency mechanism referred to in Article 58, which concern the same measure, decision or practice, a court may suspend the proceedings brought before it, except where the urgency of the matter for the protection of the data subject's rights does not allow to wait for the outcome of the procedure in the consistency mechanism.

3. Where proceedings are pending in the consistency mechanism referred to in Article 58, which concern the same measure, decision or practice, a court may suspend the proceedings brought before it, except where the urgency of the matter for the protection of the data subject's rights does not allow to wait for the outcome of the procedure in the consistency mechanism.

deleted

4. The Member States shall enforce final decisions by the courts referred to in this Article.

4. The Member States shall enforce final decisions by the courts referred to in this Article.

deleted


411 DE, ES, PT, RO and SI scrutiny reservation. CZ, EE, IT, NL, SI and UK thought this article was superfluous.
412 COM said that consumer organisations and data protection organisations enhance fundamental rights so it was important that they could lodge complaints.
413 IT scrutiny reservation.
414 DE parliamentary reservation; BE, EE reservation and IT scrutiny reservation. EE, supported by FI and SE, thought that the data subject could choose anybody to represent her/him so this drafting was a limitation so a reference to national law was needed. Support from SE.

Article 76 Article 76 Article 76411

Common rules for court proceedings

Common rules for court proceedings

Representation of data subjects

Amendment 185

1. Any body, organisation or association referred to in Article 73(2) shall have the right to exercise the rights referred to in Articles 74 and 75 on behalf of one or more data subjects.

1. Any body, organisation or association referred to in Article 73(2) shall have the right to exercise the rights referred to in Articles 74 and, 75 on behalf of and 77 if mandated by one or more data subjects.

1. The data subject shall have the right to mandate Any a body, organisation or association, which has been properly constituted according to the law of a Member State and whose statutory objectives include the protection of data subject’s rights and freedoms with regard to the protection of their personal data412 to lodge the complaint on his or her behalf413

and referred to in Article 73(2) shall have the right to exercise the rights referred to in Articles 73, 74 and 75 on his or her behalf414 of one or more data subjects.


415 PL asked how an organisation could know about a breach. PT did not want to exclude the possibility of an organisation to lodge complaint if that was provided in national law but meant that the wording was not clear.

416 COM reservation on limitation to competent supervisory authority.
417 This paragraph was moved from Article 73(3). BE, EE, FR reservation. BG, DE, DK, IT, LU, NL, PT and UK scrutiny reservation. UK in particular queried whether such possibility would also be open to an association when the data subject itself considered that the reply he/she had received was satisfactory. ES on the contrary thought that this possibility should not be limited to data breaches. UK thought that paragraph 1 was sufficient. For DK, PL and SE it was not acceptable that an organisation etc. had an independent right to lodge a complaint.

1a. [Independently of a data subject's mandate or complaint, any body, organisation or association referred to in paragraph 1415 shall have the right to lodge a complaint with the supervisory authority competent in accordance with Article 51416 if it has reasons to consider that a personal data breach referred to in Article 32(1) has occurred and Article 32(3) does not apply.417].

2. Each supervisory authority shall have the right to engage in legal proceedings and bring an action to court, in order to enforce the provisions of this Regulation or to ensure consistency of the protection of personal data within the Union.

2. Each supervisory authority shall have the right to engage in legal proceedings and bring an action to court, in order to enforce the provisions of this Regulation or to ensure consistency of the protection of personal data within the Union.

deleted

3. Where a competent court of a Member State has reasonable

3. Where a competent court of a Member State has reasonable

deleted


418 COM scrutiny reservation on deletion of paragraphs 3 to 5. FR reservation on the deletion of paragraphs 3 to 4.

grounds to believe that parallel proceedings are being conducted in another Member State, it shall contact the competent court in the other Member State to confirm the existence of such parallel proceedings.

grounds to believe that parallel proceedings are being conducted in another Member State, it shall contact the competent court in the other Member State to confirm the existence of such parallel proceedings.

4. Where such parallel proceedings in another Member State concern the same measure, decision or practice, the court may suspend the proceedings.

4. Where such parallel proceedings in another Member State concern the same measure, decision or practice, the court may suspend the proceedings.

deleted

5. Member States shall ensure that court actions available under national law allow for the rapid adoption of measures including interim measures, designed to terminate any alleged infringement and to prevent any further impairment of the interests involved.

5. Member States shall ensure that court actions available under national law allow for the rapid adoption of measures including interim measures, designed to terminate any alleged infringement and to prevent any further impairment of the interests involved.

deleted418


419 AT, BE, DK, EE, ES, FI, FR, IT, NL, PL, PT, SE and SI scrutiny reservation. ES thought that lis pendens necessitated the same persons, same proceeding, same object of dispute and same claim and that that could be difficult to establish. UK, supported by FR, cautioned against having a too prescriptive text, support from FR. SE thought that GDPR should not regulate lis pendens, instead it should be up to the DPA and MS courts to decide. For LU this was a question of judicial cooperation between judicial authorities. NO and FR asked how this text related to Regulation No 44/2001 and the Lugano Convention. FI considered that it was necessary to have rules on this question in GDPR.

420 LU supported by EL, suggested to replace "shall" with "may".
421 NL and PL thought that it was difficult to force courts to stay proceedings waiting for another court to decide. NL asked how it was possible for a court to know that another case was going on elsewhere. COM thought that limitation to "same parties" was not appropriate here.

Article 76a

Suspension of proceedings419

1. Where a competent court of a Member State has reasonable grounds to believe that proceedings concerning the same processing activities are pending in a court in another Member State, it shall420 contact that court in the other Member State to confirm the existence of such proceedings.

2. Where proceedings involving the same processing activities are pending in a court in another Member State, any competent court other than the court first seized may suspend421 its proceedings.


422 Based on Article 28 of Brussels I Regulation.

2a. Where these proceedings are pending at first instance, any court other than the court first seized may also, on the application of one of the parties, decline jurisdiction if the court first seized has jurisdiction over the actions in question and its law permits the consolidation thereof.422

Article 76b

Actions before the Court of Justice of the European Union against decisions by the European Data Protection Board

1. Actions may be brought before the Court of Justice of the European Union in accordance with Article 263 TFEU, in order for it to review the legality of decisions taken by the European Data Protection Board pursuant to Article 58a. Such actions may be brought before the Court of Justice of the European Union by supervisory authorities, Member States and the Union institutions


as well as by natural or legal persons to whom decisions taken by the European Data Protection Board have been notified or to whom such decisions are of direct and individual concern, including data subjects who have lodged a complaint in accordance with Article 73.

2. The expiration of the time-period provided for in the sixth subparagraph of Article 263 TFEU and the Rules of Procedure of the General Court shall not bar the persons referred to in paragraph 1 from calling in question the lawfulness of any decision taken by the European Data Protection Board before the national courts in accordance with Article 74 or 75 and those national courts from requesting the Court of Justice of the European Union a preliminary ruling concerning the validity of any decision taken by the European Data Protection Board in accordance with Article 267 TFEU.


3. Where the European Data Protection Board notifies its decision in accordance with Article 58a(6), such a notification shall state the possibility for the persons referred to in paragraph 1 to bring an action for annulment before the General Court of the European Union in accordance with Article 263 TFEU as well as the time-period for such an action in accordance with the sixth subparagraph of Article 263 TFEU and the Rules of Procedure of the General Court. It shall also refer to the additional right conferred on that person pursuant to paragraph 2.

4. In the event that the European Data Protection Board has an obligation to act and fails to take a decision, proceedings for failure to act may be brought before the Court of Justice of the European Union in accordance with Article 265 TFEU.

5. The European Data Protection Board shall be required to take the necessary measures to comply


423 Several Member States (DE, NL and UK) have queried whether there was an EU concept of damage and compensation or whether this was left to Member State law. IT suggested specifying that these rules are to be applied according to national law, support from CZ, NL, RO and SI. COM thinks that it has to be left to ECJ to interpret these rules and concepts. FR scrutiny reservation; FR questioned the division of responsibilities and the link to Articles 24 and 25 and national law in this field as well as the principle of subsidiarity.

424 DE, HU and SK suggested adding “material or immaterial/moral”. NO suggested clarifying this in a recital.
425 BE asked whether a violation of the principles of the Regulation was enough to constitute a damage or whether the data subject had to prove a specific damage (obligation de moyens ou de résultat). COM said that the data subject had to prove the damage.
426 DE suggested restricting the possibility to seek compensation from the processor to cases where, in violation of point (a) of paragraph 2 of Article 26, the processor has processed personal data contrary to or in the absence of instructions from the controller. ES suggested adding a reference to ‘a right to exercise a direction action’, but this is already encompassed in the current draft.

