PONT Data&Privacy

Preamble

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

of 27 April 2016

on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation)

(Text relevant to the EEA)

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 16,

Given the European Commission's proposal,

After sending the draft legislative act to national parliaments,

Having regard to the opinion of the European Economic and Social Committee (1),

Having regard to the opinion of the Committee of the Regions (2),

Acting in accordance with the ordinary legislative procedure (3),

Whereas:

(1)

The protection of natural persons in the processing of personal data is a fundamental right. Pursuant to Article 8(1) of the Charter of Fundamental Rights of the European Union (the "Charter") and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU), everyone has the right to the protection of their personal data.

(2)

The principles and rules relating to the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or place of residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data. This Regulation aims to contribute to the establishment of an area of freedom, security and justice and of an economic union, as well as to economic and social progress, the strengthening and convergence of economies within the internal market and the well-being of natural persons.

(3)

Directive 95/46/EC of the European Parliament and of the Council (4) aims to harmonize the protection of the fundamental rights and freedoms of natural persons with regard to processing activities and to ensure the free flow of personal data within the Union.

(4)

The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights in accordance with the principle of proportionality. This Regulation respects all fundamental rights as well as the freedoms and principles recognized in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial and the right to cultural, religious and linguistic diversity.

(5)

The single market has achieved a level of economic and social integration that has led to a significant increase in cross-border flows of personal data. The exchange of personal data between public and private actors, including natural persons, associations and companies, has increased throughout the Union. Union law requires national authorities in Member States to cooperate and exchange personal data in order to fulfill their missions or to perform tasks on behalf of an authority in another Member State.

(6)

Rapid technological developments and globalization have created new challenges for the protection of personal data. The extent to which personal data is collected and shared has increased significantly. Technology allows companies and government to use personal data in conducting their operations more than ever before. Natural persons increasingly disclose their personal data globally. Technology has dramatically changed both the economy and social life and should further facilitate the free flow of personal data within the Union and transfers to third countries and international organizations, while ensuring a high level of protection of personal data.

(7)

These developments require a strong and more coherent data protection framework in the Union, backed by strong enforcement, because this is important for the trust needed for the digital economy to develop throughout the internal market. Individuals should have control over their own personal data. Greater legal and practical certainty should be provided to individuals, economic operators and public authorities.

(8)

To the extent that this Regulation provides that the rules it contains may be specified or limited by Member State law, Member States may, where necessary, incorporate elements of this Regulation into their law in order to ensure consistency and to make the national provisions intelligible to those to whom they apply.

(9)

While the objectives and principles of Directive 95/46/EC remain valid, the Directive has not been able to prevent fragmented data protection across the Union, legal uncertainty or a widespread perception that online activities in particular pose significant risks to the protection of natural persons. Member States provide different levels of protection of the rights and freedoms of natural persons, in particular the protection of personal data, with regard to the processing of personal data, which may impede the free flow of personal data within the Union. Those differences may therefore constitute an obstacle to the pursuit of economic activities at Union level, distort competition and prevent public authorities from fulfilling their task under Union law. Those different levels of protection are due to differences in the implementation and application of Directive 95/46/EC.

(10)

In order to provide natural persons with a consistent and high level of protection and to remove obstacles to the circulation of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogeneous application throughout the Union of the rules protecting the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured. In relation to the processing of personal data for the fulfilment of a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member States should be allowed to maintain or introduce national provisions further specifying how the rules of this Regulation are to be applied. In conjunction with the general and horizontal data protection legislation implementing Directive 95/46/EC, Member States have several sectoral laws in areas where more specific provisions are needed. This Regulation also leaves room for Member States to adopt their own rules of application, including as regards the processing of special categories of personal data ("sensitive data"). To that extent, this Regulation does not preclude Member State law specifying specific situations in the field of data processing, in particular by defining more precisely the cases in which processing of personal data is lawful.

(11)

Effective protection of personal data throughout the Union requires strengthening and further specifying the rights of data subjects and the obligations of those who process personal data and those who decide on such processing, as well as equivalent powers of supervision and enforcement of data protection rules and comparable sanctions for violations in the Member States.

(12)

Article 16(2) TFEU empowers the European Parliament and the Council to adopt the rules relating to the protection of natural persons with regard to the processing of personal data, as well as the rules relating to the free movement of such data.

(13)

In order to ensure a consistent level of protection for natural persons throughout the Union and to prevent divergences from hindering the free flow of personal data in the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, to provide the same legally enforceable rights for natural persons in all Member States and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data and comparable sanctions in all Member States, as well as effective cooperation between the supervisory authorities of different Member States. The proper functioning of the internal market requires that the free flow of personal data within the Union should not be restricted or prohibited for reasons relating to the protection of natural persons in relation to the processing of personal data. To take into account the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organizations with fewer than 250 employees as regards record keeping. Furthermore, Union institutions, bodies, offices and agencies, and Member States and their supervisory authorities are encouraged to take into account the specific needs of micro, small and medium-sized enterprises when applying this Regulation. The definition of micro, small and medium-sized enterprises should be taken from Article 2 of the Annex to Commission Recommendation 2003/361/EC (5).

(14)

The protection afforded by this Regulation concerns natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of data on legal persons and in particular companies established as legal persons, such as the name and legal form of the legal person and the contact details of the legal person.

(15)

To avoid creating a serious risk of circumvention, the protection of natural persons should be technology-neutral and should not depend on the techniques used. The protection of natural persons should apply to both automated processing of personal data and manual processing where the personal data are stored, or are intended to be stored, in a filing system. Files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation.

(16)

This Regulation shall not apply to issues relating to the protection of fundamental rights and freedoms or the free flow of personal data in relation to activities which are not governed by Union law, such as activities concerning national security. This Regulation shall not apply to the processing of personal data carried out by Member States in activities concerning the Union's common foreign and security policy.

(17)

Regulation (EC) No 45/2001 of the European Parliament and of the Council (6) applies to the processing of personal data by Union institutions, bodies, offices and agencies. Regulation (EC) No 45/2001 and other legal acts of the Union applicable to such processing of personal data should be adapted to the principles and rules of this Regulation and applied in the light of this Regulation. In order to provide the Union with a strong and coherent data protection framework, Regulation (EC) No 45/2001 should be adapted where necessary once this Regulation is adopted so that it can become applicable at the same time as this Regulation.

(18)

This Regulation shall not apply to the processing of personal data by a natural person in the course of a purely personal or household activity which, as such, has no connection with any professional or commercial activity. Personal or household activities may include correspondence or address files, social networking and online activities undertaken in the context of such activities. However, this Regulation does apply to controllers or processors that provide the means for processing personal data for such personal or household activities.

(19)

The protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the protection against and the prevention of threats to public security, and the free movement of such data is governed by a specific legal act of the Union. Therefore, this Regulation should not apply to processing operations carried out for those purposes. Personal data processed by public authorities pursuant to this Regulation and used for those purposes should be governed by a more specific legal act of the Union, namely Directive (EU) 2016/680 of the European Parliament and of the Council (7). Member States may entrust competent authorities within the meaning of Directive (EU) 2016/680 with tasks which are not necessarily carried out for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the protection against and the prevention of threats to public security, so that the processing of personal data for those other purposes falls within the scope of this Regulation to the extent that it falls within the scope of Union law.

With regard to the processing of personal data by those competent authorities for purposes that fall within the scope of this Regulation, Member States should be able to maintain or introduce more specific provisions to adapt the application of the rules of this Regulation. In particular, those provisions may lay down specific rules for the processing of personal data by those competent authorities for the other purposes mentioned, taking into account the constitutional, organizational and administrative structure of the Member State in question. Where the processing of personal data by bodies governed by private law is covered by this Regulation, this Regulation should provide for the possibility for Member States to restrict obligations and rights established by law under specific conditions, if such restriction constitutes a necessary and proportionate measure in a democratic society to safeguard specific interests of importance, including public security and the prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties, including the protection against and prevention of threats to public security. This is important, for example, in the context of combating money laundering or the work of forensic laboratories.

(20)

Although this Regulation applies inter alia to the activities of courts and other judicial authorities, Union or Member State law could further specify the processing operations and procedures relating to the processing of personal data by courts and other judicial authorities. The competence of supervisory authorities should not extend to the processing of personal data by courts in the performance of their judicial tasks, in order to ensure the independence of the judiciary in the performance of its judicial functions, including decision-making. It should be possible to entrust the monitoring of such data processing operations to specific bodies within the Member State's judiciary, which should in particular ensure compliance with the rules of this Regulation, raise members of the judiciary's awareness of their obligations under this Regulation, and address complaints relating to such data processing operations.

(21)

This Regulation is without prejudice to the application of Directive 2000/31/EC of the European Parliament and of the Council (8), in particular the rules on the liability of intermediary service providers in Articles 12 to 15 thereof. That Directive seeks to contribute to the proper functioning of the internal market by ensuring the free movement of information society services between the Member States.

(22)

The processing of personal data in the context of the activities of an establishment of a controller or processor in the Union should be carried out in accordance with this Regulation, regardless of whether the actual processing takes place in the Union. Establishment presupposes the effective and real exercise of activities through stable relationships. The legal form of such relationships, whether a branch or an incorporated subsidiary, is not decisive in this regard.

(23)

In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, this Regulation should apply to the processing of personal data of data subjects present in the Union by a controller or processor not established in the Union where the processing is related to the offering of goods or services to those data subjects, whether or not it is related to a payment. To determine whether such a controller or processor is offering goods or services to data subjects in the Union, it is necessary to determine whether the controller or processor apparently intends to offer services to data subjects in one or more Member States in the Union. The accessibility of the controller's, processor's or intermediary's website in the Union, of an e-mail address or other contact information, or the use of a language commonly used in the third country where the controller is located is insufficient in itself to establish such an intention, but other factors, such as the use of a language or currency commonly used in one or more Member States, with the possibility of ordering goods and services in that language, or the mention of customers or users in the Union, may also show that the controller intends to offer goods and services to data subjects in the Union.

(24)

Processing of personal data of data subjects in the Union by a controller or processor not established in the Union should also be covered by this Regulation where it is related to the monitoring of the behaviour of data subjects insofar as it takes place within the Union. In order to determine whether a processing operation can be considered as monitoring the behavior of data subjects, it should be determined whether natural persons are monitored on the Internet, including whether, in that context, personal data processing techniques may be used which aim at profiling a natural person, in particular in order to take decisions regarding him or her or to analyze or predict his or her personal preferences, behaviors and attitudes.

(25)

Where Member State law applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union but operating, for example, at a diplomatic mission or consular post.

(26)

Data protection principles should apply to any information concerning an identified or identifiable natural person. Personal data that have undergone pseudonymization, and that could be attributed to a natural person by the use of additional information, should be considered data about an identifiable natural person. To determine whether a natural person is identifiable, account must be taken of all means reasonably likely to be used, by the controller or by another person, to identify the natural person directly or indirectly, such as singling out. In determining whether means are reasonably likely to be used to identify the natural person, consideration should be given to all objective factors, such as the costs of and the time required for identification, taking into account the technology available at the time of processing and technological developments. Data protection principles should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person, or to personal data rendered anonymous in such a way that the data subject is not or no longer identifiable. This Regulation therefore does not cover the processing of such anonymous information, including for statistical or research purposes.

(27)

This Regulation does not apply to the personal data of deceased persons. Member States may adopt rules concerning the processing of personal data of deceased persons.

(28)

The application of pseudonymization to personal data can reduce risks to data subjects and help controllers and processors meet their data protection obligations. The explicit introduction of "pseudonymization" in this Regulation is not intended to exclude other data protection measures.

