Like most documents to come out of the EU, the full document is vast and unwieldy, so here's a summary of the key points. In the coming months there will no doubt be an ever-increasing gaggle of companies promising to make you compliant for significant sums of money. It's another Profit Creation Initiative (PCI), but it need not cost you any money - the majority of the document, when you break it down, is common sense and good business practice, and the rest is clearly authored by eurocrats with the help of consultancies charging significant sums of money.
The bottom line here is don't panic - being compliant is as simple as understanding, protecting and maintaining personal information to the subject's satisfaction. If your business provides products & services to individuals then you really should read and consider the regulation, but if not and you're solely b2b then its impact is tiny.
The legislation claims to be in scope for any data processing outside of the EU that processes data for subjects within the EU, but of course outside of the EU it's just yet another pointless directive that has no enforceable merit, and the very nature of the internet means that processing of data can be anywhere in the world, so you decide if this legislation will in fact have any significant effect on privacy or whether those who abuse it will simply move data to servers hosted well outside the EU.
Chapter 1: General Provisions
Article 1: Subject matter and objectives
Article 2: Material scope
Article 3: Territorial scope
Article 4: Definitions
Chapter 2: Principles
Article 5: Principles relating to personal data processing
Article 6: Lawfulness of processing
Article 7: Conditions for consent
Article 8: Processing of personal data of a child
Article 9: Processing of special categories of personal data
Article 9a: Processing of data relating to criminal convictions and offences
Article 10: Processing not allowing identification
Chapter 3: Rights of the Data Subject
Article 10a: General principles for the rights of the data subject
Section 1: Transparency and Modalities
Article 11: Transparent information and communication
Article 12: Procedures and mechanisms for exercising the rights of the data subject
Article 13: Rights in relation to recipients
Article 13a: Standardized information policies
Section 2: Information and Access to Data
Article 14: Information to the data subject
Article 14a: Information to be provided where the data have not been obtained from the data subject
Article 15: Right of access for the data subject
Section 3: Rectification and Erasure
Article 16: Right to rectification
Article 17: Right to be forgotten and to erasure
Article 17a: Right to restriction of processing
Article 17b: Notification obligation regarding rectification, erasure, or restriction
Article 18: Right to data portability
Section 4: Right to object and automated individual decision making
Article 19: Right to object
Article 19a: Restriction of processing
Article 20: Measures based on profiling
Section 5: Restrictions
Article 21: Restrictions
Chapter 4: Controller and Processor
Section 1: General Obligations
Article 22: Responsibility of the controller
Article 23: Data protection by design and by default
Article 24: Joint controllers
Article 25: Representatives of controllers not established in the Union
Article 26: Processor
Article 27: Processing under the authority of the controller and processor
Article 28: Documentation
Article 29: Co-operation with the supervisory authority
Section 2: Data Security
Article 30: Security of processing
Article 31: Notification of a personal data breach to the supervisory authority
Article 32: Communication of a personal data breach to the data subject
Article 32a: Respect to Risk
Section 3: Data protection impact assessment and prior authorization
Article 33: Data protection impact assessment
Article 33a: Data protection compliance review
Article 34: Prior authorization and prior consultation
Section 4: Data protection officer
Article 35: Designation of the data protection officer
Article 36: Position of the data protection officer
Article 37: Tasks of the data protection officer
Section 5: Codes of conduct and certification
Article 38: Codes of conduct
Article 38a: Monitoring of approved codes of conduct
Article 39: Certification
Article 39a: Certification body and procedure
Chapter 5: Transfer of personal data to third countries or international organizations
Article 40: General principle for transfers
Article 41: Transfers with an adequacy decision
Article 42: Transfers by way of appropriate safeguards
Article 43: Transfers by way of binding corporate rules
Article 43a: Transfers or disclosures not authorized by Union law
Article 44: Derogations
Article 45: International co-operation for the protection of personal data
Article 45a: Report by the Commission
Chapter 6: Independent Supervisory Authorities
Section 1: Independent status
Article 46: Supervisory authority
Article 47: Independence
Article 48: General conditions for the members of the supervisory authority
Article 49: Rules on the establishment of the supervisory authority
Article 50: Professional secrecy
Section 2: Competence, Tasks, and Powers
Article 51: Competence
Article 51a: Competence of the lead supervisory authority
Article 52: Duties
Article 53: Powers
Article 54: Activity report
Article 54a: Lead Authority
Chapter 7: Co-operation and consistency
Section 1: Co-operation
Article 54a: Cooperation between the lead supervisory authority and other concerned supervisory authorities
Article 55: Mutual assistance
Article 56: Joint operations of supervisory authorities
Section 2: Consistency
Article 57: Consistency mechanism
Article 58: Opinion by the European Data Protection Board
Article 58a: Consistency in individual cases
Article 58b: Dispute Resolution by the European Data Protection Board
Article 59: Opinion by the Commission
Article 60: Suspension of a draft measure
Article 61: Urgency procedure
Article 62: Implementing acts
Article 63: Enforcement
Section 3: European Data Protection Board
Article 64: European Data Protection Board
Article 65: Independence
Article 66: Tasks of the European Data Protection Board
Article 67: Reports
Article 68: Procedure
Article 69: Chair
Article 70: Tasks of the chair
Article 71: Secretariat
Article 72: Confidentiality
Chapter 8: Remedies, Liability, and Sanctions
Article 73: Right to lodge a complaint with a supervisory authority
Article 74: Right to a judicial remedy against a supervisory authority
Article 75: Right to a judicial remedy against a controller or processor
Article 76: Common rules for court proceedings
Article 76a: Suspension of proceedings
Article 77: Right to compensation and liability
Article 78: Penalties
Article 79: Administrative sanctions
Article 79a: Administrative fines
Article 79b: Penalties
Chapter 9: Provisions relating to specific data processing situations
Article 80: Processing of personal data and freedom of expression
Article 80a: Access to documents
Article 80b: Processing of personal data and public access to official documents
Article 80c: Processing of national identification numbers
Article 81: Processing of personal data concerning health
Article 82: Processing in the employment context
Article 82a: Processing in the social security context
Article 83: Processing for historical, statistical and scientific research purposes
Article 83a: Processing of personal data by archive services
Article 83b: Notification to the Commission by Member States
Article 84: Obligations of secrecy
Article 85: Existing data protection rules of churches and religious associations
Article 85a: Respect of fundamental rights
Article 85b: Standard Forms
Chapter 10: Delegated Acts and Implementing Acts
Article 86: Exercise of the delegation
Article 87: Committee procedure
Chapter 11: Final provisions
Article 88: Repeal of Directive 95/46/EC
Article 89: Relationship to and amendment of Directive 2002/58/EC
Article 89a: Relationship to and amendment of Regulation (EC) No 45/2001
Article 89b: Relationship to previously concluded agreements
Article 89c: Relationship to Directive 2000/31/EC
Article 90: Evaluation
Article 91: Entry into force and application
Chapter 1: General Provisions
Article 1
Subject Matter and Objectives
Medium Variability
This regulation pertains solely to the protection of personal data, which is a fundamental human right, and the rules regarding the movement of said data.
*The Council text adds that individual member states may introduce more specific rules in regard to the lawful reasons for the processing of personal data (as they are stated in Article 6).
Article 2
Material Scope
High Variability
This regulation applies to the processing of personal data by automated means, or by non-automated means if such processing forms part of a filing system.
*The Parliament text adds to the scope by covering personal data “irrespective of the method of processing.”
It does not apply to the processing of personal data:
- for an activity that falls outside the scope of Union law
- by the Union institutions
- by Member States for activities that fall within the scope of Chapter 2 of Title V of the Treaty on European Union (re: borders/immigration)
- by a person without any gainful interest for a personal activity
- by public authorities for the purposes surrounding criminal offenses
This regulation shall not impede the application of the E-Commerce Directive, especially with regards to the articles surrounding liability (Directive 2000/31/EC articles 12-15).
*The Council text does not include the final paragraph about the E-Commerce Directive.
Article 3
Territorial Scope
High Variability
This regulation applies to the processing of personal data by both data processors and data controllers within the EU.
It also applies to data controllers outside of the EU that are offering goods and services to, or monitoring, data subjects within the EU.
Where public international law calls for a data controller to fall under any member state’s laws, this regulation will also apply.
*The Parliament text is the most inclusive of the three with regards to this article, as it specifically mentions that data being processed outside the EU may still fall under the regulation, and it extends the non-EU jurisdiction to data processors as well.
*All three texts have individual takes on the applicability of including companies which are monitoring data subjects or their behaviour, with the Commission calling for simply those monitoring behaviour, the Parliament calling for those monitoring the data subjects in any fashion, and the Council calling for those monitoring behaviours that take place within the EU only.
Article 4
Definitions
High Variability
For the purposes of the regulation:
- Personal Data - Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person
- *Parliament only:
  - Pseudonymous Data - personal data that can’t be attributed to a specific data subject without the use of additional information, so long as the additional information is kept separate to ensure non-attribution
  - Encrypted Data - personal data that is protected through technological measures to ensure that the data is only accessible/readable by those with specified access
- Processing - any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc.
- *Parliament only:
  - Profiling - any automated processing of personal data intended to evaluate, analyse, or predict data subject behaviour
  - *Council details profiling after Data Concerning Health
- *Council only:
  - Restriction of Processing - the marking of stored personal data with the aim of limiting its processing in the future
  - Pseudonymisation - the processing of personal data such that it can no longer be attributed to a single data subject without the use of additional data, so long as said additional data stays separate to ensure non-attribution
- Filing system - any specific set of personal data that is accessible according to specific criteria, or able to be queried.
- Data Controller - entity that determines the purposes, conditions and means of the processing of personal data
- Data Processor - entity that processes data on behalf of the Data Controller
- Recipient - entity to which the personal data are disclosed
- Data Subject’s Consent - freely given, specific, informed and explicit consent by statement or action signifying agreement to the processing of their personal data
- Personal Data Breach - a breach of security leading to the accidental or unlawful access to, destruction, misuse, etc. of personal data
- Genetic Data -
  - *Commission: data concerning the characteristics of an individual which are inherited or acquired during early development
  - *Parliament: data concerning the characteristics of an individual which are inherited or as they result from analysis of a biological sample
  - *Council: data concerning the characteristics of an individual which are inherited or acquired which give unique information about the health or physiology of the individual
- Biometric Data - any personal data relating to the physical, physiological, or behavioral characteristics of an individual which allows their unique identification
- Data Concerning Health - any personal data related to the physical or mental health of an individual or the provision of health services to them
- Main Establishment -
  - *Commission: with regard to the controller, the Main Establishment is the place within the Union where the main decisions surrounding data processing are made; with regard to the processor, the Main Establishment is the place of its central administration within the Union
  - *Parliament: with regard to both the controller and the processor, the Main Establishment is the place within the Union where the main decisions surrounding data processing are made, taking into consideration where the headquarters is located, which location is best placed in terms of management and administrative responsibilities, and where real and effective management activities are held
  - *Council: with regard to a controller with establishments in multiple member states, the Main Establishment is the central administration within the EU, unless the main decisions surrounding the processing of personal data are made in another location with the power to have such decisions implemented, in which case the latter is considered the Main Establishment; with regard to a processor with establishments in multiple member states, the central administration is considered the Main Establishment, and if there is no central administration, the location of the main processing of personal data is considered instead
- Representative - any person in the Union explicitly designated by the controller to be addressed by the supervisory authorities
- Enterprise - any entity engaged in economic activity, regardless of legal form, including persons, partnerships, associations, etc.
- Group of Undertakings - a controlling undertaking and its controlled undertakings
- Binding Corporate Rules - personal data protection policies adhered to by a controller or processor within the Union for transfers to a controller or processor outside of the Union but within a group of undertakings
- Child - any person under 18 years old
- Supervisory Authority - a public authority which is established by a member state in accordance with article 46
- *Council only:
  - Concerned Supervisory Authority - the relevant supervisory authority (SA) in a situation, due to the controller/processor in question being established in the member state of said SA, data subjects being materially affected in the member state of said SA, or an underlying complaint being lodged specifically with said SA
  - Transnational Processing of Personal Data - processing which takes place in the context of establishments in multiple member states, or processing in a single establishment that is likely to affect data subjects in multiple member states
  - Relevant and Reasoned Objection - an objection as to whether there is an infringement of this regulation or not, with regards to the fundamental rights and freedoms of data subjects
- Information Society Service - any service laying down a procedure for the provision of information in the field of technical standards and regulations and of rules on Information Society services
- International Organisation - an organisation and its subordinate bodies governed by public international law or any body set up by an agreement between two or more countries
Chapter 2: Principles
Article 5
Principles Relating to Personal Data Processing
Low Variability
Personal Data must be:
- processed lawfully, fairly, and in a manner transparent to the data subject
- collected for specified, explicit purposes and only those purposes
- limited to the minimum amount of personal data necessary for a given situation
- accurate and where necessary, up to date
- kept in a form that permits identification of the data subject for only as long as is necessary, with the only exceptions being statistical or scientific research purposes pursuant to article 83a
- *Parliament adds that the data must be processed in a manner allowing the data subject to exercise his/her rights and protects the integrity of the data
- *Council adds that the data must be processed in a manner that ensures the security of the data
- processed under the responsibility and liability of the data controller
Article 6
Lawfulness of Processing
Medium Variability
Processing of personal data is lawful under at least one of the following:
- the data subject has given consent to one or more specific processing purposes
- processing is necessary for the performance of a contract to which the data subject is a party or at the request of the data subject in order to take steps toward a contract
- processing is necessary for compliance with a legal obligation upon the controller
- processing is necessary in order to protect the vital interests of the data subject
- processing is necessary for the purposes of the legitimate interest of the controller (or a third party) so long as the fundamental rights and freedoms of the data subject are in no way infringed.
- processing is necessary for the purposes of historical, statistical or scientific research subject to the conditions in Article 83
- The basis for processing under legal obligation or public interest must be provided for in:
- union law
- the law of the member state related to the data controller
- Further processing of personal data beyond the original use shall only be allowed should the processing continue to fall under one of the above guidelines for lawfulness
*Commission adds that it shall be empowered to adopt delegated acts in accordance with article 86 in order to further specify the conditions for legitimate interest of a data controller
Article 7
Conditions for Consent
High Variability
The data controller bears the burden of proof for the data subject’s consent to the processing of their data for specified purposes (contextual consent).
Any written request for consent must be presented in a manner which is clearly distinguishable from other matters.
*The Council text adds that a request must also be in an intelligible and easily accessible form, using clear and plain language.
The data subject will have the right to withdraw consent at any time, notwithstanding processing by other legal means than consent.
*The Parliament text adds that the ease of withdrawing consent should match the ease of giving it, and that the data controller must notify the data subject if withdrawing consent may lead to the termination of services or relationships.
Consent will not serve as a legal basis for processing when there is a significant imbalance between the position of the data subject and the controller.
*The Parliament text replaces this sentence and instead states that consent must be purpose-limited and shall immediately lose its validity when the purpose ceases to exist, and that the execution of a contract shall not be conditional upon the processing of data that is not directly relevant to said contract.
*The Council has deleted this sentence.
Article 8
Processing of Personal Data of a Child
High Variability
The processing of the personal data of a child under the age of 13 shall only be lawful if the parent or legal guardian of said child gives consent. The controller shall make reasonable efforts to obtain verifiable consent, taking into account available technology.
*The Parliament text adds that the verification of consent should not cause otherwise unnecessary processing of personal data.
*The Council text further adds that consent may also be given by the child if said consent is treated as valid in Union or Member State law.