427 SE supported by HU considered that Article 77 was unclear and wanted to know whether both an economic and immaterial damage was covered.

with the judgment of the Court of Justice of the European Union.

Article 77 Article 77 Article 77

Right to compensation and liability Right to compensation and liability Right to compensation and liability423

Amendment 186

1. Any person who has suffered damage as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered.

1. Any person who has suffered damage, including non-pecuniary damage, as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive claim compensation from the controller or the processor for the damage suffered.

1. Any person who has suffered424 damage425 as a result of an unlawful a processing operation or of an action incompatible which is not in compliance with this Regulation shall have the right to receive compensation from the controller or the processor426 for the damage suffered427.

428 IE queried why the reference to Article 24(2) had been removed and then the second sentence had been added: what the purpose to bring a claim against all of them and then sort out the individual responsibility?

429 UK thought that one controller or processor might be more responsible than another so it should be allowed for a relative responsibility. SE said that according to Directive 95/46 (Article 23) the burden of proof and division of responsibility between the controller and the processor it was only the controller that was held responsible.

430 SI reservation: SI thought this paragraph could be deleted and left entirely to national law.

431 PL thought this should be turned into a mandatory provision.

432 DE and PL thought this paragraph needed to be further elaborated. DE in particular thought that the relationship to Article 39 needed to be further clarified. SI thought an arrangement for strict liability in the case of processing by public bodies should be inserted into this paragraph.

Amendment 187

2. Where more than one controller or processor is involved in the processing, each controller or processor shall be jointly and severally liable for the entire amount of the damage.

2. Where more than one controller or processor is involved in the processing, each controller of those controllers or processor processors shall be jointly and severally liable for the entire amount of the damage, unless they have an appropriate written agreement determining the responsibilities pursuant to Article 24.

2. 428 Where more than one controller or processor or a controller and processor is are involved in the processing which gives rise to the damage, each controller or processor shall be jointly429 and severally liable for the entire amount of the damage. This is without prejudice to recourse claims between controllers and/or processors430.

3. The controller or the processor may be exempted from this liability, in whole or in part, if the controller or the processor proves that they are not responsible for the event giving rise to the damage.

3. The controller or the processor may be exempted from this liability, in whole or in part, if the controller or the processor proves that they are not responsible for the event giving rise to the damage.

3. The controller or the processor may431 be exempted from this liability, in whole or in part, if the controller or the processor proves that they are not responsible for the event giving rise to the damage432.

4. Court proceedings for

433 This Article was moved to Article 79b. Scrutiny reservation by SK, RO and PT.

exercising the right to receive compensation shall be brought before the courts with jurisdiction for compensation claims under national law of the Member State referred to in paragraph 2 of Article 75.

Article 78 Article 78 Article 78

Penalties Penalties Penalties

1. Member States shall lay down the rules on penalties, applicable to infringements of the provisions of this Regulation and shall take all measures necessary to ensure that they are implemented, including where the controller did not comply with the obligation to designate a representative. The penalties provided for must be effective, proportionate and dissuasive.

1. Member States shall lay down the rules on penalties, applicable to infringements of the provisions of this Regulation and shall take all measures necessary to ensure that they are implemented, including where the controller did not comply with the obligation to designate a representative. The penalties provided for must be effective, proportionate and dissuasive.

deleted433

2. Where the controller has established a representative, any penalties shall be applied to the representative, without prejudice to any penalties which could be

2. Where the controller has established a representative, any penalties shall be applied to the representative, without prejudice to any penalties which could be

deleted

434 DK reservation: it indicated that this system of administrative fining was incompatible with its constitutional legal system. PL thought that Article 79 should set out guidelines only, with possibly a maximum threshold for the DPA to impose fines.

initiated against the controller. initiated against the controller.

3. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.

3. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.

deleted

Article 79 Article 79 Article 79

Administrative sanctions Administrative sanctions General conditions for imposing administrative sanctions fines434

Amendment 188

1. Each supervisory authority shall be empowered to impose administrative sanctions in accordance with this Article.

1. Each supervisory authority shall be empowered to impose administrative sanctions in accordance with this Article. The supervisory authorities shall co-operate with each other in accordance with Articles 46 and 57 to guarantee a harmonized level of sanctions within the Union.

1. Each supervisory authority [competent in accordance with Article 51] shall be empowered to impose administrative sanctions in accordance with fines pursuant to this Article in respect of infringements of this Regulation referred to in Article 79a. Administrative fines shall, depending on the circumstances of each individual case, be imposed

435 Some delegations thought that the corrective measures of Article 53 (1b) should be listed rather here.

in addition to, or instead of, measures referred to in Article 53 435.

2. The administrative sanction shall be in each individual case effective, proportionate and dissuasive. The amount of the administrative fine shall be fixed with due regard to the nature, gravity and duration of the breach, the intentional or negligent character of the infringement, the degree of responsibility of the natural or legal person and of previous breaches by this person, the technical and organisational measures and procedures implemented pursuant to Article 23 and the degree of co-operation with the supervisory authority in order to remedy the breach.

2. The administrative sanction shall be in each individual case effective, proportionate and dissuasive. The amount of the administrative fine shall be fixed with due regard to the nature, gravity and duration of the breach, the intentional or negligent character of the infringement, the degree of responsibility of the natural or legal person and of previous breaches by this person, the technical and organisational measures and procedures implemented pursuant to Article 23 and the degree of co-operation with the supervisory authority in order to remedy the breach.

2. The administrative Administrative sanction fines imposed pursuant to Article 79a shall be in each individual case be effective, proportionate and dissuasive. The amount of the administrative fine shall be fixed with due regard to the nature, gravity and duration of the breach, the intentional or negligent character of the infringement, the degree of responsibility of the natural or legal person and of previous breaches by this person, the technical and organisational measures and procedures implemented pursuant to Article 23 and the degree of co-operation with the supervisory authority in order to remedy the breach.

2a. To anyone who does not comply with the obligations laid down in this Regulation, the supervisory authority shall impose at least one of the following

sanctions:

a) a warning in writing in cases of first and non-intentional non-compliance;

b) regular periodic data protection audits;

c) a fine up to 100 000 000 EUR or up to 5% of the annual worldwide turnover in case of an enterprise, whichever is higher.

2b. If the controller or the processor is in possession of a valid "European Data Protection Seal" pursuant to Article 39, a fine pursuant to point (c) of paragraph 2a shall only be imposed in cases of intentional or negligent innon-compliance.

2c. The administrative sanction shall take into account the following factors:

a) the nature, gravity and duration of the innon-compliance,

b) the intentional or negligent character of the infringement,

c) the degree of responsibility of the natural or legal person and of previous breaches by this person,

d) the repetitive nature of the infringement,

e) the degree of co-operation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement,

f) the specific categories of personal data affected by the infringement,

(g) the level of damage, including non-pecuniary damage, suffered by the data subjects,

(h) the action taken by the controller or processor to mitigate the damage suffered by data subjects,

(i) any financial benefits intended or gained, or losses avoided, directly or indirectly from the infringement,

(j) the degree of technical and organisational measures and procedures implemented pursuant to:

(i) Article 23 - Data protection by design and by default

(ii) Article 30 - Security of processing

(iii) Article 33 - Data protection impact assessment

(iv) Article 33a - Data protection compliance review

(v) Article 35 - Designation of the data protection officer

(k) the refusal to cooperate with or obstruction of inspections, audits and controls carried out by the supervisory authority pursuant to Article 53,

(l) other aggravating or mitigating factors applicable to the circumstance of the case.

2a. When deciding whether to impose an administrative fine in addition to, or instead of, measures referred to in points (a)

436 Moved here from paragraph 2b (further to remarks by FR, IE, IT and CZ).

437 Some delegations (EE, SK, PL) thought that aggravating circumstances should be distinguished from mitigating circumstances. SK suggested laying down exact thresholds (e.g. more than 2/3 of the maximum fine in case of aggravating circumstances). IT thought the possibility of EDPB guidance should be referred to here. NL thought that the status of codes of conduct and certification as well as the consequences of adhering to them needed to be looked at.

to (f) of paragraph 1b of Article 53 436 and 437 deciding on the amount of the administrative fine in each individual case due regard shall be had to the following:

(a) the nature, gravity and duration of the infringement having regard to the nature scope or purpose of the processing concerned;

(b) the intentional or negligent character of the infringement,

(c) the number of data subjects affected by the infringement and the level of damage suffered by them;

(d) action taken by the controller or processor to mitigate the damage suffered by data subjects;

(e) the degree of responsibility of the controller or processor

438 DK, ES and SI reservation. SI stated that a DPA was not equipped to assess this.

439 CZ was concerned that this factor might amount to a violation of the privilege against self-incrimination.

having regard to technical and organisational measures implemented by them pursuant to Articles 23 and 30;

(f) any previous infringements by the controller or processor;

[(g) any financial benefits gained, or losses avoided, directly or indirectly from the infringement438;]

(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement439;

(i) in case measures referred to in point (b) and (c) of paragraph 1 and points (a), (d), (e) and (f) of paragraph 1b of Article 53, have previously been ordered against the controller or processor concerned with regard to the same

440 This should also accommodate concerns regarding the privilege against self-incrimination by removing a general reference to co-operation in the investigation. IT thought this paragraph should refer more generally to previous incidents. DE pleaded for its deletion.