(29)

In order to create incentives to apply pseudonymization when processing personal data, measures of pseudonymization should, while still allowing general analysis, be possible within the same controller where that controller has taken the technical and organizational measures necessary to ensure, for the processing concerned, that this Regulation is implemented and that the additional information needed to attribute the personal data to a specific data subject is kept separately. The controller processing the personal data should indicate which persons within the same controller are authorized.

(30)

Natural persons may be linked to online identifiers through their devices, applications, tools and protocols, such as Internet Protocol (IP) addresses, identification cookies or other identifiers such as radio frequency identification tags. This can leave traces that, especially when combined with unique identifiers and other information received by the servers, can be used to build profiles of natural persons and recognize natural persons.

(31)

Public authorities to which personal data are communicated in accordance with a legal obligation for the performance of their public tasks, such as tax or customs authorities, financial investigation departments, independent administrative authorities or financial market authorities in charge of regulating and supervising securities markets, should not be regarded as recipients if they receive personal data necessary for the performance of a particular investigation of public interest, in accordance with Union or Member State law. In any case, requests for disclosure made by public authorities should be in writing, justified and occasional, and should not concern a complete file or result in the combination of files. The processing of personal data by such public authorities must comply with the data protection rules applicable to the purposes of the processing.

(32)

Consent should be given by a clear affirmative act, for example a written statement, including by electronic means, or an oral statement, which constitutes a freely given, specific, informed and unambiguous indication that the data subject agrees to the processing of their personal data. This could include ticking a box when visiting an Internet website, choosing technical settings for information society services, or any other statement or conduct which, in this context, clearly indicates that the data subject accepts the proposed processing of their personal data. Silence, pre-ticked boxes or inactivity should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. If the processing has multiple purposes, consent must be given for each of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear and concise and not unnecessarily disruptive to the use of the service for which it is provided.

(33)

It is often not possible at the time of collection of personal data to fully define the purpose of data processing for scientific research purposes. Therefore, data subjects should be allowed to give their consent for certain areas of scientific research while respecting recognized ethical standards for scientific research. Data subjects should be given the opportunity to give their consent only for certain areas or parts of research projects, as far as the intended purpose allows.

(34)

Genetic data should be defined as personal data relating to the inherited or acquired genetic characteristics of a natural person revealed by an analysis of a biological sample of the person in question, in particular a chromosome analysis, an analysis of deoxyribonucleic acid (DNA) or of ribonucleic acid (RNA), or from an analysis of other elements by which similar information can be obtained.

(35)

Personal data on health should include any data relating to the health status of a data subject that provides information about the data subject's past, present and future physical or mental health status. This includes information about the natural person collected in the context of registration for or provision of healthcare services as referred to in Directive 2011/24/EU of the European Parliament and of the Council (9) to that natural person; a number, symbol or attribute assigned to a natural person that uniquely identifies that natural person for health purposes; information resulting from the testing or examination of a body part or bodily substance, including genetic data and biological samples; and information on, for example, disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the individual, regardless of the source, such as, for example, a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.

(36)

The main establishment of a controller in the Union should be the location of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union, in which case such other establishment should be considered as the main establishment. Which establishment is the main establishment of a controller in the Union should be determined on the basis of objective criteria, such as the effective and actual performance of management activities, with a view to taking the core decisions on the purposes and means of processing through consistent relationships. This criterion should not depend on whether the processing of personal data takes place at that location. The presence and use of technical means and technologies for the processing of personal data or processing activities do not determine the importance of a location and are therefore not decisive criteria for determining whether it is the main location. The main establishment of the processor should be the location of its central administration in the Union or, if it does not have a central administration in the Union, the location of its main processing activities in the Union. Where both the controller and the processor are involved, the supervisory authority of the Member State in which the controller has its main establishment should remain the competent lead supervisory authority, but the supervisory authority of the processor should be considered as an involved supervisory authority and that supervisory authority should participate in the cooperation procedure laid down in this Regulation. In any case, the supervisory authorities of the Member State or Member States in which the processor has one or more establishments should not be considered supervisory authorities concerned when the draft decision concerns only the controller. 
If the processing is carried out by a group of undertakings, the main establishment of the controlling undertaking should be considered to be the main establishment of the group, except if the purposes and means of processing are determined by another undertaking.

(37)

A group of undertakings should consist of a controlling undertaking and its controlled undertakings, where the controlling undertaking is the one that can exercise a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it, or of the power to have personal data protection rules implemented. An undertaking that controls the processing of personal data in undertakings affiliated to it should be regarded, together with those undertakings, as a group of undertakings.

(38)

Children are entitled to specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards involved and of their rights in relation to the processing of personal data. Such specific protection should apply in particular to the use of children's personal data for marketing purposes or for personality or user profiling and the collection of personal data about children when using services provided directly to children. In the context of preventive or counseling services provided directly to a child, the consent of the person with parental responsibility is not required.

(39)

Any processing of personal data should be proper and lawful. It should be transparent to natural persons that personal data concerning them are being collected, used, accessed or otherwise processed and to what extent the personal data are being or will be processed. In accordance with the principle of transparency, information and communications relating to the processing of those personal data should be easily accessible and understandable, and clear and simple language should be used. In particular, that principle concerns informing data subjects of the identity of the controller and the purposes of processing, as well as further information to ensure proper and transparent processing in relation to the natural persons concerned and their right to obtain confirmation and communication of their personal data being processed. Individuals should be made aware of the risks, rules, safeguards and rights related to the processing of personal data, as well as how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed must be explicit, justified and established when the personal data are collected. Personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. In particular, this requires ensuring that the storage period of personal data is kept to a strict minimum. Personal data may be processed only if the purpose of the processing cannot reasonably be achieved by other means. To ensure that personal data are not kept longer than necessary, the controller should set time limits for erasure or periodic review of data. All reasonable measures should be taken to ensure that inaccurate personal data are rectified or erased. Personal data must be processed in a manner that ensures appropriate security and confidentiality of that data, including to prevent unauthorized access to or use of personal data and the equipment used for processing.

(40)

Lawful processing of personal data requires the consent of the data subject or some other legitimate basis laid down by law, either in this Regulation or in other Union or Member State law referred to in this Regulation, including that the processing is necessary for compliance with a legal obligation to which the controller is subject, for the performance of a contract to which the data subject is a party, or for taking steps at the request of the data subject prior to entering into a contract.

(41)

Where reference is made in this Regulation to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to the requirements in accordance with the constitutional order of the Member State concerned. However, that legal basis or legislative measure should be clear and precise, and its application should be predictable for those to whom it applies, as required by the case law of the Court of Justice of the European Union ("Court of Justice") and the European Court of Human Rights.

(42)

If the processing is based on the data subject's consent, the controller must be able to demonstrate that the data subject has given consent to the processing. In particular, in the context of a written statement on another matter, safeguards should ensure that the data subject is aware that he or she is giving consent and of the extent to which it is given. In accordance with Council Directive 93/13/EEC (10), a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language, and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing of the personal data. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

(43)

In order to ensure that consent is freely given, consent should not be a valid legal ground for processing personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority, and this makes it unlikely that consent was freely given in all the circumstances of that specific situation. Consent shall be deemed not to have been freely given if separate consent cannot be given for different personal data processing operations despite the fact that it is appropriate in the individual case, or if the performance of a contract, including the provision of a service, depends on the consent despite the fact that such consent is not necessary for such performance.

(44)

Processing necessary in the context of a contract or proposed contract must be lawful.

(45)

If the processing is carried out because the controller is required to do so by law or if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law. This Regulation does not require specific legislation for each individual processing operation. It is sufficient to have legislation as a basis for several processing operations based on a legal obligation incumbent on the controller, or for processing which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. It should also be Union or Member State law that determines the purpose of the processing. Furthermore, that law could further define the general conditions of this Regulation that personal data processing must fulfil in order to be lawful, and lay down specifications for determining the controller, the type of personal data processed, the data subjects, the entities to which the personal data may be disclosed, the purpose limitation, the storage period, and other measures to ensure lawful and proper processing. Union or Member State law should also determine whether the controller entrusted with a task in the public interest or in the exercise of official authority should be a public authority or other person governed by public law or, where justified for reasons of public interest, including health purposes such as public health, social protection and the management of health care services, a person governed by private law, such as a professional association.

(46)

The processing of personal data should also be considered lawful if it is necessary for the protection of an interest vital to the life of the data subject or of another natural person. Processing of personal data based on the vital interest for another natural person is in principle only permissible if the processing clearly cannot be based on any other legal ground. Some types of personal data processing may serve overriding reasons of public interest as well as the vital interests of the data subject, for example when the processing is necessary for humanitarian purposes, including for monitoring an epidemic and its spread or in humanitarian emergencies, in particular natural or man-made disasters.

(47)

The legitimate interests of a controller, including those of a controller to whom the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or fundamental rights and freedoms of the data subject are not overridden, taking into account the reasonable expectations of the data subject based on their relationship with the controller. Such a legitimate interest may be present, for example, where there is a relevant and appropriate relationship between the data subject and the controller, in situations where the data subject is a customer or is employed by the controller. In any case, a careful assessment is required to determine whether a legitimate interest exists, as well as to determine whether a data subject can reasonably expect, at the time and in the context of the collection of the personal data, that processing can be carried out for that purpose. In particular, the interests and fundamental rights of the data subject may outweigh the interest of the controller when personal data are processed in circumstances where data subjects do not reasonably expect further processing. Since it is up to the legislature to create the legal basis for personal data processing by public authorities, that legal basis should not apply to processing by public authorities in the performance of their duties. The processing of personal data strictly necessary for fraud prevention is also a legitimate interest of the controller in question. The processing of personal data for the purpose of direct marketing may be considered as carried out for the purpose of a legitimate interest.

(48)

Controllers that are part of a group or a group of institutions affiliated to a central body may have a legitimate interest in the transfer of personal data within the group for internal administrative purposes, including the processing of personal data of customers or employees. The general principles governing the transfer of personal data, within a group, to a company established in a third country remain unaffected.

(49)

The processing of personal data to the extent strictly necessary and proportionate for network and information security purposes, i.e. that a network or information system resists, at a given level of confidentiality, incidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of personal data stored or transmitted, and the security of related services provided by or accessed through these networks and systems, by government agencies, computer emergency response teams, computer security incident response teams, providers of electronic communications networks and services, and providers of security technology and services, constitutes a legitimate interest of the controller in question. For example, there may be a need to prevent unauthorized access to electronic communications networks and the spread of malicious code, as well as to stop denial of service attacks and damage to computers and electronic communications systems.

(50)

The processing of personal data for purposes other than those for which the personal data were originally collected may be permitted only if the processing is compatible with the purposes for which the personal data were originally collected. In this case, no separate legal basis other than the one under which the collection of personal data was authorized is required. If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union law or Member State law may determine and specify the tasks and purposes for which further processing is to be considered lawful and compatible with the initial purposes. Further processing for archiving in the public interest, scientific or historical research or statistical purposes should be considered lawful processing compatible with the initial purposes. The provision of Union or Member State law that serves as a legal basis for processing personal data may also serve as a legal basis for further processing. To determine whether a purpose of further processing is compatible with the purpose for which the personal data were initially collected, the controller, after complying with all the requirements for lawfulness of the original processing, must consider, inter alia: any link between those purposes and the purposes of the intended further processing; the context in which the data were collected, in particular the reasonable expectations of the data subjects based on their relationship with the controller regarding their further use; the nature of the personal data; the impact of the intended further processing on the data subjects; and appropriate safeguards in both the original and the intended further processing.