*In addition, the Parliament text adds that information surrounding the request for consent should be given in clear language appropriate for the intended audience.
The previous paragraph shall not affect the general contract law of Member States.
The Commission shall be empowered to adopt delegated acts in order to consider specific measures for smaller enterprises.
*The Parliament text changes the above paragraph to empower the European Data Protection Board to issue guidelines and recommendations for the verification of consent.
**The Council text deletes this paragraph entirely.
The Commission may also provide standard forms for specific methods to obtain verifiable consent.
*Both the Parliament and Council texts delete this paragraph.
Article 9
Processing of Special Categories of Personal Data
Low Variability
The processing of personal data revealing race or ethnic origin, political opinions, religion or beliefs, or trade-union membership, and the processing of genetic data or data concerning health, sex life, criminal convictions or related security measures, shall be prohibited.
Except under the following conditions:
- The data subject has given consent, and no member state or union law prohibits consent as a valid lawful reason for processing
- Processing is necessary for the completion of obligations on the part of the controller with respect to employment law
- Processing is necessary to protect the vital interest of the data subject and he/she is unable to give consent
- Processing is carried out with appropriate safeguards by a non-profit organization related to the type of data they will be processing, without having the data leave the organization
- Processing related to data that is manifestly made public by the data subject
- Processing is necessary in regards to legal claims
- Processing is necessary for the performance of a task carried out in the public interest
- Processing of data concerning health is necessary for health purposes
- *The Council text adds processing necessary for the interests of public health
- Processing is necessary for historical, statistical or scientific research purposes
- Processing of data relating to criminal convictions or related security measures that is carried out either by an official authority or in the public interest
- *The Council text deletes this sentence
The Commission provides for its own ability to further specify criteria for processing this type of personal data.
*The Parliament gives this power to the European Data Protection Board.
**The Council removes this power entirely.
The Council text also adds the ability for data of this type to be processed by a professional under the obligation of secrecy under union or member state law.
Article 9a
Processing of Data Relating to Criminal Convictions and Offences
Council Only
Processing of data relating to criminal convictions and offences or related security measures may only be carried out either under the control of official authority or when the processing is authorised by Union law or Member State law. A complete register of criminal convictions may be kept only under the control of official authority.
Article 10
Processing not Allowing Identification
Low Variability
If the data processed by a controller do not permit the controller to identify a person, they are not required to gain additional information for the purposes of complying with this regulation.
*The Parliament text also includes data processors
*The Council text adds an exception where the data subject includes additional information enabling his/her identification, thus requiring the controller to once again comply with all provisions
Chapter 3: Rights of the Data Subject
Article 10a
General Principles for the Rights of the Data Subject
Parliament Only
The basis of data protection is clear and unambiguous rights for the data subject which shall be respected by the data controller. Such rights shall in general be exercised free of charge, and the data controller shall respond to requests from the data subject within a reasonable period of time.
Section 1: Transparency and Modalities
Article 11
Transparent Information and Communication
Low Variability
The controller shall have transparent and easily accessible policies, providing any information and any communication relating to the processing of personal data to the data subject in an intelligible form, using clear and plain language, adapted to the data subject, in particular for any information addressed specifically to a child.
*The Council text removes this paragraph entirely and includes it in the following article
Article 12
Procedures and Mechanisms for Exercising the Rights of the Data Subject
Medium Variability
The controller shall take appropriate measures to facilitate the exercise of the rights of the data subjects referred to in Articles 14 to 20.
Where personal data are processed by automated means, the controller shall also provide means for requests to be made electronically where possible.
*The Council text also adds the rules on transparent policies and plain language here
The controller shall inform the data subject without undue delay and at the latest within one month of receipt of a request for action to be taken with regards to articles 13 and 15 to 19. This period may be extended by one additional month should multiple data subjects exercise their rights, leading to additional complexity on the part of the data controller. If the data subject makes a request in an electronic form, it is to be responded to in an electronic form, where possible.
*The Parliament text increases the original limit to 40 calendar days
*The Council text only refers to articles 15 to 19 and includes an additional requirement for the controller to at least notify the data subject within the first month if the request will require the aforementioned additional month.
If the controller does not take action on behalf of the data subject’s request, it must then inform the data subject as to why, as well as providing information on the process for lodging a complaint with the relevant authority.
*The Council also imposes a one month time limit on this particular action
The above information requests shall be handled by the data controller free of charge, unless the requests become excessive, especially in repetitiveness. In the case of excessive requests, the controller may charge for or refuse requests. However, the burden is on the controller to provide proof that requests have become excessive.
*The Council adds that a controller may ask for additional information following a request from an unidentified data subject in order to properly identify before acting on said request.
The Commission shall be responsible for adopting delegated acts and standard forms for the further fulfillment of this article.
*The power removed in both Parliament and Council texts
Article 13
Rights in Relation to Recipients
Medium Variability
The controller shall communicate any rectification or erasure carried out in accordance with Articles 16 and 17 to each recipient to whom the data have been disclosed, unless this proves impossible or involves a disproportionate effort.
*The Parliament also includes that the controller shall inform the data subject about those recipients if the data subject requests this.
*The Council text removes this article entirely
Article 13a
Standardised Information Policies
Parliament Only
Where personal data is collected, the controller shall provide the following information prior to that necessary for compliance with article 14:
- whether personal data are collected or retained beyond the minimum necessary for each specific purpose of the processing
- whether personal data are processed beyond original purposes
- whether personal data are disseminated to third parties, sold, or rented out
- whether personal data are retained in an encrypted form
The particulars referred to in the above paragraph are to be depicted in a three column format including a graphical form of each particular, a description, and an indication of if it has been met.
The above information shall be presented in an easily intelligible format and when presented electronically, presented in a machine readable format.
The Commission will be able to adopt delegated acts regarding this article’s particulars following a recommendation by the European Data Protection Board.
Section 2: Information and Access to Data
Article 14
Information to the Data Subject
Medium Variability
When processing the personal data of a data subject, the data controller shall provide the data subject with the following information:
- The identity and contact information of the controller, its representative, and the data protection officer, where appropriate.
- The purpose of processing as well as its legitimate interests (Commission), security of the processing (Parliament), or the legal basis (Council).
- The period for which the data will be stored
- The existence of the rights to access, rectification, erasure, and portability
- The existence of the right to complain to a supervisory authority
- The recipients or categories of recipients of the data
- If the controller intends to transfer the data to a third country
- Any further information needed to ensure fair processing of the data
- Whether the data collection is mandatory or optional, as well as the consequences of not providing said data
- *Council additions:
  - The existence of any sort of automated profiling of the data
  - Information about any further processing outside of the original scope, to be given before the additional processing occurs
- *Parliament additions:
  - Information about automated profiling and the effects of said profiling
  - Information about the logic associated with automated profiling
  - Information about processing that was indicated as high risk by a data protection impact assessment done by the controller
  - If data has been provided to public authorities in the past 12 months
*The Council text separates the following section into article 14a.
When the data is not directly collected from the data subject, the controller shall inform the data subject of the source from which their collected data originated.
Time constraints:
- The above information shall be provided to the data subject at the time of collection
- Where the data is not collected directly from the data subject, the information shall be provided at the time of recording, or within a reasonable period after collection, and at the very latest when the data are first disclosed to another recipient.
- *The Parliament text adds that the information should be included with the first communication to the data subject, at the very latest.
Exceptions:
- If the data subject already has all of the above information
- If the data are not collected from the data subject and the provision of the information would involve disproportionate effort
- *The Parliament text changes this sentence to cover historical/statistical data and claims that the controller must have published the data publicly
- If the data are not collected from the data subject and recording or exposure is expressly laid down by law
- If the data are not collected from the data subject and the provision of such information would impair the rights and freedoms of others.
- *The Parliament text adds a caveat for controllers acting under professional secrecy
Should the data controller not be required to provide information about their data to the data subject, it shall still be required to protect the data subject’s legitimate interests.
The Commission shall be empowered to enact delegated acts and provide standard forms for the provision of information to data subjects.
*The Parliament text removes this power
Article 14a
Information to be provided where the data have not been obtained from the data subject
Council Only
Where data have not been obtained directly from the data subject, the controller shall provide the data subject with the identity and contact details of the controller, its representative, and the data protection officer. It shall also inform the data subject of the purpose and legal basis for processing.
In addition, the controller will provide all necessary information to ensure data processing is fair and transparent, including:
- the categories of personal data concerned
- the legitimate interests pursued by the controller or a third party
- the recipients or categories of recipients of the data
- if the controller intends to transfer the data to a third country
- the existence of the rights of the data subject to access, rectification, erasure, portability, and objection to data transfer
- the existence of the rights to withdraw consent, and lodge a complaint with the supervisory authority
- the sources of personal data, unless said data is publicly available
- the potential for automated profiling and the logic behind said profiling
Time Constraints:
- The above information shall be provided to the data subject within a reasonable period of obtaining the data, but at the latest within one month
- If the data are to be disclosed to another recipient, at the initial disclosure of said data at the latest
- Should the controller wish to use the data outside of the scope of the original purpose, it shall inform the data subject before the additional processing takes place
Exceptions:
- the above provision shall not be necessary if the data subject already has the information
- if providing the information involves disproportionate effort, in which case the controller must take adequate measures to protect the data
- if the obtaining or disclosure of said data is expressly laid down by law
- if the data must remain confidential in accordance with the law
Article 15
Right of Access for the Data Subject
Low Variability
Data subjects shall at any time have the right to confirmation from the controller whether or not their personal data are being processed. If so, the controller shall provide the data subject with the following information:
- the purposes of the processing
- the categories of personal data concerned
- *The Council text removes this requirement
- the recipients or categories of recipients to whom the data has been disclosed, especially in the case of third countries
- the period for which personal data will be stored, if possible
- the existence of the right to rectification, erasure, and the objection to processing
- the right to lodge a complaint with the supervisory authority, and said authority’s contact details
- the source of the data undergoing processing, and the significance and consequences of the processing
- *The Parliament text adds the necessity to provide information about the logic involved in any automated processing, as well as the confirmation of whether or not a public authority has requested personal data concerning the data subject.
- *The Council text adds the necessity for a controller to provide information about the relevant safeguards on any information transferred to a third country.
The data subject shall have the right to obtain a copy of the personal data undergoing processing from the controller. If the request is made in an electronic form, the data shall be sent in an electronic form, unless specifically requested otherwise.
*The Council text adds that this right shall not apply if said copy of personal data would reveal the personal data of other data subjects, or confidential data of the controller.
*The Parliament text adds the necessity for the controller to verify to the best of its ability the identity of the data subject before sending any personal data, as well as the need for data to be sent in an electronic format that allows for the further use of said data by the data subject. Where technically feasible and available, the data shall be transferred directly from controller to controller at the request of the data subject. (Data portability, stated here and removed from article 18)
The Commission shall be empowered to enact delegated acts and provide standard forms for the provision of information to data subjects.
*The Parliament and Council texts remove this power
Section 3: Rectification and Erasure
Article 16
Right to Rectification
Low Variability
The data subject shall have the right to obtain from the controller the rectification of their personal data wherever it may be inaccurate, as well as the right to obtain completion of incomplete data, including by way of a supplementary statement given to the controller.
Article 17
Right to be Forgotten and to Erasure
Medium Variability
The data subject shall have the right to have personal data related to them erased by the data controller and have further dissemination ceased, especially data provided when the data subject was a child, in one of the following instances:
*The Parliament text removes the specification for children
- the data are no longer relevant to the purposes for which they were originally collected
- the data subject withdraws consent and there is no other legal ground for processing
- the data subject objects to the processing of the data, pursuant to article 19
- the data have been processed unlawfully
- the data have to be erased to comply with Union or member state law
- *The Parliament text adds the necessity for verification of the person requesting erasure
Where the controller has made the personal data public without a legal ground, it shall take all reasonable steps to have the data erased, including by third parties. The controller shall also inform the data subject, where possible, of the action taken by the relevant third parties.
The controller shall carry out the erasure without undue delay, except under the following circumstances:
- exercising the right of freedom of expression and information
- for reasons of public health, or historical and scientific research purposes
- for reasons of public interest, or as mandated by Union or member state law
*The below text refers only to that of the Commission and Parliament, as the Council has moved all portions of restriction to articles 17a and 17b.
Instead of erasure, the controller shall restrict processing of personal data where:
- the accuracy of the data is in question, in which case restriction shall apply until the matter is resolved
- the controller no longer needs the data for processing, but the data is to be maintained for purposes of proof
- the processing is unlawful, but the data subject opposes its erasure and opts for restriction
- the data subject requests to transmit the data into another processing system
- *The Parliament text adds a caveat for a particular type of storage that does not allow for erasure and was implemented before the regulation
Data that has been restricted may only be processed for purposes of proof, an objective of public interest, for the protection of rights of another person, or with the data subject’s consent.
The controller shall inform the data subject before lifting the restriction on processing.
The controller shall implement mechanisms to ensure that the time limits established for the erasure of personal data are observed.
Where erasure is carried out, the controller shall not otherwise process the personal data.
The Commission shall be empowered to adopt delegated acts with respect to the criteria and conditions for the erasure and restriction of processing.
*The Parliament text adds the need for oversight from the Data Protection Board, while the Council removes the power entirely.
Article 17a
Right to Restriction of Processing
Council Only
The data subject shall have the right to restrict the processing of data where:
- the accuracy of the data is in question, in which case restriction shall apply until the matter is resolved
- the controller no longer needs the data for processing, but the data is to be maintained for purposes relating to legal claims
- the data subject has objected to the processing, and there is a pending verification of whether the legitimate grounds of the controller override those of the data subject.
Where data has been restricted, processing may only happen for reasons of protection of the rights of another person, public interest, resolution of legal claims, or with the data subject’s consent.
The controller shall inform the data subject prior to lifting the restrictions on processing.
Article 17b
Notification Obligation Regarding Rectification, Erasure or Restriction
Council Only
The controller shall communicate any rectification, erasure or restriction of processing carried out to each recipient to whom the data have been disclosed, unless this proves impossible or involves disproportionate effort.
Article 18
Right to Data Portability
High Variability
Where the data subject has provided personal data and processing by the controller is based upon consent or a contract, the data subject shall have the right to receive that data for use with another controller, without hindrance from the original controller. The data shall be given in an electronic, structured, and commonly used format.
*The Council text adds the need for data to be in a machine-readable format, as well as an exclusion for disclosing personal data if it would infringe intellectual property rights of the controller in relation to the processing of those personal data.
*The Parliament text handles data portability in article 15 with regards to the right to access.
Section 4: Right to Object and Automated Individual Decision Making
Article 19
Right to Object
Medium Variability
The data subject shall have the right to object to the processing of data when the processing has its legal basis in either protecting the vital interests of the data subject, public interest, or legitimate interests of the controller unless the controller has legitimate grounds overruling the objection.
*The Parliament text removes the inclusion of legitimate interests of the controller.
*The Council text removes the inclusion of vital interests of the data subject.
Where personal data are processed for marketing purposes, the data subject shall have the right to object, free of charge, to the processing of their personal data for such marketing. This right shall be explicitly offered and clearly distinguishable from other information.
*The Parliament text adds the right for a data subject to object by automated means.
*The Council text adds the right to object to processing for historical and scientific purposes, unless the processing is carried out for reasons of public interest.
Where an objection is upheld, the controller shall no longer process the personal data concerned for the purposes determined in the objection.
Article 20
Measures Based on Profiling
Medium Variability
Data subjects shall have the right to object to, or not be subject to, a measure which produces legal or significant effects through decisions made predominantly or wholly by means of automated profiling.