441 DE reservation: DE pointed out that non-adherence to approved codes of conduct or approved certification mechanisms could as such not amount to a violation of the Regulation.

442 Removed at the suggestion of DE and SK.

443 If Member states are entirely free to decide whether or not to provide for sanctions against public authorities, it does not seem appropriate to list the fact that the controller is a public body here.

444 COM reservation on deletion; linked to reservation on Article 79a.

subject-matter440, compliance with these measures;

(j) adherence to approved codes of conduct pursuant to Article 38 or approved certification mechanisms pursuant to Article 39 441;

(k) (…)442;

(l) (…)443;

(m) any other aggravating or mitigating factor applicable to the circumstances of the case.

3. In case of a first and non-intentional non-compliance with this Regulation, a warning in writing may be given and no sanction imposed, where:

deleted deleted444

a) a natural person is processing personal data without a commercial

deleted deleted

445 DE would prefer to rule out this possibility in the Regulation. ES thought it should be provided that no administrative fines can be imposed on the public sector.

interest; or

b) an enterprise or an organisation employing fewer than 250 persons is processing personal data only as an activity ancillary to its main activities.

deleted b) an enterprise or an organisation employing fewer than 250 persons is processing personal data only as an activity ancillary to its main activities. Each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State445.

4. The supervisory authority shall impose a fine up to 250 000 EUR, or in case of an enterprise up to 0,5 % of its annual worldwide turnover, to anyone who, intentionally or negligently:

deleted 4. The supervisory authority shall impose a fine up to 250 000 EUR, or in case of an enterprise up to 0,5 % of its annual worldwide turnover, to anyone who, intentionally or negligently: The exercise by the supervisory authority [competent in accordance with Article 51] of its powers under this Article shall be subject to appropriate procedural safeguards in conformity with Union law and Member State law, including effective judicial remedy and due process.

(a) does not provide the mechanisms for requests by data subjects or does not respond promptly or not in the required format to data subjects pursuant to Articles 12(1) and (2);

deleted deleted

(b) charges a fee for the information or for responses to the requests of data subjects in violation of Article 12(4).

deleted deleted

5. The supervisory authority shall impose a fine up to 500 000 EUR, or in case of an enterprise up to 1 % of its annual worldwide turnover, to anyone who, intentionally or negligently:

deleted deleted

(a) does not provide the information, or does provide incomplete information, or does not provide the information in a sufficiently transparent manner, to the data subject pursuant to Article 11, Article 12(3) and Article 14;

deleted deleted

(b) does not provide access for the data subject or does not rectify

deleted deleted

personal data pursuant to Articles 15 and 16 or does not communicate the relevant information to a recipient pursuant to Article 13;

(c) does not comply with the right to be forgotten or to erasure, or fails to put mechanisms in place to ensure that the time limits are observed or does not take all necessary steps to inform third parties that a data subjects requests to erase any links to, or copy or replication of the personal data pursuant Article 17;

deleted deleted

(d) does not provide a copy of the personal data in electronic format or hinders the data subject to transmit the personal data to another application in violation of Article 18;

deleted deleted

(e) does not or not sufficiently determine the respective responsibilities with co-controllers pursuant to Article 24;

deleted deleted

(f) does not or not sufficiently maintain the documentation pursuant to Article 28, Article

deleted deleted

31(4), and Article 44(3);

(g) does not comply, in cases where special categories of data are not involved, pursuant to Articles 80, 82 and 83 with rules in relation to freedom of expression or with rules on the processing in the employment context or with the conditions for processing for historical, statistical and scientific research purposes.

deleted deleted

6. The supervisory authority shall impose a fine up to 1 000 000 EUR or, in case of an enterprise up to 2 % of its annual worldwide turnover, to anyone who, intentionally or negligently:

deleted deleted

(a) processes personal data without any or sufficient legal basis for the processing or does not comply with the conditions for consent pursuant to Articles 6, 7 and 8;

deleted deleted

(b) processes special categories of data in violation of Articles 9 and 81;

deleted deleted

(c) does not comply with an objection or the requirement

deleted deleted

pursuant to Article 19;

(d) does not comply with the conditions in relation to measures based on profiling pursuant to Article 20;

deleted deleted

(e) does not adopt internal policies or does not implement appropriate measures for ensuring and demonstrating compliance pursuant to Articles 22, 23 and 30;

deleted deleted

(f) does not designate a representative pursuant to Article 25;

deleted deleted

(g) processes or instructs the processing of personal data in violation of the obligations in relation to processing on behalf of a controller pursuant to Articles 26 and 27;

deleted deleted

(h) does not alert on or notify a personal data breach or does not timely or completely notify the data breach to the supervisory authority or to the data subject pursuant to Articles 31 and 32;

deleted deleted

(i) does not carry out a data protection impact assessment pursuant or processes personal data without prior authorisation or prior consultation of the supervisory authority pursuant to Articles 33 and 34;

deleted deleted

(j) does not designate a data protection officer or does not ensure the conditions for fulfilling the tasks pursuant to Articles 35, 36 and 37;

deleted deleted

(k) misuses a data protection seal or mark in the meaning of Article 39;

deleted deleted

(l) carries out or instructs a data transfer to a third country or an international organisation that is not allowed by an adequacy decision or by appropriate safeguards or by a derogation pursuant to Articles 40 to 44;

deleted deleted

(m) does not comply with an order or a temporary or definite ban on processing or the suspension of data flows by the supervisory authority pursuant to Article 53(1);

deleted deleted

(n) does not comply with the obligations to assist or respond or provide relevant information to, or access to premises by, the supervisory authority pursuant to Article 28(3), Article 29, Article 34(6) and Article 53(2);

deleted deleted

(o) does not comply with the rules for safeguarding professional secrecy pursuant to Article 84.

deleted deleted

7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of updating the amounts of the administrative fines referred to in paragraphs 4, 5 and 6, taking into account the criteria referred to in paragraph 2.

7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of updating the absolute amounts of the administrative fines referred to in paragraphs 4, 5 and 6 paragraph 2a, taking into account the criteria and factors referred to in paragraph

deleted

446 DE, EE, ES, PT and SI scrutiny reservation. FI and SI reservation. COM reservation on replacing ‘shall’ by ‘may’ and the deletion of amounts and percentages in paragraphs 1, 2 and 3. DE wanted the risk-based approach to be made clearer. DE thought that proportionality was important because Article 79a concerned fundamental rights/rule of law and deemed it disproportionate that a supervisory authority could impose a fine that the data subject was unaware of. DE said that it was necessary to set out the fines clearly and that the one-stop shop principle did not allow for exceptions being set out in national law. IE thought the gravity of offences was not sufficiently illustrated, e.g. infringement in para. 3(m), which according to IE is the most serious one. FR reservation: the strictness of the text may impinge on the independence of the DPA.

447 A majority of Member States (BE, CY, DE, EE, ES, FI, IT, LV, LU, MT and NL) appear to be in favour of different scales of sanctions. COM referred to the Market Abuse Regulation with three levels of fines. DK, HU, IE, SE and UK were opposed to maintaining different sanctions scales. FR and PL did not favour it, but could accept it.

448 EE did not consider it appropriate to set out sanctions in percentage because the sanction was not predictable. PT considered that there should be minimum penalties for a natural person and that for SMEs and micro enterprises the volume of the business should not be looked at when applying the fines (this factor should only be applicable for multinationals). PL thought that administrative fines should be implemented in the same way in all MS. PL said that the fines should be flexible and high enough to represent a deterrent, also for overseas companies.

449 UK commented that turnover was used in competition law and asked whether the harm was the same here. EE asked how the annual turnover was connected to the sanction. SI thought that compared to competition law where the damage concerned the society as a whole, data protection concerned private infringements. COM said that both competition law and data protection concern economic values, whereas data protection protects values of the data subject.

450 IT wanted to delete "intentionally or negligently" and thought that those notions were already integrated part of the mechanism to calculate fines.

paragraphs 2 and 2c.