Where the data subject has given his consent or where the processing is based on Union law or Member State law which constitutes a necessary and proportionate measure in a democratic society, in particular for the safeguard of important public interest objectives, the controller should be allowed to further process the personal data regardless of whether or not it is compatible with the purposes. In any case, it should be ensured that the principles contained in this Regulation are applied and that the data subject is informed in particular of such other purposes and of his rights, including the right to object. The identification of possible criminal offences or threats to public security by the controller and the transmission of the relevant personal data in individual cases or in several cases involving the same criminal offence or threats to public security to a competent authority should be considered to be in the legitimate interest of the controller. However, the transfer in the legitimate interest of the controller or the further processing of personal data should be prohibited if the processing is not compatible with a legal, professional or otherwise binding obligation of confidentiality.

(51)

Personal data which by their nature are particularly sensitive as regards fundamental rights and freedoms deserve specific protection since the context of their processing is likely to present significant risks to fundamental rights and freedoms. Such personal data should include personal data revealing racial or ethnic origin, whereby the use of the term "race" in this Regulation does not imply that the Union accepts theories aimed at establishing the existence of different human races. The processing of photographs should not be systematically considered as processing special categories of personal data, since photographs fall within the definition of biometric data only when they are processed by certain technical means that allow the unique identification or authentication of a natural person. Such personal data should not be processed unless the processing is permitted in specific cases listed in this Regulation, taking into account that specific data protection provisions may be introduced in Member States' legislation in order to adapt the application of the rules of this Regulation for the fulfilment of a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition to the specific rules for such processing, the general principles and other rules of this Regulation should be applied, in particular as regards the conditions for lawful processing. Among other things, explicit provision should be made for derogations from the general prohibition on the processing of those special categories of personal data where the data subject gives his or her explicit consent or in the event of specific needs, in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations whose aim is to enable the exercise of fundamental freedoms.

(52)

Derogation from the prohibition on processing special categories of personal data should also be possible, where provided for by Union or Member State law and subject to appropriate safeguards for the protection of personal data and other fundamental rights, where it is in the public interest, in particular for the processing of personal data in the field of employment and social protection law, including pensions, and for purposes of health security, surveillance and alert, prevention or control of communicable diseases and other serious health threats. Such a derogation may be provided for health purposes, such as public health and the management of health care services, in particular to ensure the quality and cost-effectiveness of the procedures for processing claims for health insurance benefits and services, for archiving in the public interest, scientific or historical research or statistical purposes. A derogation must also provide for the processing of such personal data if necessary for the establishment, exercise or substantiation of a legal claim, in judicial proceedings or in administrative or extrajudicial proceedings.

(53)

Special categories of personal data requiring enhanced protection may be processed for health purposes only if necessary to achieve those purposes in the interests of natural persons and society as a whole, in particular in the management of health care services and systems or social services and systems, including the processing by managing authorities and central national health authorities of such data for quality control purposes, management information and general national and local supervision of the healthcare system or social services system, and in ensuring continuity of healthcare or social services and cross-border healthcare or for health security, surveillance and alert purposes or for archiving in the public interest, scientific or historical research or statistical purposes based on Union or Member State law which must meet a public interest objective, as well as for public health studies. Therefore, this Regulation should provide for harmonized conditions for the processing of special categories of personal data concerning health, in case of specific needs, in particular if such data are processed for certain health purposes by persons bound by legal professional secrecy. Union or Member State law should provide for specific and appropriate measures for the protection of fundamental rights and personal data of natural persons. Member States should be allowed to maintain or introduce other conditions, including restrictions, relating to the processing of genetic, biometric or health data. However, where such conditions apply to the cross-border processing of these personal data, this should not constitute an obstacle to the free movement of data within the Union.

(54)

For reasons of public interest in the area of public health, it may be necessary to process special categories of personal data without the consent of the data subject. Such processing should be subject to appropriate and specific measures to protect the rights and freedoms of natural persons. In this context, "public health" according to the definition of Regulation (EC) No 1338/2008 of the European Parliament and of the Council (11) should be interpreted as all elements related to health, namely health status, including morbidity and disability, the determinants having an impact on that health status, health care needs, health care resources, the provision of and universal access to health care, as well as health care expenditure and financing, and causes of death. Such processing of personal data on health for reasons of public interest should not result in personal data being processed by third parties such as employers, or insurance companies and banks for other purposes.

(55)

Moreover, the processing of personal data by public authorities to achieve objectives of officially recognized religious associations established by constitutional law or international law is carried out on the grounds of public interest.

(56)

If, in election activities, the proper functioning of democracy in a Member State requires political parties to collect personal data on the political views of individuals, the processing of such data may be permitted on public interest grounds, subject to the adoption of appropriate safeguards.

(57)

If the personal data it processes do not allow a controller to identify a natural person, the controller may not be required, for the sole purpose of complying with any provision of this Regulation, to obtain additional data in order to identify the data subject. However, the controller should not refuse to accept the additional data provided by the data subject in support of the exercise of their rights. The identity of the data subject should also be established digitally, for example by using the same personal security data, used by the data subject for logging on to the online service offered by the data processor.

(58)

In accordance with the principle of transparency, information addressed to the public or to the data subject should be concise, easily accessible and understandable and should use clear and simple language and, where appropriate, supplementary visualization. Such information may be provided electronically, such as when addressed to the public, via a website. This applies in particular to situations where, due to both the large number of actors and the technological complexity of the practice, it is difficult for a data subject to know and understand whether, by whom and for what purpose their personal data are collected, such as in the case of online advertisements. Since children deserve specific protection, when the processing is specifically addressed to a child, the information and communication should be in such clear and simple language that the child can easily understand it.

(59)

Arrangements should be in place to enable data subjects to exercise their rights under this Regulation more easily, such as mechanisms to request, in particular, access and rectification or erasure of personal data and, where applicable, to obtain them free of charge, as well as to exercise the right to object. The controller should also provide means to make requests electronically, especially when personal data are processed electronically. The controller should be obliged to respond to a data subject's request without delay and at the latest within one month, and to provide reasons for any intended refusal to comply with such requests.

(60)

In accordance with the principles of fair and transparent processing, the data subject should be informed of the fact that processing is taking place and of its purposes. The controller should provide the data subject with the further information necessary to ensure fair and transparent processing vis-à-vis the data subject, taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject must be informed of the existence of profiling and its consequences. If the personal data must be obtained from the data subject, the data subject must be informed whether he is obliged to provide the personal data and the consequences of not providing the data. Such information may be provided by means of standardized icons in order to convey in a readily visible, understandable and clearly legible manner the meaning of the intended processing. Electronically displayed icons must be machine-readable.

(61)

The information about the processing of personal data concerning the data subject should be communicated to him when the data are collected from the data subject or, if the data have been obtained from another source, within a reasonable time depending on the circumstances of the case. Where the personal data may lawfully be disclosed to another recipient, the data subject shall be informed when the personal data are first disclosed to the recipient. Where the controller intends to process the personal data for a purpose other than that for which it was collected, the controller must provide the data subject with information about that other purpose and other necessary information prior to such further processing. Where the origin of the personal data cannot be disclosed to the data subject because different sources have been used, general information must be provided.

(62)

Nevertheless, it is not necessary to impose the obligation to provide information where the data subject already has the information, where the recording or communication of personal data is expressly required by law, or where the provision of information to the data subject proves impossible or would involve disproportionate effort. The latter could in particular be the case when processing for archiving in the public interest, scientific or historical research or statistical purposes. In this context, the number of data subjects concerned, the age of the data and the appropriate safeguards may be taken into account.

(63)

A data subject should have the right to access personal data collected about him, and to exercise that right easily and at reasonable intervals, in order to be informed of the processing and to verify its lawfulness. This also implies that data subjects should have the right to access their personal data concerning their health, such as the data in their medical records, which contain information on, for example, diagnoses, examination results, assessments by treating physicians and treatments or procedures performed. Every data subject should therefore have the right to know and be informed of the purposes for which the personal data are processed, if possible how long they are kept, who receives the personal data, the logic behind any automatic processing of the personal data and, at least when the processing is based on profiling, the consequences of such processing. If possible, the controller should be able to provide remote access to a secure system on which the data subject can directly access his personal data. That right should not infringe on the rights or freedoms of others, including trade secrets or intellectual property and, in particular, the copyright that protects software. However, these considerations should not result in the data subject being deprived of all information. Where the controller processes a large amount of data relating to the data subject, it should be able to request the data subject to specify, prior to the provision of information, the information or processing activities to which the request relates.

(64)

The controller shall take all reasonable steps, particularly with respect to online services and online identifiers, to verify the identity of a data subject who requests access. A controller should not retain personal data solely for the purpose of responding to any requests.

(65)

A data subject should have the right to have personal data concerning them rectified and should have a "right to oblivion" where the retention of such data infringes this Regulation or Union or Member State law applicable to the controller. Specifically, data subjects should have the right to have their personal data erased and not processed further where the personal data are no longer necessary for the purposes for which they were collected or otherwise processed, where data subjects have withdrawn their consent or objected to the processing of their personal data, or where the processing of their personal data does not comply with this Regulation in any other respect. That right is particularly relevant where the data subject gave consent as a child, when they were not yet fully aware of the processing risks, and later wishes to delete such personal data, especially from the Internet. The data subject should be able to exercise that right notwithstanding the fact that he is no longer a child. However, it should be lawful to retain personal data for a longer period when necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, for reasons of public health, for archiving in the public interest, scientific or historical research or statistical purposes or for the establishment, exercise or substantiation of legal claims.

(66)

To strengthen the right to oblivion in the online environment, the right to erasure should be extended by requiring the controller that has disclosed personal data to inform the controllers processing that personal data that the data subject has requested the erasure of links to, or copies or reproductions of, that personal data. In doing so, that controller shall take reasonable measures, including technical measures, taking into account the technology and resources available to it, to inform the controllers processing the personal data of the data subject's request.

(67)

Methods to restrict the processing of personal data could include temporarily transferring the selected personal data to another processing system, making the selected data unavailable to users, or temporarily removing published data from a website. In automated files, in principle, technical means should ensure that the processing of personal data is restricted in such a way that the personal data cannot be further processed and cannot be altered. The fact that the processing of personal data is restricted must be clearly indicated in the file.

(68)

To further strengthen the control over their own data, where personal data are processed by automated processes, data subjects should also have the possibility to obtain the personal data concerning them that they have provided to a controller in a structured, commonly used, machine-readable and interoperable format and to transmit it to another controller. Controllers should be encouraged to develop interoperable formats that allow data portability. This right should apply where the data subject has provided the personal data by giving consent or where the processing is necessary for the performance of a contract. This right should not apply when the processing is based on a legal ground other than consent or a contract. By its nature, this right should not be exercised against controllers processing personal data in the exercise of their public tasks. Therefore, this right should not apply if the processing of personal data is necessary for the fulfilment of a legal obligation incumbent on the controller, for the performance of a task carried out in the public interest or in the exercise of public authority vested in the controller. The right of the data subject to transmit or receive personal data concerning him shall not create an obligation for the controller to set up or maintain technically compatible data processing systems. Where a particular set of personal data concerns more than one data subject, the right to receive the personal data should not affect the rights and freedoms of other data subjects in accordance with this Regulation. Furthermore, this right should not interfere with the data subject's right to have their personal data erased or with the limitations placed on that right in this Regulation, and in particular should not include the erasure of personal data relating to them that the data subject has provided in performance of a contract to the extent and for as long as the personal data are necessary for the performance of that contract. To the extent technically feasible, the data subject should have the right to obtain the transfer of data directly from one controller to another.

(69)

Where personal data may lawfully be processed because the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or on the basis of the legitimate interests of a controller or a third party, a data subject should nevertheless be able to object to the processing of data relating to his specific situation. The controller must demonstrate that its compelling legitimate interests override the interests or fundamental rights and freedoms of the data subject.

(70)

Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing at any time and free of charge, including in the case of profiling insofar as it relates to direct marketing, whether it is an initial or a further processing. This right must be explicitly brought to the attention of the data subject in a clear manner and separated from other information.

