The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 63, provided that they: are legally binding and apply to and are enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees; expressly … Continue reading Art. 47 GDPR – Binding corporate rules| General Data Protection Regulation (GDPR)
In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. The appropriate … Continue reading Art. 46 GDPR – Transfers subject to appropriate safeguards| General Data Protection Regulation (GDPR)
Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive. 1Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition … Continue reading Art. 83 GDPR – General conditions for imposing administrative fines| General Data Protection Regulation (GDPR)
1Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, certification bodies which have an appropriate level of expertise in relation to data protection shall, after informing the supervisory authority in order to allow it to exercise its powers pursuant to point (h) of Article 58(2) where necessary, … Continue reading Art. 43 GDPR – Certification bodies| General Data Protection Regulation (GDPR)
1The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. 2The specific needs of micro, small and … Continue reading Art. 42 GDPR – Certification| General Data Protection Regulation (GDPR)
The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk. 1Where the supervisory authority is of the opinion that the intended processing referred … Continue reading Art. 36 GDPR – Prior consultation| General Data Protection Regulation (GDPR)
The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises. Associations and other bodies … Continue reading Art. 40 GDPR – Codes of conduct| General Data Protection Regulation (GDPR)
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: the personal data are no longer necessary in relation to … Continue reading Art. 17 GDPR – Right to erasure (‘right to be forgotten’)| General Data Protection Regulation (GDPR)
Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject. 1The processor shall … Continue reading Art. 28 GDPR – Processor| General Data Protection Regulation (GDPR)