Article 79a

Administrative fines446 447

1. The supervisory authority [competent in accordance with Article 51] may impose a fine that shall not exceed […] EUR, or in case of an undertaking […] %448 of its total worldwide annual turnover449 of the preceding financial year, on a controller who, intentionally or negligently450:

451 DE suggestion.

452 IT considered that paragraphs 2 and 3 were very generic and only described the infringements but that the scale of gravity was not well defined. IT asked for a better categorisation of the infringements.

(a) does not respond within the period referred to in Article 12(2) to requests of the data subject;

(b) charges a fee in violation of the first sentence of paragraph 4 of Article 12.

2. The supervisory authority [competent in accordance with Article 51] may impose a fine that shall not exceed […] EUR, or in case of an undertaking […]% of its total worldwide annual (…) turnover of the preceding financial year451, on a controller or processor who, intentionally or negligently:452

(a) does not provide the information, or provides incomplete information, or does not provide the information timely or in a sufficiently transparent manner, to the data subject pursuant to Articles 12(3), 14 and 14a;

453 DE suggestion.

(b) does not provide access for the data subject or does not rectify personal data pursuant to Articles 15 and 16 or does not comply with the rights and obligations pursuant to Articles 17, 17a, 17b, 18 or 19;

(c) (...)

(d) (...)

(e) does not or not sufficiently determine the respective responsibilities with joint controllers pursuant to Article 24;

(f) does not or not sufficiently maintain the documentation pursuant to Article 28 and Article 31(4).

3. The supervisory authority [competent in accordance with Article 51] may impose a fine that shall not exceed […] EUR or, in case of an undertaking, […] % of its total worldwide annual turnover of the preceding financial year453, on a controller or

454 FI pointed out that "sufficient" was unclear taking into consideration of the principles in Article 6 (f).

processor who, intentionally or negligently:

(a) processes personal data without a 454 legal basis for the processing or does not comply with the conditions for consent pursuant to Articles 6, 7, 8 and 9;

(b) (…);

(c) (…);

(d) does not comply with the conditions in relation to profiling pursuant to Article 20;

(e) does not implement appropriate measures or is not able to demonstrate compliance pursuant to Articles 22 and 30;

(f) does not designate a representative in violation of Article 25;

(g) processes or instructs the processing of personal data in violation of Articles 26;

(h) does not alert on or notify a


personal data breach or does not timely or completely notify the data breach to the supervisory authority or to the data subject in violation of Articles 31 and 32;

(i) does not carry out a data protection impact assessment in violation of Article 33 or processes personal data without prior consultation of the supervisory authority in violation of Article 34(1);

(j) (…);

(k) misuses a data protection seal or mark in the meaning of Article 39 or does not comply with the conditions and procedures laid down in Articles 38a and 39a;

(l) carries out or instructs a data transfer to a recipient in a third country or an international organisation in violation of Articles 40 to 44;

(m) does not comply with an order or a temporary or definite ban on processing or the


455 CZ, DE, NL and RO reservation. NL thought that guidelines from the EDPB could solve the problems on the amounts. CZ wanted to delete the paragraph and thought that the DPA could set out the amounts.

suspension of data flows by the supervisory authority pursuant to Article 53(1) or does not provide access in violation of Article 53(2).

[3a. If a controller or processor intentionally or negligently violates several provisions of this Regulation listed in paragraphs 1, 2 or 3, the total amount of the fine may not exceed the amount specified for the gravest violation.]

4. [The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of adjusting the maximum amounts of the administrative fines referred to in paragraphs 1, 2 and 3 to monetary developments, taking into account the criteria referred to in paragraph 2a of Article 79.]455


456 DE, DK, EE, ES, IT, PL and PT and SK scrutiny reservation. COM explained that infringements not listed in Article 79a were those under national law, referred to in Chapter IX, for example infringements in employment law and relating to freedom of expression. In that way Article 79b is complementary to the list in Article 79 and does not exclude other penalties. IT thought it was better to delete the Article but lay down the possibility to legislate at national level. FR reservation on the imposition of criminal penalties. DE in favour of referring expressis verbis to criminal penalties.

457 BE and EE reservation.

Article 79b

Penalties456

1. For infringements of the provisions of this Regulation not listed in Article 79a Member States shall457 lay down the rules on penalties applicable to such infringements and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.

2. (…).

3. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.


CHAPTER IX PROVISIONS RELATING TO SPECIFIC DATA PROCESSING SITUATIONS

CHAPTER IX PROVISIONS RELATING TO SPECIFIC DATA PROCESSING SITUATIONS

CHAPTER IX PROVISIONS RELATING TO SPECIFIC DATA PROCESSING SITUATIONS

Article 80 Article 80 Article 80

Processing of personal data and freedom of expression

Processing of personal data and freedom of expression

Processing of personal data and freedom of expression and information

Amendment 189

1. Member States shall provide for exemptions or derogations from the provisions on the general principles in Chapter II, the rights of the data subject in Chapter III, on controller and processor in Chapter IV, on the transfer of personal data to third countries and international organisations in Chapter V, the independent supervisory authorities in Chapter VI and on co-operation and consistency in Chapter VII for the processing of personal data

1. Member States shall provide for exemptions or derogations from the provisions on the general principles in Chapter II, the rights of the data subject in Chapter III, on controller and processor in Chapter IV, on the transfer of personal data to third countries and international organisations in Chapter V, the independent supervisory authorities in Chapter VI, on co-operation and consistency in Chapter VII for the processing of personal data carried out solely for journalistic purposes

1. The national law of the Member States shall provide for exemptions or derogations from the provisions on the general principles in Chapter II, reconcile the rights of the data subject in Chapter III, on controller and processor in Chapter IV, on tthe transfer protection of personal data pursuant to this Regulation to third countries and international organisations in Chapter V, the independent supervisory authorities in Chapter VI and on co-operation and consistency in Chapter VII for


458 HU, AT, SI and SE reservation; they would prefer not to limit this paragraph to journalistic processing.

carried out solely for journalistic purposes or the purpose of artistic or literary expression in order to reconcile the right to the protection of personal data with the rules governing freedom of expression.

or the purpose of artistic or literary expression and specific data processing situations in this Chapter IX whenever this is necessary in order to reconcile the right to the protection of personal data with the rules governing freedom of expression in accordance with the Charter of Fundamental Rights of the European Union.

with the right to freedom of expression and information, including the processing of personal data carried out solely for journalistic purposes or the purposes of academic, artistic or literary expression in order to reconcile the right to the protection of personal data with the rules governing freedom of expression.

2. Each Member State shall notify to the Commission those provisions of its law which it has adopted pursuant to paragraph 1 by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment law or amendment affecting them.

2. Each Member State shall notify to the Commission those provisions of its law which it has adopted pursuant to paragraph 1 by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment law or amendment affecting them.

2. For the processing of personal data carried out for journalistic purposes or the purpose of academic artistic or literary expression, Member States shall458

provide for exemptions or derogations from the provisions in Chapter II (principles), Chapter III (rights of the data subject), Chapter IV (controller and processor), Chapter V (transfer of personal data to third countries or international organizations), Chapter VI (independent supervisory authorities), Chapter


459 BE, DE, FR, IE and SE had requested to include also a reference to Chapter VIII. This was opposed by COM. The Presidency points out that in case the freedom of expression prevails over the right to data protection, there will obviously be no infringement to sanction. Where an infringement is found to have taken place, the interference with the freedom of expression will have to be taken into account as an element in the determination of the sanction. This application of the proportionality principle should be reflected in Chapter VIII.

VII (co-operation and consistency)459 if they are necessary to reconcile the right to the protection of personal data with the freedom of expression and information.

Amendment 190

Article 80a (new)

Access to documents

1. Personal data in documents held by a public authority or a public body may be disclosed by this authority or body in accordance with Union or Member State legislation regarding public access to official documents, which reconciles the right to the protection of personal data with the principle of public access to official documents.

2. Each Member State shall notify to the Commission provisions of its law which it adopts pursuant to


460 SK and PT scrutiny reservation.

paragraph 1 by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.

Article 80a

Processing of personal data and public access to official documents460

Personal data in official documents held by a public authority or a public body or a private body for the performance of a task carried out in the public interest may be disclosed by the authority or body in accordance with Union law or Member State law to which the public authority or body is subject in order to reconcile public access to official documents with the right to the protection of personal data pursuant to this Regulation.


461 COM reservation in view of incompatibility with existing EU law, in particular Directive 2003/98/EC (as amended by Directive 2013/37/EU).