(71)

The data subject should have the right not to be subject to a decision based solely on automated processing, which may include a measure, evaluating personal aspects relating to him or her, which produces legal effects concerning him or her or significantly affects him or her in a similar way, such as the automatic refusal of a credit application submitted online or of processing of job applications over the Internet without human intervention. Processing of this kind includes "profiling", which consists of the automated processing of personal data for the purpose of evaluating personal aspects relating to a natural person, in particular in order to analyze or predict characteristics relating to that person's performance at work, economic situation, health, personal preferences or interests, reliability or behavior, location or movements, where such processing produces legal effects concerning him or her or significantly affects him or her in a similar way. However, decision-making based on such processing, including profiling, should be possible when expressly permitted by Union or Member State law applicable to the controller, including for the purposes of monitoring and preventing tax fraud and evasion in accordance with regulatory standards and recommendations of Union institutions or national oversight competent bodies, and in order to ensure the security and reliability of a service provided by the controller, or necessary for the conclusion or performance of a contract between the data subject and a controller, or where the data subject has given his or her express consent. In any case, such processing must be subject to appropriate safeguards, including specific information to the data subject and the right to human intervention, to make his or her point of view known, to obtain an explanation of the decision taken after such assessment, and to challenge the decision. Such action may not involve a child.

In order to ensure proper and transparent processing for the data subject, taking into account the concrete circumstances and context in which the personal data are processed, the controller should apply appropriate mathematical and statistical procedures for profiling and implement technical and organizational measures which correct factors giving rise to inaccuracies in personal data and minimize the risk of error, and store personal data in a way that takes into account the potential risks to the interests and rights of the data subject and, inter alia, prevents any such processing from having discriminatory effects on natural persons on grounds of racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or health status, or sexual orientation, or effects that would result in measures having a similar effect. Automated decision-making and profiling based on special categories of personal data may be permitted only under specific conditions.

(72)

Profiling is subject to the rules of this Regulation relating to the processing of personal data, for example, the legal grounds for processing or data protection principles. The European Data Protection Board established by this Regulation (the "Board") should be given the possibility to issue guidelines in that regard.

(73)

Union or Member State law may lay down restrictions on the specific principles and rights to information, access and rectification or erasure of data, the right to data portability, the right to object, as well as on decisions based on profiling, on the notification to the data subject of a personal data breach and certain related obligations of controllers, in so far as is necessary and proportionate in a democratic society for the protection of public security, including the protection of human life and, in particular, in cases of natural or man-made disasters, for the prevention, investigation and prosecution of criminal offences or the execution of criminal penalties, including for the protection against and prevention of dangers to public safety, or of violations of professional codes for regulated professions, for the protection of other important objectives of general and public interest in the Union or a Member State, in particular a substantial economic or financial interest of the Union or a Member State, for the keeping of public records necessary for reasons of public interest, for the further processing of archived personal data in order to obtain specific information on political behavior under former totalitarian regimes or for the protection of the data subject or the rights and freedoms of others, including social protection, public health and humanitarian purposes. These restrictions must be in line with the requirements of the Charter and the European Convention for the Protection of Human Rights and Fundamental Freedoms.

(74)

The responsibility and liability of the controller should be established for any processing of personal data carried out by it or on its behalf. In particular, the controller should be required to implement appropriate and effective measures and be able to demonstrate that any processing activity is carried out in accordance with this Regulation, including as regards the effectiveness of the measures. Such measures should take into account the nature, scope, context and purpose of the processing and the risk to the rights and freedoms of natural persons.

(75)

The risk to the rights and freedoms of natural persons, varying in probability and gravity, may arise from personal data processing that may result in serious physical, material or immaterial harm, in particular: where the processing may result in discrimination, identity theft or fraud, financial losses, reputational damage, loss of confidentiality of personal data protected by professional secrecy, unauthorized undoing of pseudonymization, or any other significant economic or social harm; where data subjects are unable to exercise their rights and freedoms or are prevented from exercising control over their personal data; when processing personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and when processing genetic data or data on health or sexual behavior or criminal convictions and offenses or related security measures; when personal aspects are evaluated, in particular to analyze or predict job performance, economic situation, health, personal preferences or interests, reliability or behavior, location or movements, in order to create or use personal profiles; when personal data of vulnerable natural persons, especially children, are processed; or when the processing involves a large amount of personal data and affects a large number of data subjects.

(76)

The likelihood and seriousness of the risk to the rights and freedoms of the data subject must be determined with reference to the nature, scope, context and purposes of the processing. The risk should be evaluated on the basis of an objective assessment which establishes whether the processing operations involve a risk or a high risk.

(77)

Guidance on the implementation of appropriate measures, and for demonstrating the controller's or processor's compliance, in particular as regards the identification of the risk associated with the processing, the assessment of its origin, nature, likelihood and seriousness, and the identification of best practices to mitigate the risk, may be provided in particular through approved codes of conduct, approved certifications, guidelines issued by the Board or guidance issued by a data protection officer. The Board may also issue guidelines with respect to processing operations that are not likely to result in a high risk to the rights and freedoms of natural persons, and specify the measures sufficient to address that risk in that case.

(78)

To protect the rights and freedoms of natural persons with regard to the processing of personal data, appropriate technical and organizational measures are necessary to ensure compliance with the requirements of this Regulation. To demonstrate compliance with this Regulation, the controller should implement internal policies and measures that comply in particular with the principles of data protection by design and data protection by default. Such measures may include minimizing the processing of personal data, pseudonymizing personal data as soon as possible, transparency regarding the functions and processing of personal data, enabling the data subject to exercise control over information processing, and enabling the controller to create and enhance security features. In the development, elaboration, selection and use of applications, services and products that are based on the processing of personal data, or that process personal data in the performance of their tasks, the producers of the products, services and applications should be encouraged to take into account the right to protection of personal data when developing and elaborating such products, services and applications and, taking into account the state of the art, to ensure that controllers and processors are able to comply with their data protection obligations. The principles of data protection by design and data protection by default should also be taken into account in public procurement.

(79)

The protection of the rights and freedoms of data subjects, and the responsibility and liability of controllers and processors, including as regards monitoring by and measures of supervisory authorities, require that the responsibilities established by this Regulation be clearly allocated, including where the controller determines the purposes and means of processing jointly with other controllers, or where processing is carried out on behalf of a controller.

(80)

Where a controller or processor not established in the Union processes personal data of data subjects located in the Union, and the processing is related to the offering of goods or services - regardless of whether a payment by the data subjects is required - to those data subjects located in the Union or to the monitoring of their conduct in the Union, the controller or processor shall designate a representative unless the processing is occasional, does not involve the large-scale processing of special categories of personal data or of personal data relating to criminal convictions and offences, and is unlikely to present a risk to the rights and freedoms of natural persons in view of the nature, context, scope and purposes of the processing, or unless the controller is a public authority or body. The representative must act on behalf of the controller or processor and may be contacted by any supervisory authority. The representative should be expressly designated by a written mandate from the controller or processor to act on their behalf with respect to its obligations under this Regulation. The appointment of such representative shall not affect the responsibility or liability of the controller or processor under this Regulation. Such representative shall perform its duties in accordance with the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with respect to any action taken to comply with this Regulation. In case of non-compliance by the controller or processor, the designated representative should be subject to enforcement proceedings.

(81)

In order to ensure that the requirements of this Regulation are met in relation to the processing to be carried out by the processor on behalf of the controller, the controller, when entrusting processing operations to a processor, should only use processors that provide sufficient guarantees, in particular in terms of competence, reliability and resources, to ensure that the technical and organizational measures comply with the requirements of this Regulation, including as regards security of processing. The fact that the processor adheres to an approved code of conduct or certification scheme may be used as an element to demonstrate compliance with the obligations of the controller. The performance of the processing by a processor should be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller, which should specify the subject matter and duration of the processing, the nature and purposes of the processing, the type of personal data and the categories of data subjects, and should take into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk in relation to the rights and freedoms of the data subject. The controller and the processor may opt for the use of an individual contract or standard contractual clauses, to be adopted either directly by the Commission or by a supervisory authority under the consistency mechanism and then by the Commission. Upon completion of the processing on behalf of the controller, the processor shall, at the controller's choice, return or erase the personal data, unless Union law or Member State law applicable to the processor imposes an obligation to store the personal data.

(82)

In order to demonstrate compliance with this Regulation, the controller or processor should keep a register of processing activities that have taken place under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and provide this register on request with a view to its use for monitoring processing activities.

(83)

In order to ensure security and to prevent processing in breach of this Regulation, the controller or processor should assess the risks inherent in the processing and implement measures, such as encryption, to mitigate those risks. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the implementation costs compared to the risks and the nature of the personal data to be protected. In assessing data security risks, consideration should be given to risks arising from personal data processing, such as the destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, data transmitted, stored or otherwise processed, whether accidental or unlawful, which may result in particular in physical, material or immaterial damage.

(84)

In order to improve compliance with this Regulation where processing is likely to present high risks to the rights and freedoms of natural persons, the controller or processor should be responsible for carrying out a data protection impact assessment to evaluate in particular the origin, nature, specificity and seriousness of that risk. The result of the assessment should be taken into account in determining the appropriate measures to be taken to demonstrate compliance with this Regulation when processing personal data. Where a data protection impact assessment reveals that processing involves a high risk that cannot be mitigated by the controller by measures that are reasonable in view of the technology available and the costs of implementation, a consultation of the supervisory authority should take place prior to the processing.

(85)

A personal data breach, if not addressed in a timely and appropriate manner, may result in physical, material or immaterial harm to natural persons, such as loss of control over their personal data or the restriction of their rights, discrimination, identity theft or fraud, financial losses, unauthorized undoing of pseudonymization, reputational damage, loss of confidentiality of personal data protected by professional secrecy, or any other significant economic or social harm to the natural person concerned. Therefore, as soon as the controller becomes aware that a personal data breach has occurred, the controller must notify the supervisory authority of the personal data breach without undue delay and, where possible, not more than 72 hours after becoming aware of it, unless the controller can demonstrate, in accordance with the principle of accountability, that the breach is unlikely to pose risks to the rights and freedoms of natural persons. Where such notification cannot be achieved within 72 hours, the notification shall be accompanied by an explanation for the delay and the information may be provided in stages without unreasonable further delay.

(86)

The data controller must notify the data subject of the personal data breach without unreasonable delay when the personal data breach is likely to result in significant risks to the rights and freedoms of the natural person, so that the data subject can take the necessary precautions. The notification should include both the nature of the personal data breach and recommendations on how the natural person concerned can mitigate possible negative consequences. Such notifications to data subjects should be made as soon as reasonably possible, in close cooperation with the supervisory authority and taking into account guidance provided by it or by other relevant authorities, such as law enforcement authorities. For example, data subjects should be notified promptly when an immediate risk of harm needs to be mitigated, while a longer notification period may be justified when appropriate measures need to be taken against persistent or similar personal data breaches.

(87)

It should be verified that all appropriate technical and organizational measures have been taken to determine whether a personal data breach has occurred and to notify the supervisory authority and the data subject without undue delay. The fact that the notification was made without unreasonable delay must be established, taking into account in particular the nature and seriousness of the personal data breach and the consequences and negative effects for the data subject. Such notification may result in the supervisory authority acting in accordance with its duties and powers set forth in this Regulation.

(88)

In establishing detailed rules on the method and procedures for reporting personal data breaches, due consideration should be given to the circumstances of that breach, including whether or not the personal data had been protected by adequate technical measures that limited the likelihood of identity fraud or other forms of misuse. Moreover, such rules and procedures should take into account the legitimate interests of law enforcement authorities where early disclosure would unnecessarily hamper the investigation of the circumstances of a personal data breach.

(89)

Directive 95/46/EC provided for a general obligation to notify the processing of personal data to the supervisory authorities. That obligation results in administrative and financial burdens, but has not contributed in all cases to better protection of personal data. Those undifferentiated general notification obligations should therefore be abolished and replaced by effective procedures and mechanisms targeted at the types of processing operations which, by their nature, scope, context and purposes, are likely to present significant risks to the rights and freedoms of natural persons. Such processing operations may be those that use new technologies in particular, or those that are of a new type and where there has been no prior data protection impact assessment by the controller, or when they become necessary in view of the time that has elapsed since the initial processing.

(90)

In such cases, the controller should conduct a data protection impact assessment prior to the processing to assess the specific likelihood and severity of the major risks, taking into account the nature, scope, context and purposes of the processing and the sources of the risks. In particular, this impact assessment should consider the measures, safeguards and mechanisms planned to mitigate that risk, protect personal data and demonstrate compliance with this Regulation.

(91)

This should apply in particular to large-scale processing operations intended to process a considerable amount of personal data at regional, national or supranational level, which could affect a large number of data subjects and which, for example, because of their sensitive nature, are likely to present a high degree of risk, when a new technology is used on a large scale in accordance with the level of technological knowledge achieved, as well as to other processing operations which present a high degree of risk to the rights and freedoms of data subjects, in particular when data subjects find it more difficult to exercise their rights as a result of such processing operations. A data protection impact assessment should also be made when personal data are processed for the purpose of making decisions regarding specific natural persons following a systematic and comprehensive assessment of personal aspects of natural persons based on the profiling of such data, or following the processing of special categories of personal data, biometric data, or data relating to criminal convictions and offences or related security measures. A data protection impact assessment is also necessary for the large-scale monitoring of publicly accessible areas, in particular when optical-electronic devices are used, or for all other processing operations when the competent supervisory authority considers that they are likely to present a high risk to the rights and freedoms of data subjects, in particular because data subjects are prevented from exercising a right or from having recourse to a service or a contract as a result of these processing operations, or because these processing operations are carried out systematically on a large scale. The processing of personal data should not be considered large-scale processing if it involves the processing of personal data of patients or clients by an individual doctor, another healthcare professional or by a lawyer. In those cases, a data protection impact assessment should not be required.

(92)

Under certain circumstances, it may be reasonable and useful for the data protection impact assessment not to be limited to a single project, for example, when public authorities or bodies want to establish a common application or processing platform or when multiple controllers intend to implement a common application or processing environment across an entire industry, or segment thereof, or across a common horizontal activity.

(93)

In the context of determining the Member State law on which the performance of the tasks of the public authority or body is based, and which regulates the specific processing operation or set of processing operations, Member States may deem it necessary to carry out such an assessment prior to the start of processing.

(94)

Where a data protection impact assessment reveals that, in the absence of safeguards, security measures and risk mitigation mechanisms, the processing would present a high risk to the rights and freedoms of natural persons, and the controller considers that it is not possible to mitigate that risk by measures which are reasonable in view of the available technology and implementation costs, the supervisory authority should be consulted before the processing is initiated. Such a high risk is likely to occur for certain types of personal data processing and the scope and frequency of the processing, which may result in damage or harm to the rights and freedoms of natural persons. The supervisory authority must respond to the request for consultation within a specified period of time. However, the absence of a response from the supervisory authority within that period should be without prejudice to any action by the supervisory authority in accordance with its duties and powers set out in this Regulation, including the power to prohibit processing operations. As part of that consultation procedure, the result of a data protection impact assessment carried out for the processing in question may be submitted to the supervisory authority, in particular as regards the measures envisaged to mitigate the risk to the rights and freedoms of natural persons.

(95)

The processor should assist the controller, where necessary and upon request, to ensure compliance with the obligations pursuant to the performance of data protection impact assessments and prior consultation of the supervisory authority.

(96)

The supervisory authority should also be consulted during the preparation of a legislative or regulatory measure involving the processing of personal data, in order to ensure the compliance of the intended processing with this Regulation, and in particular to mitigate the risks involved for data subjects.

(97)

If the processing is carried out by a public authority, with the exception of courts or independent judicial authorities acting within the scope of their judicial duties, or if in the private sector the processing is carried out by a controller whose core task is to carry out processing activities that require large-scale regular and systematic observation of data subjects, or if the core task of the controller or processor is large-scale processing of special categories of personal data and data relating to criminal convictions and offenses, a person with expert knowledge of data protection laws and practices should assist the controller or processor in monitoring internal compliance with this Regulation. In the private sector, the core functions of a controller relate to its main activities and not to the processing of personal data as an ancillary activity. In particular, the level of expertise required should be determined by the data processing activities carried out and the protection required for the data processed by the controller or processor. Such data protection officers should be able to perform their duties and obligations independently, regardless of whether they are employed by the controller.

(98)

Associations and other bodies representing categories of controllers or processors should be encouraged to draw up codes of conduct, within the limits of this Regulation, to promote the effective implementation of this Regulation, taking into account the specific nature of processing in some sectors and the specific needs of micro, small and medium-sized enterprises. In particular, these codes of conduct could be the benchmark for the obligations of controllers and processors, taking into account the risks to the rights and freedoms of natural persons associated with processing.

(99)

When drafting a code of conduct, or amending or extending such a code, associations and other bodies representing categories of controllers or processors should consult with relevant stakeholders, including, where possible, data subjects, and take into account contributions and views resulting from such consultations.

(100)

In order to strengthen transparency and compliance with this Regulation, the establishment of certification mechanisms and data protection seals and marks should be promoted so that data subjects can quickly assess the level of data protection of relevant products and services.

(101)

Movement of personal data to and from countries outside the Union and international organizations is necessary for the development of international trade and cooperation. The growth of this traffic raises new challenges and concerns for the protection of personal data. However, transfers of personal data from the Union to controllers, processors or other recipients in third countries or international organizations should not compromise the level of protection that natural persons in the Union are assured by this Regulation, including in cases of onward transfers of personal data from the third country or international organization to controllers, processors in the same or another third country or in the same or another international organization. In any case, transfers to third countries and international organizations may only take place in full compliance with this Regulation. A transfer may take place only if the controller or processor, subject to the other provisions of this Regulation, complies with the provisions of this Regulation regarding the transfer of personal data to third countries or international organizations.

(102)

This Regulation is without prejudice to international agreements concluded between the Union and third countries to regulate the transfer of personal data and providing for appropriate safeguards for data subjects. Member States may conclude international agreements on the transfer of personal data to third countries or international organizations, provided that such agreements are without prejudice to this Regulation or other provisions of Union law and provide for an adequate level of protection of the fundamental rights of data subjects.

(103)

The Commission may decide, with legal effect throughout the Union, that a third country, a territory or a well-defined sector within a third country, or an international organization affords an adequate level of data protection, thereby providing legal certainty and uniformity throughout the Union with respect to the third country or international organization deemed to afford such a level of protection. In such cases, personal data may be transferred to that third country or international organization without further consent being necessary. The Commission may also decide, after informing the third country or international organization and providing a full explanation of its rationale, to revoke such a decision.

(104)

In line with the fundamental values on which the Union is founded, in particular the protection of human rights, the Commission, in its assessment of the third country or of a territory or a specific processing sector within a third country, should consider the extent to which the rule of law, access to justice and international human rights standards and rules are respected in the third country, and should take into account the general and sectoral legislation, including public security, defense and national security and public order and criminal law, of the country. When establishing an adequacy decision (decision declaring the level of protection adequate) for a territory or a specific sector in a third country, clear and objective criteria should be established, such as specific processing activities and the scope of applicable legal standards and legislation in the third country. The third country should undertake to ensure an adequate level of protection, in fact equivalent to that ensured in the Union, especially when personal data are processed in one or more specific sectors. In particular, the third country should ensure effective and independent data protection supervision and cooperation mechanisms with the data protection authorities of the Member States. Furthermore, data subjects should be provided with effective and enforceable rights and effective administrative and judicial redress.

(105)

In addition to the international obligations assumed by the third country or international organization, the Commission should take into account the obligations arising from the participation of the third country or international organization in multilateral or regional arrangements, in particular as regards the protection of personal data, as well as the implementation of these obligations. In particular, account should be taken of the third country's accession to the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data and its Additional Protocol. When assessing the level of protection in third countries or international organizations, the Commission should consult with the Board.

(106)

The Commission should monitor the functioning of adequacy decisions adopted under Article 25(6) or 26(4) of Directive 95/46/EC in a third country, a territory or a specific sector within a third country or an international organization. The Commission should include in its adequacy decisions declaring the level of protection to be adequate a periodic review mechanism for its functioning. That periodic review should be conducted in consultation with the third country or international organization concerned and should take into account any relevant developments in the third country or international organization. For the purpose of monitoring and conducting the periodic reviews, the Commission should take into account the views and findings of the European Parliament and of the Council, as well as other relevant organizations and sources. The Commission should, within a reasonable time, review the functioning of the latter decisions and report any relevant findings to the Committee within the meaning of Regulation (EU) No 182/2011 of the European Parliament and of the Council (12) as established under this Regulation, to the European Parliament and to the Council.

(107)

The Commission may determine that a third country, a territory or a particular sector of processing in a third country, or an international organization no longer ensures an adequate level of protection. The transfer of personal data to that third country or international organization should then be prohibited unless the requirements of this Regulation regarding transfers subject to appropriate safeguards, including binding corporate rules, and derogations for specific situations are met. Provision should be made for consultation between the Commission and the third countries or international organizations concerned in such cases. The Commission should inform the third country or international organization of its reasons in a timely manner and enter into consultations with the other party to remedy the situation.

(108)

If no adequacy decision has been made, the controller or processor should take measures to remedy the inadequate level of data protection in a third country by means of appropriate safeguards for the data subject. Such appropriate safeguards may include the use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority, or contractual clauses authorized by a supervisory authority. Those safeguards should ensure compliance with data protection requirements and applicable data subjects' rights for processing operations within the Union, including the availability of enforceable data subjects' rights and effective remedies, such as administrative or judicial redress and seeking redress in the Union or in a third country. In particular, they should address compliance with the general principles governing the processing of personal data, the principles of data protection by design and data protection by default. Transfers may also be made by public authorities or bodies with public authorities or bodies in third countries or with international organizations with corresponding tasks and functions, including on the basis of provisions to be included in administrative arrangements, such as a memorandum of understanding with enforceable and usable rights for data subjects. The consent of the competent supervisory authority should be obtained when the safeguards are provided in non-legally binding administrative arrangements.

(109)

The fact that the controller or processor may use standard data protection clauses adopted by the Commission or a supervisory authority should not prevent it from incorporating the standard data protection clauses into a broader contract, such as a contract between the processor and another processor, or from adding other clauses or additional safeguards, provided that they do not directly or indirectly contradict the standard contractual clauses adopted by the Commission or a supervisory authority and do not infringe the fundamental rights or freedoms of data subjects. Controllers and processors should be encouraged to provide further safeguards in addition to the standard data protection clauses through contractual obligations.

(110)

A corporate group or a group of undertakings engaged in a joint economic activity should be able to make use of approved binding corporate rules for its international transfers from the Union to organizations within the same corporate group or group of undertakings engaged in a joint economic activity, provided that they lay down all the essential principles and enforceable rights that provide adequate safeguards with respect to the transfer or categories of transfers of personal data.

(111)

Transfer should be possible in certain cases where the data subject has given his or her express consent, where the transfer is occasional and necessary in relation to a contract or a legal claim, be it for judicial, administrative or extrajudicial proceedings, including proceedings before regulatory authorities. Transfer should also be possible where important grounds of public interest laid down in Union or Member State law so require, or where the transfer is from a register established by law and intended for consultation by the public or persons having a legitimate interest. In the latter case, such a transfer may not include all of the personal data or categories of data contained in that register; where a register is intended for consultation by persons having a legitimate interest, the transfer may be made only at the request of those persons or if the data are intended for them, taking full account of the interests and fundamental rights of the data subject.

(112)

Those derogations should apply in particular to data transfers that are necessary for important reasons of public interest, such as international data exchanges between competition authorities, tax or customs administrations, financial supervisory authorities, services with competence in the area of social security or public health, for example in the case of contact tracing in the context of the fight against infectious diseases or with a view to the reduction and/or elimination of doping in sport. Transfer of personal data should also be considered lawful when it is necessary for the protection of an interest essential to the vital interests of the data subject or another person, including his or her physical integrity or life, if the data subject is unable to give his or her consent. In the absence of an adequacy decision, Union law or Member State law may expressly set limits on the transfer of specific categories of data to a third country or an international organization for important public interest reasons. Member States should communicate such provisions to the Commission. Any transfer to an international humanitarian organization of personal data of a data subject who is physically or legally incapable of giving his or her consent may, if made for the purpose of carrying out a task assigned under the Geneva Conventions or for the purpose of complying with international humanitarian law in armed conflicts, be considered necessary for an important reason of public interest or because it is vital for the data subject.

(113)

Transfers that can be described as non-repetitive and concern only a small number of data subjects should also be possible for the purposes of pursuing compelling legitimate interests of the controller, where the interests or the rights and freedoms of the data subject do not outweigh those interests and where the controller has assessed all the circumstances surrounding the data transfer. The controller shall pay particular attention to the nature of the personal data, the purpose and duration of the proposed processing operation or operations, as well as the situation in the country of origin, the third country and the country of final destination, and must provide appropriate safeguards to protect the fundamental rights and freedoms of natural persons in relation to the processing of their personal data. Such transfers should only be possible in residual cases where the other grounds for transfer do not apply. For the purpose of scientific or historical research or statistical purposes, the legitimate expectation of society to gain knowledge should be taken into account. The controller must inform the supervisory authority and the data subject of the transfer.

(114)

In any case, where the Commission has not decided whether the level of data protection in a third country is appropriate, the controller or processor should make use of means that provide data subjects with enforceable and actionable rights in the Union with respect to the processing of their data, even after the transfer, so that they can continue to enjoy fundamental rights and safeguards.

(115)

Some third countries enact laws, administrative provisions and other legal acts that purport to directly regulate data processing activities of natural and legal persons under the jurisdiction of Member States. These may include court decisions or decisions of administrative bodies of third countries that require the controller or processor to transfer or disclose personal data and are not based on an applicable international agreement, such as a mutual legal assistance treaty, between the requesting third country and the Union or Member State in question. The extraterritorial application of these laws, regulations and other legal acts may be contrary to international law and may impede the protection of natural persons in the Union guaranteed by this Regulation. Transfers should be able to take place only when the conditions for transfers to third countries under this Regulation are met. This may include where disclosure is necessary for a public interest recognised in Union law or in the Member State law of which the controller is a national.

(116)

Cross-border movement of personal data to countries outside the Union may make it more difficult for individuals to exercise their data protection rights, in particular to protect themselves from unlawful use or disclosure of that information. Moreover, it may become impossible for supervisory authorities to handle complaints or conduct investigations regarding activities abroad. In addition, their ability to cooperate across borders may be hampered by inadequate preventive or remedial powers, inconsistent legal frameworks and practical obstacles, such as limited resources. Therefore, closer cooperation between data protection supervisory authorities should be promoted with a view to exchanging information with similar bodies abroad. With a view to developing international cooperation mechanisms to facilitate and provide international mutual assistance in the enforcement of personal data protection law, the Commission and supervisory authorities should exchange information and cooperate with competent authorities in third countries in activities related to the exercise of their competences, on a reciprocal basis and in accordance with this Regulation.

(117)

It is essential for the protection of natural persons with regard to the processing of personal data that a supervisory authority be established in each Member State which is competent to exercise its functions and powers with complete independence. Member States should have the possibility to establish more than one supervisory authority in accordance with their constitutional, organizational and administrative structure.

(118)

The independence of supervisory authorities does not mean that supervisory authorities cannot be subject to control or supervisory mechanisms concerning their financial expenditures or to judicial review.

(119)

Where a Member State establishes multiple supervisory authorities, that Member State should establish by law mechanisms to ensure the effective participation of those supervisory authorities in the consistency mechanism. In particular, the Member State in question should designate the supervisory authority to act as the single point of contact for the effective participation of those authorities in the consistency mechanism, in order to ensure smooth and flexible cooperation with other supervisory authorities, the Committee and the Commission.

(120)

Each supervisory authority should have the financial and human resources and premises and infrastructure necessary to effectively perform its tasks, including those in the context of mutual assistance and cooperation with other supervisory authorities in the Union. Each supervisory authority should have its own public annual budget, which may be part of the general state or national budget.

(121)

The general conditions for the members of the supervisory authority should be laid down by law in each Member State and should, in particular, provide that the members are appointed, through a transparent procedure, either by the parliament, the government or the head of state of the Member State, on a proposal from the government, a member of the government, the parliament or a chamber of the parliament, or by an independent body entrusted for that purpose by Member State law. In order to ensure the independence of the supervisory authority, the members of the supervisory authority should act with integrity, refrain from any action incompatible with their duties and refrain from engaging in any occupation, whether gainful or not, incompatible with their duties during their term of office. The supervisory authority should have its own staff, selected by the supervisory authority or an independent body established by Member State law, which should be exclusively under the direction of the members of the supervisory authority.

(122)

Each supervisory authority should be competent on the territory of its Member State to exercise the powers and tasks conferred on it in accordance with this Regulation. These should include, in particular, processing carried out in the context of the activities of an establishment of the controller or processor on the territory of its own Member State, processing of personal data by public authorities or private bodies acting in the public interest, processing which affects data subjects on its territory, or processing, by a controller or processor not established in the Union, aimed at data subjects residing on its territory. It should also include dealing with complaints lodged by a data subject, evaluating the application of this Regulation and making the general public better aware of the risks, rules, safeguards and rights in relation to the processing of personal data.

(123)

The supervisory authorities should monitor the application of the provisions adopted under this Regulation and contribute to its consistent application throughout the Union, in order to protect natural persons in relation to the processing of their personal data and facilitate the free flow of personal data within the internal market. Therefore, the supervisory authorities should cooperate with each other and with the Commission, without the need for an agreement between Member States on the provision of mutual assistance or such cooperation.

(124)

Where the processing of personal data takes place in the context of the activities of an establishment of a controller or processor in the Union and the controller or processor is established in more than one Member State, or where the processing carried out in the context of the activities of a single establishment of a controller or processor in the Union materially affects or is likely to materially affect data subjects in more than one Member State, the supervisory authority of the main establishment of the controller or processor or of the single establishment of the controller or processor should act as the leading supervisory authority. It should cooperate with the other supervisory authorities concerned, whether because the controller or processor has an establishment on the territory of their Member State, because data subjects residing on their territory are substantially affected, or because a complaint has been lodged with them. Where a non-resident data subject has lodged a complaint, the supervisory authority with which that complaint has been lodged should also become a supervisory authority concerned. As part of its tasks to issue guidelines on questions concerning the application of this Regulation, the Committee should be able to issue guidelines, in particular on the criteria to be taken into account for determining whether the processing in question substantially affects data subjects in more than one Member State, as well as on what constitutes a relevant and substantiated objection.

(125)

The leading supervisory authority should have the power to adopt binding decisions on measures implementing the powers conferred on it under this Regulation. In its capacity as leading supervisory authority, the supervisory authority should closely involve and coordinate the supervisory authorities concerned in the decision-making process. When a decision is taken to reject all or part of the data subject's complaint, that decision should be adopted by the supervisory authority with which the complaint was lodged.

(126)

The decision should be jointly approved by the leading supervisory authority and the supervisory authorities concerned, be addressed to the main establishment or any establishment of the controller or processor and have binding effects on the controller or processor. The controller or processor shall take the necessary measures to comply with this Regulation and to implement the decision communicated by the leading supervisory authority to the main establishment of the controller or processor regarding the processing operations in the Union.

(127)

Each supervisory authority not acting as the leading supervisory authority should be competent to deal with local cases where the controller or processor is established in more than one Member State, but where the subject matter of the specific processing operation concerns only processing carried out in a single Member State and involves only persons from that single Member State, for example where it concerns the processing of personal data of workers in the specific labor market context of a Member State. In such cases, the supervisory authority should notify the leading supervisory authority of the case without delay. After it has been informed, the leading supervisory authority should decide whether to deal with the case under the provision on cooperation between the leading supervisory authority and the other supervisory authorities concerned ("one-stop-shop mechanism") or whether the supervisory authority that has notified it of the case should deal with it at local level. When deciding whether or not to hear the case, the leading supervisory authority should take into account whether or not the controller or processor has an establishment in the Member State of the supervisory authority that notified it, in order to ensure that a decision is effectively enforced against the controller or processor. Where the leading supervisory authority decides to hear the case, the supervisory authority that notified it should have the opportunity to submit a draft decision, and the leading supervisory authority should take the utmost account of that draft when preparing its own draft decision under that one-stop-shop mechanism.

(128)

The rules on the leading supervisory authority and the one-stop shop mechanism should not apply where processing is carried out by public authorities or private bodies in the public interest. In those cases, the supervisory authority of the Member State where the public authority or private body is established should be the sole competent supervisory authority under this Regulation.

(129)

In order to ensure consistent monitoring and uniform enforcement of this Regulation throughout the Union, the supervisory authorities in all Member States should have the same duties and actual powers, including powers to conduct investigations, take remedial measures and impose sanctions, to grant authorisations and issue opinions, in particular in cases of complaints from natural persons, and, without prejudice to the powers conferred on the authorities responsible for prosecution under Member State law, to bring infringements of this Regulation to the attention of the judicial authorities and to initiate judicial proceedings. Such powers should include the power to impose temporary or definitive restrictions on processing, including a ban on processing. Member States may specify other tasks related to the protection of personal data under this Regulation. The powers of supervisory authorities should be exercised in accordance with appropriate procedural safeguards laid down in Union and Member State law, impartially, fairly and within a reasonable time. In particular, any measure should be appropriate, necessary and proportionate for the purpose of complying with this Regulation, taking into account the circumstances of each individual case, respecting the right of every person to be heard before the adoption of any individual measure which would adversely affect them, and avoiding undue expense and inconvenience for the persons concerned. Investigative powers concerning access to premises should be exercised in accordance with the specific requirements of Member State procedural law, such as a mandatory prior judicial authorization. 
Any legally binding measure by the supervisory authority should be in writing, clear and unambiguous, specify the supervisory authority that issued the measure and the date of issuance, be signed by the head or a member of the supervisory authority authorized by the head, contain the reasons for the measure, and refer to the right to an effective remedy. This should not exclude additional rules in accordance with Member State procedural law. The adoption of legally binding decisions implies the possibility of judicial review in the Member State of the supervisory authority that adopted the decision.

(130)

Where the supervisory authority with which the complaint was lodged is not the leading supervisory authority, the leading supervisory authority should cooperate closely with the supervisory authority with which the complaint was lodged in accordance with the provisions of this Regulation on cooperation and coherence. In such cases, the leading supervisory authority should, when taking measures intended to produce legal effects, including the imposition of administrative fines, take the utmost account of the position of the supervisory authority with which the complaint was lodged, which should remain competent, in consultation with the leading supervisory authority, to conduct any investigation on the territory of its own Member State.

(131)

If another supervisory authority is to act as the leading supervisory authority for the processing activities of the controller or processor, but the subject of a complaint or possible breach concerns only processing activities of the controller or processor in the Member State where the complaint has been lodged or where the breach has been detected, and the case does not have, or is not likely to have, a substantial impact on data subjects in other Member States, the supervisory authority with which a complaint is lodged, or which has detected or is otherwise informed of situations involving possible breaches of this Regulation, should endeavor to find an amicable solution with the controller and, if this is not possible, exercise the full scope of its powers. This should include: specific processing on the territory of the Member State of the supervisory authority or in relation to data subjects on the territory of that Member State; processing in the context of an offer of goods or services specifically aimed at data subjects on the territory of the Member State of the supervisory authority; or processing which must be assessed in compliance with relevant Member State legal obligations.

(132)

In their public information activities, supervisory authorities should take specific measures directed at controllers and processors, including small, medium and micro enterprises, as well as natural persons, in particular in the education sector.

(133)

The supervisory authorities should assist each other in carrying out their duties in order to ensure the consistent application and uniform enforcement of this Regulation within the internal market. A supervisory authority requesting mutual assistance may take a provisional measure if it does not receive a response to a request for mutual assistance within one month of receipt of that request by the other supervisory authority.

(134)

Each supervisory authority should participate in joint actions with other supervisory authorities as appropriate. Each requested supervisory authority should be obliged to respond to the request within a defined period of time.

(135)

In order to ensure the consistent application of this Regulation throughout the Union, a consistency mechanism for cooperation between supervisory authorities should be established. That mechanism should apply in particular where a supervisory authority intends to adopt a measure concerning processing activities having a substantial impact on a significant number of data subjects in several Member States and intended to produce legal effects. It should also apply where a supervisory authority concerned or the Commission requests that such a matter be submitted to the consistency mechanism. That mechanism should be without prejudice to any measures that the Commission may adopt in the exercise of its powers under the Treaties.

(136)

In the application of the coherence mechanism, the Committee should issue an opinion within a specified period, if a majority of its members so decides or if requested by a supervisory authority concerned or by the Commission. The Committee should also have the power to adopt legally binding decisions where disputes exist between supervisory authorities. In well-defined cases where there are disagreements between supervisory authorities, especially in the procedure for cooperation between the lead supervisory authority and the supervisory authorities concerned, in particular as to whether there has been a breach of this Regulation, the Committee should in principle issue legally binding decisions by a two-thirds majority of its members.

(137)

Urgent action may be required to protect the rights and freedoms of data subjects, in particular where there is a risk that the enforcement of a right of a data subject could be substantially impeded. Therefore, a supervisory authority on its territory should be able to adopt duly justified provisional measures with a defined period of validity of up to three months.

(138)

In cases where application of the coherence mechanism is mandatory, its application should be a condition for the legality of a measure of a supervisory authority intended to produce legal effects. In other cross-border cases, the procedure for cooperation between the leading supervisory authority and the supervisory authorities concerned should be applied. On a bilateral or multilateral basis, mutual assistance may be provided between the supervisory authorities concerned and joint measures may be implemented without triggering the application of the coherence mechanism.

(139)

In order to promote the consistent application of the Regulation, the Committee should be established as an independent body of the Union. In order to achieve its objectives, the Committee should have legal personality. The Committee should be represented by its Chairman. This Committee should replace the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Directive 95/46/EC. It should consist of the heads of the supervisory authority of each Member State and of the European Data Protection Supervisor or their respective representatives. The Commission should participate in the activities of the Committee without voting rights and the European Data Protection Supervisor should have specific voting rights. The Committee should contribute to the consistent application of this Regulation in the Union, including by advising the Commission, in particular on the level of protection in third countries or in international organizations, and by fostering cooperation between the supervisory authorities in the Union. In performing its tasks, the Committee should act independently.

(140)

The Committee should be assisted by a secretariat organized by the European Data Protection Supervisor. The staff of the European Data Protection Supervisor involved in carrying out the tasks entrusted to the Committee under this Regulation should perform their duties solely on the instructions of the chair of the Committee, and should report to him.

(141)

Every data subject should have the right to lodge a complaint with a single supervisory authority, in particular in the Member State where he or she habitually resides, and to seek an effective remedy in accordance with Article 47 of the Charter, if he or she considers that his or her rights under this Regulation have been infringed, or if the supervisory authority does not act on a complaint, rejects or dismisses a complaint in whole or in part, or does not act where such action is necessary to protect the rights of the data subject. The investigation carried out in response to a complaint shall not go beyond what is appropriate in the specific case and may be subject to judicial review. The supervisory authority must inform the data subject of the progress and outcome of the complaint within a reasonable period of time. If the case requires further investigation or coordination with another supervisory authority, interim information should be provided to the data subject. Each supervisory authority should take measures to facilitate the filing of complaints, such as providing a complaint form that can also be completed electronically, without excluding other means of communication.

(142)

Where a data subject considers that his or her rights under this Regulation have been infringed, he or she should have the right to authorize bodies, organizations or non-profit associations, constituted according to the law of a Member State, which have statutory objectives which are in the public interest and are active in the field of the protection of personal data, to lodge a complaint on his or her behalf with a supervisory authority, to exercise on behalf of data subjects the right to a judicial remedy, or to exercise on behalf of data subjects the right to obtain redress if provided for in Member State law. Member States may provide that such bodies, organizations or associations shall have the right, irrespective of any authorisation by a data subject, to lodge a complaint in that Member State and the right to an effective remedy if they have grounds for believing that the rights of a data subject have been infringed as a result of the processing of personal data in breach of this Regulation. For these bodies, organizations or associations, it may be provided that they shall not have the right to seek redress on behalf of a data subject beyond the data subject's authorization.

(143)

Any natural or legal person has the right to bring an action for annulment before the Court of Justice against a decision of the Committee under the conditions provided for in Article 263 TFEU. As addressees of such decisions, the supervisory authorities concerned who wish to challenge such decisions must lodge an appeal in accordance with Article 263 TFEU within two months of their notification. Where the controller, processor or complainant is directly and individually concerned by decisions of the Committee, it may bring an action for annulment of such decisions in accordance with Article 263 TFEU within two months of their publication on the Committee's website. Without prejudice to this right under Article 263 TFEU, any natural or legal person should have the right to an effective remedy before the competent national court against a decision of a supervisory authority which produces legal effects in respect of that person. Such a decision shall relate in particular to the supervisory authority's exercise of powers related to investigation, correction and consent, or to the rejection of complaints. However, the right to an effective remedy does not apply to measures taken by supervisory authorities that are not legally binding, such as opinions. An action against a supervisory authority should be brought before the courts of the Member State where the supervisory authority is established, and should comply with the procedural law of that Member State. Those courts should exercise full jurisdiction, including jurisdiction to examine all questions of fact and law relating to the dispute before them.

If a complaint is rejected by a supervisory authority, the complainant may appeal to the courts in the same Member State. Within the scope of jurisdiction in connection with the application of this Regulation, national courts which consider that a decision on the matter is necessary for their judgment may, or, in the case of Article 267 TFEU, must, request the Court of Justice for a preliminary ruling on the interpretation of Union law, including this Regulation. Moreover, where a decision of a supervisory authority implementing a decision of the Committee is challenged before a national court and the validity of the Committee's decision is at issue, that national court does not have the power to declare the Committee's decision invalid, but, if it considers the decision invalid, it must refer the question of validity to the Court of Justice in accordance with Article 267 TFEU as interpreted by the Court of Justice. However, a national court may not refer a question on the validity of a decision of the Committee to the Court at the request of a natural or legal person who had the possibility to bring an action for the annulment of that decision, in particular if he was directly and individually affected by that decision, but did not do so within the time limit set by Article 263 TFEU.

(144)

Where a court before which proceedings are pending against a decision of a supervisory authority has reason to believe that proceedings concerning the same processing are already pending before a court having jurisdiction in another Member State, which may, for example, involve the same subject-matter of the processing, the same activities of the controller or processor, or the same cause of action, it shall contact that court in order to verify the existence of the related proceedings. If related proceedings are pending before a court in another Member State, any court other than the one first seized may stay its proceedings, or may, at the request of one of the parties, transfer them to the court first seized, if that court has jurisdiction to hear the proceedings in question and provided that its law permits the joinder of those related proceedings. Related proceedings are those which are so closely connected that the proper administration of justice requires their simultaneous hearing and trial in order to avoid the risk of irreconcilable judgments in separate proceedings.

(145)

For proceedings against a controller or processor, the complainant should be able to choose to bring the case before the courts in the Member State where the controller or processor has an establishment, or to do so in the Member State where the data subject resides, unless the controller is a public authority of a Member State acting under public powers.

(146)

The controller or processor should compensate any damage that a person may suffer as a result of processing that violates this Regulation. The controller or processor should be exempted from liability if it proves that it is not responsible for the damage. The concept of "damage" should be interpreted broadly in the light of the case law of the Court of Justice, in a way that takes full account of the objectives of this Regulation. This is without prejudice to any claims for compensation for breaches of other rules of Union or Member State law. Processing in breach of this Regulation also includes processing in breach of delegated and implementing acts adopted pursuant to this Regulation and Member State law specifying rules contained in this Regulation. Data subjects should receive full and effective compensation for damages suffered by them. Where controllers or processors are involved in the same processing operation, they should each be held liable for the entire damage. However, where they are joined in the same legal proceedings under Member State law, each controller or processor may bear part of the compensation according to its share of responsibility for the damage caused by the processing, provided that the data subject who has suffered damage is fully and effectively compensated. Any controller or processor who has paid the full compensation may then bring a recourse action against other controllers or processors involved in the same processing.

(147)

Where this Regulation provides for specific jurisdiction rules, in particular as regards proceedings seeking a remedy, including compensation, against a controller or processor, general jurisdiction rules, such as those set out in Regulation (EU) No 1215/2012 of the European Parliament and of the Council (13), should not prejudice the application of those specific rules.

(148)

In order to strengthen the enforcement of the rules of this Regulation, penalties, including administrative fines, should be imposed for any violation of the Regulation, in addition to or in lieu of appropriate measures imposed by supervisory authorities pursuant to this Regulation. If the violation is minor or if the likely fine would impose a disproportionate burden on a natural person, a reprimand may be chosen instead of a fine. However, the nature, gravity and duration of the breach, the intentional nature of the breach, mitigation measures, degree of responsibility, or previous relevant breaches, how the breach came to the attention of the supervisory authority, compliance with measures taken against the controller or processor, adherence to a code of conduct, and any other aggravating or mitigating factors should be taken into account. The imposition of penalties, including administrative fines, should be subject to appropriate procedural safeguards in accordance with general principles of Union law and the Charter, including effective remedy and due process.

(149)

Member States should be able to lay down the rules on penalties applicable to infringements of this Regulation, including for infringements of national rules pursuant to and within the limits of this Regulation. Such penalties may include the remittance of profits obtained through infringements of this Regulation. However, the imposition of penalties for violations of such national rules and of administrative sanctions should not result in the violation of the ne bis in idem principle as interpreted by the Court of Justice.

(150)

In order to strengthen and harmonize administrative sanctions against infringements of this Regulation, each supervisory authority should have the power to impose administrative fines. This Regulation should set out infringements, ceilings and criteria for establishing the related administrative pecuniary sanctions, which should be determined by the competent supervisory authority on a case-by-case basis, taking into account all relevant circumstances of the specific situation, having regard, in particular, to the nature, gravity and duration of the infringement and of its effects, as well as to the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate its effects. Where the administrative fines are imposed on an undertaking, an undertaking should in that context be considered an undertaking pursuant to Articles 101 and 102 TFEU. Where administrative fines are imposed on persons who are not undertakings, the supervisory authority should take into account the general level of income in the Member State and the economic situation of the person concerned when determining an appropriate amount for the fine. The coherence mechanism can also be used to promote consistent application of administrative fines. It should be up to Member States to determine whether and to what extent public authorities should be subject to administrative fines. The imposition of an administrative fine or the issuing of a warning does not affect the exercise of other powers of supervisory authorities or the application of other sanctions under this Regulation.

(151)

The legal systems of Denmark and Estonia do not permit the administrative fines described in this Regulation. The rules on administrative fines may be applied in such a way that the fine is imposed as a criminal sanction by a competent court in Denmark and by the supervisory authority in proceedings for criminal offenses in Estonia, provided that these applications of the rules have the same effect in those Member States as administrative fines imposed by supervisory authorities. Therefore, the competent national courts should take into account the recommendation of the supervisory authority that initiated the fine. In any case, fines should be effective, proportionate and dissuasive.

(152)

Where this Regulation does not provide for the harmonization of administrative penalties, or if necessary in other cases, such as serious infringements of this Regulation, Member States should apply a system of effective, proportionate and dissuasive penalties. The nature of those penalties, criminal or administrative, should be determined by Member State law.

(153)

Member States' legislation should reconcile the rules governing freedom of expression and information, including journalistic, academic, artistic and/or literary forms of expression, with the right to protection of personal data under this Regulation. For the processing of personal data solely for journalistic purposes or for the purpose of academic, artistic and literary forms of expression, derogations or exemptions from certain provisions of this Regulation should be put in place in order to reconcile, where necessary, the right to the protection of personal data with the right to freedom of expression and information enshrined in Article 11 of the Charter. This should apply in particular to the processing of personal data for audiovisual purposes and in news and press archives. Member States should therefore take legislative action to establish the exceptions and derogations necessary to strike a balance between those fundamental rights. Member States should lay down such exceptions and derogations in relation to general principles, data subjects' rights, controllers and processors, transfers of personal data to third countries or international organizations, independent supervisory authorities, cooperation and consistency, and concerning specific data processing situations. If those exceptions or derogations differ from one Member State to another, the law of the Member State to which the controller is subject shall apply. Given the importance of the right to freedom of expression in any democratic society, concepts relating to that freedom, such as journalism, should be interpreted broadly.

(154)

This Regulation allows the principle of public access to official documents to be taken into account in its application. Public access to official documents can be considered a public interest. Personal data contained in documents held by a public authority or public body should be able to be disclosed by that authority or body if Union or Member State law applicable to the public authority or public body provides for the disclosure of such data. Such legislation should reconcile public access to official documents and the re-use of public sector information with the right to the protection of personal data, and may therefore provide for the necessary alignment with the right to the protection of personal data under this Regulation. The reference to public authorities and bodies in that context should include all authorities and other bodies covered by Member State law on public access to documents. Directive 2003/98/EC of the European Parliament and of the Council (14) does not prejudice or affect the level of protection of natural persons with regard to the processing of personal data under Union and Member State law, and in particular does not alter the obligations and rights set out in this Regulation. In particular, that Directive should not apply to documents that are not or only to a limited extent accessible under the access regimes for reasons of protection of personal data, or to parts of documents that are accessible under those regimes but which contain personal data, the re-use of which has been declared by law to be incompatible with the law on the protection of individuals with regard to the processing of personal data.

(155)

Member State law or collective agreements, including "company agreements," may lay down specific rules for the processing of employees' personal data in the employment relationship, in particular for the conditions under which personal data may be processed in the employment relationship on the basis of the employee's consent, for recruitment, for the performance of the employment contract including for compliance with legal or collective agreement obligations, for the management, planning and organization of work, for equality, diversity, health and safety at work, for the exercise and enjoyment of individual or collective rights and benefits related to the employment relationship, and for the termination of the employment relationship.

(156)

The processing of personal data for archiving in the public interest, scientific or historical research or statistical purposes should be subject to appropriate safeguards for the rights and freedoms of data subjects in accordance with this Regulation. Such safeguards should ensure that technical and organizational measures are taken to ensure, in particular, compliance with the principle of data minimization. Further processing of personal data for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes should be carried out when the controller has assessed whether those purposes can be achieved by processing personal data on the basis of which the data subjects are not or no longer identifiable, provided that appropriate safeguards exist, such as the pseudonymization of the personal data. Member States should provide appropriate safeguards for the processing of personal data for archiving in the public interest, scientific or historical research or statistical purposes. Member States should be empowered to specify, under specific conditions and with appropriate safeguards for data subjects, the specifications and derogations applicable to information requirements and to the right to rectification, the right to erasure, the right to be forgotten, the right to restriction of processing, the right to data portability and the right to object, where personal data are processed for archiving in the public interest, scientific or historical research or statistical purposes. Where appropriate in view of the purposes envisaged by the specific processing, the conditions and safeguards mentioned may include specific procedures for the exercise of those rights by data subjects, combined with technical and organizational measures to minimize, in the light of the principles of proportionality and necessity, the processing of personal data.
The processing of personal data for scientific purposes should also comply with other applicable legislation, such as that on clinical trials.

(157)

By linking data from different registries, researchers can gain new and very valuable knowledge about common medical conditions such as cardiovascular disease, cancer and depression. Because they draw on a larger proportion of the population, registry-based research results can be improved. In the social sciences, registry research allows scientists to gain essential knowledge about the long-term interaction of a number of social factors, such as unemployment and education, with other life conditions. Research results obtained through registries provide solid, high-quality knowledge that can be used to develop and implement knowledge-based policies, improve the quality of life of a segment of the population, and make social services more efficient. Therefore, in order to facilitate scientific research, it is necessary to provide that personal data may be processed, subject to appropriate conditions and safeguards laid down in Union or Member State law, for the purpose of scientific research.

(158)

Where personal data are processed for archival purposes, this Regulation should also apply to processing for this purpose, it being understood that this Regulation should not apply to personal data of deceased persons. Public authorities or public or private bodies holding data of public interest should be services which are legally obliged, in accordance with Union or Member State law, to acquire, retain, evaluate, organize, describe, communicate, draw attention to, disseminate and make accessible data of continuing value for the public interest. Member States should also be empowered to provide that personal data may be further processed for archival purposes, for example to provide specific information on political behavior under former totalitarian regimes, on genocide, crimes against humanity, in particular the Holocaust, or on war crimes.

(159)

Where personal data are processed for the purpose of scientific research, this Regulation should also apply to processing for that purpose. For the purposes of this Regulation, the processing of personal data for the purpose of scientific research should be interpreted broadly and include, for example, technological development and demonstration, basic research, applied research and privately funded research. Moreover, the Union's objective under Article 179(1) TFEU, namely the creation of a European Research Area, should be respected. Scientific research purposes include public health studies undertaken in the public interest. To qualify as processing of personal data for the purpose of scientific research, the processing must meet specific conditions, in particular with regard to publishing or otherwise disclosing personal data for scientific research purposes. If the results of scientific research, especially in the area of health, give rise to further measures in the interest of the data subject, the general rules of this Regulation shall apply for the purpose of such measures.

(160)

Where personal data are processed for the purpose of historical research, this Regulation should also apply to processing for that purpose. This should include historical research and research for genealogical purposes, except that this Regulation should not apply to deceased persons.

(161)

Regarding the authorization for participation in scientific research activities in clinical trials, the relevant provisions of Regulation (EU) No. 536/2014 of the European Parliament and of the Council (15) should apply.

(162)

Where personal data are processed for statistical purposes, this Regulation should apply to processing for that purpose. Provisions on statistical content, access control, specifications for the processing of personal data for statistical purposes and appropriate measures to protect the rights and freedoms of data subjects and to ensure statistical confidentiality should be laid down, within the limits of this Regulation, in Union or Member State law. Statistical purposes mean the collection and processing of personal data necessary for statistical surveys and for the production of statistical results. These statistical results may also be used for other purposes, including for scientific research purposes. The statistical purpose means that the result of the processing for statistical purposes does not consist of personal data, but of aggregated data, and that this result and the personal data are not used as supporting material for measures or decisions affecting a particular natural person.

(163)

The confidential data collected by Union and national statistical authorities for the production of official European and official national statistics should be protected. European statistics should be developed, produced and disseminated in accordance with the statistical principles set out in Article 338(2) TFEU; national statistics should also comply with Member State law. Regulation (EC) No 223/2009 of the European Parliament and of the Council (16) contains further specifications on statistical confidentiality for European statistics.

(164)

As regards the powers of supervisory authorities to obtain from the controller or processor access to personal data and to its business premises, Member States may adopt by law, within the limits of this Regulation, specific rules to safeguard professional secrecy or other equivalent duties of confidentiality to the extent necessary to reconcile the right to the protection of personal data with professional secrecy. This shall be without prejudice to obligations in Member States to comply with rules on professional secrecy where Union law so requires.

(165)

In accordance with Article 17 TFEU, this Regulation respects and does not prejudice the status under current constitutional law of churches and religious associations or communities in the Member States.

(166)

In order to achieve the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data, and to ensure the free flow of personal data in the Union, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission. In particular, delegated acts should be adopted concerning the criteria and requirements for certification mechanisms, the information to be displayed by standardized icons and the procedures for the provision of those icons. It is of particular importance that the Commission carry out adequate consultations in its preparatory work, including at expert level. The Commission, when preparing and drawing up delegated acts, should ensure timely and appropriate simultaneous transmission of relevant documents to the European Parliament and to the Council.

(167)

In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission where provided for in this Regulation. Those powers should be exercised in accordance with Regulation (EU) No 182/2011. In that context, the Commission should consider specific measures for micro, small and medium-sized enterprises.

(168)

The examination procedure should be used for the adoption of implementing acts on standard contractual clauses between controllers and processors, and between processors; codes of conduct; technical standards and mechanisms for certification; the adequate level of protection afforded by a third country, a territory or a well-defined sector within that third country or an international organization; standard terms of protection; models and procedures for the electronic exchange of information between controllers, processors and supervisory authorities as regards binding corporate rules; mutual assistance; and arrangements for the electronic exchange of information between supervisory authorities and between supervisory authorities and the Committee.

(169)

Where the available evidence indicates that a third country, a territory or a well-defined sector within that third country, or an international organization does not ensure an adequate level of protection, and where imperative grounds of urgency so require, the Commission should adopt implementing acts which should enter into force immediately.

(170)

Since the objective of this Regulation, namely to ensure an equivalent level of protection of natural persons and the free flow of personal data throughout the Union, cannot be sufficiently achieved by the Member States alone and can therefore, by reason of the scale and effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality, as set out in the same Article, this Regulation does not go beyond what is necessary in order to achieve this objective.

(171)

Directive 95/46/EC should be replaced by this Regulation. Processing operations already in progress on the date of application of this Regulation should be brought into conformity with this Regulation within two years of its entry into force. In order to allow the controller to continue processing after the date of application of this Regulation, the data subject should not be required to give consent again for a processing operation to which he has consented under Directive 95/46/EC in a way which meets the conditions of this Regulation. Commission decisions and authorizations granted by supervisory authorities based on Directive 95/46/EC shall remain in force until amended, replaced or repealed.

(172)

The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 and delivered an opinion on March 7, 2012 (17).

(173)

This Regulation should apply to all matters relating to the protection of fundamental rights and freedoms in the context of the processing of personal data which are not subject to specific obligations with the same objective laid down in Directive 2002/58/EC of the European Parliament and of the Council (18), including the obligations of the controller and the rights of natural persons. In order to clarify the relationship between this Regulation and Directive 2002/58/EC, that Directive should be amended accordingly. Once this Regulation is adopted, Directive 2002/58/EC should be reviewed, in particular to ensure consistency with this Regulation,

HAVE ADOPTED THE FOLLOWING REGULATION: