1Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. 2Where the child is below the age of 16 years, such processing shall be … Continue reading Art. 8 GDPR – Conditions applicable to child’s consent in relation to information society services| General Data Protection Regulation (GDPR)
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have … Continue reading Art. 20 GDPR – Right to data portability| General Data Protection Regulation (GDPR)
1A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. 2Such a transfer shall not require … Continue reading Art. 45 GDPR – Transfers on the basis of an adequacy decision| General Data Protection Regulation (GDPR)
Each supervisory authority shall have all of the following investigative powers: to order the controller and the processor, and, where applicable, the controller’s or the processor’s representative to provide any information it requires for the performance of its tasks; to carry out investigations in the form of data protection audits; to carry out a review … Continue reading Art. 58 GDPR – Powers| General Data Protection Regulation (GDPR)
1Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the … Continue reading Art. 35 GDPR – Data protection impact assessment| General Data Protection Regulation (GDPR)
Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, the monitoring of compliance with a code of conduct pursuant to Article 40 may be carried out by a body which has an appropriate level of expertise in relation to the subject-matter of the code and is accredited … Continue reading Art. 41 GDPR – Monitoring of approved codes of conduct| General Data Protection Regulation (GDPR)
The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 63, provided that they: are legally binding and apply to and are enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees; expressly … Continue reading Art. 47 GDPR – Binding corporate rules| General Data Protection Regulation (GDPR)
In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. The appropriate … Continue reading Art. 46 GDPR – Transfers subject to appropriate safeguards| General Data Protection Regulation (GDPR)
1The Commission shall be assisted by a committee. 2That committee shall be a committee within the meaning of Regulation (EU) No 182/2011. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply. Where reference is made to this paragraph, Article 8 of Regulation ((EU) No 182/2011, in conjunction with … Continue reading Art. 93 GDPR – Committee procedure| General Data Protection Regulation (GDPR)
Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive. 1Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition … Continue reading Art. 83 GDPR – General conditions for imposing administrative fines| General Data Protection Regulation (GDPR)
In order to contribute to the consistent application of this Regulation throughout the Union, the supervisory authorities shall cooperate with each other and, where relevant, with the Commission, through the consistency mechanism as set out in this Section.| General Data Protection Regulation (GDPR)
1Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, certification bodies which have an appropriate level of expertise in relation to data protection shall, after informing the supervisory authority in order to allow it to exercise its powers pursuant to point (h) of Article 58(2) where necessary, … Continue reading Art. 43 GDPR – Certification bodies| General Data Protection Regulation (GDPR)
1The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. 2The specific needs of micro, small and … Continue reading Art. 42 GDPR – Certification| General Data Protection Regulation (GDPR)
The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk. 1Where the supervisory authority is of the opinion that the intended processing referred … Continue reading Art. 36 GDPR – Prior consultation| General Data Protection Regulation (GDPR)
Article 85Processing and freedom of expression and information Article 86Processing and public access to official documents Article 87Processing of the national identification number Article 88Processing in the context of employment Article 89Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes Article 90Obligations of … Continue reading Chapter 9 – Provisions relating to specifi...| General Data Protection Regulation (GDPR)
The data protection officer shall have at least the following tasks: to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions; to monitor compliance with this Regulation, with other Union or Member … Continue reading Art. 39 GDPR – Tasks of the data protection officer| General Data Protection Regulation (GDPR)
Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means … Continue reading Art. 25 GDPR – Data protection by design and by default| General Data Protection Regulation (GDPR)
The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises. Associations and other bodies … Continue reading Art. 40 GDPR – Codes of conduct| General Data Protection Regulation (GDPR)
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level … Continue reading Art. 32 GDPR – Security of processing| General Data Protection Regulation (GDPR)
The controller and the processor shall designate a data protection officer in any case where: the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope … Continue reading Art. 37 GDPR – Designation of the data protection officer| General Data Protection Regulation (GDPR)
For the purposes of this Regulation: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to … Continue reading Art. 4 GDPR – Definitions| General Data Protection Regulation (GDPR)
1Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. 2That record shall contain all of the following information: the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer; the purposes of the processing; a … Continue reading Art. 30 GDPR – Records of processing activities| General Data Protection Regulation (GDPR)
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: the purposes of the processing; the categories of personal data concerned; the recipients … Continue reading Art. 15 GDPR – Right of access by the data subject| General Data Protection Regulation (GDPR)
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: the personal data are no longer necessary in relation to … Continue reading Art. 17 GDPR – Right to erasure (‘right to be forgotten’)| General Data Protection Regulation (GDPR)
National authorities can or must assess fines for specific data protection violations in accordance with the General Data Protection Regulation. The fines are applied in addition to or instead of further remedies or corrective powers, such as the order to end a violation, an instruction to adjust the data processing to comply with the GDPR, … Continue reading Fines / Penalties| General Data Protection Regulation (GDPR)
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. Paragraph 1 shall not apply if the decision: is necessary for entering into, or performance of, a contract between … Continue reading Art. 22 GDPR – Automated individual decision-making, including profiling| General Data Protection Regulation (GDPR)
Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information: the identity and the contact details of the controller and, where applicable, of the controller’s representative; the contact details of the data protection officer, where applicable; the purposes of the processing for which … Continue reading Art. 14 GDPR – Information to be provided where personal data have not been obtained from the data subject| General Data Protection Regulation (GDPR)
Personal data shall be: processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’); collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research … Continue reading Art. 5 GDPR – Principles relating to processing of personal data| General Data Protection Regulation (GDPR)
Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information: the identity and the contact details of the controller and, where applicable, of the controller’s representative; the contact details of … Continue reading Art. 13 GDPR – Information to be provided where personal data are collected from the data subject| General Data Protection Regulation (GDPR)
Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject. 1The processor shall … Continue reading Art. 28 GDPR – Processor| General Data Protection Regulation (GDPR)
Processing shall be lawful only if and to the extent that at least one of the following applies: the data subject has given consent to the processing of his or her personal data for one or more specific purposes; processing is necessary for the performance of a contract to which the data subject is party … Continue reading Art. 6 GDPR – Lawfulness of processing| General Data Protection Regulation (GDPR)
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited. Paragraph 1 … Continue reading Art. 9 GDPR – Processing of special categories of personal data| General Data Protection Regulation (GDPR)