462 DK, PL, SK scrutiny reservation.

Article 80aa

Processing of personal data and reuse of public sector information

Personal data in public sector information held by a public authority or a public body or a private body for the performance of a task carried out in the public interest may be disclosed by the authority or body in accordance with Union law or Member State law to which the public authority or body is subject in order to reconcile the reuse of such official documents and public sector information with the right to the protection of personal data pursuant to this Regulation461.

Article 80b462

Processing of national identification number

Member States may determine the specific conditions for the processing of a national


463 See Article 9(2)(g), (h), (hb) and (4) which enshrine the basic idea, previously expressed in Article 81, that sensitive data may be processed for purposes of medicine, health-care, public health and other public interests, subject to certain appropriate safeguards based on Union law or Member State law. This text is not part of the partial general approach which the Council is asked to agree at its meeting of 4 December 2014 and will be subject to further scrutiny at technical level.

identification number or any other identifier of general application. In this case the national identification number or any other identifier of general application shall be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation.

Article 81 Article 81 Article 81

Processing of personal data concerning health

Processing of personal data concerning health

Processing of personal data concerning for health-related purposes

Amendment 191

1. Within the limits of this Regulation and in accordance with point (h) of Article 9(2), processing of personal data concerning health must be on the basis of Union law or Member State law which shall provide for suitable and specific measures to safeguard the data subject's legitimate interests, and be

1. Within the limits of In accordance with the rules set out in this Regulation and in accordance, in particular with point (h) of Article 9(2), processing of personal data concerning health must be on the basis of Union law or Member State law which shall provide for suitable, consistent, and specific

deleted463


necessary for:

measures to safeguard the data subject's legitimate interests, and be fundamental rights, to the extent that these are necessary and proportionate, and of which the effects shall be foreseeable by the data subject, for:

(a) the purposes of preventive or occupational medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject to the obligation of professional secrecy or another person also subject to an equivalent obligation of confidentiality under Member State law or rules established by national competent bodies; or

(a) the purposes of preventive or occupational medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject to the obligation of professional secrecy or another person also subject to an equivalent obligation of confidentiality under Member State law or rules established by national competent bodies; or

deleted

(b) reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety, inter alia for medicinal products or medical devices; or

(b) reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety, inter alia for medicinal products or medical devices, and if the processing is carried out by a person bound by a confidentiality

deleted


obligation; or

(c) other reasons of public interest in areas such as social protection, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system.

(c) other reasons of public interest in areas such as social protection, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system and the provision of health services. Such processing of personal data concerning health for reasons of public interest shall not result in data being processed for other purposes, unless with the consent of the data subject or on the basis of Union or Member State law.

deleted

1a. When the purposes referred to in points (a) to (c) of paragraph 1 can be achieved without the use of personal data, such data shall not be used for those purposes, unless based on the consent of the data subject or Member State law.

1b. Where the data subject's consent is required for the processing of medical data exclusively for public health purposes of scientific research, the consent may be given for one or


more specific and similar researches. However, the data subject may withdraw the consent at any time.

1c. For the purpose of consenting to the participation in scientific research activities in clinical trials, the relevant provisions of Directive 2001/20/EC of the European Parliament and of the Council48c1

shall apply.

48c1 Directive 2001/20/EC of the European Parliament and of the Council of 4 April 2001 on the approximation of the laws, regulations and administrative provisions of the Member States relating to the implementation of good clinical practices in the conduct of clinical trials on medicinal products for human use (OJ L 121, 1.5.2001, p. 34)

2. Processing of personal data concerning health which is necessary for historical, statistical or scientific research purposes, such as patient registries set up for improving diagnoses and

2. Processing of personal data concerning health which is necessary for historical, statistical or scientific research purposes, such as patient registries set up for improving diagnoses and

deleted


differentiating between similar types of diseases and preparing studies for therapies, is subject to the conditions and safeguards referred to in Article 83.

differentiating between similar types of diseases and preparing studies for therapies, is shall be permitted only with the consent of the data subject, and shall be subject to the conditions and safeguards referred to in Article 83.

2a. Member States law may provide for exceptions to the requirement of consent for research, as referred to in paragraph 2, with regard to research that serves a high public interest, if that research cannot possibly be carried out otherwise. The data in question shall be anonymised, or if that is not possible for the research purposes, pseudonymised under the highest technical standards, and all necessary measures shall be taken to prevent unwarranted re-identification of the data subjects. However, the data subject shall have the right to object at any time in accordance with Article 19.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying

3. The Commission shall be empowered to adopt, after requesting an opinion of the European Data Protection Board,

deleted


other reasons of public interest in the area of public health as referred to in point (b) of paragraph 1, as well as criteria and requirements for the safeguards for the processing of personal data for the purposes referred to in paragraph 1.

delegated acts in accordance with Article 86 for the purpose of further specifying other reasons of public interest in the area of public health as referred to in point (b) of paragraph 1, as well as criteria and requirements for the safeguards for the processing of personal data for the purposes referred to in paragraph 1 and high public interest in the area of research as referred to in paragraph 2a.

3a. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.

Article 82 Article 82 Article 82

Processing in the employment context

Minimum standards for Pprocessing data in the employment context

Processing in the employment context

Amendment 192

1. Within the limits of this Regulation, Member States may

1. Within the limits of this Regulation, Member States may, in

1. Within the limits of this Regulation, Member States may


464 DE, supported by AT, CZ, HU, DK and SI, wanted to refer to 'stricter' rules.

adopt by law specific rules regulating the processing of employees' personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.

accordance with the rules set out in this Regulation, and taking into account the principle of proportionality, adopt by law legal provisions specific rules regulating the processing of employees' personal data in the employment context, in particular for but not limited to the purposes of the recruitment and job applications within the group of undertakings, the performance of the contract of employment, including discharge of obligations laid down by law or and by collective agreements, in accordance with national law and practice, management, planning and organisation of work, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship. Member States may allow for collective agreements to further specify the provisions set out in this Article.

adopt by law specific rules or by collective agreements, provide for more specific464 rules to ensure the protection of the rights and freedoms in respect of regulating the processing of employees' personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, protection of employer’s or customer’s property and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.


1a. The purpose of processing such data must be linked to the reason it was collected for and stay within the context of employment. Profiling or use for secondary purposes shall not be allowed.

1b. Consent of an employee shall not provide a legal basis for the processing of data by the employer when the consent has not been given freely.

1c. Notwithstanding the other provisions of this Regulation, the legal provisions of Member States referred to in paragraph 1 shall include at least the following minimum standards:

(a) the processing of employee data without the employees' knowledge shall not be permitted. Notwithstanding the first sentence, Member States may, by law, provide for the admissibility of this practice, by setting appropriate deadlines for the deletion of data, providing there exists a suspicion based on factual indications that must be documented that the


employee has committed a crime or serious dereliction of duty in the employment context, providing also the collection of data is necessary to clarify the matter and providing finally the nature and extent of this data collection are necessary and proportionate to the purpose for which it is intended. The privacy and private lives of employees shall be protected at all times. The investigation shall be carried out by the competent authority;

(b) the open optical-electronic and/or open acoustic-electronic monitoring of parts of an undertaking which are not accessible to the public and are used primarily by employees for private activities, especially in bathrooms, changing rooms, rest areas, and bedrooms, shall be prohibited. Clandestine surveillance shall be inadmissible under all circumstances;

(c) where undertakings or authorities collect and process personal data in the context of medical examinations and/or


aptitude tests, they must explain to the applicant or employee beforehand the purpose for which these data are being used, and ensure that afterwards they are provided with these those data together with the results, and that they receive an explanation of their significance on request. Data collection for the purpose of genetic testing and analyses shall be prohibited as a matter of principle;

(d) whether and to what extent the use of telephone, e-mail, internet and other telecommunications services shall also be permitted for private use may be regulated by collective agreement. Where there is no regulation by collective agreement, the employer shall reach an agreement on this matter directly with the employee. In so far as private use is permitted, the processing of accumulated traffic data shall be permitted in particular to ensure data security, to ensure the proper operation of telecommunications networks and telecommunications services and


for billing purposes.

Notwithstanding the third sentence, Member States may, by law, provide for the admissibility of this practice, by setting appropriate deadlines for the deletion of data, providing there exists a suspicion based on factual indications that must be documented that the employee has committed a crime or serious dereliction of duty in the employment context, providing also the collection of data is necessary to clarify the matter and providing finally the nature and extent of this data collection are necessary and proportionate to the purpose for which it is intended. The privacy and private lives of employees shall be protected at all times. The investigation shall be carried out by the competent authority;

(e) workers’ personal data, especially sensitive data such as political orientation and membership of and activities in trade unions, may under no circumstances be used to put workers on so-called ‘blacklists’,


and to vet or bar them from future employment. The processing, the use in the employment context, the drawing-up and passing-on of blacklists of employees or other forms of discrimination shall be prohibited. Member States shall conduct checks and adopt adequate sanctions in accordance with Article 79(6) to ensure effective implementation of this point.