*The Parliament text adds that the data subject shall be informed of this right in a highly visible manner.
Exceptions:
- the profiling is necessary for performance of a contract, so long as sufficient safeguards are in place to protect the data subject’s rights and interests
- the profiling is expressly authorized by law
- the profiling is based on the data subject’s consent
Profiling shall not be based upon the special categories of personal data set out in article 9 (e.g. race or religion), so as to prevent discrimination on those grounds.
*The Parliament text adds that profiling that may affect the data subject shall not be solely based on automated processing, but also must include a human assessment.
The Commission shall be empowered to adopt delegated acts for specifying suitable measures for processing.
*The Parliament text gives this power to the Data Protection Board.
*The Council text removes this power entirely.
Section 5: Restrictions
Article 21
Restrictions
Medium Variability
Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for data subjects when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard:
- public security
- the prevention, investigation, detection and prosecution of criminal offences
- other public interests, in particular economic or financial interests of the Union
- *The Council text adds national security, defence, and the protection of judicial independence
- the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions
- a monitoring, inspection or regulatory function by a public authority in the above cases
- the protection of the data subject or the rights and freedoms of others.
Any legislative procedure intending to impose restrictions in the above manner must expressly provide for the purposes and objectives of the processing of personal data.
*The Parliament text adds the need for information regarding the determination of the controller, specific purposes and means of processing, safeguards allotted to processing, and the right of data subjects to be informed about the restriction.
*The Council text adds the need for information regarding the purposes or categories of processing, categories of personal data, scope of restrictions, categories of controllers, safeguards allotted to processing, and the risks for the rights and freedoms of the data subjects.
Chapter 4: Controller and Processor
Section 1: General Obligations
Article 22
Responsibility of the Controller
High Variability
*Commission version:
The controller shall adopt policies and implement appropriate measures to ensure, and be able to demonstrate, that the processing of personal data is performed in compliance with this Regulation.
The measures provided for in the above paragraph shall include:
- keeping documentation pursuant to article 28
- implementing data security requirements pursuant to article 30
- performing a data protection impact assessment pursuant to article 33
- complying with the requirements for prior authorisation or prior consultation of the supervisory authority pursuant to Article 34
- designating a data protection officer pursuant to Article 35
The controller shall implement mechanisms to ensure the verification of the effectiveness of the measures referred to in the above paragraphs, carried out as appropriate by internal or external auditors.
The Commission shall be empowered to enact any delegated acts in order to further specify the above requirements.
*Parliament version:
The controller shall adopt appropriate policies and measures to ensure and be able to demonstrate in a transparent manner that the processing of personal data is performed in compliance with this regulation. The controller must take into account the full context and scope of processing both at the time of the determination of the means for processing and at the time of the processing itself.
The controller must implement compliance policies which shall be reviewed at least every two years and updated where necessary.
The controller shall be able to demonstrate the adequacy and effectiveness of the measures described above. Any regular general reports of the activities of the controller, such as the obligatory reports by publicly traded companies, shall contain a summary description of the policies and measures referred to.
The controller shall have the right to transmit personal data inside the Union within its own group of undertakings should the processing be necessary for legitimate internal administrative purposes, given the adequate protections are in place.
*Council version:
Taking into account the scope and context of the processing, the controller shall adopt policies and implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation.
Adherence to approved codes of conduct pursuant to Article 38 or an approved certification mechanism pursuant to Article 39 may be used as an element to demonstrate compliance with the obligations of the controller.
Article 23
Data Protection by Design and by Default
Low Variability
Having regard to the state of the art and the cost of implementation, the controller shall, both at the time of the determination of the purposes and means for processing and at the time of the processing itself, adopt appropriate technical and organisational solutions in such a way that the processing of data will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
*The Council text adds the suggestions of data minimization and pseudonymisation
*The Parliament text adds the necessity to take into account the full lifecycle of the data, the principles laid out in article 5, and the need for actions to be taken as a result of findings from the data protection impact assessment. It also adds the need for privacy by design to be taken into account in relation to public works.
The controller shall ensure that by default, only personal data necessary for specified purposes are processed, and the data is only held for the minimum amount of time necessary. In particular, no personal data shall by default be accessible by an indefinite number of individuals.
*The Parliament text adds that data subjects should be able to control the distribution of their data.
*The Council text adds limitations on accessibility, as well as including that data should not be accessible by an indefinite number of individuals without human intervention.
The Commission shall be empowered to adopt delegated acts and technical standards for specifying criteria on the protection of data by default.
*The Parliament and Council texts remove this power.
Article 24
Joint Controllers
Medium Variability
Where multiple controllers jointly determine the processing of personal data, they shall determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the procedures for exercising the rights of the data subject, by means of an arrangement between them.
*The Parliament text adds that the arrangement shall reflect the joint controllers' respective effective roles and relationships to the data subjects, and that the arrangement shall be made available for the data subject. In case of unclarity of the responsibility, the controllers shall be jointly and severally liable.
*The Council text adds that the arrangement shall designate a single point of contact for data subjects to exercise their rights, and that data subjects may exercise their rights against any of the controllers except when the data subject has been informed in a transparent and unequivocal manner which of the joint controllers is responsible.
Article 25
Representatives of Controllers Not Established in the Union
Medium Variability
Where a controller outside of the Union processes the personal data of EU citizens, thus being included under article 3(2), the controller shall designate a representative within the Union.
This obligation shall not apply to:
- controllers in a third country in which the Commission has decided that an adequate level of protection exists
- *The Council text removes this statement
- controllers employing fewer than 250 people
- *The Parliament text changes the size requirement to controllers processing the personal data of fewer than 5000 data subjects in any 12-month period, not processing special categories of data, location data, or data on children or employees in large-scale filing systems
- *The Council text changes the size requirement to controllers with processing that is occasional and unlikely to result in a risk to the rights and freedoms of individuals
- a public authority
- controllers only occasionally offering goods and services to EU data subjects
The representative shall be established in one of the member states in which the relevant data subjects reside.
*The Council adds that the representative shall be mandated by the controller to be addressed in addition to or instead of the controller on all issues related to the processing of personal data.
The designation of a representative by the controller shall be without prejudice to legal actions which could be initiated against the controller itself.
Article 26
Processor
Medium Variability
In choosing a processor, the controller shall select a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
*The Council text adds that a processor shall not enlist another processor without the consent of the controller.
The carrying out of processing by a processor shall be governed by a contract binding the processor to the controller and stipulating in particular that the processor shall:
- process personal data only on instructions from the controller, unless otherwise required by Union law or Member State law
- *The Council text adds that the processor must inform the controller if it is required to process personal data by law
- employ only staff who have committed themselves to confidentiality or are under a statutory obligation of confidentiality
- *The Council text removes this requirement
- take all required measures pursuant to Article 30 on security
- enlist another processor only with the prior permission of the controller
- where appropriate, assist the controller in complying with the obligations with regard to the exercise of the data subject rights
- assist the controller in ensuring compliance with the obligations pursuant to Articles 30-34
- hand over all results to the controller after the end of the processing and not process the personal data otherwise
- *The Parliament and Council texts add that data should be deleted unless required to be held by law
- make available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article
- *The Parliament text adds the allowance for on-site inspections
- *The Council text adds that processors must allow for and contribute to audits conducted by the controller, as well as instructing the controller if any instructions breach this regulation
*The Council text also adds that where another processor is brought on by the original processor, the second processor shall be under the same type of contract that binds the original processor to the controller. The Commission may lay down standard contractual clauses to be adopted by the supervisory authority in order to facilitate these contracts.
The controller’s instructions and the processor’s obligations shall be set out in writing.
If a processor processes personal data in a manner other than abiding by the instructions of the controller, that processor shall thereafter be considered a controller under this regulation.
*The Council text removes this consequence.
The Commission shall be empowered to adopt delegated acts in relation to the duties and obligations of the processor.
*The Parliament and Council texts remove this power.
Article 27
Processing Under the Authority of the Controller and Processor
Low Variability
The processor and any person acting under the authority of the controller or of the processor who has access to personal data shall not process them except on instructions from the controller, unless required to do so by Union or Member State law.
*The Council text has removed this article.
Article 28
Documentation
High Variability
Each controller and processor shall maintain regularly updated documentation of all processing operations under its responsibility.
The documentation shall contain at least the following information:
- the name and contact details of the controller, or any joint controller or processor, and of the representative, if any
- the name and contact details of the data protection officer, if any
- *The Council text removes this requirement
- the purposes of the processing, including the legitimate interests pursued by the controller
- *The Parliament text removes this requirement
- a description of categories of data subjects and of the categories of personal data relating to them
- *The Parliament text removes this requirement
- the recipients or categories of recipients to whom the personal data have been disclosed
- where applicable, the categories of transfers of personal data to a third country, including the identification of that third country
- *The Parliament text removes this requirement
- a general indication of the time limits for erasure of the different categories of data
- *The Parliament text removes this requirement
- the description of the mechanisms referring to the responsibility and security of the controller
- *The Parliament text removes this requirement
*The Council text adds that each processor shall maintain a record of all categories of personal data processing activities carried out on behalf of a controller, containing:
- the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and of the controller's representative, if any
- the name and contact details of the data protection officer, if any
- the categories of processing carried out on behalf of each controller
- where applicable, the categories of transfers of personal data to a third country
- where possible, a general description of the technical and organisational security measures referred to in Article 30
The controller and the processor shall make the documentation available, on request, to the supervisory authority.
*The Parliament text removes this requirement
The obligations referred to in paragraphs 1 and 2 shall not apply to the following controllers and processors:
*The Parliament text removes this section.
- a natural person processing personal data without a commercial interest
- *The Council text removes this exemption
- an enterprise or an organisation employing fewer than 250 persons that is processing personal data only as an activity ancillary to its main activities.
The Commission shall be empowered to adopt delegated acts and standard forms with respect to the criteria for documentation.
*The Parliament and Council texts remove this power.
Article 29
Co-operation with the Supervisory Authority
Medium Variability
*The Council removes this article entirely.
The controller and the processor and, if any, the representative of the controller, shall co-operate with the supervisory authority in the performance of its duties.
In response to the supervisory authority's exercise of its powers, the controller and the processor shall reply to the supervisory authority within a reasonable period to be specified by the supervisory authority. The reply shall include a description of the measures taken and the results achieved.
Section 2: Data Security
Article 30
Security of Processing
High Variability
Descriptions of data security:
*Commission text:
- The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation.
- The controller and the processor shall, following an evaluation of the risks, take the measures referred to above to protect personal data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorised disclosure, dissemination or access, or alteration of personal data.
*Parliament text:
- The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing, taking into account the results of a data protection impact assessment pursuant to Article 33, having regard to the state of the art and the costs of their implementation.
- Such a security policy shall include:
- the ability to ensure that the integrity of the personal data is validated
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data
- the ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident that impacts the availability, integrity and confidentiality of information systems and services
- in the case of sensitive personal data processing according to Articles 8 and 9, additional security measures to ensure situational awareness of risks and the ability to take preventive, corrective and mitigating action in near real time against vulnerabilities or incidents detected that could pose a risk to the data
- a process for regularly testing, assessing and evaluating the effectiveness of security policies
- These measures shall at least:
- ensure that personal data can be accessed only by authorised personnel for legally authorised purposes
- protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure
- ensure the implementation of a security policy with respect to the processing of personal data
*Council text:
- Having regard to available technology, costs of implementation, the nature, scope, context and purposes of the processing, as well as the likelihood and severity of the risk for the rights and freedoms of individuals, the controller and the processor shall implement appropriate technical and organisational measures, such as pseudonymisation of personal data, to ensure an appropriate level of security.
- In assessing the appropriate level of security, account shall be taken in particular of the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
- The controller and processor shall take steps to ensure that any person acting under the authority of the controller or the processor who has access to personal data shall not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.
The Commission is empowered to further specify and implement guidelines for adherence to the above security requirements.
*The Parliament text gives this power to the Data Protection Board, while the Council removes it entirely.
Article 31
Notification of a Personal Data Breach to the Supervisory Authority
Medium Variability
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority.
*The Parliament text does not impose a time limit and simply leaves it at “without undue delay”.
*The Council text increases the time limit to 72 hours, and only imposes the need for notifications regarding breaches that are likely to result in a high risk for the rights and freedoms of individuals. It specifically does not require notification for data that is encrypted or otherwise protected.
The processor shall alert and inform the controller without undue delay after having become aware of a personal data breach.
The notification must at least:
- describe the nature of the personal data breach including the categories and number of data subjects (and records) concerned
- communicate the identity and contact details of the data protection officer or other contact point where more information can be obtained
- recommend measures to mitigate the possible adverse effects of the personal data breach
- *Council text removes this requirement
- describe the consequences of the personal data breach
- describe the measures proposed or taken by the controller to address the personal data breach and mitigate its effects
The controller shall record any personal data breach including the facts surrounding the breach, its effects and the remedial action taken.
The Commission shall be empowered to adopt delegated acts and standard forms for notification.
*The Parliament text gives this power to the Data Protection Board, while the Council removes it.
Article 32
Communication of a Personal Data Breach to the Data Subject
Low Variability
When the personal data breach is likely to adversely affect the privacy of the data subject, the controller shall communicate the personal data breach to the data subject without undue delay.
The communication to the data subject shall describe the nature of the personal data breach and contain at least the contact details of the DPO, recommended steps to mitigate damage, and the consequences of the breach.
The communication of a personal data breach shall not be required if the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, such as encryption.
*The Council text adds exceptions for the ability to make a public statement should individual notification require disproportionate effort, as well as exceptions for public interest.
The Commission shall be empowered to adopt delegated acts and standard forms for notification.
*The Parliament text gives this power to the Data Protection Board, while the Council removes it.
Article 32a
Respect to Risk
Parliament Only
The controller, or where applicable the processor, shall carry out a Data Protection Impact Assessment (DPIA) of the intended data processing on the rights and freedoms of the data subjects.
The assessment shall consider whether its processing operations are likely to present specific risks, such as:
- processing of personal data relating to more than 5000 data subjects during any consecutive 12 month period
- processing of special categories of personal data as referred to in Article 9, location data or data on children or employees in large scale filing systems
- profiling on which measures are based that produce legal effects concerning the individual
- processing of personal data for the provision of health care, where the data are processed for taking decisions regarding specific individuals on a large scale
- automated monitoring of publicly accessible areas on a large scale
- other processing operations for which the consultation of the data protection officer or supervisory authority is required
- where a personal data breach would likely adversely affect the protection of the personal data
- the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects
- where personal data are made accessible to a number of persons which cannot reasonably be expected to be limited
According to the results of the DPIA, the controller or processor should appoint a representative in the EU, appoint a Data Protection Officer, or consult the DPO or supervisory authority. The risk analysis shall be reviewed at the latest after one year, or immediately, if the nature, the scope or the purposes of the data processing operations change significantly.
Section 3: Data Protection Impact Assessment
Article 33
Data Protection Impact Assessment (DPIA)
High Variability
Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
*The Council text adds that the DPIA must be done prior to the processing.
A data protection impact assessment shall in particular be required in the following cases:
*The Parliament text removes this section.
- a systematic and extensive use of profiling resulting in measures that significantly affect the data subject
- processing of special categories of personal data, where the data are processed for taking measures or decisions regarding specific individuals on a large scale
- monitoring publicly accessible areas, especially on a large scale
- *The Commission adds processing that requires consultation of the supervisory authority, or any personal data in large scale filing systems on children, genetic or biometric data
*The Council adds that the supervisory authority shall keep a public list of the kind of processing operations that do and do not require a DPIA.
The assessment shall contain at least a general description of the envisaged processing operations, an assessment of the risks to the rights and freedoms of data subjects, the measures envisaged to address the risks, and security measures to ensure the protection of personal data, taking into account the rights and legitimate interests of data subjects.
*The Parliament text bolsters the requirements by saying that the entire lifecycle of the data must be accounted for, including (in addition to the above requirements):
- an assessment of the necessity of processing as it relates to the purposes
- an assessment of the risks to the rights and freedoms of data subjects
- an explanation of which data protection by design practices have been implemented
- a list of the recipients or categories of recipients of the personal data
- where applicable, a list of the intended transfers of data to a third country
- an assessment of the context of the data processing
*The Parliament also adds the requirement for the DPIA to be documented and provide a schedule for compliance reviews, as well as keeping the document updated.
The controller shall seek the views of data subjects on the intended processing.
*The Parliament text removes this requirement.
Where the controller is a public authority or body and where the processing results from a legal obligation, the DPIA will not be necessary.
*The Parliament text removes this exemption.
The Commission shall be empowered to adopt delegated acts and standard forms for the criteria and specifics of DPIAs.
*The Parliament and Council texts remove this power.
Article 33a
Data Protection Compliance Review
Parliament Only
Within two years of completing a DPIA, the controller shall carry out a compliance review in order to demonstrate that the processing of personal data is performed in compliance with the DPIA.
The compliance review shall be carried out periodically at least once every two years, or immediately when there is a change in the specific risks presented by the processing operations.
Where the compliance review results show compliance inconsistencies, the review shall include recommendations on how to achieve full compliance.
Recommendations shall be documented and made available, on request, to the supervisory authority.
If the controller or the processor has designated a data protection officer, he or she shall be involved in the compliance review proceeding.
Article 34
Prior Authorisation and Prior Consultation
Medium Variability
The controller shall obtain an authorisation from the supervisory authority prior to the processing of personal data in order to ensure the compliance of the processing with this Regulation.
*The Parliament and Council texts remove this requirement.
The controller shall consult the supervisory authority prior to the processing of personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where:
*The Parliament text also allows for a controller to just consult the DPO.
- The DPIA indicates that processing presents a high degree of risk.
- *The Commission and Parliament texts also allow for mandatory consultation should the supervisory authority deem that the processing presents a high degree of risk.
Where the competent supervisory authority determines, in accordance with its power, that the intended processing does not comply with this Regulation, it shall prohibit the intended processing and make appropriate proposals to remedy such non-compliance.
*The Council text imposes a maximum of 6 weeks beyond initial consultation to act against the processing, with an additional 6 weeks should the processing be particularly complex.
The supervisory authority shall make a public list of processing operations which are subject to prior consultation.
*The Parliament text requires the Data Protection Board to create the above list, while the Council text removes the list entirely.
*The Commission text adds that where processing occurs in multiple member states, the consistency mechanism shall be invoked.
The controller shall provide, upon request, the DPIA while undergoing consultation with the supervisory authority prior to processing.
*The Council also requires the controller to provide the contact details of the DPO, purposes and means of processing, safeguards protecting the data, and the respective responsibilities of the controller or joint controllers.
Member states shall consult the supervisory authority during the preparation of any legislative measures which provide for the processing of personal data.
The Commission shall be empowered to adopt delegated acts and standard forms for the criteria and specifics of prior consultation.
*The Parliament and Council texts remove this power.
Section 4: Data Protection Officer
Article 35
Designation of the Data Protection Officer (DPO)
High Variability
The controller and processor shall designate a Data Protection Officer in any case where:
- processing is carried out by a public authority
- the processing is carried out by an enterprise employing 250 people or more
- *The Parliament text changes this metric to those processing the personal data of over 5000 individuals in any 12 month period
- the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects
- *The Parliament text adds any enterprise whose core activities relate to the processing of special categories of personal data
*The Council text only requires a DPO to be designated if required by Union or member state law.
A group of undertakings may appoint a single data protection officer.
Where the controller is a public authority, the data protection officer may be designated for several of its entities, taking account of the organisational structure.
The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil its tasks.
The controller shall ensure that any other professional duties of the data protection officer are compatible with the person's duties as a DPO and do not result in a conflict of interests.
The DPO shall be appointed for a term of at least 2 years; he or she may be reappointed for further terms, and may only be dismissed if he or she no longer fulfils the conditions required for the performance of their duties.
The data protection officer may be employed by the controller or processor, or fulfil his or her tasks on the basis of a service contract.
The controller shall communicate the name and contact details of the DPO to the supervisory authority and to the public.
Data subjects shall have the right to contact the data protection officer on all issues related to the processing of the data subject’s data and to request exercising the rights under this Regulation.
The Commission shall be empowered to adopt delegated acts concerning DPOs.
*The Parliament and Council texts remove this power.
Article 36
Position of the Data Protection Officer
Medium Variability
The controller shall ensure that the data protection officer is properly and in a timely manner involved in all issues which relate to the protection of personal data.
The controller shall ensure that the data protection officer performs duties independently and does not receive any instructions as regards the exercise of the function; he or she shall directly report to the management of the controller or processor.
The controller or processor shall support the data protection officer in performing the tasks and shall provide staff, premises, equipment and any other resources necessary to carry out the duties referred to in Article 37.
*The Parliament text includes the need for a controller to support the DPO in maintaining his or her professional knowledge.
*The Parliament and the Council provide that the DPO shall report directly to the executive, or highest level of management, respectively.
*The Parliament text also includes that data protection officers shall be bound by secrecy concerning the identity of data subjects, unless they are released from that obligation by the data subject.
Article 37
Tasks of the Data Protection Officer
Low Variability
The Data Protection Officer shall have at least the following tasks:
- to inform and advise the controller or processor of their obligations pursuant to this regulation
- *The Council text adds the employees of the enterprise as well as the need to inform and advise on other data protection laws of member states or the EU
- to monitor the implementation of data protection policies and compliance with this Regulation
- to ensure and monitor all documentation is compliant as required under this regulation
- to monitor the performance of the data protection impact assessment and the application for prior authorisation or prior consultation, if required
- to assist interactions with the supervisory authority and to cooperate with the supervisory authority, where necessary
- to act as the contact point for the supervisory authority on issues related to the processing and consult with the supervisory authority, if appropriate, on his/her own initiative
- *The Parliament adds the requirement for the DPO to inform the employee representatives on data processing of the employees
The Commission shall be empowered to adopt delegated acts concerning the tasks of a DPO.
*The Parliament and Council texts remove this power.
Section 5: Codes of Conduct and Certification
Article 38
Codes of Conduct
Low Variability
The Member States, the supervisory authorities and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various data processing sectors, in particular in relation to:
*The Council text adds the Data Protection Board to those doing the encouraging, and also makes note of the need to take into account the specific needs of smaller enterprises.
- fair and transparent data processing
- the collection of data
- the information of the public and of data subjects
- requests of data subjects in exercise of their rights
- information and protection of children
- transfer of data to third countries or international organisations
- mechanisms for monitoring and ensuring compliance with the code
- out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with respect to the processing of personal data
- *The Parliament text adds the respect for consumer rights
- *The Council text adds the legitimate interests pursued by controllers in specific context, the pseudonymisation of personal data, measures to ensure security of processing, and the notification of personal data breaches
Associations and other bodies representing categories of controllers in one Member State which intend to draw up codes of conduct may submit them to an opinion of the supervisory authority in that Member State. The supervisory authority will then give an opinion after consulting data subjects or their representatives for their views.
Associations and other bodies representing categories of controllers in several Member States may submit draft codes of conduct and amendments to the Commission.
*The Council text requires codes of conduct affecting multiple member states to first be given to the Data Protection Board, who will then submit it to the Commission.
The Commission may adopt implementing acts for deciding that the codes submitted to it have general validity within the Union.
*The Parliament text adds the necessity for the Commission to get the opinion of the Data Protection Board.
The Commission shall ensure appropriate publicity for the approved codes.
Article 38a
Monitoring of Approved Codes of Conduct
Council Only
Without prejudice to the tasks and powers of the competent supervisory authority, the monitoring of compliance with a code of conduct may be carried out by a body which has an appropriate level of expertise in relation to the subject matter and is accredited for this purpose by the competent supervisory authority.
A body may be accredited for this purpose if:
- it has demonstrated its independence and expertise in relation to the subject-matter of the code to the satisfaction of the competent supervisory authority
- it has established procedures which allow it to assess the eligibility of controllers concerned to apply the code, to monitor their compliance with its provisions, and to periodically review its operation
- it has established procedures to deal with complaints about infringements of the code or the manner in which the code has been implemented by a controller, and to make these procedures transparent to data subjects and the public.
- its tasks and duties do not result in a conflict of interests
The competent supervisory authority shall submit the draft criteria for accreditation of a body to the Data Protection Board.
Without prejudice to the provisions of Chapter VIII, a body may take appropriate action in cases of infringement of the code, including suspension or exclusion of the controller or processor concerned. It shall inform the competent supervisory authority of such actions and its reasons.
The competent supervisory authority shall revoke the accreditation if conditions are no longer met, or actions are taken which are not in compliance with this regulation.
This article shall not apply to the processing of personal data carried out by public authorities and bodies.
Article 39
Certification
High Variability
The Member States and the Commission shall encourage, in particular at European level, the establishment of certification mechanisms and of data protection seals and marks, allowing data subjects to quickly assess the level of data protection provided by controllers and processors. The data protection certification mechanisms shall contribute to the proper application of this Regulation, taking account of the specific features of the various sectors and different processing operations.
*The Council text allows bodies not under the scope of this regulation to also be certified, pursuant to other laws concerning transfer of personal data to third countries. It also sets the maximum length of a certification to three years before it must be renewed.
*The Parliament text replaces the Commission’s general outline with more specific guidelines, stating that a controller or processor may request a supervisory authority to certify that the processing of personal data is performed in compliance with this Regulation. It adds:
- the certification shall be voluntary, affordable, and available via a process that is transparent
- the supervisory authorities and the European Data Protection Board shall cooperate in order to guarantee a harmonised data protection certification across the Union
- the supervisory authorities may accredit specialised third party auditors to carry out the auditing on their behalf
- supervisory authorities shall grant controllers and processors who have been certified the standardised data protection mark named "European Data Protection Seal"
- the seal shall be valid for as long as the data processing continues to comply with the regulation, up to a maximum of five years
- the Data Protection Board shall establish a public electronic register in which all valid and invalid certificates which have been issued in the Member States can be viewed
- the Data Protection Board may also, on its own initiative, certify that a data-protection enhancing technical standard is compliant with this Regulation
The Commission shall be empowered to adopt delegated acts and standard forms for the criteria and specifics concerning certification.
*The Parliament gives this power to the Data Protection Board while the Council provides for the certification body in the following article.
Article 39a
Certification Body and Procedure
Council Only
Certifications shall be issued and renewed by a certification body which has an appropriate level of expertise in relation to data protection. Each Member State shall provide whether these certification bodies are accredited by:
- the supervisory authority which is competent
- the National Accreditation Body named in accordance with Regulation (EC) 765/2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products in compliance with EN-ISO/IEC 17065/2012 and with the additional requirements established by the competent supervisory authority
The certification body may be accredited for this purpose only if:
- it has demonstrated its independence and expertise in relation to the subject-matter of the certification
- it has undertaken to respect the criteria referred to in paragraph 2a of Article 39 and approved by the competent supervisory authority or the Data Protection Board
- it has established procedures for the issue, periodic review and withdrawal of data protection seals and marks
- it has established procedures to deal with complaints about infringements of the certification and has made these procedures transparent to data subjects
- its tasks and duties do not result in a conflict of interests
The accreditation of the certification bodies shall take place on the basis of criteria approved by the competent supervisory authority or Data Protection Board, as appropriate.
The certification body’s accreditation is issued for a maximum period of five years and can be renewed in the same conditions as long as the body meets the requirements.
The certification body shall provide the competent supervisory authority with the reasons for granting or withdrawing any requested certification.
The requirements and criteria surrounding certifications and accreditation shall be made public by the supervisory authority in an easily accessible form and transmitted to the Data Protection Board.
The competent supervisory authority or the National Accreditation Body shall revoke the accreditation if the conditions are not, or no longer, met or actions taken by the body are not in compliance with this Regulation.
The Commission shall be empowered to adopt delegated acts and technical standards concerning certification and accreditation with the opinion of the Data Protection Board.
Chapter 5: Transfer of Personal Data to Third Countries or International Organisations
Article 40
General Principle for Transfers
Medium Variability
Any transfer of personal data to a third country or to an international organisation may only take place if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller or processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation.
Article 41
Transfers with an Adequacy Decision
Low Variability
A transfer may take place where the Commission has decided that the third country, or a territory or a processing sector within that third country, ensures an adequate level of protection. Such transfer shall not require any further authorisation.
When assessing the adequacy of the level of protection, the Commission shall give consideration to the following elements:
- the rule of law, relevant legislation in force (including concerning public security, defence, national security and criminal law), the professional rules and security measures which are complied with in that country or by that international organisation, as well as effective rights and judicial redress for data subjects
- *The Council text includes the respect for human rights and fundamental freedoms, as well as rules in the third country concerning onward transfers
- the existence and effective functioning of an independent supervisory authority in the third country responsible for ensuring compliance with the data protection rules, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities within the Union
- international commitments the third country or international organisation in question has entered into
The Commission may decide that a third country, or a territory or a processing sector within that third country, or an international organisation ensures an adequate level of protection.
*The Parliament text requires this decision to be made via delegated acts with sunset clauses and the ability of revocation should the level of protection cease to be adequate.
*The Council text requires the opinion of the Data Protection Board to be taken prior to a decision.
The implementing act shall specify its geographical and sectoral application, and, where applicable, identify the supervisory authority.
*Both the Parliament and Council texts require the Commission to monitor the countries concerned in its decisions in order to ensure they remain compliant.
The Commission may also decide that a third country or international organisation does not, or no longer, ensure(s) an adequate level of protection.
Where the Commission decides a country or organisation does not provide adequate safety, any transfer of personal data to the third country or international organisation in question shall be prohibited, without prejudice to Articles 42 to 44. At the appropriate time, the Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation.
*The Parliament text requires the Commission to get the opinion of the Data Protection Board prior to a decision for or against adequate safety protections.
The Commission shall publish in the Official Journal of the European Union a list of those third countries, territories and processing sectors within a third country and international organisations where it has decided that an adequate level of protection is or is not ensured.
Article 42
Transfers by way of Appropriate Safeguards
Medium Variability
Where the Commission has taken no decision, a controller may transfer personal data to a third country or an international organisation only if it has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument.
The appropriate safeguards shall be provided for by:
- binding corporate rules in accordance with Article 43
- standard data protection clauses adopted by the Commission
- *The Parliament text removes this line
- standard data protection clauses adopted by a supervisory authority and adopted by the Commission
- contractual clauses between the controller and the recipient of the data authorised by a supervisory authority
- *The Parliament text also allows for transfers when all parties have a valid European Data Protection Seal
- *The Council text also allows for transfers through a legally binding instrument between public authorities, and an approved code of conduct or certification mechanism, pursuant to Articles 38 and 39, together with binding commitments of the controller in the third country
A transfer based on standard data protection clauses or binding corporate rules (*or a European Data Protection Seal) shall not require any further authorisation.
*The Council text removes this sentence.
Where a transfer is based on contractual clauses the controller shall obtain prior authorisation from the supervisory authority. If the transfer is related to processing activities which concern data subjects in other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism.
Authorisations by a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid, until amended, replaced or repealed by that supervisory authority.
*The Parliament text says they are valid until two years after the entry into force of this Regulation.
Article 43
Transfers by way of Binding Corporate Rules
Low Variability
A supervisory authority shall, in accordance with the consistency mechanism, approve binding corporate rules (BCRs), provided that they:
- are legally binding and apply to every member within the controller’s group of undertakings, and include their employees
- *The Parliament text adds external subcontractors under the scope of the BCRs
- expressly confer enforceable rights on data subjects
- fulfil the requirements laid down in the following paragraph
The binding corporate rules shall at least specify:
- the structure and contact details of the group of undertakings and its members
- the data transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question
- their legally binding nature, both internally and externally
- the general data protection principles, in particular purpose limitation, data quality, legal basis for the processing, processing of special categories of personal data; measures to ensure data security; and the requirements for onward transfers to outside organisations
- the rights of data subjects and the means to exercise these rights, including the right not to be subject to profiling, the right to lodge a complaint to the competent supervisory authority, and to obtain redress for a breach of the binding corporate rules
- the acceptance by the controller established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member of the group of undertakings not established in the Union; the controller may only be exempted from this liability, in whole or in part, if it proves that that member is not responsible for the event giving rise to the damage
- how the information on the binding corporate rules is provided to the data subjects
- the tasks of the data protection officer designated in accordance with Article 35, including monitoring within the group of undertakings the compliance with the binding corporate rules, as well as monitoring the training and complaint handling
- the mechanisms within the group of undertakings aiming at ensuring the verification of compliance with the binding corporate rules
- the mechanisms for reporting and recording changes to the policies and reporting these changes to the supervisory authority
- the co-operation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings
- *The Council text adds the mechanisms for reporting to the supervisory authority any legal requirements to which a member of the group is subject in a third country which are likely to have an adverse effect on the guarantees provided by the BCRs, and the appropriate data protection training to personnel having regular access to personal data
The Commission shall be empowered to adopt delegated acts for specifying the format, criteria and requirements for BCRs.
*The Council adds that the Data Protection Board will advise the Commission in these duties.
Article 43a
Transfers or Disclosures not Authorised by Union Law
Parliament Only
No judgment of a court or decision of an administrative authority of a third country requiring a controller or processor to disclose personal data shall be recognised, without prejudice to a mutual legal assistance treaty or an international agreement in force between the requesting third country and the Union or Member State.
Where such a request is received, the controller shall notify the supervisory authority without undue delay and must obtain prior authorisation for the transfer or disclosure from the supervisory authority.
The supervisory authority shall assess the compliance of the requested disclosure with the Regulation, and where data subjects from other Member States are affected, the supervisory authority shall apply the consistency mechanism.
The supervisory authority shall inform the competent national authority of the request. Without prejudice to Article 21, the controller shall also inform the data subjects of the request and of the authorisation by the supervisory authority, and where applicable inform the data subject whether personal data was provided to public authorities during the last 12 month period.
Article 44
Derogations
Medium Variability
In the absence of an adequacy decision or of appropriate safeguards, a transfer of personal data to a third country or an international organisation may take place only on condition that:
- the data subject has explicitly consented to the proposed transfer, after having been informed of the risks of such transfers
- the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject
- the transfer is necessary for important grounds of public interest
- the transfer is necessary for the establishment, exercise or defence of legal claims
- the transfer is necessary in order to protect the vital interests of the data subject or of another person, where the data subject is incapable of giving consent
- the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions are fulfilled in the particular case
- the transfer is necessary for the purposes of the legitimate interests pursued by the controller, is not frequent or large, and where the controller has assessed all the circumstances surrounding the data transfer operation
- *The Parliament removes this sentence
A transfer from a register shall not involve the entirety of the personal data or entire categories of the personal data contained in the register.
Where the processing is based on the legitimate interests of the controller, the controller shall give particular consideration to the nature of the data, the purpose and duration of the proposed processing operations, as well as the situation in the country of origin and of final destination, and shall adduce appropriate safeguards with respect to the protection of personal data.
*The Parliament and Council texts remove this paragraph.
Exclusions apply to activities carried out by public authorities in the exercise of their public powers.
The public interest must be recognised in Union law or in the law of the Member State to which the controller is subject.
*The Council text adds that, in the absence of an adequacy decision, Union law or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of personal data to a third country.
The controller shall document the assessment and the appropriate safeguards for any transfer made on the basis of legitimate interests and shall inform the supervisory authority of them.
The Commission shall be empowered to adopt delegated acts in order to further specify important grounds of public interest.
*The Parliament text gives this power to the Data Protection Board while the Council text removes it entirely.
Article 45
International Co-operation for the Protection of Personal Data
Low Variability
In relation to third countries and international organisations, the Commission and supervisory authorities shall take appropriate steps to:
- develop effective international co-operation mechanisms to facilitate the enforcement of legislation for the protection of personal data
- provide international mutual assistance in the enforcement of legislation for the protection of personal data
- engage relevant stakeholders in discussion and activities aimed at furthering international cooperation
- promote the exchange and documentation of personal data protection legislation and practice
- *The Parliament text adds consulting on jurisdictional conflicts with third countries
The Commission shall take appropriate steps to advance the relationship with third countries or international organisations, and in particular their supervisory authorities.
*The Council text removes this paragraph.
Article 45a
Report by the Commission
Parliament Only
The Commission shall submit to the European Parliament and the Council at regular intervals, starting not later than four years after the date referred to in Article 91, a report on the application of Articles 40 to 45. For that purpose, the Commission may request information from the Member States and supervisory authorities, which shall be supplied without undue delay. The report shall be made public.
Chapter 6: Independent Supervisory Authorities
Section 1: Independent Status
Article 46
Supervisory Authority
Low Variability
Each Member State shall provide that one or more public authorities are responsible for monitoring the application of this Regulation and for contributing to its consistent application throughout the Union. The supervisory authorities shall co-operate with each other and the Commission.
In the case of multiple supervisory authorities, a Member State shall set out the mechanisms to designate the supervisory authority which shall represent those authorities in the European Data Protection Board and to ensure compliance by the other authorities with the rules relating to the consistency mechanism.
Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to this Chapter.
Article 47
Independence
Low Variability
Each supervisory authority shall act with complete independence in performing the duties and exercising the powers entrusted to it in accordance with this Regulation.
The members of the supervisory authority shall, in the performance of their duties, neither seek nor take instructions from anybody.
Members of the supervisory authority shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation.
*The Council removes this sentence.
Each Member State shall ensure that the supervisory authority is provided with the resources necessary for the effective performance of its duties and powers, including those to be carried out in the context of mutual assistance and participation in the European Data Protection Board.
Each Member State shall ensure that the supervisory authority has its own staff which shall be appointed by and be subject to the direction of the head of the supervisory authority.
Member States shall ensure that the supervisory authority is subject to financial control which shall not affect its independence. Member States shall ensure that the supervisory authority has separate annual budgets. The budgets shall be made public.
The supervisory authority shall be accountable to the national parliament for reasons of budgetary control.
Article 48
General Conditions for the Members of the Supervisory Authority
Low Variability
Member States shall provide that the members of the supervisory authority are appointed either by the parliament or the government of the Member State concerned.
*The Council text adds the Head of State or an independent body entrusted by Member State law with the appointment by means of a transparent procedure.
The members shall be chosen from persons whose independence is beyond doubt and whose experience and skills required to perform their duties notably in the area of protection of personal data are demonstrated.
The duties of a member shall end in the event of the expiry of the term of office, resignation or compulsory retirement in accordance with the law of the Member State concerned.
A member may be dismissed or deprived of the right to benefits by the competent national court, if the member no longer fulfils the conditions required for the performance of the duties or is guilty of serious misconduct.
Where the term of office expires or the member resigns, the member shall continue to exercise the duties until a new member is appointed.
Article 49
Rules on the Establishment of the Supervisory Authority
Low Variability
Each Member State shall provide by law for:
- the establishment and status of the supervisory authority
- the qualifications required to perform the duties of the members
- the rules and procedures for the appointment of the members, as well as the rules on actions or occupations incompatible with the duties of the office
- the duration of the term of the members which shall be no less than four years, except for the first appointment after entry into force of this Regulation, part of which may take the form of a staggered appointment procedure
- whether the members of the supervisory authority shall be eligible for reappointment
- the regulations and common conditions governing the duties of the members and staff
- the rules and procedures on the termination of the duties of the members
- *The Council text removes this sentence
*The Council text adds that members shall be subject, in accordance with Union and member state law, to a duty of professional secrecy regarding any confidential information.
Article 50
Professional Secrecy
Low Variability
The members and the staff of the supervisory authority shall be subject, both during and after their term of office, to a duty of professional secrecy with regard to any confidential information which has come to their knowledge in the course of the performance of their official duties.
*The Council text has moved professional secrecy to Article 49.
Section 2: Competence, Tasks, and Powers
Article 51
Competence
High Variability
Each supervisory authority shall be competent to exercise, on the territory of its own Member State, the powers conferred on it in accordance with this Regulation.
*The Parliament and Council texts add that data processing by a public authority shall be supervised only by the supervisory authority of that Member State.
Where a controller is established in multiple Member States, the supervisory authority of the main establishment of the controller shall be competent for the supervision of the processing activities in all Member States, without prejudice to the provisions of Chapter VII of this Regulation.
*The Parliament and Council texts discuss one-stop-shop in articles 54a and 51a, respectively.
The supervisory authority shall not be competent to supervise processing operations of courts acting in their judicial capacity.
Article 51a
Competence of the Lead Supervisory Authority
Council Only
Without prejudice to Article 51, the supervisory authority of the main establishment of the controller or processor shall be competent to act as lead supervisory authority.
By derogation, each supervisory authority shall be competent to deal with a complaint lodged with it or to deal with a possible infringement of this Regulation, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State.
Where a supervisory authority deals with a case in its own Member State under this derogation, it shall inform the lead supervisory authority without delay. Within three weeks of being informed, the lead supervisory authority shall decide whether or not it will deal with the case, taking into account whether or not the controller or processor has an establishment in the Member State of the supervisory authority which informed it.
Where the lead supervisory authority decides to deal with the case, the procedure provided in Article 54a shall apply. The supervisory authority which informed the lead supervisory authority may submit a draft for a decision.
In case the lead supervisory authority decides not to deal with it, the supervisory authority which informed the lead supervisory authority shall deal with the case.
The lead supervisory authority shall be the sole interlocutor of the controller or processor for their transnational processing.
Article 52
Duties
High Variability
Each supervisory authority shall:
- monitor and enforce the application of this Regulation
- *The Council text adds the need to promote public awareness and understanding, advise governmental bodies, promote the awareness of obligations to enterprises, and provide any requested information in regards to the protection of personal data.
- hear complaints lodged by any data subject or organisation, investigate, to the extent appropriate, the matter and inform the concerned parties
- share information with and provide mutual assistance to other supervisory authorities and ensure the consistency of application and enforcement of this Regulation
- conduct investigations on the application of this Regulation, including on the basis of information received from another supervisory authority or public body
- monitor relevant developments that have an impact on the protection of personal data, in particular the development of new technologies and commercial practices
- be consulted by Member State institutions and bodies on legislative and administrative measures
- authorise and be consulted on the processing operations referred to in Article 34
- issue an opinion on the draft codes of conduct pursuant to Article 38
- approve binding corporate rules pursuant to Article 43
- participate in the activities of the European Data Protection Board
- *Parliament text adds the need to certify controllers and processors pursuant to Article 39
- *The Council text adds the need to:
- adopt standard contractual clauses referred to in Article 26
- establish a list for the requirements relating to data protection impact assessments
- encourage the drawing up of codes of conduct pursuant to Article 38 and approve those which provide sufficient safeguards
- promote the establishment of data protection certification mechanisms and of data protection seals and marks, and approve the criteria of certification pursuant to Article 39
- where applicable, carry out a periodic review of certifications issued
- publish the criteria for accreditation of a body for monitoring codes of conduct and of a certification body, as well as accrediting them
- authorise contractual clauses referred to in Article 42
- fulfil any other tasks related to the protection of personal data
Each supervisory authority shall promote the awareness of the public on risks, rules, safeguards and rights in relation to the processing of personal data. Activities addressed specifically to children shall receive specific attention.
*The Parliament text adds the need for keeping a register of sanctions and breaches.
*The Council text removes this paragraph.
The supervisory authority shall, upon request, advise any data subject in exercising their rights under this Regulation and co-operate with other supervisory authorities to this end.
*The Council text removes this paragraph.
The supervisory authority shall provide a complaint submission form, which can be completed electronically, without excluding other means of communication.
The performance of the duties of the supervisory authority shall be free of charge for the data subject.
Where requests are manifestly excessive, in particular due to their repetitive character, the supervisory authority may charge a fee or not take the action requested by the data subject. The supervisory authority shall bear the burden of proving the manifestly excessive character of the request.
*The Parliament text adds that the fee shall not exceed the costs of taking the action requested.
*The Council text only allows the supervisory authority to refuse a request.
Article 53
Powers
High Variability
*The Commission and Parliament texts are fairly similar, while the Council text has many differences including in the way it is structured. For this reason, the below summary is split into two versions.
*Commission and Parliament version:
Each supervisory authority shall have the power:
- to notify the controller or the processor of an alleged breach of the provisions governing the processing of personal data, and, where appropriate, order them to remedy the breach
- to order the controller or the processor to comply with the data subject's requests to exercise their rights
- to order the controller and the processor to provide any information relevant for the performance of its duties
- to ensure the compliance with prior authorisations and prior consultations referred to in Article 34
- to warn or admonish the controller or the processor
- to order the rectification, erasure or destruction of all data when they have been processed in breach of this Regulation and the notification of such actions to third parties to whom the data have been disclosed
- to impose a temporary or definitive ban on processing
- to suspend data flows to a recipient in a third country or to an international organisation
- to issue opinions on any issue related to the protection of personal data
- *The Parliament text adds the certification of controllers pursuant to Article 39
- to inform the national parliament, the government or other political institutions as well as the public on any issue related to the protection of personal data
- *The Parliament text adds putting in place effective mechanisms to encourage confidential reporting of breaches of this Regulation, taking into account guidance issued by the European Data Protection Board pursuant to Article 66
Each supervisory authority shall have the investigative power to obtain from the controller or the processor:
- access to all personal data and to information necessary for the performance of its duties
- access to any of its premises, including to any data processing equipment and means, subject to Union and Member State law
Each supervisory authority shall have the power to bring violations of this Regulation to the attention of the judicial authorities and to engage in legal proceedings.
Each supervisory authority shall have the power to sanction administrative offences.
*Council version:
Each Member State shall provide by law that its supervisory authority shall have at least the following investigative powers:
- to order the controller to provide any information it requires for the performance of its tasks
- to carry out investigations in the form of data protection audits
- to carry out a review on certifications issued
- to notify the controller or the processor of an alleged infringement of this Regulation
- to obtain access to all personal data and information necessary for the performance of its tasks
- to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in conformity with Union law or Member State law
Each Member State shall provide by law that its supervisory authority shall have the following corrective powers:
- to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation
- to order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation
- to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period
- to impose a temporary or definitive limitation on processing
- to impose an administrative fine pursuant to Articles 79 and 79a, in addition to, or instead of measures referred to in this paragraph, depending on individual circumstances
- to order the suspension of data flows to a recipient in a third country or to an international organisation
Each Member State shall provide by law that its supervisory authority shall have the following authorisation and advisory powers:
- to advise the controller in accordance with the prior consultation procedure
- to issue opinions to the national parliament, the Member State government or other institutions and bodies, as well as to the public, on any issue related to the protection of personal data
- to authorise processing referred to in Article 34
- to issue an opinion and approve draft codes of conduct pursuant to article 38
- to accredit certification bodies under the terms of Article 39
- to issue certifications and approve criteria of certification in accordance with Article 39
- to adopt standard data protection clauses referred to in Article 42
- to authorise administrative agreements referred to in Article 42
- to approve binding corporate rules pursuant to Article 43
The exercise of the powers conferred on the supervisory authority pursuant to this Article shall be subject to appropriate safeguards, including effective judicial remedy and due process, set out in Union and Member State law in accordance with the Charter of Fundamental Rights of the EU.
Each Member State shall provide by law that its supervisory authority shall have the power to bring infringements of this Regulation to the attention of the judicial authorities and where appropriate, to commence or engage otherwise in legal proceedings in order to enforce the provisions of this Regulation.
Article 54
Activity Report
Low Variability
Each supervisory authority shall draw up an annual report on its activities. The report shall be given to the relevant national authorities and shall be made available to the public, the Commission and the European Data Protection Board.
*The Parliament text requires the report at least every two years rather than annually.
Article 54a
Lead Authority
Parliament Only
Where the processing of personal data takes place with a controller or processor established in more than one Member State, or where personal data of the residents of several Member States are processed, the supervisory authority of the main establishment shall act as the lead authority responsible for the supervision of the processing activities in all Member States.
The lead authority shall take appropriate measures for the supervision of processing activities for which it is responsible only after consulting all other competent supervisory authorities in an endeavour to reach a consensus. The lead authority shall take the utmost account of the opinions of the competent authorities involved. The lead authority shall be the sole authority empowered to decide on measures intended to produce legal effects as regards the processing activities.
The European Data Protection Board shall, at the request of a competent supervisory authority, issue an opinion on the identification of the lead authority responsible in cases where:
- it is unclear from the facts of the case where the main establishment of the controller or processor is located
- the competent authorities do not agree on which supervisory authority shall act as lead authority
- the controller is not established in the Union, and residents of different Member States are affected by processing operations
Where the controller exercises also activities as a processor, the supervisory authority of the main establishment of the controller shall act as lead authority for the supervision of processing activities.
The European Data Protection Board may decide on the identification of the lead authority.
Chapter 7: Co-operation and Consistency
Section 1: Co-operation
Article 54a
Cooperation between the Lead Supervisory Authority and other Concerned Supervisory Authorities
Council Only
The lead supervisory authority shall cooperate with the other concerned supervisory authorities in accordance with this article in an endeavour to reach consensus. The lead supervisory authority and the concerned supervisory authorities shall exchange all relevant information with each other.
The lead supervisory authority may request at any time other concerned supervisory authorities to provide mutual assistance pursuant to Article 55 and may conduct joint operations pursuant to Article 56.
The lead supervisory authority shall, without delay, communicate the relevant information on the matter and submit a draft decision to the other concerned supervisory authorities, and take due account of their views.
Where any of the other concerned supervisory authorities, within a period of four weeks, expresses a reasoned objection to the draft decision, the lead supervisory authority shall follow the objection, or else submit the matter to the consistency mechanism.
Where the lead supervisory authority intends to follow the objection made, it shall submit a revised draft decision to the other concerned supervisory authorities for their opinion within a two-week time frame.
If no objection is made within four weeks, all authorities shall be deemed to be in agreement with this draft decision and shall be bound by it.
The lead supervisory authority shall adopt and notify the decision to the controller or processor and inform the other concerned supervisory authorities and the Data Protection Board of the decision, including a summary. The supervisory authority to which a complaint has been lodged shall inform the complainant on the decision.
Where a complaint is dismissed or rejected, the supervisory authority to which the complaint was lodged shall adopt the decision and notify the complainant and shall inform the controller.
Where the lead and the concerned supervisory authorities are in agreement to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter. The lead authority shall take charge of the adopted decision while the concerned authority shall take charge of the dismissal.
After being notified of the decision, the controller or processor shall take the necessary measures to ensure compliance with the decision in the context of all its establishments in the Union. They shall notify the measures taken for complying with the decision to the lead supervisory authority, which shall inform the other concerned supervisory authorities.
Where, in exceptional circumstances, a concerned supervisory authority has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Article 61 shall apply.
The lead supervisory authority and the supervisory authorities concerned shall supply the information required under this Article to each other by electronic means, using a standardised format.
Article 55
Mutual Assistance
Low Variability
Supervisory authorities shall provide each other relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner, and shall put in place measures for effective co-operation with one another.
*The Parliament text adds that the lead authority will act as the single contact point for the controller or processor.
Each supervisory authority shall take all appropriate measures required to reply to the request of another supervisory authority without delay and no later than one month after having received the request.
The request shall contain all the necessary information, including the purpose of the request and reasons for the request. Information exchanged shall be used only in respect of the matter for which it was requested.
A supervisory authority may not refuse to comply with a request, unless:
- it is not competent for the request
- compliance with the request would be incompatible with the provisions of this Regulation or with Union or Member State law
The requested supervisory authority shall inform the requesting supervisory authority of the results, progress or measures taken in order to meet the request.
*The Council adds that a refusal must be accompanied with a reason for said refusal.
Supervisory authorities shall supply the information requested by other supervisory authorities by electronic means and within the shortest possible period of time, using a standardised format.
No fee shall be charged to the requesting supervisory authority for any action taken following a request for mutual assistance.
*The Council text adds that rules may be made amongst authorities for payments in exceptional circumstances.
Where a supervisory authority does not act on a request within one month, the requesting supervisory authority shall be competent to take a provisional or interim measure on the territory of its Member State and shall submit the matter to the European Data Protection Board in accordance with the procedure referred to in Article 57.
The supervisory authority shall specify the period of validity of such provisional measure. This period shall not exceed three months. It shall, without delay, communicate those measures, with full reasons, to the European Data Protection Board and to the Commission.
The Commission shall be empowered to adopt implementing acts in order to specify the format and procedures for mutual assistance in this article.
*The Parliament text gives this power to the Data Protection Board.
Article 56
Joint Operations of Supervisory Authorities
Low Variability
In order to step up co-operation and mutual assistance, the supervisory authorities may carry out joint investigative tasks, joint enforcement measures and other joint operations, in which designated members or staff from other Member States' supervisory authorities are involved.
In cases where data subjects in several Member States are likely to be affected by processing operations, a supervisory authority of each of those Member States shall have the right to participate in the joint operations. The lead supervisory authority shall invite those of each of the Member States to take part in the respective joint operations.
Each supervisory authority may, as a host and in compliance with its own national law, and with another supervisory authority’s authorisation, confer executive powers on the second supervisory authority’s members or staff involved in joint operations or, in so far as the host’s law permits, allow the seconding supervisory authority’s members or staff to exercise their executive powers in accordance with the seconding supervisory authority’s law. Such executive powers may be exercised only under the guidance and, as a rule, in the presence of members or staff from the host supervisory authority. The seconding supervisory authority's members or staff shall be subject to the host's national law. The host shall assume responsibility for their actions.
*The Council text adds that the host nation is liable for any damages caused by a second supervisory authority’s staff while in their country, but the second supervisory authority shall reimburse any damages paid out on their behalf.
Where a supervisory authority does not comply within one month with the obligation laid down in a joint operation, the other supervisory authorities shall be competent to take a provisional measure on the territory of their Member State in accordance with Article 51.
The supervisory authority shall specify the period of validity of a provisional measure referred to in the previous paragraph. This period shall not exceed three months. The supervisory authority shall, without delay, communicate those measures, with full reasons, to the Data Protection Board and to the Commission and shall submit the matter to the consistency mechanism.
Section 2: Consistency
Article 57
Consistency Mechanism
High Variability
In order to contribute to the consistent application of this Regulation, the supervisory authorities shall co-operate with each other through the consistency mechanism as set out in this section.
*Council Only:
- The European Data Protection Board shall issue an opinion whenever a competent supervisory authority intends to adopt any of the measures below. To that end, the authority shall communicate its draft decision to the Board, when it:
- aims at adopting a list of the processing operations subject to the requirement for a data protection impact assessment
- concerns a matter whether a draft code of conduct or an amendment is in compliance with this Regulation
- aims at approving the criteria for accreditation of a body or a certification body
- aims at determining standard data protection clauses
- aims at authorising contractual clauses
- aims at approving binding corporate rules
The European Data Protection Board shall adopt a binding decision in the following cases:
- Where a concerned supervisory authority has expressed a reasoned objection to a draft decision of the lead authority or the lead authority has rejected an objection
- Where there are conflicting views on which of the concerned supervisory authorities is competent for the main establishment
- Where a competent supervisory authority does not request the opinion of the Data Protection Board or does not follow its opinion. In that case, any concerned supervisory authority or the Commission may communicate the matter to the Board.
Any supervisory authority, the Chair of the European Data Protection Board or the Commission may request that any matter of general application or producing effects in more than one Member State be examined by the European Data Protection Board with a view to obtaining an opinion.
Supervisory authorities and the Commission shall electronically communicate to the European Data Protection Board, using a standardised format, any relevant information, including as the case may be a summary of the facts, the draft decision, the grounds which make the enactment of such measure necessary, and the views of other concerned supervisory authorities.
The chair of the European Data Protection Board shall without undue delay electronically inform the members of the European Data Protection Board and the Commission of any relevant information which has been communicated to it using a standardised format.
Article 58
Opinion by the European Data Protection Board
High Variability
The European Data Protection Board may issue an opinion whenever a competent supervisory authority intends to adopt any of the measures below. To that end, the competent supervisory authority shall communicate the draft decision to the European Data Protection Board, when the measure:
- relates to processing activities which are related to the offering of goods or services, or the monitoring of data subjects in several Member States
- may substantially affect the free movement of personal data within the Union
- aims at adopting a list of the processing operations subject to prior consultation
- *The above three instances are only in the Commission text
- aims to determine standard data protection clauses referred
- aims to authorise contractual clauses
- aims to approve binding corporate rules
Any supervisory authority or the European Data Protection Board may request that any matter of general application shall be dealt with in the consistency mechanism.
In order to ensure correct and consistent application of this Regulation, the Commission may request that any matter shall be dealt with in the consistency mechanism.
Supervisory authorities and the Commission shall electronically communicate any relevant information using a standardised format.
The chair of the European Data Protection Board shall immediately electronically inform the members of the European Data Protection Board and the Commission of any relevant information which has been communicated to it, using a standardised format.
*The Parliament text adds that the Data Protection Board shall issue an opinion on matters sent to it.
*The Council text removes all of the above information and relays it in article 57.
In the cases referred to, the Board shall issue an opinion to be adopted within one month by simple majority of the members of the Board.
*The Council text adds that this period may be extended by a further month, taking into account the complexity of the subject matter.
The supervisory authority shall take the utmost account of the opinion of the Board and shall within two weeks after receiving the opinion communicate to the Board whether it maintains or will amend its draft decision and, if any, the amended draft decision.
Article 58a
Consistency in Individual Cases
Parliament Only
Before taking a measure intended to produce legal effects, the lead authority shall share all relevant information and submit the draft measure to all other competent authorities. The lead authority shall not adopt the measure if a competent authority has, within three weeks, objected.
Where a competent authority has objected, or the lead authority has not communicated a draft measure or has otherwise failed to comply with the obligations for mutual assistance, the issue shall be considered by the Data Protection Board.
The lead authority and/or other competent authorities involved and the Commission shall without undue delay electronically communicate to the European Data Protection Board, using a standardised format, any relevant information.
The Board shall consider the issue and decide, by simple majority, whether or not to issue an opinion on the matter within two weeks after the relevant information has been provided.
In case the European Data Protection Board decides to issue an opinion, it shall do so within six weeks and make the opinion public.
The lead authority shall take utmost account of the opinion of the Board and, within two weeks, electronically communicate to the chair of the Board and to the Commission whether it maintains or amends its draft measure, with a reasoned justification.
In case the European Data Protection Board still objects to the measure of the supervisory authority, it may within one month adopt, by a two thirds majority, a binding measure.
Article 58a
Dispute Resolution by the European Data Protection Board
Council Only
Where a binding decision is made by the Data Protection Board, the decision shall be adopted, within one month of the referral, by a two-thirds majority of the members of the Board. This period may be extended by a further month on account of the complexity of the subject-matter.
Should the above time frame be missed, the board will have another two weeks to decide by simple majority. In case the members of the Board are split, the decision shall be adopted by the vote of its Chair.
The concerned supervisory authorities shall not adopt a decision on the subject matter submitted to the Board until these timeframes are over.
The Chair of the Board shall notify, without undue delay, the decision to the concerned supervisory authorities and the Commission. The decision shall be published on the website.
The supervisory authority shall adopt its final decision on the basis of the board decision, without undue delay and at the latest within one month after the Board has notified it. The final decision shall refer to the published decision of the Board.
Article 59
Opinion by the Commission
Commission Only
Within ten weeks after a matter has been raised under Article 58, or at the latest within six weeks in the case of Article 61, the Commission may adopt its own opinion on the matter.
Where the Commission has adopted an opinion, the supervisory authority concerned shall take utmost account of it.
During the period of a possible Commission opinion, the draft measure shall not be adopted by the supervisory authority.
Where the supervisory authority concerned intends not to follow the opinion of the Commission, it shall inform the Commission and the Data Protection Board and provide a justification. In this case the draft measure shall not be adopted for one further month.
Article 60
Suspension of a Draft Measure
Commission Only
Within one month after the communication of a supervisory authority not following a Commission opinion, the Commission may adopt a reasoned decision requiring the supervisory authority to suspend the adoption of the draft measure, taking into account the opinion issued by the European Data Protection Board, where it appears necessary in order to:
- reconcile the diverging positions of the supervisory authority and the European Data Protection Board
- adopt a measure pursuant to Article 62
The Commission shall specify the duration of the suspension which shall not exceed 12 months.
During this period, the supervisory authority may not adopt the draft measure.
Article 60a
Notification of the European Parliament and the Council
Parliament Only
The Commission shall notify the European Parliament and the Council at regular intervals, at least every six months, on the basis of a report from the Chair of the European Data Protection Board, of the matters dealt with under the consistency mechanism, setting out the conclusions drawn by the Commission and the Board with a view to ensuring the consistent application of this Regulation.
Article 61
Urgency Procedure
Low Variability
In exceptional circumstances, where a supervisory authority considers that there is an urgent need to act in order to protect the interests of data subjects, it may immediately adopt provisional measures with a specified period of validity. The authority shall, without delay, communicate those measures, with full reasons, to the Data Protection Board and to the Commission.
*The Council text adds that measures should only affect its own member state.
Where said supervisory authority has taken a measure described above and considers that final measures need to be urgently adopted, it may request an urgent opinion of the Data Protection Board, giving reasons for requesting such opinion, including for urgency.
Any supervisory authority may request an urgent opinion where the competent supervisory authority has not taken an appropriate measure in a situation where there is an urgent need.
An urgent opinion by the Data Protection Board shall be adopted within two weeks by simple majority.
Article 62
Implementing Acts
High Variability
The Commission may adopt implementing acts for:
*The Parliament text adds that it must first request the opinion of the Data Protection Board.
- deciding on the correct application of this Regulation in accordance with its objectives and requirements in relation to matters communicated by supervisory authorities for urgency or Data Protection Board decisions, concerning a matter in relation to which a reasoned decision has been adopted, or concerning a matter in relation to which a supervisory authority does not submit a draft measure and that supervisory authority has indicated that it does not intend to follow the opinion of the Commission
- *The Parliament and Council texts remove this ability
- deciding, within the appropriate time period, whether it declares draft standard data protection clauses as having general validity
- *The Council text removes this ability
- specifying the format and procedures for the application of the consistency mechanism
- *The Parliament and Council texts remove this ability
- specifying the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the European Data Protection Board
On duly justified imperative grounds of urgency relating to the interests of data subjects, the Commission shall adopt immediately applicable implementing acts which shall remain in force for a period not exceeding 12 months.
*The Parliament and Council texts remove this ability
The absence or adoption of a measure under this Section does not prejudice any other measure by the Commission under the Treaties.
*The Council text removes this paragraph.
Article 63
Enforcement
Medium Variability
For the purposes of this Regulation, an enforceable measure of the supervisory authority of one Member State shall be enforced in all Member States concerned.
Where a supervisory authority does not submit a draft measure to the consistency mechanism in breach of Article 58, the measure shall not be legally valid and enforceable.
*The Council text removes this article entirely.
Section 3: European Data Protection Board
Article 64
European Data Protection Board
Medium Variability
A European Data Protection Board is hereby set up.
*The Council text adds that this Board shall become a body of the Union with legal personality and be represented by its Chair.
The European Data Protection Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor.
Where more than one supervisory authority is responsible for a single Member State, they shall nominate the head of one of those authorities as joint representative.
The Commission shall have the right to participate in the activities and meetings of the Data Protection Board through a representative. The chair of the Board shall, without delay, inform the Commission on all of its activities.
*The Council text adds the European Data Protection Supervisor (or representative) and clarifies that they will have no voting rights.
Article 65
Independence
Low Variability
The European Data Protection Board shall act independently when exercising its tasks.
Without prejudice to requests by the Commission, the European Data Protection Board shall neither seek nor take instructions from anybody in the performance of its tasks.
Article 66
Tasks of the European Data Protection Board
High Variability
The European Data Protection Board shall ensure the consistent application of this Regulation. To this effect, the European Data Protection Board shall, on its own initiative or at the request of the European Parliament, Council or Commission, in particular:
- advise the European institutions on any issue related to the protection of personal data in the Union, including on any proposed amendment of this Regulation
- examine any question covering the application of this Regulation and issue guidelines, recommendations and best practices in order to encourage consistent application
- review the practical application of the guidelines, recommendations and best practices referred to above and report regularly to the Commission on these
- *The Council text removes the need to report to the Commission
- issue opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism
- promote the co-operation and the effective multilateral exchange of information and practices between the supervisory authorities
- promote common training programmes and facilitate personnel exchanges between the supervisory authorities, as well as those of third countries, where appropriate
- promote the exchange of knowledge and documentation on data protection legislation and practice with data protection supervisory authorities worldwide
- *The Parliament text adds the following tasks:
- provide an opinion on which authority should be the lead authority
- give its opinion to the Commission in the preparation of delegated and implementing acts
- give its opinion on codes of conduct drawn up at Union level
- give its opinion on requirements for data protection certification mechanisms
- maintain a public electronic register on valid and invalid certificates
- provide assistance to national supervisory authorities, at their request
- establish and make public a list of the processing operations which are subject to prior consultation
- maintain a registry of sanctions imposed on controllers or processors by the competent supervisory authorities
- *The Council text adds the following tasks:
- monitor and ensure the correct application of this Regulation in the cases provided for in Article 57 without prejudice to the tasks of national supervisory authorities
- draw up guidelines for supervisory authorities concerning the application of its powers and the fixing of administrative fines
- encourage the drawing-up of codes of conduct and the establishment of data protection certification mechanisms and data protection seals
- carry out the accreditation of certification bodies and its periodic review, maintain a public register of accredited bodies and of the accredited controllers or processors established in third countries
- specify the requirements with a view to the accreditation of certification bodies
- give the Commission an opinion on the level of protection of personal data in third countries or international organisations
- maintain a publicly accessible electronic register of decisions taken by supervisory authorities and courts on issues dealt with in the consistency mechanism
Where the Commission requests advice from the Data Protection Board, it may lay out a time limit, taking into account the urgency of the matter.
The European Data Protection Board shall forward its opinions, guidelines, recommendations, and best practices to the Commission and to the committee referred to in Article 87 and make them public.
The Commission shall inform the Data Protection Board of the action it has taken following the opinions, guidelines, recommendations and best practices issued by the Board.
*The Council removes this requirement.
*The Parliament text adds that the Data Protection Board shall, where appropriate, consult interested parties and give them the opportunity to comment within a reasonable period, as well as making such interactions public.
Article 67
Reports
Medium Variability
The European Data Protection Board shall regularly and in a timely manner inform the Commission about the outcome of its activities. It shall draw up an annual report on the situation regarding the protection of natural persons with regard to the processing of personal data in the Union and in third countries.
*The Parliament text adds that the report shall be given to all EU bodies at least every 2 years.
*The Council text calls for an annual report to be made public.
The report shall include the review of the practical application of the guidelines, recommendations and best practices.
Article 68
Procedure
Low Variability
The European Data Protection Board shall take decisions by a simple majority of its members, unless otherwise provided for in its own rules or this regulation.
The European Data Protection Board shall adopt its own rules of procedure and organise its own operational arrangements.
*The Council text adds that rules must be adopted by a two-thirds majority.
Article 69
Chair
Low Variability
The European Data Protection Board shall elect a Chair and two deputy Chairpersons from amongst its members by simple majority.
*The Commission text provides that one of these must be the Data Protection Supervisor.
The term of office of the chair and of the deputy chairpersons shall be five years and be renewable.
*The Parliament text adds that the position of the chair shall be a full-time position.
Article 70
Tasks of the Chair
Low Variability
The chair shall have the following tasks:
- to convene the meetings of the Board and prepare its agenda
- *The Parliament text adds to notify decisions adopted by the Board pursuant to Article 58a to the concerned supervisory authorities
- to ensure the timely fulfilment of the tasks of the European Data Protection Board, in particular in relation to the consistency mechanism
The board shall lay down the attribution of tasks between the chair and the deputy chairpersons in its rules of procedure.
Article 71
Secretariat
Low Variability
The European Data Protection Board shall have a secretariat. The European Data Protection Supervisor shall provide that secretariat.
*The Council text adds that the secretariat shall perform its tasks exclusively under the instructions of the Chair, the staff shall be organisationally separated from, and subject to separate reporting lines from, the staff of the Data Protection Supervisor, and where needed, the Board in consultation with the Data Protection Supervisor shall establish and publish a Code of Conduct.
The secretariat shall provide analytical, administrative and logistical support to the Board under the direction of the chair.
The secretariat shall be responsible in particular for:
- the day-to-day business of the Board
- the communication between its members, with the Commission and other institutions and the public
- the use of electronic means for the internal and external communication
- the translation of relevant information
- the preparation and follow-up of the meetings of the Board
- the preparation, drafting and publication of opinions and other texts adopted by the Board
Article 72
Confidentiality
Low Variability
The discussions of the European Data Protection Board shall be confidential.
*The Parliament text says that they may be confidential if necessary, but the agendas shall be made public.
Documents submitted to members of the Board, experts and representatives of third parties shall be confidential, unless access is granted to those documents in accordance with Regulation (EC) No 1049/2001 or the Board otherwise makes them public.
The members of the Board, as well as experts and representatives of third parties, shall be required to respect the confidentiality obligations set out in this Article.
*The Council removes this sentence.
Chapter 8: Remedies, Liability, and Sanctions
Article 73
Right to Lodge a Complaint with a Supervisory Authority
Medium Variability
Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority in any Member State if they consider that the processing of personal data relating to them does not comply with this Regulation.
Any body or organisation which acts in the public’s interest and has been properly constituted according to the law of a Member State shall have the right to lodge a complaint with a supervisory authority in any Member State on behalf of data subjects, or if it considers that a breach of this Regulation has occurred.
*The Council text removes the above paragraph and adds that the authority to which the complaint has been lodged shall be responsible for informing the complainant of the outcome.
Article 74
Right to a Judicial Remedy Against a Supervisory Authority
Medium Variability
Without prejudice to any other administrative or non-judicial remedy, each person shall have the right to a judicial remedy against decisions of a supervisory authority concerning them.
Each data subject shall have the right to a judicial remedy obliging the supervisory authority to act on a complaint in the absence of a decision necessary to protect their rights, or where the supervisory authority does not inform the data subject within three months on the progress or outcome of the complaint.
Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
Data subjects may request the supervisory authority of their own Member State to bring proceedings on their behalf against the competent supervisory authority in another Member State.
The Member States shall enforce final decisions by the courts referred to in this Article.
*The Council text removes the previous two sentences.
Article 75
Right to a Judicial Remedy Against a Controller or Processor
Low Variability
Without prejudice to any available administrative remedy, every natural person shall have the right to a judicial remedy if they consider that their rights under this Regulation have been infringed as a result of the processing of their personal data.
Proceedings against a controller or a processor shall be brought before the courts of the Member State in which they have an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has their habitual residence, unless the controller is a public authority acting in the exercise of its public powers.
A court may suspend proceedings if the matter is under scrutiny by the consistency mechanism, unless the urgency of the matter requires more immediate action.
The Member States shall enforce final decisions by the courts referred to in this Article.
*The Council text removes the previous two sentences.
Article 76
Common Rules for Court Proceedings
Medium Variability
Any body or organisation referred to in Article 73 may exercise before the courts the rights referred to in Article 74, 75, and 77, if mandated by one or more data subjects.
Each supervisory authority shall have the right to engage in legal proceedings and bring an action to court, in order to enforce the provisions of this Regulation or to ensure consistency of the protection of personal data within the Union.
Where a competent court of a Member State has reasonable grounds to believe that parallel proceedings are being conducted in another Member State, it shall contact the other Member State to confirm such proceedings.
Where such parallel proceedings in another Member State concern the same measure, decision or practice, the court may suspend the proceedings.
Member States shall ensure that court actions available under national law allow for the rapid adoption of measures including interim measures, designed to terminate any alleged infringement and to prevent any further impairment of the interests involved.
*The Council text only includes the first paragraph and continues to detail suspension of the proceedings in the following article.
Article 76a
Suspension of Proceedings
Council Only
Where a competent court of a Member State has information on proceedings concerning the same subject matter as pending in a court in another Member State, it shall contact the other Member State to confirm such proceedings.
In such a case, any competent court other than the court first seized may suspend its proceedings.
Where these proceedings are pending at first instance, any court other than the court first seized may also, on the application of one of the parties, decline jurisdiction if the court first seized has jurisdiction over the actions in question and its law permits the consolidation.
Article 77
Right to Compensation and Liability
Medium Variability
Any person who has suffered damage as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered.
Where more than one controller or processor is involved in the processing, each controller or processor shall be jointly and severally liable for the entire amount of the damage.
*The Parliament text adds that this applies only unless they have an appropriate written agreement determining the responsibilities.
*The Council text adds that an entity shall be liable for the damage caused by the processing only where it has not complied with obligations of this Regulation.
The controller or the processor may be exempted from this liability, in whole or in part, if the controller or the processor proves that they are not responsible for the event giving rise to the damage.
*The Council text adds that where a controller or processor has paid full compensation for the damage jointly caused, that entity shall be entitled to claim back from the other entities involved, that part of the compensation corresponding to their part of responsibility for the damage. Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under national law of the Member State.
Article 78
Penalties
Medium Variability
Member States shall lay down the rules on penalties, applicable to infringements of the provisions of this Regulation and shall take all measures necessary to ensure that they are implemented. The penalties provided for must be effective, proportionate and dissuasive.
Where the controller has established a representative, any penalties shall be applied to the representative, without prejudice to any penalties which could be initiated against the controller.
Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1, by the date specified in Article 91 at the latest and, without delay, any subsequent amendment affecting them.
*The Council removes this article entirely and covers penalties in subsequent articles.
Article 79
Administrative Sanctions
High Variability
*Commission text:
Each supervisory authority shall be empowered to impose administrative sanctions in accordance with this Article.
The administrative sanction shall be in each individual case effective, proportionate and dissuasive. The amount of the administrative fine shall be fixed with due regard to the nature, gravity and duration of the breach, the intentional or negligent character of the infringement, the degree of responsibility of the person and of previous breaches by this person, the technical and organisational measures provided for, and the cooperation with the supervisory authority in order to remedy the breach.
In case of a first and non-intentional non-compliance with this Regulation, a warning in writing may be given and no sanction imposed, where:
- a natural person is processing personal data without a commercial interest
- an enterprise or an organisation employing fewer than 250 persons is processing personal data only as an activity ancillary to its main activities
A fine of up to 250 000 EUR, or in case of an enterprise up to 0,5 % of its annual worldwide turnover, shall be imposed on anyone who, intentionally or negligently:
- does not provide the mechanisms for requests by data subjects or does not respond promptly or not in the required format to data subjects
- charges a fee for the information or for responses to the requests of data subjects in violation of Article 12
A fine of up to 500 000 EUR, or in case of an enterprise up to 1 % of its annual worldwide turnover, shall be imposed on anyone who, intentionally or negligently:
- does not provide the information, or does provide incomplete information, or does not provide the information in a sufficiently transparent manner, to the data subject
- does not provide access for the data subject or does not rectify personal data or communicate the relevant information to a recipient pursuant
- does not comply with the right to be forgotten or to erasure, or fails to put mechanisms in place to ensure that the time limits are observed, or does not take all necessary steps to inform third parties that a data subject requests to erase any links to, or copy or replication of, the personal data
- does not provide a copy of the personal data in electronic format or hinders the data subject from transmitting the personal data to another application
- does not or not sufficiently determine the respective responsibilities with co-controllers
- does not or not sufficiently maintain the documentation pursuant
- does not comply with rules in relation to freedom of expression or with rules on the processing in the employment context or with the conditions for processing for historical, statistical and scientific research purposes
A fine of up to 1 000 000 EUR or, in case of an enterprise, up to 2% of its annual worldwide turnover, shall be imposed on anyone who, intentionally or negligently:
- processes personal data without any or sufficient legal basis for the processing or does not comply with the conditions for consent
- processes special categories of data in violation of Articles 9 and 81
- does not comply with an objection
- does not comply with the conditions in relation to measures based on profiling
- does not adopt internal policies or does not implement appropriate measures for ensuring and demonstrating compliance
- does not designate a representative
- processes or instructs the processing of personal data in violation of the obligations in relation to processing on behalf of a controller
- does not alert on or notify a personal data breach or does not timely or completely notify the data breach to the supervisory authority or to the data subject
- does not carry out a required data protection impact assessment, or processes personal data without prior authorisation or prior consultation of the supervisory authority
- does not designate a data protection officer or does not ensure the conditions for fulfilling the tasks
- misuses a data protection seal or mark
- carries out or instructs a data transfer to a third country or an international organisation that is not allowed by an adequacy decision or by appropriate safeguards
- does not comply with an order or a temporary or definite ban on processing or the suspension of data flows by the supervisory authority
- does not comply with the obligations to assist or respond or provide relevant information to, or access to premises by, the supervisory authority
- does not comply with the rules for safeguarding professional secrecy
The Commission shall be empowered to adopt delegated acts for the purpose of updating the amounts of the administrative fines.
*Parliament text:
Each supervisory authority shall be empowered to impose administrative sanctions in accordance with this Article. The supervisory authorities shall cooperate with each other to guarantee a harmonized level of sanctions within the Union.
The administrative sanction shall be in each individual case effective, proportionate and dissuasive.
To anyone who does not comply with the obligations laid down in this Regulation, the supervisory authority shall impose at least one of the following sanctions:
- a warning in writing in cases of first and non-intentional non-compliance
- regular periodic data protection audits
- a fine up to 100 000 000 EUR or up to 5% of the annual worldwide turnover in case of an enterprise, whichever is higher
If the controller or the processor is in possession of a valid "European Data Protection Seal", a fine shall only be imposed in cases of intentional or negligent non-compliance.
The administrative sanction shall take into account the following factors:
- the nature, gravity and duration of the non-compliance
- the intentional or negligent character of the infringement
- the degree of responsibility of the person and of previous breaches by this person
- the repetitive nature of the infringement
- the degree of co-operation with the supervisory authority, in order to remedy the infringement
- the specific categories of personal data affected
- the level of damage, including non-pecuniary damage, suffered by the data subjects
- the action taken by the controller or processor to mitigate the damage suffered by data subjects
- any financial benefits intended or gained, or losses avoided, directly or indirectly from the infringement
- the degree of technical and organisational measures and procedures implemented pursuant to privacy by design, security, data protection impact assessments, compliance reviews, and data protection officers
- the refusal to cooperate with or obstruction of inspections, audits and controls carried out by the supervisory authority
- other aggravating or mitigating factors applicable to the circumstance of the case
The Commission shall be empowered to adopt delegated acts for the purpose of updating the absolute amounts of the administrative fines.
*Council text:
Each supervisory authority shall ensure that the imposition of administrative fines shall be effective, proportionate and dissuasive.
Administrative fines shall be imposed in addition to, or instead of, measures referred to in Article 53. When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
- the nature, gravity and duration of the infringement having regard to the purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them
- the intentional or negligent character of the infringement
- action taken by the controller or processor to mitigate the damage suffered by data subjects
- the degree of responsibility of the controller or processor having regard to technical and organisational measures implemented by them
- any relevant previous infringement
- the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement
- whether measures have previously been ordered against the controller or processor concerned with regard to the same subject-matter
- adherence to approved codes of conduct or approved certification mechanisms
- any other aggravating or mitigating factor applicable to the circumstances of the case
Each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.
The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in conformity with Union law and Member State law, including effective judicial remedy and due process.
Member States may abstain from administrative fines if they already provide for criminal sanctions in their national law, only while ensuring that these criminal sanctions are effective, proportionate and dissuasive, taking into account the level of administrative fines provided for in this Regulation.
Article 79a
Administrative Fines
Council Only
The supervisory authority may impose a fine that shall not exceed 250 000 EUR, or in case of an undertaking 0.5% of its total worldwide annual turnover, on a controller who intentionally or negligently:
- does not respond within the appropriate period to requests of the data subject
- charges a fee in violation of Article 12
A fine that shall not exceed 500 000 EUR, or in case of an undertaking 1% of its total worldwide annual turnover, may be imposed if a controller:
- does not provide the information, provides incomplete information, or does not provide the information timely or in a transparent manner to the data subject
- does not provide access for the data subject or does not rectify personal data
- does not erase personal data in violation of the right to erasure and 'to be forgotten'
- processes personal data in violation of the right to restriction of processing or does not inform the data subject before the restriction of processing is lifted
- does not communicate any rectification, erasure or restriction of processing to each recipient to whom the controller has disclosed personal data
- does not provide the data subject with the personal data concerning him or her
- processes personal data after the objection of the data subject
- does not provide the data subject with information concerning the right to object processing for direct marketing purposes
- does not or not sufficiently determine the respective responsibilities with joint controllers
- does not or not sufficiently maintain documentation
A fine that shall not exceed 1 000 000 EUR, or in case of an undertaking 2% of its total worldwide annual turnover, may be imposed if a controller:
- processes personal data without a legal basis for the processing or does not comply with the conditions for consent
- does not comply with the conditions in relation to automated individual decision making, including profiling
- does not implement appropriate measures or is not able to demonstrate compliance
- does not designate a representative in violation of Article 2
- processes or instructs the processing of personal data in violation of Articles 26
- does not alert on or notify a personal data breach
- does not carry out a data protection impact assessment in violation of Article 33 or processes personal data without prior consultation of the supervisory authority
- misuses a data protection seal or mark
- carries out or instructs a data transfer to a recipient in a third country or an international organisation in violation of Articles 41 to 44
- does not comply with an order or a temporary or definite limitation on processing or the suspension of data flows by the supervisory authority
If a controller or processor intentionally or negligently violates several provisions of this Regulation listed above, the total amount of the fine may not exceed the amount specified for the gravest violation.
Article 79b
Penalties
Council Only
For infringements of this Regulation, in particular for infringements which are not subject to administrative fines, Member States shall lay down the rules on penalties applicable to such infringements and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.
Each Member State shall notify to the Commission those provisions of its law which it adopts.
Chapter 9: Provisions Relating to Specific Data Processing Situations
Article 80
Processing of Personal Data and Freedom of Expression
Low Variability
Member States shall provide for exemptions or derogations from the provisions in Chapters II, III, IV, V, VI, and VII for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression to the extent necessary to reconcile the rights to privacy and to the protection of personal data with the rules governing freedom of expression.
Each Member State shall notify to the Commission those provisions of its law which it has adopted and, without delay, any subsequent amendment law or amendment affecting them.
Article 80a
Access to Documents
Parliament Only
Personal data in documents held by a public authority or a public body may be disclosed by this authority or body in accordance with Union or Member State legislation regarding public access to official documents, which reconciles the right to the protection of personal data with the principle of public access to official documents.
Each Member State shall notify to the Commission provisions of its law which it adopts.
Article 80a
Processing of Personal Data and Public Access to Official Documents
Council Only
Personal data in official documents held by a public authority, or a private body for the performance of a task carried out in the public interest, may be disclosed in accordance with Union law or Member State law to which it is subject in order to reconcile public access to official documents with the right to the protection of personal data pursuant to this Regulation.
Article 80aa
Processing of Personal Data and Reuse of Public Sector Information
Council Only
Personal data in public sector information held by a public authority, or a private body for the performance of a task carried out in the public interest, may be disclosed in accordance with Union law or Member State law to which it is subject in order to reconcile the reuse of such official documents and public sector information with the right to the protection of personal data pursuant to this Regulation.
Article 80b
Processing of National Identification Number
Council Only
Member States may determine the specific conditions for the processing of a national identification number or any other identifier of general application. In this case it shall be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation.
Article 81
Processing of Personal Data Concerning Health
High Variability
Within the limits of this Regulation, processing of personal data concerning health must be on the basis of Union law or Member State law, and be necessary for:
- the purposes of preventive or occupational medicine, medical diagnosis, the provision of care or treatment or the management of health-care services, and where those data are processed by a health professional subject to the obligation of professional secrecy or another person also subject to an equivalent obligation of confidentiality under Member State law
- reasons of public interest in the area of public health
- other reasons of public interest in areas such as social protection, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system and the provision of health services
*The Parliament text adds that when the purposes referred to above can be achieved without the use of personal data, such data shall not be used for those purposes, unless based on the consent of the data subject or Member State law. Where the data subject's consent is required, the consent may be given for one or more specific and similar research purposes. However, the data subject may withdraw the consent at any time.
Processing of personal data concerning health which is necessary for historical, statistical or scientific research purposes, is subject to the conditions and safeguards referred to in Article 83.
*The Parliament text adds the need for data subject consent in this instance, however, it also provides for member state law to remove this need for consent in certain circumstances such as research that serves a high public interest, if that research cannot possibly be carried out otherwise.
The Commission shall be empowered to adopt delegated acts in order to specify criteria and details surrounding data processing related to public health.
*The Parliament text adds the need for a Data Protection Board opinion.
*The Council text removes this article entirely.
Article 82
Processing in the Employment Context
Medium Variability
Within the limits of this Regulation, Member States may adopt by law specific rules regulating the processing of employees' personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.
*The Parliament text adds the following:
- The purpose of processing such data must be linked to the reason it was collected for and stay within the context of employment.
- Consent of an employee shall not provide a legal basis for the processing of data by the employer when the consent has not been given freely.
- Notwithstanding the other provisions of this Regulation, the legal provisions of Member States shall include at least the following minimum standards:
- the processing of employee data without the employee's knowledge shall not be permitted. Member States may, however, by law provide for the admissibility of this practice
- clandestine surveillance shall be prohibited and inadmissible under all circumstances
- where undertakings or authorities collect and process personal data in the context of medical examinations and/or aptitude tests, they must explain to the applicant or employee beforehand the purpose for which these data are being used
- whether and to what extent the use of telephone, e-mail, internet and other telecommunications services shall also be permitted for private use may be regulated by collective agreement. Where there is no regulation by collective agreement, the employer shall reach an agreement on this matter directly with the employee
- workers' personal data, especially sensitive data such as political orientation and membership of and activities in trade unions, may under no circumstances be used to put workers on so-called 'blacklists', or to vet or bar them from future employment
- Transmission and processing of personal employee data between legally independent undertakings within a group of undertakings and with professionals providing legal and tax advice shall be permitted, providing it is relevant to the operation of the business and is used for the conduct of specific operations and is not contrary to the interests of the person.
Each Member State shall notify to the Commission those provisions of its law which it adopts.
The Commission shall be empowered to adopt delegated acts in order to specify the criteria and details surrounding processing in the employment context.
*The Parliament text adds the need for a Data Protection Board opinion.
*The Council text gives this power to the member states.
Article 82a
Processing in a Social Security Context
Parliament Only
Member States may, in accordance with the rules set out in this Regulation, adopt specific legislative rules particularising the conditions for the processing of personal data by their public institutions and departments in the social security context if carried out in the public interest.
Each Member State shall notify to the Commission those provisions which it adopts.
Article 83
Processing for Historical, Statistical and Scientific Research Purposes
High Variability
Within the limits of this Regulation, personal data may be processed for historical, statistical or scientific research purposes only if:
- these purposes cannot be otherwise fulfilled by processing data which does not permit the identification of the data subject
- data enabling the attribution of information to an identified or identifiable data subject is kept separately from the other information as long as these purposes can be fulfilled in this manner
*The Council text only allows for member states to make their own laws involving derogations of previous rights in the regulation if necessary for specific purposes, making sure to lay down the specific safeguards and technical standards necessary.
Bodies conducting historical, statistical or scientific research may publish or otherwise publicly disclose personal data only if:
- the data subject has given consent
- the publication of personal data is necessary to present research findings or to facilitate research insofar as the interests or the fundamental rights or freedoms of the data subject do not override these interests
- the data subject has made the data public
*The Parliament and Council texts remove these provisions for disclosure.
The Commission shall be empowered to adopt delegated acts regarding such processing.
*The Parliament and Council texts remove this power.
Article 83a
Processing of Personal Data by Archive Services
Parliament Only
Once the initial processing for which they were collected has been completed, personal data may be processed by archive services whose main or mandatory task is to collect, conserve, provide information about, exploit and disseminate archives in the public interest.
Each Member State shall notify to the Commission provisions of its law which it adopts concerning the archive services.
Article 84
Obligations of Secrecy
Low Variability
Within the limits of this Regulation, Member States may adopt specific rules to set out the investigative powers by the supervisory authorities in relation to controllers or processors that are subject to an obligation of professional secrecy, where this is necessary to reconcile the right of the protection of personal data with the obligation of secrecy. These rules shall only apply with regard to personal data received from or obtained in an activity covered by this obligation of secrecy.
Each Member State shall notify to the Commission the rules adopted.
Article 85
Existing Data Protection Rules of Churches and Religious Associations
Low Variability
Where in a Member State, churches and religious associations apply, at the time of entry into force of this Regulation, comprehensive rules relating to the protection of individuals with regard to the processing of personal data, such rules may continue to apply, provided that they are brought in line with the provisions of this Regulation.
*The Parliament text requires these organisations to obtain a compliance opinion.
Article 85a
Respect of Fundamental Rights
Parliament Only
This Regulation shall not have the effect of modifying the obligation to respect fundamental rights and fundamental legal principles as enshrined in Article 6 of the TEU.
Article 85b
Standard Forms
Parliament Only
The Commission may, taking into account the specific features and necessities of various sectors and data processing situations, lay down standard forms for:
- specific methods to obtain verifiable consent
- the communication referred to in Article 12, including the electronic format
- providing the information referred to in paragraphs 1 to 3 of Article 14
- requesting and granting access to the information referred to in Article 15(1), including for communicating the personal data to the data subject
- documentation referred to in Article 28
- breach notifications to the supervisory authority and the documentation referred to in Article 31
- prior consultations, and for informing the supervisory authorities
In doing so, the Commission shall take the appropriate measures for micro, small and medium-sized enterprises.
Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87.
Chapter 10: Delegated Acts and Implementing Acts
Article 86
Exercise of the Delegation
Medium Variability
The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.
As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.
The Parliament or the Council may object to a delegated act within two months of its notification, extendable by a further two months, in which case the act does not enter into force; either may also revoke the delegation of power at any time, and a decision of revocation shall put an end to the delegation of power specified in that decision.
*The Parliament allows for the extension to run for an additional six months.
Article 87
Committee Procedure
Low Variability
The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.
Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.
Where reference is made to this paragraph, Article 8 of Regulation (EU) No 182/2011, in conjunction with Article 5 thereof, shall apply.
Chapter 11: Final Provisions
Article 88
Repeal of Directive 95/46/EC
Low Variability
Directive 95/46/EC is repealed.
References to the repealed Directive shall be construed as references to this Regulation. References to the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Article 29 of Directive 95/46/EC shall be construed as references to the European Data Protection Board established by this Regulation.
Article 89
Relationship to and Amendment of Directive 2002/58/EC
Low Variability
This Regulation shall not impose additional obligations on natural or legal persons in relation to the processing of personal data in connection with the provision of publicly available electronic communications services in public communication networks in the Union in relation to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC.
*The Parliament text adds that the Commission shall present, without delay, a proposal for the revision of the legal framework for the processing of personal data and the protection of privacy in electronic communications, in order to align the law with this Regulation and ensure consistent and uniform legal provisions on the fundamental right to protection of personal data in the European Union.
Article 89a
Relationship to and Amendment of Regulation (EC) No 45/2001
Parliament Only
The rules set out in this Regulation shall apply to the processing of personal data by Union institutions, bodies, offices and agencies in relation to matters for which they are not subject to additional rules set out in Regulation (EC) No 45/2001.
The Commission shall present, without delay, a proposal for the revision of the legal framework applicable to the processing of personal data by the Union institutions, bodies, offices and agencies.
Article 89a
Relationship to Previously Concluded Agreements
Council Only
International agreements involving the transfer of personal data to third countries or international organisations which were concluded by Member States prior to the entry into force of this Regulation, and which are in compliance with Directive 95/46/EC, shall remain in force until amended, replaced or revoked.
Article 90
Evaluation
Low Variability
The Commission shall submit reports on the evaluation and review of this Regulation to the European Parliament and the Council at regular intervals. The first report shall be submitted no later than four years after the entry into force of this Regulation. Subsequent reports shall be submitted every four years thereafter. The Commission shall, if necessary, submit appropriate proposals with a view to amending this Regulation, and aligning other legal instruments, in particular taking account of developments in information technology and in the light of the state of progress in the information society. The reports shall be made public.
*The Council text adds that reports should take into consideration the functioning of Chapter VII on Cooperation and Consistency.
Article 91
Entry into Force and Application
Low Variability
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
It shall apply from [two years from the date referred to in paragraph 1].
This Regulation shall be binding in its entirety and directly applicable in all Member States.