1d. Transmission and processing of personal employee data between legally independent undertakings within a group of undertakings and with professionals providing legal and tax advice shall be permitted, providing it is relevant to the operation of the business and is used for the conduct of specific operations or administrative procedures and is not contrary to the interests and fundamental rights of the person concerned which are worthy of protection. Where employee data are transmitted to a third country and/or to an international organization, Chapter V shall apply.


465 This paragraph may need to be looked at again in the context of the discussions on Articles 7 and 8 for consent. COM, PL, PT scrutiny reservation.

2. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.

2. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph paragraphs 1 and 1b, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.

2. [Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.]

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the safeguards for the processing of personal data for the purposes referred to in paragraph 1.

3. The Commission shall be empowered, after requesting an opinion from the European Data Protection Board, to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the safeguards for the processing of personal data for the purposes referred to in paragraph 1.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the safeguards for the processing of personal data for the purposes referred to in paragraph 1 Member States may by law determine the conditions under which personal data in the employment context may be processed on the basis of the consent of the employee465.


Amendment 193

Article 82a

Processing in the social security context

1. Member States may, in accordance with the rules set out in this Regulation, adopt specific legislative rules particularising the conditions for the processing of personal data by their public institutions and departments in the social security context if carried out in the public interest.

2. Each Member State shall notify to the Commission those provisions which it adopts pursuant to paragraph 1, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.


466 PL and SI would want to restrict this to statistical processing in the public interest.

467 NL and DK proposed adding a reference to Article 7. SI supported this as far as scientific processing is concerned. PL suggested deleting the reference to Article 19.

Article 83 Article 83 Article 83

Processing for historical, statistical and scientific research purposes

Processing for historical, statistical and scientific research purposes

Derogations applying to Processing processing of personal data for archiving, historical, statistical and scientific, research statistical and historical purposes

Amendment 194

1. Within the limits of this Regulation, personal data may be processed for historical, statistical or scientific research purposes only if:

1. Within the limits of In accordance with the rules set out in this Regulation, personal data may be processed for historical, statistical or scientific research purposes only if:

1. Within the limits of this Regulation, Where personal data may be are processed for scientific, statistical466 or historical, statistical or scientific research purposes only if: Union or Member State law may, subject to appropriate safeguards for the rights and freedoms of the data subject, provide for derogations from Articles 14a(1) and (2), 15, 16, 17, 17a, 17b, 18 and 19467, insofar as such derogation is necessary for the fulfilment of the specific purposes.

(a) these purposes cannot be otherwise fulfilled by processing data which does not permit or not

(a) these purposes cannot be otherwise fulfilled by processing data which does not permit or not

(a) these purposes cannot be otherwise fulfilled by processing data which does not permit or not


468 COM and AT thought the list of articles from which can be derogated should be more limited.

any longer permit the identification of the data subject;

any longer permit the identification of the data subject;

any longer permit the identification of the data subject; Where personal data are processed for archiving purposes in the public interest, Union or Member State law may, subject to appropriate safeguards for the rights and freedoms of the data subject, provide for derogations from Articles 14a(1) and (2), 15, 16, 17, 17a, 17b, 18, 19, 23, 32, 33 and 53(1b)(d) and (e), insofar as such derogation is necessary for the fulfilment of these purposes468.

(b) data enabling the attribution of information to an identified or identifiable data subject is kept separately from the other information as long as these purposes can be fulfilled in this manner.

(b) data enabling the attribution of information to an identified or identifiable data subject is kept separately from the other information as long as these purposes can be fulfilled in this manner under the highest technical standards, and all necessary measures are taken to prevent unwarranted re-identification of the data subjects.

(b) data enabling the attribution of information to an identified or identifiable data subject is kept separately from the other information as long as these purposes can be fulfilled in this manner In case a type of processing referred to in paragraphs 1 and 1a serves at the same time another purpose, the derogations allowed for apply only to the processing for the purposes referred to in those paragraphs.


2. Bodies conducting historical, statistical or scientific research may publish or otherwise publicly disclose personal data only if:

deleted 2. Bodies conducting historical, statistical or scientific research may publish or otherwise publicly disclose personal data only if: The appropriate safeguards referred to in paragraphs 1 and 1a shall be laid down in Union or Member State law and be such to ensure that technological and/or organisational protection measures pursuant to this Regulation are applied to the personal data, to minimise the processing of personal data in pursuance of the proportionality and necessity principles, such as pseudonymising the data, unless those measures prevent achieving the purpose of the processing and such purpose cannot be otherwise fulfilled within reasonable means.

(a) the data subject has given consent, subject to the conditions laid down in Article 7;

deleted deleted

(b) the publication of personal data is necessary to present research findings or to facilitate

deleted deleted


research insofar as the interests or the fundamental rights or freedoms of the data subject do not override these interests; or

(c) the data subject has made the data public.

deleted deleted

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the processing of personal data for the purposes referred to in paragraph 1 and 2 as well as any necessary limitations on the rights of information to and access by the data subject and detailing the conditions and safeguards for the rights of the data subject under these circumstances.

deleted deleted

Amendment 195

Article 83a

Processing of personal data by archive services

1. Once the initial processing for which they were collected has been


completed, personal data may be processed by archive services whose main or mandatory task is to collect, conserve, provide information about, exploit and disseminate archives in the public interest, in particular in order to substantiate individuals’ rights or for historical, statistical or scientific research purposes. These tasks shall be carried out in accordance with the rules laid down by Member States concerning access to and the release and dissemination of administrative or archive documents and in accordance with the rules set out in this Regulation, specifically with regard to consent and the right to object.

2. Each Member State shall notify to the Commission provisions of its law which it adopts pursuant to paragraph 1 by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.


469 DE and UK scrutiny reservation.

Article 84 Article 84 Article 84

Obligations of secrecy Obligations of secrecy Obligations of secrecy469

Amendment 196

1. Within the limits of this Regulation, Member States may adopt specific rules to set out the investigative powers by the supervisory authorities laid down in Article 53(2) in relation to controllers or processors that are subjects under national law or rules established by national competent bodies to an obligation of professional secrecy or other equivalent obligations of secrecy, where this is necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy. These rules shall only apply with regard to personal data which the controller or processor has received from or has obtained in an activity covered by this obligation of secrecy.

1. Within the limits of In accordance with the rules set out in this Regulation, Member States may adopt shall ensure that specific rules to set are in place setting out the investigative powers by the supervisory authorities laid down in Article 53(2) in relation to controllers or processors that are subjects under national law or rules established by national competent bodies to an obligation of professional secrecy or other equivalent obligations of secrecy, where this is necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy. These rules shall only apply with regard to personal data which the controller or processor has received from or has obtained in an activity covered by this obligation of

1. Within the limits of this Regulation, Member States may adopt specific rules to set out the investigative powers by the supervisory authorities laid down in points (da) and (db) of Article 53(21) in relation to controllers or processors that are subjects under national Union or Member State law or rules established by national competent bodies to an obligation of professional secrecy or other equivalent obligations of secrecy or to a code of professional ethics supervised and enforced by professional bodies, where this is necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy. These rules shall only apply with regard to personal data which the controller or processor has received from or has obtained


470 MT, NL, AT and PT reservation.

secrecy. in an activity covered by this obligation of secrecy.

2. Each Member State shall notify to the Commission the rules adopted pursuant to paragraph 1, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.

2. Each Member State shall notify to the Commission the rules adopted pursuant to paragraph 1, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.

2. Each Member State shall notify to the Commission the rules adopted pursuant to paragraph 1, by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment affecting them.

Article 85 Article 85 Article 85

Existing data protection rules of churches and religious associations

Existing data protection rules of churches and religious associations

Existing data protection rules of churches and religious associations470

Amendment 197

1. Where in a Member State, churches and religious associations or communities apply, at the time of entry into force of this Regulation, comprehensive rules relating to the protection of individuals with regard to the processing of personal data, such rules may continue to apply, provided that they are brought in line with the provisions of this

1. Where in a Member State, churches and religious associations or communities apply, at the time of entry into force of this Regulation, comprehensive adequate rules relating to the protection of individuals with regard to the processing of personal data, such rules may continue to apply, provided that they are brought in line with the provisions of this

1. Where in a Member State, churches and religious associations or communities apply, at the time of entry into force of this Regulation, comprehensive rules relating to the protection of individuals with regard to the processing of personal data, such rules may continue to apply, provided that they are brought in line with the provisions of this


Regulation. Regulation. Regulation.

2. Churches and religious associations which apply comprehensive rules in accordance with paragraph 1 shall provide for the establishment of an independent supervisory authority in accordance with Chapter VI of this Regulation.

2. Churches and religious associations which apply comprehensive adequate rules in accordance with paragraph 1 shall provide for the establishment of an independent supervisory authority in accordance with Chapter VI of this Regulation obtain a compliance opinion pursuant to Article 38.

2. Churches and religious associations which apply comprehensive rules in accordance with paragraph 1, shall be subject to the control provide for the establishment of an independent supervisory authority which may be specific, provided that fulfils the conditions laid down in accordance with Chapter VI of this Regulation.

Amendment 198

Article 85a (new)

Respect of fundamental rights

This Regulation shall not have the effect of modifying the obligation to respect fundamental rights and fundamental legal principles as enshrined in Article 6 of the TEU.

Amendment 199

Article 85b (new)

Standard Forms

1. The Commission may, taking


into account the specific features and necessities of various sectors and data processing situations, lay down standard forms for:

(a) specific methods to obtain verifiable consent referred to in Article 8(1),

(b) the communication referred to in Article 12(2), including the electronic format,

(c) providing the information referred to in paragraphs 1 to 3 of Article 14,

(d) requesting and granting access to the information referred to in Article 15(1), including for communicating the personal data to the data subject,

(e) documentation referred to in paragraph 1 of Article 28,

(f) breach notifications pursuant to Article 31 to the supervisory authority and the documentation referred to in Article 31(4),


(g) prior consultations referred to in Article 34, and for informing the supervisory authorities pursuant to Article 34(6).

2. In doing so, the Commission shall take the appropriate measures for micro, small and medium-sized enterprises.

3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).


471 COM reservation on the deletion of empowerments for delegated acts or implementing acts.

CHAPTER X DELEGATED ACTS AND IMPLEMENTING ACTS

CHAPTER X DELEGATED ACTS AND IMPLEMENTING ACTS

CHAPTER X DELEGATED ACTS AND IMPLEMENTING ACTS471

Article 86 Article 86 Article 86

Exercise of the delegation Exercise of the delegation Exercise of the delegation

1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.

1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.

1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.

Amendment 200

2. The delegation of power referred to in Article 6(5), Article 8(3), Article 9(3), Article 12(5), Article 14(7), Article 15(3), Article 17(9), Article 20(6), Article 22(4), Article 23(3), Article 26(5), Article 28(5), Article 30(3), Article 31(5), Article 32(5), Article 336), Article 34(8), Article 35(11), Article 37(2), Article 39(2), Article 43(3), Article 44(7), Article 79(6), Article 81(3), Article 82(3) and Article 83(3)

2. The delegation of power power to adopt delegated acts referred to in Article 6(5), Article 8(3), Article 9(3), Article 12(5), Article 14(7), Article 15(3), Article 13a(5), Article 17(9), Article 20(6), Article 22(4), Article 23(3), Article 26(5), Article 28(5), Article 30(3), Article 31(5), Article 32(5), Article 336), Article 34(8), Article 35(11), Article 37(2), Article 38(4), Article 39(2), Article 41(3), Article 41(5),

2. The delegation of power referred to in Article 6(5), Article 8(3), Article 9(3), Article 12(5), Article 14(7), Article 15(3), Article 17(9), Article 20(6), Article 22(4), Article 23(3), Article 26(5), Article 28(5), Article 30(3), Article 31(5), Article 32(5), Article 336), Article 34(8), Article 35(11), Article 37(2), Article 39a(27), [Article 43(3), Article 44(7), Article 79a(64), Article 81(3), Article 82(3) and


shall be conferred on the Commission for an indeterminate period of time from the date of entry into force of this Regulation.

Article 43(3), Article 44(7), Article 79(6) Article 79(7), Article 81(3), and Article 82(3) and Article 83(3) shall be conferred on the Commission for an indeterminate period of time from the date of entry into force of this Regulation.

Article 83(3) shall be conferred on the Commission for an indeterminate period of time from the date of entry into force of this Regulation.

Amendment 201

3. The delegation of power referred to in Article 6(5), Article 8(3), Article 9(3), Article 12(5), Article 14(7), Article 15(3), Article 17(9), Article 20(6), Article 22(4), Article 23(3), Article 26(5), Article 28(5), Article 30(3), Article 31(5), Article 32(5), Article 33(6), Article 34(8), Article 35(11), Article 37(2), Article 39(2), Article 43(3), Article 44(7), Article 79(6), Article 81(3), Article 82(3) and Article 83(3) may be revoked at any time by the European Parliament or by the Council. A decision of revocation shall put an end to the delegation of power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date

3. The delegation of power referred to in Article 6(5), Article 8(3), Article 9(3), Article 12(5), Article 14(7), Article 15(3), Article 13a(5), Article 17(9), Article 20(6), Article 22(4), Article 23(3), Article 26(5), Article 28(5), Article 30(3), Article 31(5), Article 32(5), Article 33(6), Article 34(8), Article 35(11), Article 37(2), Article 38(4), Article 39(2), Article 41(3), Article 41(5), Article 43(3), Article 44(7), Article 79(6) Article 79(7), Article 81(3), and Article 82(3) and Article 83(3) may be revoked at any time by the European Parliament or by the Council. A decision of revocation to revoke shall put an end to the delegation of power specified in that decision. It shall take effect the day following the publication of the

3. The delegation of power referred to in Article 6(5), Article 8(3), Article 9(3), Article 12(5), Article 14(7), Article 15(3), Article 17(9), Article 20(6), Article 22(4), Article 23(3), Article 26(5), Article 28(5), Article 30(3), Article 31(5), Article 32(5), Article 33(6), Article 34(8), Article 35(11), Article 37(2), Article 39a(27), [Article 43(3)], Article 44(7), Article 79a(64), Article 81(3), Article 82(3) and Article 83(3) may be revoked at any time by the European Parliament or by the Council. A decision of revocation shall put an end to the delegation of power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European


specified therein. It shall not affect the validity of any delegated acts already in force.

decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

4. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.

4. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.

4. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.

Amendment 202

5. A delegated act adopted pursuant to Article 6(5), Article 8(3), Article 9(3), Article 12(5), Article 14(7), Article 15(3), Article 17(9), Article 20(6), Article 22(4), Article 23(3), Article 26(5), Article 28(5), Article 30(3), Article 31(5), Article 32(5), Article 33(6), Article 34(8), Article 35(11), Article 37(2), Article 39(2), Article 43(3), Article 44(7), Article 79(6), Article 81(3), Article 82(3) and Article 83(3) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the

5. A delegated act adopted pursuant to Article 6(5), Article 8(3), Article 9(3), Article 12(5), Article 14(7), Article 15(3), Article 13a(5), Article 17(9), Article 20(6), Article 22(4), Article 23(3), Article 26(5), Article 28(5), Article 30(3), Article 31(5), Article 32(5), Article 33(6), Article 34(8), Article 35(11), Article 37(2), Article 38(4), Article 39(2), Article 41(3), Article 41(5), Article 43(3), Article 44(7), Article 79(6), Article 79(7), Article 81(3), and Article 82(3) and Article 83(3) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of

5. A delegated act adopted pursuant to Article 6(5), Article 8(3), Article 9(3), Article 12(5), Article 14(7), Article 15(3), Article 17(9), Article 20(6), Article 22(4), Article 23(3), Article 26(5), Article 28(5), Article 30(3), Article 31(5), Article 32(5), Article 33(6), Article 34(8), Article 35(11), Article 37(2), Article 39a(27), [Article 43(3)], Article 44(7), Article 79a(64), Article 81(3), Article 82(3) and Article 83(3) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and


Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or the Council.

two six months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two six months at the initiative of the European Parliament or of the Council.

the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or the Council.

Article 87 Article 87 Article 87

Committee procedure Committee procedure Committee procedure

1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

Amendment 203

3. Where reference is made to this paragraph, Article 8 of Regulation (EU) No 182/2011, in conjunction with Article 5 thereof, shall apply.

deleted 3. Where reference is made to this paragraph, Article 8 of Regulation (EU) No 182/2011, in conjunction with Article 5 thereof, shall apply.


CHAPTER XI FINAL PROVISIONS

CHAPTER XI FINAL PROVISIONS

CHAPTER XI FINAL PROVISIONS

Article 88 Article 88 Article 88

Repeal of Directive 95/46/EC Repeal of Directive 95/46/EC Repeal of Directive 95/46/EC

1. Directive 95/46/EC is repealed.

1. Directive 95/46/EC is repealed. 1. Directive 95/46/EC is repealed.

2. References to the repealed Directive shall be construed as references to this Regulation. References to the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Article 29 of Directive 95/46/EC shall be construed as references to the European Data Protection Board established by this Regulation.

2. References to the repealed Directive shall be construed as references to this Regulation. References to the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Article 29 of Directive 95/46/EC shall be construed as references to the European Data Protection Board established by this Regulation.

2. References to the repealed Directive shall be construed as references to this Regulation. References to the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Article 29 of Directive 95/46/EC shall be construed as references to the European Data Protection Board established by this Regulation.

Article 89 Article 89 Article 89

Relationship to and amendment of Directive 2002/58/EC

Relationship to and amendment of Directive 2002/58/EC

Relationship to and amendment of Directive 2002/58/EC

1. This Regulation shall not impose additional obligations on natural or legal persons in relation to the processing of personal data in

1. This Regulation shall not impose additional obligations on natural or legal persons in relation to the processing of personal data in

1. This Regulation shall not impose additional obligations on natural or legal persons in relation to the processing of personal data in


connection with the provision of publicly available electronic communications services in public communication networks in the Union in relation to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC.

connection with the provision of publicly available electronic communications services in public communication networks in the Union in relation to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC.

connection with the provision of publicly available electronic communications services in public communication networks in the Union in relation to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC.

Amendment 204

2. Article 1(2) of Directive 2002/58/EC shall be deleted.

2. Article Articles 1(2), 4 and 15 of Directive 2002/58/EC shall be deleted.

2. Article 1(2) of Directive 2002/58/EC shall be deleted.

Amendment 205

2a. The Commission shall present, without delay and by the date referred to in Article 91(2) at the latest, a proposal for the revision of the legal framework for the processing of personal data and the protection of privacy in electronic communications, in order to align the law with this Regulation and ensure consistent and uniform legal provisions on the fundamental right to protection of personal data in the European Union.


Amendment 206

Article 89a (new)

Relationship to and amendment of Regulation (EC) No 45/2001

1. The rules set out in this Regulation shall apply to the processing of personal data by Union institutions, bodies, offices and agencies in relation to matters for which they are not subject to additional rules set out in Regulation (EC) No 45/2001.

2. The Commission shall present, without delay and by the date specified in Article 91(2) at the latest, a proposal for the revision of the legal framework applicable to the processing of personal data by the Union institutions, bodies, offices and agencies.

Article 89a

Relationship to previously concluded Agreements

International agreements involving the transfer of personal


472 COM reservation based on strong legal doubts on the legality of such proposal. COM refers to recital 79. DK, IT, RO and UK scrutiny reservation.

data to third countries or international organisations which were concluded by Member States prior to the entry into force of this Regulation, and which are in compliance with Directive 95/46/EC, shall remain in force until amended, replaced or revoked472.

Article 90 Article 90 Article 90

Evaluation Evaluation Evaluation

The Commission shall submit reports on the evaluation and review of this Regulation to the European Parliament and the Council at regular intervals. The first report shall be submitted no later than four years after the entry into force of this Regulation. Subsequent reports shall be submitted every four years thereafter. The Commission shall, if necessary, submit appropriate proposals with a view to amending this Regulation, and aligning other legal instruments, in particular taking account of developments in

The Commission shall submit reports on the evaluation and review of this Regulation to the European Parliament and the Council at regular intervals. The first report shall be submitted no later than four years after the entry into force of this Regulation. Subsequent reports shall be submitted every four years thereafter. The Commission shall, if necessary, submit appropriate proposals with a view to amending this Regulation, and aligning other legal instruments, in particular taking account of developments in information technology and in the

The Commission shall submit reports on the evaluation and review of this Regulation to the European Parliament and the Council at regular intervals. The first report shall be submitted no later than four years after the entry into force of this Regulation. Subsequent reports shall be submitted every four years thereafter. The Commission shall, if necessary, submit appropriate proposals with a view to amending this Regulation, and aligning other legal instruments, in particular taking account of developments in

Page 626: EP Position/amendments REGULATION OF THE · 2015-04-04 · EP Position/amendments 2012/0011(C OD) Council Position Doc.15395/14 Comments / compromise suggestions Proposal for a Proposal

Version 21/04/15 – Council’s consolidated version of March 2015 Page 626 of 630

information technology and in thelight of the state of progress in theinformation society. The reportsshall be made public.

light of the state of progress in theinformation society. The reportsshall be made public.

information technology and in thelight of the state of progress in theinformation society. The reportsshall be made public.

Article 91 Article 91 Article 91

Entry into force and application Entry into force and application Entry into force and application

1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

2. It shall apply from [two years from the date referred to in paragraph 1].

2. It shall apply from [two years from the date referred to in paragraph 1]…*.

* OJ: insert the date: two years from the date of entry into force of this Regulation

2. It shall apply from [two years from the date referred to in paragraph 1].

This Regulation shall be binding in its entirety and directly applicable in all Member States.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at …, Done at Brussels

For the European Parliament

The President

For the European Parliament

The President

For the Council

The President

For the Council

The President

Amendment 207

Annex (new)

Presentation of the particulars referred to in Article 13a

1) Having regard to the proportions referred to in point 6, particulars shall be provided as follows:

| ICON | ESSENTIAL INFORMATION | FULFILLED |
|---|---|---|
| [icon] | No personal data are collected beyond the minimum necessary for each specific purpose of the processing | [graphical form] |
| [icon] | No personal data are retained beyond the minimum necessary for each specific purpose of the processing | [graphical form] |
| [icon] | No personal data are processed for purposes other than the purposes for which they were collected | [graphical form] |
| [icon] | No personal data are disseminated to commercial third parties | [graphical form] |
| [icon] | No personal data are sold or rented out | [graphical form] |
| [icon] | No personal data are retained in unencrypted form | [graphical form] |

COMPLIANCE WITH ROWS 1-3 IS REQUIRED BY EU LAW


2) The following words in the rows in the second column of the table in point 1, entitled "ESSENTIAL INFORMATION", shall be formatted as bold:

a) the word "collected" in the first row of the second column;

b) the word "retained" in the second row of the second column;

c) the word "processed" in the third row of the second column;

d) the word "disseminated" in the fourth row of the second column;

e) the word "sold and rented out" in the fifth row of the second column;

f) the word "unencrypted" in the sixth row of the second column.

3) Having regard to the proportions referred to in point 6, the rows in the third column of the table in point 1, entitled "FULFILLED", shall be completed with one of the following two graphical forms in accordance with the conditions laid down under point 4:

a)

b)

4)

a) If no personal data are collected beyond the minimum necessary for each specific purpose of the processing, the first row of the third column of the table in point 1 shall entail the graphical form referred to in point 3a.

b) If personal data are collected beyond the minimum necessary for each specific purpose of the processing, the first row of the third column of the table in point 1 shall entail the graphical form referred to in point 3b.

c) If no personal data are retained beyond the minimum necessary for each specific purpose of the processing, the second row of the third column of the table in point 1 shall entail the graphical form referred to in point 3a.


d) If personal data are retained beyond the minimum necessary for each specific purpose of the processing, the second row of the third column of the table in point 1 shall entail the graphical form referred to in point 3b.

e) If no personal data are processed for purposes other than the purposes for which they were collected, the third row of the third column of the table in point 1 shall entail the graphical form referred to in point 3a.

f) If personal data are processed for purposes other than the purposes for which they were collected, the third row of the third column of the table in point 1 shall entail the graphical form referred to in point 3b.

g) If no personal data are disseminated to commercial third parties, the fourth row of the third column of the table in point 1 shall entail the graphical form referred to in point 3a.

h) If personal data are disseminated to commercial third parties, the fourth row of the third column of the table in point 1 shall entail the graphical form referred to in point 3b.

i) If no personal data are sold or rented out, the fifth row of the third column of the table in point 1 shall entail the graphical form referred to in point 3a.

j) If personal data are sold or rented out, the fifth row of the third column of the table in point 1 shall entail the graphical form referred to in point 3b.

k) If no personal data are retained in unencrypted form, the sixth row of the third column of the table in point 1 shall entail the graphical form referred to in point 3a.

l) If personal data are retained in unencrypted form, the sixth row of the third column of the table in point 1 shall entail the graphical form referred to in point 3b.

5) The reference colours of the graphical forms in point 1 in Pantone are Black Pantone No 7547 and Red Pantone No 485. The reference colour of the graphical form in point 3a in Pantone is Green Pantone No 370. The reference colour of the graphical form in point 3b in Pantone is Red Pantone No 485.

6) The proportions given in the following graduated drawing shall be respected, even where the table is reduced or enlarged: