Disclaimer


Welcome to this site. So that you can use the services and information on this website with confidence, we explain here the privacy protection policy of this platform in order to safeguard your rights. Please read the following carefully:

Scope of the privacy protection policy
The privacy protection policy covers how this platform handles the personally identifiable data collected when you use the website's services. It does not apply to linked websites outside this platform, nor to persons who are not commissioned by, or participating in the management of, this platform.

Collection and use of data
In order to provide you with the best interactive services on this platform, such as user registration or participation in activities on the platform or in public forums, we may ask you to provide relevant personal data within the following scope: when you use interactive features such as the service mailbox or the "contact us" function, this website will ask you to leave the data you provide, such as your name, gender, age, date of birth, telephone number, mailing address, residential address and e-mail address. Unless we obtain your consent or other laws specifically provide otherwise, this website will never disclose your personal data to third parties or use it for purposes other than those for which it was collected. However, this platform will provide personal data at the request of law enforcement agencies or for purposes of public safety. This platform assumes no liability for any disclosure made in such circumstances.

External links from the platform
The pages of this platform provide links to other websites, and you may enter other websites through the links this website provides. Such linked websites are not covered by this website's privacy protection policy; you must consult the privacy protection policy of the linked website.

Use of cookies
In order to provide you with the best service, this platform may place and access our cookies on your computer. If you do not wish to accept cookies, you can set the privacy level to "high" in your browser's settings to refuse cookies, but this may cause some functions of the website to stop working properly.

Handling of requests to inspect, correct or delete personal data
If you wish to inspect or view, supplement or correct, or delete your personal data, you can contact the customer service centre by e-mail, and this platform's customer service centre will handle your request promptly.
Customer service centre e-mail: [email protected]

Amendments to the privacy protection policy
This platform's privacy protection policy will be amended from time to time as required, and the amended terms will be published on the platform.



General Data Protection Regulation (GDPR) of the European Union


Chapter I General provisions

Article 1 Subject matter and objectives

1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.

2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.

Article 2 Material scope

1. This Regulation applies to the processing of personal data wholly by automated means, partly by automated means, and to processing other than by automated means that constitutes or is intended to constitute profiling.

2. This Regulation does not apply to the processing of personal data:

(a) in the course of an activity which falls outside the scope of Union law;

(b) by the Member States when carrying out activities which fall within Chapter 2, paragraph 5 of the Treaty on European Union (TEU);

(c) by a natural person in the course of a purely personal or household activity;

(d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

3. For the processing of personal data by the Union institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 applies. In accordance with Article 98 of this Regulation, Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data shall be adapted to the principles and rules of this Regulation.

4. This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.

Article 3 Territorial scope

1. This Regulation applies to the processing of personal data by a controller or processor established in the Union, regardless of whether the processing itself takes place in the Union.

2. This Regulation applies to the processing of personal data in the context of the following activities, even where the controller or processor is not established in the Union:

(a) the offering of goods or services to data subjects in the Union, irrespective of whether a payment by the data subject is required; or

(b) the monitoring of the behaviour of data subjects as far as that behaviour takes place within Europe.

3. This Regulation applies to the processing of personal data by a controller not established in the Union but in a place where Member State law applies by virtue of public international law.

Article 4 Definitions

For the purposes of this Regulation:

(1) "personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

(2) "processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

(3) "restriction of processing" means the marking of stored personal data with the aim of limiting their processing in the future.

(4) "profiling" means any form of automated processing of personal data carried out to evaluate certain aspects relating to a natural person, in particular to evaluate that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

(5) "anonymisation" means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information. Such additional information shall be kept separately and be subject to technical and organisational measures ensuring that the personal data are not attributed to an identified or identifiable natural person.

(6) "filing system" means any structured set of personal data which are accessible according to specific criteria, whether those criteria are decentralised, dispersed, functional or geographically based.

(7) "controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller, or the specific criteria for its nomination, shall be provided for by Union or Member State law.

(8) "processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

(9) "recipient" means a natural or legal person, public authority, agency or another body to which the personal data are disclosed, whether a third party or not. However, public authorities which receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall comply with the applicable data protection rules according to the purposes of the processing.

(10) "third party" means a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

(11) "consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

(12) "personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

(13) "genetic data" means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.

(14) "biometric data" means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or fingerprint data.

(15) "data concerning health" means personal data related to the physical or mental health of a natural person which reveal information about his or her health status, including the provision of health care services.

(16) "main establishment" means:

(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller and that establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered the main establishment;

(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities take place, to the extent that the processor is subject to specific obligations under this Regulation.

(17) "representative" means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation.

(18) "enterprise" means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;

(19) "group of undertakings" means a controlling undertaking and its controlled undertakings;

(20) "binding corporate rules" means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.

(21) "supervisory authority" means an independent public authority which is established by a Member State pursuant to Article 51.

(22) "supervisory authority concerned" means a supervisory authority which is concerned by the processing of personal data because:

(a) the controller or processor is established on the territory of the Member State of that supervisory authority;

(b) data subjects residing in the Member State of that supervisory authority are substantially affected by the processing; or

(c) a complaint has been lodged with that supervisory authority;

(23) "cross-border processing" means either:

(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor; or

(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects data subjects in more than one Member State.

(24) "relevant and reasoned objection" means an objection as to whether there is an infringement of this Regulation, or whether an envisaged action in relation to the controller or processor complies with this Regulation, where there is evidence that the draft decision would pose risks to the fundamental rights and freedoms of data subjects and, where applicable, to the free flow of personal data within the Union.

(25) "information society service" means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council.

(26) "international organisation" means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.


Chapter II Principles

Article 5 Principles relating to processing of personal data

1. Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency");

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered incompatible with the initial purposes ("purpose limitation");

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimisation");

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data, that is, data that conflict with the initial purposes, are erased or rectified without delay ("accuracy");

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods only insofar as they will be processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in order to safeguard the rights and freedoms of the data subject, and subject to the implementation of the appropriate technical and organisational measures required by Article 89(1) of this Regulation ("storage limitation");

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ("integrity and confidentiality").

2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ("accountability").

Article 6 Lawfulness of processing

1. Processing shall be lawful only if, and to the extent that, at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out by the controller in the public interest or in the exercise of official authority;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing for compliance with points (c) and (e) of paragraph 1, by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing, including for the other specific processing situations provided for in Chapter IX.

3. The basis for the processing referred to in points (c) and (e) of paragraph 1 shall be laid down by:

(a) Union law; or

(b) Member State law to which the controller is subject.

The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be the performance of a task carried out by the controller in the public interest or in the exercise of official authority. That legal basis may contain specific provisions to adapt the application of the rules of this Regulation, including: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to which, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including those for the other specific processing situations provided for in Chapter IX. The Union or Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.

4. Where the processing for a purpose other than that for which the personal data were collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for the other purpose is compatible with the purpose for which the personal data were initially collected, take into account, among other things:

(a) any link between the purposes for which the personal data were collected and the purposes of the intended further processing;

(b) the context in which the personal data were collected, in particular the relationship between the data subjects and the controller;

(c) the nature of the personal data, in particular whether special categories of personal data are processed pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed pursuant to Article 10;

(d) the possible consequences of the intended further processing for data subjects;

(e) the existence of appropriate safeguards, which may include encryption or anonymisation.

Article 7 Conditions for consent

1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data.

2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed of this. It shall be as easy to withdraw consent as to give it.

4. When assessing whether consent is freely given, utmost account shall be taken of whether the performance of a contract, including the provision of a service under its terms, is made conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Article 8 Conditions applicable to a child's consent in relation to information society services

1. Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16, such processing shall be lawful only if, and to the extent that, consent is given or authorised by the holder of parental responsibility over the child.

2. Member State law may provide for a lower age requirement, provided that the child is at least 13 years old.

3. The controller shall make reasonable efforts, taking into consideration available technology, to verify in such cases that consent has been given or authorised by the holder of parental responsibility over the child.

Paragraph 1 shall not affect the general contract law of Member States, such as the rules on the validity, formation or effect of a contract in relation to a child.

Article 9 Processing of special categories of personal data

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, and data concerning health or a natural person's sex life or sexual orientation, shall be prohibited.

2. Paragraph 1 shall not apply if one of the following applies:

(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provides that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

(b) processing is necessary for the controller to carry out its obligations and exercise its specific rights, or is necessary in the field of employment, social security and social protection law for taking measures, in accordance with Union or Member State law or a collective agreement, to protect the fundamental rights and interests of the data subject;

(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

(d) processing is carried out in the course of the legitimate activities, with appropriate safeguards, of a foundation, association or other not-for-profit body with a political, philosophical, religious or trade union aim, on condition that the processing relates solely to the members or former members of the body or to persons who have regular contact with it, and that the personal data are not disclosed outside that body without the consent of the data subjects;

(e) processing relates to personal data which are manifestly made public by the data subject;

(f) processing is necessary for the establishment, exercise or defence of legal claims, or whenever courts are acting in their judicial capacity;

(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law, is proportionate to the aim pursued, respects the essence of the right to data protection and provides for suitable and specific measures to safeguard the fundamental rights and interests of the data subject;

(h) processing is necessary for the purposes of preventive or clinical medicine, for the assessment of the working capacity of an employee, for medical diagnosis, or for the provision of health or social care or treatment or the management of health or social care systems, on the basis of Union or Member State law or pursuant to a contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject; or

(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), is proportionate to the aim pursued, respects the essence of the right to data protection and provides for suitable and specific measures to safeguard the fundamental rights and interests of the data subject.

3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 by a professional subject to an obligation of professional secrecy under Union or Member State law or rules established by national competent bodies, or by another natural person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.

Article 10 Processing of personal data relating to criminal convictions and offences

Processing of personal data relating to criminal convictions and offences, or of personal data relating to security measures based on Article 6(1), shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.

Article 11 Processing which does not require identification

1. If the purposes for which a controller processes personal data do not, or no longer, require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.

2. In the cases referred to in paragraph 1, where the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible. In such cases, Articles 15 to 20 shall not apply, except where the data subject, for the purpose of exercising his or her rights under those Articles, provides additional information enabling his or her identification.

Chapter III Rights of the data subject

Section 1 Transparency and modalities

Article 12 Transparent information, communication and modalities for the exercise of the rights of the data subject

1. The controller shall provide any information referred to in Articles 13 and 14 relating to the processing of personal data, and any communication under Articles 15 to 22 and 34, in a concise, transparent, intelligible and easily accessible form, using clear and plain language; this applies in particular to any information addressed to a child. The information shall be provided in writing or by other means, including, where appropriate, by electronic means. Where the identity of the data subject is proven by other means, the controller may provide the information orally at the data subject's request.

2. The controller shall facilitate the exercise of the data subject's rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the data subject's request to exercise his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.

3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. Where such an extension applies, the controller shall inform the data subject of the extension and the reasons for it within one month of receipt of the request. Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

4. If the controller does not take action on the request of the data subject, it shall inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

5. Information provided under Articles 13 and 14 and any communication and action taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

(a) charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested; or

(b) refuse to act on the request.

The controller shall bear the burden of demonstrating that the request is manifestly unfounded or excessive.

6. Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making a request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

7. The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give, in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they shall be machine-readable.

8. The Council of the European Union shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons.

Section 2 Information and access to personal data

Article 13 Information to be provided where personal data are collected from the data subject

1. Where personal data relating to a data subject are collected, the controller shall provide the data subject with the following information:

(a) the identity and contact details of the controller and, where applicable, of the controller's representative;

(b) the contact details of the data protection officer, where applicable;

(c) the purposes of the processing for which the personal data are intended, as well as the legal basis for the processing;

(d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;

(e) the recipients or categories of recipients of the personal data, if any;

(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or, in the case of transfers referred to in Article 46 or 47 or the second subparagraph of Article 49(1), reference to the appropriate safeguards taken and the means by which to obtain a copy of them or where they have been made available.

2. In addition to the information referred to in paragraph 1, the controller shall, at the time when the personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:

(a) the period for which the personal data will be stored, and the criteria used to determine that period;

(b) the rights of the data subject: the right to request from the controller access to and rectification or erasure of personal data, or restriction of or objection to the related processing; and the right to data portability;

(c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

(d) the right to lodge a complaint with a supervisory authority;

(e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, whether the data subject is obliged to provide the personal data, and the possible consequences of failing to provide such data;

(f) the existence of automated decision-making, including the profiling referred to in Article 22(1) and (4), and, in those cases, meaningful information about the logic involved, including the envisaged consequences of such processing for the data subject.

3. Where the controller intends to further process the personal data for a purpose other than that for which they were collected, the controller shall, prior to that further processing, provide the data subject with information on that other purpose and with any relevant further information referred to in paragraph 2.

4. Paragraphs 1, 2 and 3 shall not apply where the data subject already has the information.

Article 14 Information to be provided where personal data have not been obtained from the data subject

1. Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:

(a) the identity and contact details of the controller and, where applicable, of the controller's representative;

(b) where applicable, the contact details of the data protection officer;

(c) the purposes of the processing for which the personal data are intended, as well as the legal basis for the processing;

(d) the categories of personal data concerned;

(e) the recipients or categories of recipients of the personal data, if any;

(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation, the existence or absence of an adequacy decision by the Commission, or, in the case of transfers referred to in Article 46 or 47 or the second subparagraph of Article 49(1), reference to the appropriate safeguards taken and the means by which to obtain a copy of them or where they have been made available.

2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:

(a) the period for which the personal data will be stored, or, if that is not possible, the criteria used to determine that period;

(b) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;

(c) the existence of the data subject's right to request from the controller access to and rectification or erasure of personal data, or restriction of or objection to the related processing, and the right to data portability;

(d) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

(e) the right to lodge a complaint with a supervisory authority;

(f) the source from which the personal data originate and, where applicable, whether they came from publicly accessible sources;

(g) the existence of automated decision-making, including the profiling referred to in Article 22(1) and (4), and, in those cases, meaningful information about the logic involved, including the envisaged consequences of such processing for the data subject.

3. The controller shall provide the information referred to in paragraphs 1 and 2:

(a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;

(b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication with that data subject;

(c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

4. Where the controller intends to further process the personal data for a purpose other than that for which they were collected, the controller shall, prior to that further processing, provide the data subject with information on that other purpose and with any relevant further information referred to in paragraph 2.

5. Paragraphs 1 to 4 shall not apply where:

(a) the data subject already has the information;

(b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in order to safeguard the rights and freedoms of the data subject and subject to the appropriate technical and organisational measures required by Article 89(1) of this Regulation; or in so far as the obligation referred to in paragraph 1 of this Article would seriously impair the achievement of the objectives of the processing. In such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available;

(c) obtaining or disclosing the information is expressly laid down by Union or Member State law to which the controller is subject, and which provides appropriate measures to protect the data subject's legitimate interests;

(d) the personal data must remain confidential, subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.

Article 15 Right of access by the data subject

1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and the following information:

(a) the purposes of the processing;

(b) the categories of personal data concerned;

(c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;

(d) where possible, the envisaged period for which the personal data will be stored, or, if that is not possible, the criteria used to determine that period;

(e) the right to request from the controller rectification or erasure of personal data, or restriction of or objection to the processing of personal data concerning the data subject;

(f) the right to lodge a complaint with a supervisory authority;

(g) where the personal data were not collected from the data subject, any available information as to their source;

(h) the existence of automated decision-making, including the profiling referred to in Article 22(1) and (4), and, in those cases, meaningful information about the logic involved, including the envisaged consequences of such processing for the data subject.

2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

Section 3 Rectification and erasure

Article 16 Right to rectification

The data subject shall have the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Article 17 Right to erasure ("right to be forgotten")

1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her, and the controller shall have the obligation to erase personal data without undue delay, where one of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), there is no other legal ground for the processing, and the data subject withdraws the consent on which the processing is based;

(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

(d) the personal data have been unlawfully processed;

(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase them, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by those controllers of any links to, or copies or replications of, those personal data.

3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

(a) for exercising the right of freedom of expression and information;

(b) for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) and Article 9(3);

(d) where the right referred to in paragraph 1 would seriously impair or render impossible the achievement of the public interest, scientific or historical research or statistical purposes referred to in Article 89(1); or

(e) for the establishment, exercise or defence of legal claims.

Article 18 Right to restriction of processing

1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

(d) the data subject has objected to processing pursuant to Article 21(1), pending verification of whether the legitimate grounds of the controller override those of the data subject.

2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject's consent, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.

3. A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction is lifted.

Article 19 Notification obligation regarding rectification or erasure of personal data or restriction of processing

The controller shall communicate any rectification or erasure of personal data, or restriction of processing, carried out in accordance with Articles 16, 17(1) and 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

Article 20 Right to data portability

1. The data subject shall have the right to receive the personal data concerning him or her which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data were provided, where:

(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2), or on a contract pursuant to Article 6(1); and

(b) the processing is carried out by automated means.

2. In exercising the right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

3. The exercise of the right referred to in paragraph 1 shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

Section 4 Right to object and automated individual decision-making

Article 21 Right to object

1. The data subject shall have the right to object at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall then cease processing those personal data immediately, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing is for the establishment, exercise or defence of legal claims.

2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, including profiling to the extent that it is related to such direct marketing.

3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

4. At the latest at the time of the first communication with the data subject, the rights referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject shall, on grounds relating to his or her particular situation, have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out in the public interest.

Article 22 Automated individual decision-making, including profiling

1. The data subject shall have the right to object to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

2. Paragraph 1 shall not apply if the decision:

(a) is necessary for entering into, or the performance of, a contract between the data subject and a data controller;

(b) is authorised by Union or Member State law to which the controller is subject, and which lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or

(c) is based on the data subject's explicit consent.

3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

4. Decisions referred to in paragraph 2 shall not be based on the special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.

Section 5 Restrictions

Article 23 Restrictions

1. Union or Member State law to which the data controller or processor is subject may restrict, by way of a legislative measure, the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22. Such a restriction shall be permitted where it respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

(a) national security;

(b) defence;

(c) public security;

(d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and prevention of threats to public security;

(e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;

(f) the protection of judicial independence and judicial proceedings;

(g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

(h) a monitoring, inspection or regulatory function connected to the exercise of official authority in the cases referred to in points (a), (b), (c), (d), (e) and (g);

(i) the protection of the data subject or of the rights and freedoms of others;

(j) the enforcement of civil law claims.

2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions, at least where relevant, as to:

(a) the purposes of the processing or categories of processing;

(b) the categories of personal data;

(c) the scope of the restrictions introduced;

(d) the safeguards to prevent abuse or unlawful access or transfer;

(e) the specification of the controller or categories of controllers;

(f) the storage periods and the applicable safeguards, taking into account the nature, scope and purposes of the processing or categories of processing;

(g) the risks to the rights and freedoms of data subjects; and

(h) the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.

Chapter IV Controller and processor

Section 1 General obligations

Article 24 Responsibility of the controller

1. Taking into account the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with this Regulation. Those measures shall be reviewed where necessary.

2. Where proportionate in relation to the processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.

3. Adherence to approved codes of conduct as referred to in Article 40, or to approved certification mechanisms as referred to in Article 42, may be used as an element by which to demonstrate compliance with the obligations of the controller.

Article 25 Data protection by design and by default

1. Taking into account the state of the art, the cost of implementation, the nature, scope, context and purposes of the processing, and the likelihood and severity of the risks to the rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of determining the means of processing and at the time of the processing itself, implement appropriate technical and organisational measures and integrate the necessary safeguards into the processing, in order to meet the requirements of this Regulation and protect the rights of data subjects. For example, the controller may adopt anonymisation, a measure designed to implement data protection principles such as data minimisation.

2. The controller shall implement appropriate technical and organisational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that, by default, personal data are not made accessible to an indefinite number of natural persons without the individual's intervention.

3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.

Article 26 Joint controllers

1. Where two or more controllers jointly determine the purposes and means of processing, they are joint controllers. They shall, in a transparent manner, determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercise of the rights of the data subject and their respective duties to provide the data subject with the information referred to in Articles 13 and 14, by means of an arrangement between them, unless the respective responsibilities of the controllers are determined by Union or Member State law.

2. The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject.

3. Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation against each of the controllers.

Article 27 Representatives of controllers or processors not established in the Union

1. Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.

2. That obligation shall not apply to:

(a) processing which is occasional, does not include large-scale processing of the special categories of data referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or

(b) a public authority or body.

3. The representative shall be established in one of the Member States where the data subjects to whom goods or services are offered, or whose behaviour is monitored, are located.

4. The controller or processor shall mandate the representative to be addressed, in addition to or instead of the controller or processor, on all issues related to processing, in particular by supervisory authorities and data subjects, for the purpose of ensuring compliance with this Regulation.

5. The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or processor themselves.

Article 28 Processor

1. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

2. The processor shall not engage another processor without the prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

3. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:

(a) processes the personal data only on written instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in that case, the processor shall inform the controller of that legal requirement before processing, unless doing so would affect important public interests;

(b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(c) takes all measures required pursuant to Article 32;

(d) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;

(e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;

(f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36, taking into account the nature of the processing and the information available to the processor;

(g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;

(h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article, and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.

4. Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable for the performance of that other processor's obligations.

5. Adherence of a processor to an approved code of conduct as referred to in Article 40, or to an approved certification mechanism as referred to in Article 42, may be used as an element by which to demonstrate the sufficient guarantees referred to in paragraphs 1 and 4 of this Article.

6. Without prejudice to an individual contract between the controller and the processor, the contract or other legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on the standard contractual clauses referred to in paragraphs 7 and 8 of this Article, including when they are part of a certification granted to the controller or processor pursuant to Articles 42 and 43.

7. The Commission may lay down standard contractual clauses for the matters referred to in paragraphs 3 and 4 of this Article, in accordance with the examination procedure referred to in Article 93(2).

8. A supervisory authority may adopt standard contractual clauses for the matters referred to in paragraphs 3 and 4 of this Article, in accordance with the consistency mechanism referred to in Article 63.

9. The contract or other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form.

10. Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered a controller in respect of that processing.

Article 29 Processing under the authority of the controller or processor

The processor, and any person acting under the authority of the controller or of the processor, who has access to personal data shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.

Article 30 Records of processing activities

1. Each controller and, where applicable, the controller's representative shall maintain a record of the processing activities under its responsibility. That record shall contain all of the following information:

(a) the name and contact details of the controller and, where applicable, of the joint controller, the controller's representative and the data protection officer;

(b) the purposes of the processing;

(c) a description of the categories of data subjects and of the categories of personal data;

(d) the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;

(e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of the suitable safeguards;

(f) where applicable, the envisaged time limits for erasure of the different categories of data;

(g) where applicable, a general description of the technical and organisational security measures referred to in Article 32(1).

2. Each processor and, where applicable, the processor's representative shall maintain a record of the processing activities carried out on behalf of a controller, containing the following information:

(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting and, where applicable, of the controller's or the processor's representative and the data protection officer;

(b) the categories of processing carried out on behalf of each controller;

(c) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of the suitable safeguards;

(d) where applicable, a general description of the technical and organisational security measures referred to in Article 32(1).

3. The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.

4. The controller or the processor and, where applicable, the controller's or the processor's representative shall make the record available to the supervisory authority on request.

5. The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or organisation employing fewer than 250 persons, unless the processing it carries out is not occasional and is likely to result in a risk to the rights and freedoms of data subjects, or the processing includes the special categories of data referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.

Article 31 Cooperation with the supervisory authority

The controller and the processor and, where applicable, their representatives shall cooperate with the supervisory authority, on request, in the performance of its tasks.

Section 2 Security of personal data

Article 32 Security of processing

1. Taking into account the state of the art, the cost of implementation, the nature, scope, context and purposes of the processing, and the likelihood and severity of the risks to the rights and freedoms of natural persons posed by the processing, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including but not limited to:

(a) the anonymisation and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability of and access to personal data in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.

2. In assessing the appropriate level of security, account shall be taken in particular of the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

3. Adherence to an approved code of conduct as referred to in Article 40, or to an approved certification mechanism as referred to in Article 42, may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.

4. The controller and the processor shall take steps to ensure that any processor with access to personal data, and any natural person acting under the authority of the controller or the processor, does not process those data except on instructions from the controller, unless required to do so by Union or Member State law.

Article 33 Notification of a personal data breach to the supervisory authority

1. In the case of a personal data breach, the controller shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by the reasons for the delay.

2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

3. The notification referred to in paragraph 1 shall at least:

(a) describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

(b) communicate the name and contact details of the data protection officer, or another contact point where more information can be obtained;

(c) describe the likely consequences of the personal data breach;

(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

4. Where it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

5. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify the controller's compliance with this Regulation.

Article 34 Communication of a personal data breach to the data subject

1. When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and shall contain at least the information and recommendations referred to in points (b), (c) and (d) of Article 33(3).

3. The controller shall not be required to communicate the personal data breach to the data subject if any of the following conditions is met:

(a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the breach, in particular measures that render the personal data unintelligible to any person not authorised to access them, such as encryption;

(b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;

(c) the communication would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in a manner at least as effective as communication by the controller.

4. If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the breach resulting in a high risk, may require it to do so, or may decide that one of the conditions referred to in paragraph 3 is met.

Section 3 Data protection impact assessment and prior consultation

Article 35 Data protection impact assessment

1. Where a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons, taking into account the nature, scope, context and purposes of the processing, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. Where several high-risk processing activities belong to the same type, a single assessment of one of them is sufficient.

2. The controller shall seek the advice of the data protection officer, where one has been designated, when carrying out a data protection impact assessment.

3. A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:

(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;

(b) processing on a large scale of the special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or

(c) systematic monitoring of a publicly accessible area on a large scale.

4. The supervisory authority shall establish and make public a list of the kinds of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1. The supervisory authority shall communicate such lists to the European Data Protection Board referred to in Article 68.

5. The supervisory authority may also establish and make public a list of the kinds of processing operations for which no data protection impact assessment is required. The supervisory authority shall communicate such lists to the European Data Protection Board.

6. Prior to the adoption of the lists referred to in paragraphs 4 and 5, the competent supervisory authority shall apply the consistency mechanism referred to in Article 63 where such lists involve the offering of goods or services to data subjects, or the monitoring of behaviour in several Member States, or may substantially affect the free movement of personal data within the Union.

7. The assessment shall contain at least:

(a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interests p pursued by the controller;

(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

(c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1;

(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.

8. Compliance with approved codes of conduct referred to in Article 40 by the relevant controllers or processors shall be taken into due account in assessing the impact of the processing operations performed by such controllers or processors, in particular for the purposes of a data protection impact assessment.

9. Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.

10. Where processing pursuant to point (c) or (e) of Article 6(1) has a legal basis in Union or Member State law which regulates the processing operations in question, and a data protection impact assessment has already been carried out as part of a general impact assessment in the context of the adoption of that legal basis, paragraphs 1 to 7 shall not apply, unless Member States deem it necessary to carry out such an assessment prior to the processing activities.

11. Where necessary, the controller shall carry out a review to assess whether processing is performed in accordance with the data protection impact assessment, at least when there is a change in the risk represented by the processing operations.

Article 36 Prior consultation

1. Where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate it, the controller shall consult the supervisory authority prior to the processing.

2. Where the supervisory authority is of the opinion that the intended processing referred to in paragraph 1 would infringe this Regulation, in particular where the controller has insufficiently identified or mitigated the risk, the supervisory authority shall, within a period of up to eight weeks of receipt of the request for consultation, provide written advice to the controller and, where applicable, to the processor, and may use any of its powers referred to in Article 58. That period may be extended by six weeks, taking into account the complexity of the intended processing. The supervisory authority shall inform the controller and, where applicable, the processor of any such extension, together with the reasons for the delay, within one month of receipt of the request for consultation. The supervisory authority may suspend those periods until it has obtained the information it has requested for the purposes of the consultation.

3. When consulting the supervisory authority pursuant to paragraph 1, the controller shall provide the supervisory authority with:

(a) where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;

(b) the purposes and means of the intended processing;

(c) the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to this Regulation;

(d) where applicable, the contact details of the data protection officer;

(e) the data protection impact assessment provided for in Article 35; and

(f) any other information requested by the supervisory authority.

4. Member States shall consult the supervisory authority during the preparation of a proposal for a legislative measure to be adopted by a national parliament, or of a regulatory measure based on such a legislative measure, which relates to processing.

5. Notwithstanding paragraph 1, Member State law may require controllers to consult with, and obtain prior authorisation from, the supervisory authority in relation to processing for the performance of a task carried out by the controller in the public interest, including processing in relation to social protection and public health.

Section 4 Data protection officer

Article 37 Designation of the data protection officer

1. The controller and the processor shall designate a data protection officer in any of the following cases:

(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

(b) the core activities of the controller or the processor consist of processing operations which, by their nature, require regular and systematic monitoring of data subjects on a large scale; or

(c) the core activities of the controller or the processor consist of large-scale processing of the special categories of data referred to in Article 9 and of personal data relating to criminal convictions and offences referred to in Article 10.

2. A group of undertakings may appoint a single data protection officer, provided that the data protection officer is easily accessible from each establishment.

3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.

4. In cases other than those referred to in paragraph 1, the controller or processor, or associations and other bodies representing categories of controllers or processors, may, or where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act on behalf of such associations and other bodies representing controllers or processors.

5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.

6. The data protection officer may be a staff member of the controller or processor, or may fulfil the tasks on the basis of a service contract.

7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.

Article 38 Position of the data protection officer

1. The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.

2. The controller and the processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing the resources necessary to carry out those tasks, access to personal data and processing operations, and the means to maintain his or her expert knowledge.

3. The controller and the processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. The data protection officer shall not be dismissed by the controller or the processor for performing his or her tasks. The data protection officer may report directly to the highest management level of the controller or the processor.

4. Data subjects may contact the data protection officer with regard to all issues related to the processing of their personal data and to the exercise of their rights under this Regulation.

5. The data protection officer shall be bound by an obligation of confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.

6. The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.

Article 39 Tasks of the data protection officer

1. The data protection officer shall have at least the following tasks:

(a) to inform and advise the controller or the processor, and the employees who carry out processing, of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;

(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities in processing operations and the related audits, awareness-raising and the training of staff;

(c) to provide advice, where requested, as regards the data protection impact assessment and to monitor its performance pursuant to Article 35;

(d) to cooperate with the supervisory authority;

(e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and, where applicable, to consult on any other relevant matter.

2. The data protection officer shall, in the performance of his or her tasks, have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of the processing.

Section 5 Codes of conduct and certification

Article 40 Codes of conduct

1. The Member States, the supervisory authorities, the European Data Protection Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.

2. Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, for example with regard to:

(a) fair and transparent processing;

(b) the legitimate interests pursued by controllers in specific contexts;

(c) the collection of personal data;

(d) the anonymisation of personal data;

(e) the information provided to the public and to data subjects;

(f) the exercise of the rights of data subjects;

(g) the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained;

(h) the measures and procedures referred to in Articles 24 and 25, and the measures to ensure the security of processing referred to in Article 32;

(i) the notification of personal data breaches to supervisory authorities and the communication of such breaches to data subjects;

(j) the transfer of personal data to third countries or international organisations; or

(k) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 99.

3. In addition to adherence by controllers or processors subject to this Regulation, codes of conduct approved pursuant to paragraph 5 of this Article and having general validity pursuant to paragraph 9 of this Article may also be adhered to by controllers or processors that are not subject to this Regulation pursuant to Article 3, in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (e) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards, including with regard to the rights of data subjects.

4. Without prejudice to the tasks and powers of the supervisory authorities competent pursuant to Article 55 or 56, a code of conduct referred to in paragraph 2 of this Article shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it.

5. Associations and other bodies referred to in paragraph 2 of this Article which intend to prepare a code of conduct, or to amend or extend an existing code, shall submit the draft code, amendment or extension to the supervisory authority which is competent pursuant to Article 55. The supervisory authority shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation, and shall approve it if it finds that it provides sufficient and appropriate safeguards.

6. Where the draft code, amendment or extension is approved in accordance with paragraph 5, and the code of conduct concerned does not relate to processing activities in several Member States, the supervisory authority shall register and publish the code.

7. Where a draft code of conduct relates to processing activities in several Member States, the supervisory authority competent pursuant to Article 55 shall, before approving the draft code, amendment or extension, submit it under the procedure referred to in Article 63 to the European Data Protection Board, which shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation or, in the situation referred to in paragraph 3 of this Article, provides appropriate safeguards.

8. Where the opinion referred to in paragraph 7 confirms that the draft code, amendment or extension complies with this Regulation or, in the situation referred to in paragraph 3, provides appropriate safeguards, the European Data Protection Board shall submit its opinion to the Commission.

9. The Commission shall, by way of implementing acts, decide whether the approved code of conduct, amendment or extension submitted to it pursuant to paragraph 8 has general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 94(2).

10. The Commission shall ensure appropriate publicity for the approved codes which have been decided as having general validity in accordance with paragraph 9.

11. The European Data Protection Board shall collate all registered approved codes of conduct, amendments and extensions, and shall make them publicly available by appropriate means.

Article 41 Monitoring of approved codes of conduct

1. Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, the monitoring of compliance with a code of conduct pursuant to Article 40 may be carried out by a body which has an appropriate level of expertise in relation to the subject-matter of the code and is accredited for that purpose by the competent supervisory authority.

2. A body referred to in paragraph 1 may be accredited to monitor compliance with a code of conduct where that body has:

(a) demonstrated its independence and expertise in relation to the subject-matter of the code to the satisfaction of the competent supervisory authority;

(b) established procedures which allow it to assess the eligibility of the controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation;

(c) established procedures and structures to handle complaints about infringements of the code, or about the manner in which the code has been, or is being, implemented by a controller or processor, and made those procedures and structures transparent to data subjects and the public; and

(d) demonstrated, to the satisfaction of the competent supervisory authority, that its tasks and duties do not result in a conflict of interests.

3. The competent supervisory authority shall submit the draft criteria for accreditation of a body referred to in paragraph 1 to the European Data Protection Board pursuant to the consistency mechanism referred to in Article 63.

4. Without prejudice to the tasks and powers of the competent supervisory authority and the provisions of Chapter VIII, a body referred to in paragraph 1 shall, subject to appropriate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. It shall inform the competent supervisory authority of such actions and the reasons for taking them.

5. The competent supervisory authority shall revoke the accreditation of a body referred to in paragraph 1 if the conditions for accreditation are not, or are no longer, met, or where actions taken by the body infringe this Regulation.

6. This Article shall not apply to processing carried out by public authorities and bodies.

Article 42 Certification

1. The Member States, the supervisory authorities, the European Data Protection Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating that processing operations by controllers and processors comply with this Regulation. The specific needs of micro, small and medium-sized enterprises shall be taken into account.

2. In addition to adherence by controllers or processors subject to this Regulation, data protection certification mechanisms, seals or marks approved pursuant to paragraph 5 of this Article may be established for the purpose of demonstrating that appropriate safeguards have been provided by controllers or processors that are not subject to this Regulation pursuant to Article 3, within the framework of personal data transfers to third countries or international organisations under the terms referred to in point (f) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards, including with regard to the rights of data subjects.

3. Certification shall be voluntary and shall be available through a transparent process.

4. A certification pursuant to this Article does not reduce the responsibility of the controller or the processor for compliance with this Regulation, and is without prejudice to the tasks and powers of the supervisory authorities competent pursuant to Article 55 or 56.

5. A certification pursuant to this Article shall be approved by the certification bodies referred to in Article 43, on the basis of criteria approved by the competent supervisory authority pursuant to Article 58(3) or by the European Data Protection Board pursuant to Article 63. Where the criteria are approved by the European Data Protection Board, this may result in a common certification, the European Data Protection Seal.

6. A controller or processor which submits its processing to the certification mechanism shall provide the certification body referred to in Article 43 and, where applicable, the competent supervisory authority with all information and access necessary to conduct the certification procedure.

7. Certification shall be issued to a controller or processor for a maximum period of three years and may be renewed under the same conditions, provided that the relevant requirements continue to be met. Certification shall be withdrawn by the certification bodies referred to in Article 43 or, where applicable, by the competent supervisory authority where the requirements for the certification are not, or are no longer, met.

8. The European Data Protection Board shall collate all registered certification mechanisms and data protection seals and marks, and shall make them publicly available by appropriate means.

Article 43 Certification bodies

1. Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, certification bodies which have an appropriate level of expertise may, after informing the supervisory authority so that it may exercise its powers pursuant to point (h) of Article 58(2), issue and renew certification. Member States shall ensure that those certification bodies are accredited by one or both of the following:

(a) the supervisory authority which is competent pursuant to Article 55 or 56;

(b) the national accreditation body named in accordance with Regulation (EC) No 765/2008 of the European Parliament and of the Council, in accordance with EN-ISO/IEC 17065/2012 and with the additional requirements established by the supervisory authority which is competent pursuant to Article 55 or 56.

2. Certification bodies referred to in paragraph 1 shall be accredited in accordance with that paragraph only where they have:

(a) demonstrated their independence and expertise in relation to the subject-matter of the code to the satisfaction of the competent supervisory authority;

(b) undertaken to respect the criteria referred to in Article 42(5), as approved by the supervisory authority competent pursuant to Article 55 or by the European Data Protection Board pursuant to Article 63;

(c) established procedures for the issuing, periodic review and withdrawal of data protection certifications, seals and marks;

(d) established procedures and structures to handle complaints about infringements of the code, or about the manner in which the code has been, or is being, implemented by a controller or processor, and made those procedures and structures known to data subjects and the public; and

(e) demonstrated, to the satisfaction of the competent supervisory authority, that their tasks and duties do not result in a conflict of interests.

3. The accreditation of certification bodies referred to in paragraphs 1 and 2 of this Article shall take place on the basis of criteria approved by the supervisory authority competent pursuant to Article 55 or 66, or by the European Data Protection Board pursuant to Article 63. In the case of accreditation pursuant to point (b) of paragraph 1 of this Article, those requirements shall complement those envisaged in Regulation (EC) No 765/2008 and the technical rules that describe the methods and procedures of the certification bodies.

4. Without prejudice to the responsibility of the controller or processor for compliance with this Regulation, the certification bodies referred to in paragraph 1 shall be responsible for the proper assessment leading to the certification or the withdrawal of such certification. Certification shall be issued to a controller or processor for a maximum period of five years and may be renewed under the same conditions, provided that the relevant requirements continue to be met.

5. The certification bodies referred to in paragraph 1 shall provide the competent supervisory authority with the reasons for granting or withdrawing the requested certification.

6. The supervisory authority shall make public, in an easily accessible form, the requirements referred to in paragraph 3 of this Article and the criteria referred to in Article 42(5). The supervisory authority shall also transmit those requirements and criteria to the European Data Protection Board. The European Data Protection Board shall collate all registered certification mechanisms and data protection seals, and shall make them publicly available by appropriate means.

7. Without prejudice to Chapter VIII, the competent supervisory authority or the national accreditation body shall revoke the accreditation of a certification body pursuant to paragraph 1 of this Article where the conditions for accreditation are not, or are no longer, met, or where actions taken by the certification body infringe this Regulation.

8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of specifying the requirements to be taken into account for the data protection certification mechanisms referred to in Article 42(1).

9. The Commission may adopt implementing acts laying down technical standards for certification mechanisms and data protection seals and marks, and mechanisms to promote and recognise those certification mechanisms, seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 94(2).

Chapter V Transfers of personal data to third countries or international organisations

Article 44 General principle for transfers

Any transfer of personal data which are undergoing processing or are intended for processing to a third country or to an international organisation, including onward transfers of personal data from a third country or an international organisation to another third country or another international organisation, shall take place only if the controller and processor comply with the other provisions of this Regulation and with the conditions laid down in this Chapter. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.

Article 45 Transfers on the basis of an adequacy decision

1. A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.

2. When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:

(a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security, criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including the rules of the third country or international organisation that must be complied with for onward transfers of personal data to another third country or international organisation, case-law, effective and enforceable data subject rights, and judicial redress for the data subjects whose personal data are being transferred;

(b) where an international organisation is the subject concerned, the existence in the third country of one or more effectively functioning independent supervisory authorities responsible for ensuring the implementation of the data protection rules, including adequate enforcement powers, for assisting and advising data subjects in exercising their rights, and for cooperation with the supervisory authorities of the Member States;

(c) the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments, as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

3. The Commission, after assessing the adequacy of the level of protection, may decide, by means of an implementing act, that a third country, a territory or one or more specified sectors within a third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2 of this Article. The implementing act shall provide for a mechanism for periodic review, at least every four years, which shall take into account all relevant developments in the third country or international organisation. The implementing act shall specify its territorial and sectoral application and, where applicable, identify the supervisory authority or authorities referred to in point (b) of paragraph 2 of this Article. The implementing act shall be adopted in accordance with the examination procedure referred to in Article 93(2).

4. The Commission shall, on an ongoing basis, monitor developments in third countries and international organisations that could affect the functioning of decisions adopted pursuant to paragraph 3 of this Article and of decisions adopted on the basis of Article 25(6) of Directive 95/46/EC.

5. Where available information reveals, in particular following the review referred to in paragraph 3 of this Article, that a third country, one or more specified sectors within a third country, or an international organisation no longer ensures an adequate level of protection within the meaning of paragraph 2 of this Article, the Commission shall, to the extent necessary, repeal, amend or suspend the decision referred to in paragraph 3 of this Article by means of implementing acts without retroactive effect. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

On duly justified imperative grounds of urgency, the Commission shall adopt immediately applicable implementing acts in accordance with the procedure referred to in Article 93(3).

6. The Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation giving rise to the decision made pursuant to paragraph 5.

7. A decision pursuant to paragraph 5 of this Article is without prejudice to transfers of personal data to the third country, a territory or one or more sectors within that third country, or the international organisation in question pursuant to Articles 46 to 49.

8. The Commission shall publish in the Official Journal of the European Union and on its website a list of the third countries, specified sectors within a third country and international organisations for which it has decided that an adequate level of protection is or is no longer ensured.

9. Decisions adopted by the Commission on the basis of Article 25(6) of Directive 95/46/EC shall remain in force until amended, replaced or repealed by a Commission decision adopted in accordance with paragraph 3 or 5 of this Article.

Article 46 Transfers subject to appropriate safeguards

1. In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

2. The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by:

(a) a legally binding and enforceable instrument between public authorities or bodies;

(b) binding corporate rules in accordance with Article 47;

(c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);

(d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);

(e) an approved code of conduct pursuant to Article 40, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or

(f) an approved certification mechanism pursuant to Article 42, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.

3. Subject to authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:

(a) contractual clauses between the controller or processor and the controller, processor or recipient of the personal data in the third country or international organisation; or

(b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

4. The supervisory authority shall apply the consistency mechanism referred to in Article 63 in the cases referred to in paragraph 3 of this Article.

5. Authorisations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed, if necessary, by a Commission decision adopted in accordance with paragraph 2 of this Article.

Article 47 Binding corporate rules

1. The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 63, provided that they:

(a) are legally binding, apply to, and are enforced by, every member concerned of the group of undertakings or group of enterprises engaged in a joint economic activity, including their employees;

(b) expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and

(c) fulfil the requirements laid down in paragraph 2.

2. The binding corporate rules referred to in paragraph 1 shall specify at least:

(a) the structure and contact details of the group of undertakings or group of enterprises engaged in a joint economic activity, and of each of its members;

(b) the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected, and the identification of the third country or countries in question;

(c) their legally binding nature, both internally and externally;

(d) the application of the general data protection principles, in particular purpose limitation, data minimisation, limited storage periods, data quality, data protection by design and by default, the legal basis for processing, and the processing of special categories of personal data; measures to ensure data security; and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules;

(e) the rights of data subjects in regard to processing and the means to exercise those rights, including the right not to be subject to decisions based solely on automated processing, including profiling in accordance with Article 22, the right to lodge a complaint with the competent supervisory authority and before the competent courts of the Member States in accordance with Article 79, and the right to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;

(f) the acceptance by the controller or processor established on the territory of a Member State of liability for any breach of the binding corporate rules by any member concerned not established in the Union; the controller or processor shall be exempt from that liability only if it proves that that member is not responsible for the event giving rise to the damage;

(g) how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph, is provided to data subjects in addition to Articles 13 and 14;

(h) the tasks of any data protection officer designated in accordance with Article 37, or of any other person or entity in charge of monitoring compliance with the binding corporate rules within the group of undertakings or group of enterprises engaged in a joint economic activity, as well as monitoring training and complaint-handling;

(i) the complaint procedures;

(j) the mechanisms within the group of undertakings or group of enterprises engaged in a joint economic activity for verifying compliance with the binding corporate rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. The results of such verification shall be communicated to the person or entity referred to in point (h) and to the group of undertakings or group of enterprises engaged in a joint economic activity, and shall be made available on request to the competent supervisory authority;

(k) the mechanisms for reporting and recording changes to the rules and for reporting those changes to the supervisory authority;

(l) the cooperation mechanism with the supervisory authority to ensure compliance by the group of undertakings or group of enterprises engaged in a joint economic activity, in particular by making available to the supervisory authority the results of the verifications of the measures referred to in point (j);

(m) the mechanisms for reporting to the competent supervisory authority any legal requirements to which a member of the group of undertakings or group of enterprises engaged in a joint economic activity is subject in a third country, where those requirements are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules; and

(n) appropriate data protection training for personnel having permanent or regular access to personal data.

3. The Commission may specify the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).

Article 48 Transfers or disclosures not authorised by Union law

Any judgment of a court or tribunal, any arbitral award and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may be recognised or enforced only where both of the following conditions are met: first, the judgment, award or decision is based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State; and second, it does not adversely affect the other forms of transfer provided for in this Chapter.

Article 49 Derogations for specific situations

1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer of personal data to a third country or an international organisation shall take place only on one of the following conditions:

(a) the data subject has been explicitly informed that no adequacy decision and no appropriate safeguards exist and that the proposed transfer carries risks, and has nonetheless explicitly consented to the proposed transfer;

(b) the transfer is necessary for the performance of a contract between the data subject and the controller, or for the implementation of pre-contractual measures taken at the data subject's request;

(c) the transfer is necessary for the conclusion or performance of a contract between the controller and another natural or legal person in the interest of the data subject;

(d) the transfer is necessary for reasons of public interest;

(e) the transfer is necessary for the establishment, exercise or defence of legal claims;

(f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;

(g) the transfer is made from a register which, according to Union or Member State law, is intended to provide information to the public in general or to any person who can demonstrate a legitimate interest; however, the derogation applies in such a case only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled.

Where a transfer cannot be based on Article 45 or 46, including the provisions on binding corporate rules, and none of the derogations in points (a) to (g) applies, a transfer to a third country or an international organisation may take place only if the transfer is not repetitive, concerns the rights of only a small number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has, on the basis of that assessment, provided suitable safeguards with regard to the protection of personal data. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and of the compelling legitimate interests pursued.

2. A transfer pursuant to point (g) of paragraph 1 shall not involve the entirety of the personal data, or entire categories of personal data, contained in the register. Where the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or where they are to be the recipients.

3. Points (a), (b) and (c) of paragraph 1 and the second subparagraph of paragraph 1 shall not apply to activities carried out by public authorities in the exercise of their public powers.

4. The public interest referred to in point (d) of paragraph 1 shall be recognised in Union law or in the law of the Member State to which the controller is subject.

5. In the absence of an adequacy decision, Union or Member State law may, for reasons of public interest, expressly set limits on the transfer of specific categories of personal data to a third country or an international organisation. Member States shall notify such provisions to the Commission.

6. The controller or processor shall document the assessment and the suitable safeguards referred to in the second subparagraph of paragraph 1 of this Article in the records referred to in Article 30.

第50條 為保護個人資料的國際合作

在涉及到第三國或國際組織的情形中,歐盟委員會和監管機構應當採取合適的措施以:

(a)發展國際合作機制,以便促進對個人資料保護立法的有效實施;

(b)在採取合適安全措施保障個人資料保護和其它基本權利與自由的前提下,通過告知、申訴轉介、調查幫助和資訊互換為個人資料保護立法的實施提供國際性互助;

(c)在實施個人資料保護立法中,使相關利益方密切參與為了進一步國際合作而進行的討論和活動;

(d)促進個人資料立法與實踐——包括與第三國管轄權衝突——的交換與記錄。

Chapter 6 Independent supervisory authorities

Section 1 Independent status

Article 51 Supervisory authority

1. Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union.

2. Each supervisory authority shall contribute to the consistent application of this Regulation throughout the Union. For that purpose, the supervisory authorities shall cooperate with each other and with the Commission in accordance with Chapter 7.

3. Where more than one supervisory authority is established in a Member State, that Member State shall designate the supervisory authority which is to represent those authorities in the European Data Protection Board and shall set out the mechanism to ensure compliance by the other authorities with the rules relating to the consistency mechanism referred to in Article 63.

4. Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to this Chapter [no later than two years after the entry into force of this Regulation] and, without delay, any subsequent amendment affecting them.

Article 52 Independence

1. Each supervisory authority shall act with complete independence in performing its tasks and exercising its powers in accordance with this Regulation.

2. The member or members of each supervisory authority shall, in the performance of their tasks and the exercise of their powers in accordance with this Regulation, remain free from external influence, whether direct or indirect, and shall neither seek nor take instructions from anybody.

3. The member or members of each supervisory authority shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation, whether gainful or not.

4. Each Member State shall ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers, including those to be carried out in the context of mutual assistance, cooperation and participation in the European Data Protection Board.

5. Each Member State shall ensure that each supervisory authority chooses and has its own staff, which shall be subject to the exclusive direction of the member or members of the supervisory authority concerned.

6. Each Member State shall ensure that each supervisory authority is subject to financial control which does not affect its independence and that it has separate, public annual budgets, which may be part of the overall state or national budget.

Article 53 General conditions for the members of the supervisory authority

1. Member States shall provide for each member of their supervisory authorities to be appointed by means of a transparent procedure by:

- their parliament;

- their government;

- their head of State; or

- an independent body entrusted with the appointment under Member State law.

2. Each member shall have the qualifications, experience and skills, in particular in the area of the protection of personal data, required to perform its duties and exercise its powers.

3. The duties of a member shall end in the event of the expiry of the term of office, resignation or compulsory retirement, in accordance with the law of the Member State concerned.

4. A member shall be dismissed only in cases of serious misconduct or if the member no longer fulfils the conditions required for the performance of the duties.

Article 54 Rules on the establishment of the supervisory authority

1. Each Member State shall provide by law for all of the following:

(a) the establishment of each supervisory authority;

(b) the qualifications and eligibility conditions required to be appointed as a member of each supervisory authority;

(c) the rules and procedures for the appointment of the member or members of each supervisory authority;

(d) the duration of the term of the member or members of each supervisory authority of no less than four years, except for the first appointment after the entry into force of this Regulation, part of which may take place for a shorter period where that is necessary to protect the independence of the supervisory authority by means of a staggered appointment procedure;

(e) whether and, if so, for how many terms the member or members of each supervisory authority are eligible for reappointment;

(f) the conditions governing the obligations of the member or members and staff of each supervisory authority, prohibitions on actions, occupations and benefits incompatible therewith during and after the term of office, and rules governing the cessation of employment.

2. The member or members and the staff of each supervisory authority shall, in accordance with Union or Member State law, be subject to a duty of professional secrecy both during and after their term of office with regard to any confidential information which has come to their knowledge in the course of the performance of their tasks or the exercise of their powers. During their term of office, that duty of professional secrecy shall in particular apply to the reporting by natural persons of infringements of this Regulation.

Section 2 Competence, tasks and powers

Article 55 Competence

1. Each supervisory authority shall be competent for the performance of the tasks assigned to it and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State.

2. Where processing is carried out by public authorities or private bodies acting on the basis of point (c) or (e) of Article 6(1), the supervisory authority of the Member State concerned shall be competent. In such cases Article 56 does not apply.

3. Supervisory authorities shall not be competent to supervise processing operations of courts acting in their judicial capacity.

Article 56 Competence of the lead supervisory authority

1. Without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60.

2. By derogation from paragraph 1, each supervisory authority shall be competent to handle a complaint lodged with it or a possible infringement of this Regulation if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State.

3. In the cases referred to in paragraph 2, the supervisory authority shall inform the lead supervisory authority without delay on that matter. Within a period of three weeks after being informed, the lead supervisory authority shall decide whether or not it will handle the case in accordance with the procedure provided in Article 60, taking into account whether or not there is an establishment of the controller or processor in the Member State of the supervisory authority which informed it.

4. Where the lead supervisory authority decides to handle the case, the procedure provided in Article 60 shall apply. The supervisory authority which informed the lead supervisory authority may submit to the lead supervisory authority a draft for a decision. The lead supervisory authority shall take utmost account of that draft when preparing the draft decision referred to in Article 60(3).

5. Where the lead supervisory authority decides not to handle the case, the supervisory authority which informed the lead supervisory authority shall handle it in accordance with Articles 61 and 62.

6. The lead supervisory authority shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor.

Article 57 Tasks

1. Without prejudice to other tasks set out under this Regulation, each supervisory authority shall, on its territory:

(a) monitor and enforce the application of this Regulation;

(b) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children shall receive specific attention;

(c) advise, in accordance with Member State law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to processing;

(d) promote the awareness of controllers and processors of their obligations under this Regulation;

(e) upon request, provide information to any data subject concerning the exercise of their rights under this Regulation and, if appropriate, cooperate with the supervisory authorities in other Member States to that end;

(f) handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, investigate, to the extent appropriate, the subject matter of the complaint, and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;

(g) cooperate with other supervisory authorities, including by sharing information and providing mutual assistance, with a view to ensuring the consistency of application and enforcement of this Regulation;

(h) conduct investigations on the application of this Regulation, including on the basis of information received from another supervisory authority or other public authority;

(i) monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices;

(j) adopt the standard contractual clauses referred to in Article 28(8) and in point (d) of Article 46(2);

(k) establish and maintain a list in relation to the requirement for data protection impact assessment pursuant to Article 35(4);

(l) give advice on the processing operations referred to in Article 36(2);

(m) encourage the drawing up of codes of conduct pursuant to Article 40, and provide an opinion on and approve such codes of conduct which provide sufficient safeguards pursuant to Article 40(5);

(n) encourage the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Article 42(1), and approve the criteria of certification pursuant to Article 42(5);

(o) where applicable, carry out a periodic review of certifications issued in accordance with Article 42(7);

(p) draft and publish the criteria for the accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;

(q) conduct the accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;

(r) authorise the contractual clauses and provisions referred to in Article 46(3);

(s) approve binding corporate rules pursuant to Article 47;

(t) contribute to the activities of the European Data Protection Board;

(u) keep internal records of infringements of this Regulation and of measures taken in accordance with Article 58(2); and

(v) fulfil any other tasks related to the protection of personal data.

2. Each supervisory authority shall facilitate the submission of the complaints referred to in point (f) of paragraph 1 by measures such as a complaint submission form which can also be completed electronically, without excluding other means of communication.

3. The performance of the tasks of each supervisory authority shall be free of charge for the data subject and, where applicable, for the data protection officer.

4. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the supervisory authority may charge a reasonable fee based on administrative costs, or refuse to act on the request. The supervisory authority shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

Article 58 Powers

1. Each supervisory authority shall have all of the following investigative powers:

(a) to order the controller and the processor and, where applicable, the controller's or the processor's representative to provide any information it requires for the performance of its tasks;

(b) to carry out investigations in the form of data protection audits;

(c) to carry out a review of certifications issued pursuant to Article 42(7);

(d) to notify the controller or the processor of an alleged infringement of this Regulation;

(e) to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks;

(f) to obtain access to any premises of the controller and the processor, including any data processing equipment and means, in accordance with Union or Member State procedural law.

2. Each supervisory authority shall have all of the following corrective powers:

(a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;

(b) to issue reprimands to a controller or processor where processing operations have infringed provisions of this Regulation;

(c) to order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation;

(d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate in a specified manner and within a specified period;

(e) to order the controller to communicate a personal data breach to the data subject;

(f) to impose a temporary or definitive limitation, including a ban, on processing;

(g) to order the rectification or erasure of personal data or the restriction of processing pursuant to Articles 16, 17 and 18, and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19;

(h) to withdraw a certification, or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;

(i) to impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the circumstances of each individual case;

(j) to order the suspension of data flows to a recipient in a third country or to an international organisation.

3. Each supervisory authority shall have all of the following authorisation and advisory powers:

(a) to advise the controller in accordance with the prior consultation procedure referred to in Article 36;

(b) to issue, on its own initiative or on request, opinions to the national parliament, the Member State government or, in accordance with Member State law, to other institutions and bodies as well as to the public on any issue related to the protection of personal data;

(c) to authorise the processing referred to in Article 36(5), if the law of the Member State requires such prior authorisation;

(d) to issue an opinion on and approve draft codes of conduct pursuant to Article 40(5);

(e) to accredit certification bodies pursuant to Article 43;

(f) to issue certifications and approve criteria of certification in accordance with Article 42(5);

(g) to adopt the standard data protection clauses referred to in Article 28(8) and in point (d) of Article 46(2);

(h) to authorise the contractual clauses referred to in point (a) of Article 46(3);

(i) to authorise the administrative arrangements referred to in point (b) of Article 46(3);

(j) to approve binding corporate rules pursuant to Article 47.

4. The exercise of the powers conferred on the supervisory authority pursuant to this Article shall be subject to appropriate safeguards, including effective judicial remedy and due process, set out in Union and Member State law in accordance with the Charter.

5. Each Member State shall provide by law that its supervisory authority shall have the power to bring infringements of this Regulation to the attention of the judicial authorities and, where appropriate, to commence or otherwise engage in legal proceedings, in order to enforce the provisions of this Regulation.

6. Each Member State may provide by law that its supervisory authority shall have additional powers to those referred to in paragraphs 1, 2 and 3. The exercise of those powers shall not impair the effective operation of Chapter 7.

Article 59 Activity reports

Each supervisory authority shall draw up an annual report on its activities, which may include a list of the types of infringement notified and the types of measures taken in accordance with Article 58(2). Those reports shall be transmitted to the national parliament, the government and other authorities as designated by Member State law. They shall be made available to the public, to the Commission and to the European Data Protection Board.

Chapter 7 Cooperation and consistency

Section 1 Cooperation

Article 60 Cooperation between the lead supervisory authority and the other supervisory authorities concerned

1. The lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this Article in an endeavour to reach consensus. The lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other.

2. The lead supervisory authority may request at any time that other supervisory authorities concerned provide mutual assistance pursuant to Article 61, and may conduct joint operations pursuant to Article 62, in particular for carrying out investigations or for monitoring the implementation of a measure concerning a controller or processor established in another Member State.

3. The lead supervisory authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. It shall without delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views.

4. Where any of the other supervisory authorities concerned, within a period of four weeks after having been consulted in accordance with paragraph 3, expresses a relevant and reasoned objection to the draft decision, the lead supervisory authority shall, if it does not follow the relevant and reasoned objection or is of the opinion that the objection is not relevant or reasoned, submit the matter to the consistency mechanism referred to in Article 63.

5. Where the lead supervisory authority intends to follow the relevant and reasoned objection made, it shall submit to the other supervisory authorities concerned a revised draft decision for their opinion. That revised draft decision shall be subject to the procedure referred to in paragraph 4 within a period of two weeks.

6. Where none of the other supervisory authorities concerned has objected to the draft decision submitted by the lead supervisory authority within the periods referred to in paragraphs 4 and 5, the lead supervisory authority and the supervisory authorities concerned shall be deemed to be in agreement with that draft decision and shall be bound by it.

7. The lead supervisory authority shall adopt the decision and notify it to the main establishment or single establishment of the controller or processor, as the case may be, and shall inform the other supervisory authorities concerned and the European Data Protection Board of the decision in question, including a summary of the relevant facts and grounds. The supervisory authority with which a complaint has been lodged shall inform the complainant of the decision.

8. By derogation from paragraph 7, where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged shall adopt the decision, notify it to the complainant and inform the controller thereof.

9. Where the lead supervisory authority and the supervisory authorities concerned agree to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter. The lead supervisory authority shall adopt the decision for the part concerning actions in relation to the controller, notify it to the main establishment or single establishment of the controller or processor on the territory of its Member State and inform the complainant thereof, while the supervisory authority of the complainant shall adopt the decision for the part concerning the dismissal or rejection of that complaint, notify it to that complainant and inform the controller or processor thereof.

10. After being notified of the decision of the lead supervisory authority pursuant to paragraphs 7 and 9, the controller or processor shall take the necessary measures to ensure compliance with the decision as regards processing activities in the context of all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the lead supervisory authority, which shall inform the other supervisory authorities concerned.

11. Where, in exceptional circumstances, a supervisory authority concerned has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Article 66 shall apply.

12. The lead supervisory authority and the other supervisory authorities concerned shall supply the information required under this Article to each other by electronic means, using a standardised format.

Article 61 Mutual assistance

1. Supervisory authorities shall provide each other with relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner, and shall put in place measures for effective cooperation with one another. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorisations and consultations, inspections and investigations.

2. Each supervisory authority shall take all appropriate measures required to reply to a request of another supervisory authority without undue delay and no later than one month after receiving the request. Such measures may include, in particular, the transmission of relevant information on the conduct of an investigation.

3. Requests for assistance shall contain all the necessary information, including the purpose of and reasons for the request. Information exchanged shall be used only for the purpose for which it was requested.

4. The requested supervisory authority shall not refuse to comply with the request unless:

(a) it is not competent for the subject matter of the request or for the measures it is requested to execute; or

(b) compliance with the request would infringe this Regulation or Union or Member State law to which the requested supervisory authority is subject.

5. The requested supervisory authority shall inform the requesting supervisory authority of the results or, as the case may be, of the progress of the measures taken in order to respond to the request. The requested supervisory authority shall provide reasons for any refusal to comply with a request pursuant to paragraph 4.

6. Requested supervisory authorities shall, as a rule, supply the information requested by other supervisory authorities by electronic means, using a standardised format.

7. Requested supervisory authorities shall not charge a fee for any action taken by them pursuant to a request for mutual assistance. Supervisory authorities may agree on rules to indemnify each other for specific expenditure arising from the provision of mutual assistance in exceptional circumstances.

8. Where a supervisory authority does not provide the information referred to in paragraph 5 within one month of receiving the request of another supervisory authority, the requesting supervisory authority may adopt a provisional measure on the territory of its Member State in accordance with Article 55(1). In that case, the urgent need to act under Article 66(1) shall be presumed to be met and to require an urgent binding decision from the European Data Protection Board pursuant to Article 66(2).

9. The Commission may, by means of implementing acts, specify the format and procedures for the mutual assistance referred to in this Article and the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the European Data Protection Board, in particular the standardised format referred to in paragraph 6. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

Article 62 Joint operations of supervisory authorities

1. The supervisory authorities shall, where appropriate, conduct joint operations, including joint investigations and joint enforcement measures, in which members or staff of the supervisory authorities of other Member States are involved.

2. Where the controller or processor has establishments in several Member States, or where a significant number of data subjects in more than one Member State are likely to be substantially affected by processing operations, a supervisory authority of each of those Member States shall have the right to participate in joint operations. The supervisory authority which is competent pursuant to Article 56(1) or (4) shall invite the supervisory authority of each of those Member States to take part in the joint operations and shall respond without delay to the request of a supervisory authority to participate.

3. A supervisory authority may, in accordance with Member State law and with the seconding supervisory authority's authorisation, confer powers, including investigative powers, on the seconding supervisory authority's members or staff involved in joint operations or, insofar as the law of the Member State of the host supervisory authority permits, allow the seconding supervisory authority's members or staff to exercise their investigative powers in accordance with the law of the Member State of the seconding supervisory authority. Such investigative powers may be exercised only under the guidance and in the presence of members or staff of the host supervisory authority. The seconding supervisory authority's members or staff shall be subject to the Member State law of the host supervisory authority.

4. Where, in accordance with paragraph 1, staff of a seconding supervisory authority operate in another Member State, the Member State of the host supervisory authority shall assume responsibility for their actions, including liability for any damage caused by them during their operations, in accordance with the law of the Member State in whose territory they are operating.

5. The Member State in whose territory the damage was caused shall make good such damage under the conditions applicable to damage caused by its own staff. The Member State of the seconding supervisory authority whose staff has caused damage to any person in the territory of another Member State shall reimburse that other Member State in full for any sums it has paid to the persons entitled on their behalf.

6. Without prejudice to the exercise of its rights vis-a-vis third parties, and with the exception of paragraph 5, each Member State shall refrain, in the case provided for in paragraph 1, from requesting reimbursement from another Member State in relation to the damage referred to in paragraph 4.

7. Where a joint operation is intended and a supervisory authority does not, within one month, comply with the obligation laid down in the second sentence of paragraph 2, the other supervisory authorities may adopt a provisional measure on the territory of their Member State in accordance with Article 55. In that case, the urgent need to act under Article 66(1) shall be presumed to be met and to require an opinion or an urgent binding decision from the European Data Protection Board pursuant to Article 66(2).

Section 2 Consistency

Article 63 Consistency mechanism

In order to contribute to the consistent application of this Regulation throughout the Union, the supervisory authorities shall cooperate with each other and, where relevant, with the Commission, through the consistency mechanism set out in this Section.

Article 64 Opinion of the European Data Protection Board

1. The European Data Protection Board shall issue an opinion where a competent supervisory authority intends to adopt any of the measures below. To that end, the competent supervisory authority shall communicate the draft decision to the European Data Protection Board when it:

(a) aims to adopt a list of the processing operations subject to the requirement for a data protection impact assessment pursuant to Article 35(4);

(b) concerns a matter pursuant to Article 40(7) as to whether a draft code of conduct, or an amendment or extension to a code of conduct, complies with this Regulation;

(c) aims to approve the criteria for the accreditation of a body pursuant to Article 41(3) or of a certification body pursuant to Article 43(3);

(d) aims to determine the standard data protection clauses referred to in point (d) of Article 46(2) and in Article 28(8);

(e) aims to authorise the contractual clauses referred to in point (a) of Article 46(3); or

(f) aims to approve binding corporate rules within the meaning of Article 47.

2. Any supervisory authority, the Chair of the European Data Protection Board or the Commission may request that any matter of general application or producing effects in more than one Member State be examined by the European Data Protection Board with a view to obtaining an opinion, in particular where a competent supervisory authority does not comply with the obligations for mutual assistance in accordance with Article 61 or for joint operations in accordance with Article 62.

3. In the cases referred to in paragraphs 1 and 2, the European Data Protection Board shall issue an opinion on the matter submitted to it, provided that it has not already issued an opinion on the same matter. That opinion shall be adopted within eight weeks by a simple majority of the members of the European Data Protection Board. That period may be extended by a further six weeks, taking into account the complexity of the subject matter. Regarding the draft decision referred to in paragraph 1 circulated to the members of the European Data Protection Board in accordance with paragraph 5, a member which has not objected within a reasonable period indicated by the Chair shall be deemed to be in agreement with the draft decision.

4. Supervisory authorities and the Commission shall, without undue delay, communicate by electronic means to the European Data Protection Board, using a standardised format, any relevant information, including, as the case may be, a summary of the facts, the draft decision, the grounds which make the enactment of such measure necessary, and the views of other supervisory authorities concerned.

5. The Chair of the European Data Protection Board shall, without undue delay, inform by electronic means:

(a) the members of the European Data Protection Board and the Commission of any relevant information which has been communicated to it, using a standardised format. The secretariat of the European Data Protection Board shall, where necessary, provide translations of relevant information; and

(b) the supervisory authority referred to, as the case may be, in paragraphs 1 and 2, and the Commission, of the opinion, and make it public.

6. The competent supervisory authority shall not adopt its draft decision referred to in paragraph 1 within the period referred to in paragraph 3.

7. The supervisory authority referred to in paragraph 1 shall take utmost account of the opinion of the European Data Protection Board and shall, within two weeks after receiving the opinion, communicate to the Chair of the European Data Protection Board by electronic means whether it will maintain or amend its draft decision and, if any, the amended draft decision.

8. Where the supervisory authority concerned informs the Chair of the European Data Protection Board within the period referred to in paragraph 7 that it does not intend to follow the opinion of the European Data Protection Board, in whole or in part, providing the relevant grounds, Article 65(1) shall apply.

Article 65 Dispute resolution by the European Data Protection Board

1. In order to ensure the correct and consistent application of this Regulation in individual cases, the European Data Protection Board shall adopt a binding decision in the following cases:

(a) where, in a case referred to in Article 60(4), a supervisory authority concerned has raised a relevant and reasoned objection to a draft decision of the lead supervisory authority, or the lead supervisory authority has rejected such an objection as being not relevant or reasoned. The binding decision shall concern all the matters which are the subject of the relevant and reasoned objection, in particular whether there is an infringement of this Regulation;

(b) where there are conflicting views on which of the supervisory authorities concerned is competent for the main establishment;

(c) where a competent supervisory authority does not request the opinion of the European Data Protection Board in the cases referred to in Article 64(1), or does not follow the opinion of the European Data Protection Board issued under Article 64. In that case, any supervisory authority concerned or the Commission may communicate the matter to the European Data Protection Board.

2. The decision referred to in paragraph 1 shall be adopted within one month from the referral of the subject matter by a two-thirds majority of the members of the European Data Protection Board. That period may be extended by a further month on account of the complexity of the subject matter. The decision referred to in paragraph 1 shall be reasoned and addressed to the lead supervisory authority and all the supervisory authorities concerned, and shall be binding on them.

3. Where the European Data Protection Board has been unable to adopt a decision within the periods referred to in paragraph 2, it shall adopt its decision within two weeks following the expiry of the second month referred to in paragraph 2 by a simple majority of its members. Where the members of the European Data Protection Board are split, the decision shall be adopted by the vote of its Chair.

4. The supervisory authorities concerned shall not adopt a decision on the subject matter submitted to the European Data Protection Board under paragraph 1 during the periods referred to in paragraphs 2 and 3.

5. The Chair of the European Data Protection Board shall notify, without undue delay, the decision referred to in paragraph 1 to the supervisory authorities concerned. It shall inform the Commission thereof. The decision shall be published on the website of the European Data Protection Board without delay after the supervisory authority has notified the final decision referred to in paragraph 6.

6. The lead supervisory authority or, as the case may be, the supervisory authority with which the complaint has been lodged shall adopt its final decision on the basis of the decision referred to in paragraph 1, without undue delay and at the latest one month after the European Data Protection Board has notified its decision. The lead supervisory authority or, as the case may be, the supervisory authority with which the complaint has been lodged shall inform the European Data Protection Board of the date on which its final decision is notified to the controller or processor and to the data subject respectively. The final decision of the supervisory authorities concerned shall be adopted under the terms of Article 60(7), (8) and (9). The final decision shall refer to the decision referred to in paragraph 1 and shall specify that that decision will be published on the website of the European Data Protection Board in accordance with paragraph 5. The final decision shall attach the decision referred to in paragraph 1.

Article 66 Urgency procedure

1. In exceptional circumstances, where a supervisory authority concerned considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, it may, by way of derogation from the consistency mechanism referred to in Articles 63, 64 and 65 or from the procedure referred to in Article 60, immediately adopt provisional measures intended to produce legal effects on its own territory with a specified period of validity which shall not exceed three months. The supervisory authority shall, without delay, communicate those measures and the reasons for adopting them to the other supervisory authorities concerned, to the European Data Protection Board and to the Commission.

2. Where a supervisory authority has taken a measure pursuant to paragraph 1 and considers that final measures need urgently to be adopted, it may request an urgent opinion or an urgent binding decision from the European Data Protection Board, giving reasons for requesting such opinion or decision.

3. Any supervisory authority may request an urgent opinion or an urgent binding decision, as the case may be, from the European Data Protection Board where a competent supervisory authority has not taken an appropriate measure in a situation where there is an urgent need to act in order to protect the rights and freedoms of data subjects, giving reasons for requesting such opinion or decision, including the reasons for the urgent need to act.

4. By derogation from Article 64(3) and Article 65(2), an urgent opinion or an urgent binding decision referred to in paragraphs 2 and 3 shall be adopted within two weeks by a simple majority of the members of the European Data Protection Board.

Article 67 Exchange of information

The Commission may adopt implementing acts of general scope in order to specify the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the European Data Protection Board, in particular the standardised format referred to in Article 64.

Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

Section 3 European Data Protection Board

Article 68 European Data Protection Board

1. The European Data Protection Board is hereby established as a body of the Union and shall have legal personality.

2. The European Data Protection Board shall be represented by its Chair.

3. The European Data Protection Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor, or their respective representatives.

4. Where in a Member State more than one supervisory authority is responsible for monitoring the application of the provisions of this Regulation, a joint representative shall be appointed in accordance with that Member State's law.

5. The Commission shall have the right to participate in the activities and meetings of the European Data Protection Board without voting rights. The Commission shall designate a representative. The Chair of the European Data Protection Board shall communicate the activities of the Board to the Commission.

6. In the cases referred to in Article 65, the European Data Protection Supervisor shall have voting rights only on decisions which concern principles and rules applicable to the Union institutions, bodies, offices and agencies which correspond in substance to those of this Regulation.

Article 69 Independence

1. The European Data Protection Board shall act independently when performing its tasks or exercising its powers pursuant to Articles 70 and 71.

2. Without prejudice to requests by the Commission referred to in point (b) of Article 70(1) and in Article 70(2), the European Data Protection Board shall, in the performance of its tasks or the exercise of its powers, neither seek nor take instructions from anybody.

Article 70 Tasks of the European Data Protection Board

1. The European Data Protection Board shall ensure the consistent application of this Regulation. To that end, the European Data Protection Board shall, on its own initiative or, where relevant, at the request of the Commission, in particular:

(a) monitor and ensure the correct application of this Regulation in the cases provided for in Articles 64 and 65, without prejudice to the tasks of national supervisory authorities;

(b) advise the Commission on any issue related to the protection of personal data in the Union, including on any proposed amendment of this Regulation;

(c) advise the Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules;

(d) issue guidelines, recommendations and best practices on procedures for erasing links, copies or replications of personal data from publicly available communication services as referred to in Article 17(2);

(e) examine, on its own initiative, at the request of one of its members or at the request of the Commission, any question covering the application of this Regulation, and issue guidelines, recommendations and best practices in order to encourage the consistent application of this Regulation;

(f) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for further specifying the criteria and conditions for decisions based on profiling pursuant to Article 22(2);

(g) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing personal data breaches and determining the undue delay referred to in Article 33(1) and (2), and for the particular circumstances in which a controller or a processor is required to notify the personal data breach;

(h) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph as to the circumstances in which a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons as referred to in Article 34(1);

(i) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for personal data transfers based on binding corporate rules adhered to by controllers and binding corporate rules adhered to by processors, and on the further necessary requirements to ensure the protection of personal data of the data subjects concerned referred to in Article 47;

(j) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for personal data transfers on the basis of Article 49(1);

(k) draw up guidelines for supervisory authorities concerning the application of the measures referred to in Article 58(1), (2) and (3) and the setting of administrative fines pursuant to Article 83;

(l) review the practical application of the guidelines, recommendations and best practices referred to in points (e) and (f) of this paragraph;

(m) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing common procedures for the reporting by natural persons of infringements of this Regulation pursuant to Article 54(2);

(n) encourage the drawing up of codes of conduct and the establishment of data protection certification mechanisms and data protection seals and marks pursuant to Articles 40 and 42;

(o) carry out the accreditation of certification bodies and its periodic review pursuant to Article 43, and maintain a public register of accredited bodies pursuant to Article 43(6) and of the accredited controllers or processors established in third countries pursuant to Article 42(7);

(p) specify the requirements referred to in Article 43(3) with a view to the accreditation of certification bodies under Article 42;

(q) provide the Commission with an opinion on the certification requirements referred to in Article 43(8);

(r) provide the Commission with an opinion on the icons referred to in Article 12(7);

(s) provide the Commission with an opinion for the assessment of the adequacy of the level of protection in a third country or international organisation, including for the assessment of whether a third country, a territory or one or more specified sectors within that third country, or an international organisation no longer ensures an adequate level of protection. To that end, the Commission shall provide the European Data Protection Board with all necessary documentation, including correspondence with the government of the third country, with regard to that third country, territory or specified sector, or with the international organisation;

(t) issue opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism referred to in Article 64(1), on matters submitted pursuant to Article 64(2), and issue binding decisions pursuant to Article 65, including in the cases referred to in Article 66;

(u) promote the cooperation and the effective bilateral and multilateral exchange of information and best practices between the supervisory authorities;

(v) promote common training programmes and facilitate personnel exchanges between the supervisory authorities and, where appropriate, with the supervisory authorities of third countries or with international organisations;

(w) promote the exchange of knowledge and documentation on data protection legislation and practice with data protection supervisory authorities worldwide;

(x) issue opinions on codes of conduct drawn up at Union level pursuant to Article 40(9); and

(y) maintain a publicly accessible electronic register of decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.

2. Where the Commission requests advice from the European Data Protection Board, it may indicate a time limit, taking into account the urgency of the matter.

3. The European Data Protection Board shall forward its opinions, guidelines, recommendations and best practices to the Commission and to the committee referred to in Article 93, and shall make them public.

4. The European Data Protection Board shall, where appropriate, consult interested parties and give them the opportunity to comment within a reasonable period. Without prejudice to Article 76, the European Data Protection Board shall make the results of the consultation procedure publicly available.

Article 71 Reports

1. The European Data Protection Board shall draw up an annual report regarding the protection of natural persons with regard to processing in the Union and, where relevant, in third countries and international organisations. The report shall be made public and be transmitted to the European Parliament, to the Council and to the Commission.

2. The annual report shall include a review of the practical application of the guidelines, recommendations and best practices referred to in point (l) of Article 70(1), as well as of the binding decisions referred to in Article 65.

Article 72 Procedure

1. The European Data Protection Board shall take decisions by a simple majority of its members, unless otherwise provided for in this Regulation.

2. The European Data Protection Board shall adopt its own rules of procedure by a two-thirds majority of its members and organise its own operational arrangements.

Article 73 Chair

1. The European Data Protection Board shall elect a Chair and two deputy chairs from amongst its members by simple majority.

2. The term of office of the Chair and of the deputy chairs shall be five years and shall be renewable once.

Article 74 Tasks of the Chair

1. The Chair shall have the following tasks:

(a) to convene the meetings of the European Data Protection Board and prepare its agenda;

(b) to notify decisions adopted by the European Data Protection Board pursuant to Article 65 to the lead supervisory authority and the supervisory authorities concerned;

(c) to ensure the timely performance of the tasks of the European Data Protection Board, in particular in relation to the consistency mechanism referred to in Article 63.

2. The European Data Protection Board shall lay down the allocation of tasks between the Chair and the deputy chairs in its rules of procedure.

Article 75 Secretariat

1. The European Data Protection Board shall have a secretariat, which shall be provided by the European Data Protection Supervisor.

2. The secretariat shall perform its tasks exclusively under the instructions of the Chair of the European Data Protection Board.

3. The staff of the European Data Protection Supervisor involved in carrying out the tasks conferred on the European Data Protection Board by this Regulation shall be subject to separate reporting lines from the staff involved in carrying out the tasks conferred on the European Data Protection Supervisor.

4. Where appropriate, the European Data Protection Board and the European Data Protection Supervisor shall establish and publish a memorandum of understanding implementing this Article, determining the terms of their cooperation and applicable to the staff of the European Data Protection Supervisor involved in carrying out the tasks conferred on the European Data Protection Board by this Regulation.

5. The secretariat shall provide analytical, administrative and logistical support to the European Data Protection Board.

6. The secretariat shall be responsible in particular for:

(a) the day-to-day business of the European Data Protection Board;

(b) communication between the members of the European Data Protection Board, its Chair and the Commission;

(c) communication with other institutions and the public;

(d) the use of electronic means for internal and external communication;

(e) the translation of relevant information;

(f) the preparation and follow-up of the meetings of the European Data Protection Board;

(g) the preparation, drafting and publication of opinions, decisions on the settlement of disputes between supervisory authorities and other texts adopted by the European Data Protection Board.

Article 76 Confidentiality

1. The discussions of the European Data Protection Board shall be confidential where the Board deems it necessary, as provided for in its rules of procedure.

2. Access to documents submitted to members of the European Data Protection Board, experts and representatives of third parties shall be governed by Regulation (EC) No 1049/2001 of the European Parliament and of the Council[1].

Chapter 8 Remedies, liability and penalties

Article 77 Right to lodge a complaint with a supervisory authority

1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

2. The supervisory authority with which the complaint has been lodged shall inform the complainant of the progress and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Article 78.

Article 78 Right to an effective judicial remedy against a supervisory authority

1. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

2. Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the supervisory authority which is competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the data subject within three months of the progress or outcome of the complaint lodged pursuant to Article 77.

3. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.

4. Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the European Data Protection Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.

Article 79 Right to an effective judicial remedy against a controller or processor

1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.

2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.

Article 80 Representation of data subjects

1. The data subject shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects' rights and freedoms with regard to the protection of their personal data, to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 on his or her behalf where provided for by Member State law.

2. Member States may provide that any body, organisation or association referred to in paragraph 1, independently of a data subject's mandate, has the right to lodge, in that Member State, a complaint with the supervisory authority which is competent pursuant to Article 77 and to exercise the rights referred to in Articles 78 and 79 if it considers that the rights of a data subject under this Regulation have been infringed as a result of the processing.

Article 81 Suspension of proceedings

1. Where a competent court of a Member State has information on proceedings concerning the same subject matter as regards processing by the same controller or processor that are pending in a court in another Member State, it shall contact that court in the other Member State to confirm the existence of such proceedings.

2. Where proceedings concerning the same subject matter as regards processing by the same controller or processor are pending in a court in another Member State, any competent court other than the court first seised may suspend its proceedings.

3. Where those proceedings are pending at first instance, any court other than the court first seised may also, on the application of one of the parties, decline jurisdiction if the court first seised has jurisdiction over the actions in question and its law permits the consolidation thereof.

Article 82 Right to compensation and liability

1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with the obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to the lawful instructions of the controller.

3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.

4. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by the processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.

5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of the responsibility for the damage, in accordance with the conditions set out in paragraph 2.

6. Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2).

Article 83 General conditions for imposing administrative fines

1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of the infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.

2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, the measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case, due regard shall be given to the following:

(a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

(b) the intentional or negligent character of the infringement;

(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;

(d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to Articles 25 and 32;

(e) any relevant previous infringements by the controller or processor;

(f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

(g) the categories of personal data affected by the infringement;

(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures;

(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

3. If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.

4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines of up to 10 000 000 EUR or, in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

(a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 42 and 43;

(b) the obligations of the certification body pursuant to Articles 42 and 43;

(c) the obligations of the monitoring body pursuant to Article 41(4).

5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines of up to 20 000 000 EUR or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

(a) the basic principles for processing, including the conditions for consent, pursuant to Articles 5, 6, 7 and 9;

(b) the data subjects' rights pursuant to Articles 12 to 22;

(c) the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;

(d) any obligations pursuant to Member State law adopted under Chapter 9;

(e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2), or failure to provide access in violation of Article 58(1).

6. Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2, be subject to administrative fines of up to 20 000 000 EUR or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

7. Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.

8. The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process.

9. Where the legal system of the Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent supervisory authority and imposed by the competent national courts, while ensuring that those legal remedies are effective and have an equivalent effect to the administrative fines imposed by supervisory authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. Those Member States shall notify to the Commission the provisions of their laws which they adopt pursuant to this paragraph [within two years of the entry into force of this Regulation] and, without delay, any subsequent amending law or amendment affecting them.

Article 84 Penalties

1. Member States shall lay down the rules on other penalties applicable to infringements of this Regulation, in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.

2. Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1 [within two years of the entry into force of this Regulation] and, without delay, any subsequent amendment affecting them.

Chapter 9 Provisions relating to specific processing situations

Article 85 Processing and freedom of expression and information

1. Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.

2. For processing carried out for journalistic purposes or the purposes of academic, artistic or literary expression, Member States shall provide for exemptions or derogations from Chapter 2 (Principles), Chapter 3 (Rights of the data subject), Chapter 4 (Controller and processor), Chapter 5 (Transfer of personal data to third countries or international organisations), Chapter 6 (Independent supervisory authorities), Chapter 7 (Cooperation and consistency) and Chapter 9 (Specific data processing situations) if they are necessary to reconcile the right to the protection of personal data with the freedom of expression and information.

3. Each Member State shall notify to the Commission the provisions of its law which it has adopted pursuant to paragraph 2 and, without delay, any subsequent amending law or amendment affecting them.

Article 86 Processing and public access to official documents

Personal data in official documents held by a public authority or a public body, or by a private body for the performance of a task carried out in the public interest, may be disclosed by the authority or body in accordance with Union or Member State law to which the authority or body is subject, in order to reconcile public access to official documents with the right to the protection of personal data pursuant to this Regulation.

Article 87 Processing of the national identification number

Member States may further determine the specific conditions for the processing of a national identification number or any other identifier of general application. In that case, the national identification number or any other identifier of general application shall be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation.

Article 88 Processing in the context of employment

1. Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees' personal data in the employment context, in particular for the purposes of recruitment, the performance of the contract of employment, including the discharge of obligations laid down by law or by collective agreements, the management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, the protection of the employer's or customers' property, the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and the termination of the employment relationship.

2. Those rules shall include suitable and specific measures to safeguard the data subject's human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings, or a group of enterprises engaged in a joint economic activity, and monitoring systems at the workplace.

3. Each Member State shall notify to the Commission those provisions of its law which it adopts pursuant to paragraph 1 [within two years of the entry into force of this Regulation] and, without delay, any subsequent amendment affecting them.

Article 89 Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

1. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place, in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation, provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.

2. Where personal data are processed for scientific or historical research purposes or statistical purposes, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18 and 21, subject to the conditions and safeguards referred to in paragraph 1, insofar as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.

3. Where personal data are processed for archiving purposes in the public interest, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18, 19, 20 and 21, subject to the conditions and safeguards referred to in paragraph 1, insofar as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.

4. Where the processing referred to in paragraphs 2 and 3 serves at the same time another purpose, the derogations shall apply only to processing for the purposes referred to in those paragraphs.

Article 90 Obligations of secrecy

1. Member States may adopt specific rules to set out the powers of the supervisory authorities laid down in points (e) and (f) of Article 58(1) in relation to controllers or processors that are subject, under Union or Member State law or rules established by national competent bodies, to an obligation of professional secrecy or other equivalent obligations of secrecy, where this is necessary and proportionate to reconcile the right to the protection of personal data with the obligation of secrecy. Those rules shall apply only with regard to personal data which the controller or processor has received as a result of, or has obtained in, an activity covered by that obligation of secrecy.

2. Each Member State shall notify to the Commission the rules adopted pursuant to paragraph 1 [within two years of the entry into force of this Regulation] and, without delay, any subsequent amendment affecting them.

Article 91 Existing data protection rules of churches and religious associations

1. Where, in a Member State, churches and religious associations or communities apply, at the time of entry into force of this Regulation, comprehensive rules relating to the protection of natural persons with regard to processing, such rules may continue to apply, provided that they are brought into line with this Regulation.

2. Churches and religious associations which apply comprehensive rules in accordance with paragraph 1 shall be subject to the supervision of an independent supervisory authority, which may be specific, provided that it fulfils the conditions laid down in Chapter 6 of this Regulation.

Chapter 10 Delegated acts and implementing acts

Article 92 Exercise of the delegation

1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.

2. The delegation of power referred to in Article 12(8) and Article 43(8) shall be conferred on the Commission for an indeterminate period of time from [the date of entry into force of this Regulation].

3. The delegation of power referred to in Article 12(8) and Article 43(8) may be revoked at any time by the European Parliament or by the Council. A decision of revocation shall put an end to the delegation of power specified in that decision. It shall take effect the day following that of its publication in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

4. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.

5. A delegated act adopted pursuant to Article 12(8) and Article 43(8) shall enter into force only if no objection has been expressed by either the European Parliament or the Council within a period of three months of notification of that act to the European Parliament and the Council, or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by three months at the initiative of the European Parliament or of the Council.

Article 93 Committee procedure

1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

3. Where reference is made to this paragraph, Article 8 of Regulation (EU) No 182/2011, in conjunction with Article 5 thereof, shall apply.

Chapter 11 Final provisions

Article 94 Repeal of Directive 95/46/EC

1. Directive 95/46/EC is repealed with effect from [two years after the entry into force of this Regulation].

2. References to the repealed Directive shall be construed as references to this Regulation. References to the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Article 29 of Directive 95/46/EC shall be construed as references to the European Data Protection Board established by this Regulation.

Article 95 Relationship with Directive 2002/58/EC

This Regulation shall not impose additional obligations on natural or legal persons in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks in the Union in relation to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC.

Article 96 Relationship with previously concluded agreements

International agreements involving the transfer of personal data to third countries or international organisations which were concluded by Member States prior to [the date of entry into force of this Regulation], and which comply with the law applicable prior to that date, shall remain in force until amended, replaced or revoked.

Article 97 Commission reports

1. By [four years after the date of entry into force of this Regulation] and every four years thereafter, the Commission shall submit a report on the evaluation and review of this Regulation to the European Parliament and to the Council. The reports shall be made public.

2. In the context of the evaluations and reviews referred to in paragraph 1, the Commission shall examine, in particular, the application and functioning of:

(a) Chapter 5 on the transfer of personal data to third countries or international organisations, with particular regard to decisions adopted pursuant to Article 45(3) of this Regulation and decisions adopted on the basis of Article 25(6) of Directive 95/46/EC;

(b) Chapter 7 on cooperation and consistency.

3. For the purpose of paragraph 1, the Commission may request information from Member States and supervisory authorities.

4. In carrying out the evaluations and reviews referred to in paragraphs 1 and 2, the Commission shall take into account the positions and findings of the European Parliament, of the Council, and of other relevant bodies or sources.

5. The Commission shall, if necessary, submit appropriate proposals to amend this Regulation, in particular taking into account developments in information technology and in the light of the state of progress in the information society.

Article 98 Review of other Union legal acts on data protection

The Commission shall, if appropriate, submit legislative proposals with a view to amending other Union legal acts on the protection of personal data, in order to ensure uniform and consistent protection of natural persons with regard to processing. This shall in particular concern the rules relating to the protection of natural persons with regard to processing by Union institutions, bodies, offices and agencies, and on the free movement of such data.

Article 99 Entry into force and application

1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

2. It shall apply from [two years after the date of entry into force of this Regulation].

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Note: [1] Regulation (EC) No 1049/2001 of the European Parliament and of the Council regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43).



Disclaimer


Welcome to this website. So that you can use the services and information on this website with confidence, we set out below the privacy protection policy of this platform, which safeguards your rights and interests. Please read the following carefully:

Scope of the privacy protection policy
This privacy protection policy covers how this platform handles the personally identifiable information collected when you use the website's services. It does not apply to linked websites outside this platform, nor to persons who are not entrusted by, or involved in, the management of this platform.

How information is collected and used
To provide you with the best interactive services on this platform, for example when you register as a user or take part in activities on the platform or in public forums, you may be asked to provide relevant personal information within the following scope. When you use interactive features such as the service mailbox or the contact form, we will retain the information you provide, such as your name, gender, age, date of birth, telephone number, mailing address, residential address and e-mail address. Unless we obtain your consent or a law specifically provides otherwise, this website will never disclose your personal information to third parties or use it for purposes other than those for which it was collected. However, this platform will provide personal information at the request of law enforcement authorities or for the purpose of public safety; this platform assumes no responsibility for any disclosure made in those circumstances.

External links from the platform
The web pages of this platform provide links to other websites, and you may enter those websites through the links provided here. The privacy protection policy of this website does not apply to the linked websites; you must refer to the privacy protection policy of each linked website.

Use of cookies
To provide you with the best service, this platform may place and read cookies on your computer. If you do not wish to accept cookies, you can set the privacy level in your browser's settings to high, which refuses the writing of cookies; some functions of the website may then not work properly.

Inquiry, correction and deletion of personal data
When you need to inquire about, read, supplement, correct or delete your personal data, you can contact the customer service center by e-mail, and the customer service center of this platform will handle your request promptly.
Customer service center email: [email protected]

Amendments to the privacy protection policy
The privacy protection policy of this platform will be revised as needed, and the revised terms will be published on the platform.



EU General Data Protection Regulation (GDPR)


Chapter 1 General Terms

Article 1 Main Matters and Objectives

1. This Regulation establishes rules for the protection of natural persons in the processing of personal data, as well as rules for the free movement of personal data.

2. This Regulation protects the fundamental rights and freedoms of natural persons, especially the right to personal data protection enjoyed by natural persons.

3. The free movement of personal data within the EU cannot be restricted or prohibited on the grounds of protecting the natural persons concerned in the processing of personal data.

Article 2 Scope of application

1. This Ordinance applies to fully automated personal data processing, semi-automatic personal data processing, and non-automated personal data processing that forms or is intended to form a user profile.

2. This Regulation does not apply to the following situations:

(a) Personal data processed in activities outside the jurisdiction of EU law;

(b) Processing of personal data by a Member State of the European Union for the purpose of carrying out the activities specified in Article 2, paragraph 5, of the Basic Treaty on European Union (TEU);

(c) Processing of personal data carried out by natural persons in the course of purely personal or domestic activities;

(d) Personal data processing by relevant competent authorities for the purpose of preventing, investigating, investigating, prosecuting criminal offenses, enforcing criminal penalties, and preventing and preventing threats to public security.

3. The processing of personal data by EU institutions, entities, offices and regulatory authorities shall be governed by Regulation (EC) 45/2001. In accordance with Article 98 of this Regulation, Regulation (EC) 45/2001 and other EU legislation applicable to such processing of personal data shall be adapted to the principles and rules of this Regulation.

4. This Regulation does not affect the application of Directive 2000/31/EC, in particular the application of the liability rules for intermediary service providers stipulated in Articles 12 to 15 of Directive 2000/31/EC.

Article 3 Territorial Scope

1. This example applies to the processing of personal data by a data controller or processor established within the EU, regardless of whether the actual data processing is performed within the EU.

2. This Regulation applies to the processing of personal data in connection with the following activities, even if the data controller or processor is not established in the EU:

(a) provide goods or services to data subjects in the EU – whether or not the goods or services require payment of consideration by the data subject; or

(b) Monitor the activities of data subjects occurring within Europe.

3. This Regulation shall apply to the processing of personal data by a data controller established outside the EU but which has jurisdiction over it on the basis of public international law under the laws of a Member State.

Article 4 Definition

For the purposes of this Ordinance:

(1) "Personal data" refers to any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is an individual who can be identified, directly or indirectly, in particular by name, An individual can be identified by an identification number, address information, online identifier or one or more physical, physiological, genetic, mental, economic, cultural or social identities unique to a natural person.

(2) "Processing" refers to any one or more operations performed on a single personal data or a series of personal data, regardless of whether the operation takes the form of collecting, recording, organizing, structuring, storing, adjusting, changing, retrieving, Consultation, use, disclosure by transmission, dissemination or other disclosure to others, arrangement or combination, restriction, deletion or destruction and other automated means.

(3) "Restriction of processing" means marking stored personal data in order to limit subsequent processing of the data.

(4) "User profiling" refers to any automated processing of personal data for the purpose of evaluating certain conditions of a natural person, in particular to evaluate a natural person's work performance, economic situation, health, personal preferences, interests, reliability, Processing based on behavior, location or whereabouts.

(5) "Anonymization" refers to the processing of personal data in such a way that the data subject cannot be identified without additional information. Such additional information should be stored separately and technical and organizational measures are in place to ensure that the personal data cannot be linked to an identified or identifiable natural person.

(6) "Archive system" means personal data that can be accessed based on certain criteria - whether such criteria are decentralized, decentralized, functional or geographically based. Structured collection.

(7) “Controller” means the natural or legal person, public authority, regulatory body or other body which determines, whether individually or jointly, the purposes and means of the processing of personal data; if such processing is is determined by Union or Member State law, then the definition of controller or the criteria for determining the controller shall be provided for by Union or Member State law.

(8) “Processor” means the natural or legal person, public authority, regulatory body or other entity which processes personal data for the purpose of the data controller.

(9) "Recipient" means the natural person, legal person, public agency, regulatory agency or another entity who receives the data, whether a third party or not. However, public authorities which receive personal data in the framework of a specific inquiry under Union or Member State law shall not be regarded as recipients; the processing of such data by public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing. .

(10) "Third party" means a natural or legal person, public agency, regulatory agency or organization other than the data subject, controller, processor, controller or processor who directly authorizes the processing of personal data.

(11) The data subject's "consent" refers to the data subject's freely given, fully informed, unambiguous and expressed consent to the processing of his or her relevant personal data through a declaration or a clear affirmative action. .

(12) "Personal data leakage" means that personal data being transmitted, stored, and processed is accidentally or illegally damaged, lost, altered, or disclosed or accessed without consent due to violation of security policies.

(13) "Genetic information" refers to personal information related to the hereditary or acquired genetic characteristics of a natural person. This information can provide unique information about the natural person's physiology or health, especially through the analysis of biological samples of the natural person. unique information.

(14) "Biometric data" refers to personal data obtained by processing the relevant physical, physiological or behavioral characteristics of a natural person based on special technologies. This kind of personal data can identify or determine the natural person's unique identifier, such as facial image or Fingerprint data.

(15) "Health-related information" refers to personal information related to the physical or mental health of a natural person and showing information about his or her personal health status, including services related to health care services.

(16) "Main establishment" means:

(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and that establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered the main establishment;

(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union, or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities take place, to the extent that the processor is subject to specific obligations under this Regulation.

(17) "Representative" means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation.

(18) "Enterprise" means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.

(19) "Group of undertakings" means a controlling undertaking and its controlled undertakings.

(20) "Binding corporate rules" means personal data protection policies which are adhered to by a controller or processor established in the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or within a group of enterprises engaged in a joint economic activity.

(21) "Supervisory authority" means an independent public authority which is established by a Member State pursuant to Article 51.

(22) "Supervisory authority concerned" means a supervisory authority which is concerned by the processing of personal data because:

(a) the controller or processor is established in the territory of the Member State of that supervisory authority;

(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or

(c) a complaint has been lodged with that supervisory authority.

(23) "Cross-border processing" means either:

(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union, where the controller or processor is established in more than one Member State; or

(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union, but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

(24) "Relevant and reasoned objection" means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union.

(25) "Information society service" means a service as defined in Article 1(1)(b) of Directive (EU) 2015/1535 of the European Parliament and of the Council.

(26) "International organization" means an organization and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

Article 3 Territorial scope

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing itself takes place in the Union or not.

2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services to such data subjects in the Union, irrespective of whether a payment by the data subject is required; or

(b) the monitoring of their behavior, as far as their behavior takes place within the Union.

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

Chapter 2 Principles

Article 5 Principles of Personal Data Processing

1. Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency");

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered incompatible with the initial purposes ("purpose limitation");

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimization");

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ("accuracy");

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as they will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to the implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ("storage limitation");

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures ("integrity and confidentiality").

2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ("accountability").

Article 6 Lawfulness of processing

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of paragraph 1 does not apply to processing carried out by public authorities in the performance of their tasks.

2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing under points (c) and (e) of paragraph 1, by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing, including for the other specific processing situations provided for in Chapter 9.

3. The basis for the processing referred to in points (c) and (e) of paragraph 1 shall be laid down by:

(a) Union law; or

(b) the law of the Member State to which the controller is subject.

The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of the rules of this Regulation, including: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to which, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and procedures, including measures to ensure lawful and fair processing such as those for the other specific processing situations provided for in Chapter 9. The Union or Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.

4. Where processing for a purpose other than that for which the personal data were collected is not based on the data subject's consent or on Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for the other purpose is compatible with the purpose for which the personal data were initially collected, take into account, among other things:

(a) any link between the purposes for which the personal data were collected and the purposes of the intended further processing;

(b) the context in which the personal data were collected, in particular the relationship between the data subject and the controller;

(c) the nature of the personal data, in particular whether special categories of personal data are processed pursuant to Article 9, or whether personal data relating to criminal convictions and offenses are processed pursuant to Article 10;

(d) the possible consequences of the intended further processing for data subjects;

(e) the existence of appropriate safeguards, which may include encryption or pseudonymization.

Article 7 Conditions of consent

1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data.

2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed of this. It shall be as easy to withdraw consent as to give it.

4. When assessing whether consent is freely given, utmost account shall be taken of whether, among other things, the performance of a contract, including the provision of a service, is made conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Article 8 Conditions for application of children’s consent in information society services

1. Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16, such processing shall be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child. Member States may provide by law for a lower age for these purposes, provided that such lower age is not below 13 years.

2. The controller shall make reasonable efforts to verify in such cases that consent is given or authorized by the holder of parental responsibility over the child, taking into consideration available technology.

3. Paragraph 1 shall not affect the general contract law of the Member States, such as the rules on the validity, formation or effect of a contract in relation to a child.

Article 9 Processing of special categories of personal data

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, shall be prohibited.

2. Paragraph 1 shall not apply if one of the following applies:

(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provides that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment, social security and social protection law, in so far as it is authorized by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

(d) processing is carried out in the course of its legitimate activities, with appropriate safeguards, by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim, on condition that the processing relates solely to the members or former members of the body or to persons who have regular contact with it in connection with its purposes, and that the personal data are not disclosed outside that body without the consent of the data subjects;

(e) processing relates to personal data which are manifestly made public by the data subject;

(f) processing is necessary for the establishment, exercise or defense of legal claims, or whenever courts are acting in their judicial capacity;

(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection, and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services, on the basis of Union or Member State law or pursuant to a contract with a health professional, and subject to the conditions and safeguards referred to in paragraph 3;

(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy; or

(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection, and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies, or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.

Article 10 Processing of personal data relating to criminal convictions and offenses

Processing of personal data relating to criminal convictions and offenses, or related security measures, based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorized by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.

Article 11 Processing that does not require identification

1. If the purposes for which a controller processes personal data do not or no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.

2. Where, in the cases referred to in paragraph 1, the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible. In such cases, Articles 15 to 20 shall not apply, except where the data subject, for the purpose of exercising his or her rights under those Articles, provides additional information enabling his or her identification.

Chapter 3 Rights of Data Subjects

Part One Transparency and modalities

Article 12 Transparent information, communication and modalities for the exercise of the rights of the data subject

1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14, and any communication under Articles 15 to 22 and 34 relating to processing, to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

2. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.

3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

(a) charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested; or

(b) refuse to act on the request.

The controller shall bear the burden of demonstrating that the request is manifestly unfounded or excessive.

6. Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

7. The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardized icons in order to give, in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they shall be machine-readable.

8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardized icons.

Part 2 Information and access to personal data

Article 13 Information that should be provided when collecting personal data of data subjects

1. When collecting personal data related to a data subject, the controller shall provide the data subject with the following information:

(a) the identity and contact details of the controller and, if applicable, a representative of the controller;

(b) Contact details of the Data Protection Officer, if applicable;

(c) The purposes for which the personal data will be processed and the legal basis for the processing;

(d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;

(e) the recipients or categories of recipients of the personal data, if any;

(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision by the Commission, or, in the case of transfers referred to in Article 46 or 47 or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

2. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:

(a) the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;

(b) the existence of the right to request from the controller access to and rectification or erasure of personal data, or restriction of processing concerning the data subject, or to object to processing, as well as the right to data portability;

(c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

(d) the right to lodge a complaint with a supervisory authority;

(e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data;

(f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4), and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

3. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject, prior to that further processing, with information on that other purpose and with any relevant further information referred to in paragraph 2.

4. Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.

Article 14 Information to be provided where personal data have not been obtained from the data subject

1. Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:

(a) the identity and the contact details of the controller and, where applicable, of the controller's representative;

(b) the contact details of the data protection officer, where applicable;

(c) the purposes of the processing for which the personal data are intended, as well as the legal basis for the processing;

(d) the categories of personal data concerned;

(e) the recipients or categories of recipients of the personal data, if any;

(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision by the Commission, or, in the case of transfers referred to in Article 46 or 47 or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:

(a) the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;

(b) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;

(c) the existence of the right to request from the controller access to and rectification or erasure of personal data, or restriction of processing concerning the data subject, and to object to processing, as well as the right to data portability;

(d) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

(e) the right to lodge a complaint with a supervisory authority;

(f) the source from which the personal data originate and, if applicable, whether they came from publicly accessible sources;

(g) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4), and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

3. The controller shall provide the information referred to in paragraphs 1 and 2:

(a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;

(b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or

(c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

4. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject, prior to that further processing, with information on that other purpose and with any relevant further information referred to in paragraph 2.

5. Paragraphs 1 to 4 shall not apply where and insofar as:

(a) the data subject already has the information;

(b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1), or insofar as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available;

(c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests; or

(d) the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.

Article 15 Data subject’s right of access

1. The data subject shall have the right to learn from the controller whether personal data concerning him or her are being processed and, if so, to access the personal data and to obtain the following information:

(a) Purpose of processing;

(b)The type of relevant personal data;

(c) the personal data have been or will be disclosed to a recipient or categories of recipients, in particular where the recipients belong to a third country or an international organization;

(d) Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria for determining this period;

(e) The right of the data subject to request the controller to rectify or erase personal data, or to restrict or object to the processing of personal data related to the data subject;

(f) The right to lodge a complaint with the supervisory authority;

(g) where the personal data are not collected from the data subject, any information as to their source;

(h) The existence of automated decision-making, including data analysis referred to in Article 22(1) and (4), and, in such cases, valid information concerning the logic involved, including the envisaged consequences of such processing for the data subject.

2. When personal data are transferred to a third country or to an international organization, the data subject shall have the right to obtain information and the appropriate safeguards relevant to the transfer, in accordance with Article 46.

3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless the data subject requests otherwise, the information shall be provided in a commonly used electronic form.

4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

Part 3 Rectification and Erasure

Article 16 Right to rectification

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by providing a supplementary statement.

Article 17 Right to erasure (“right to be forgotten”)

1. Data subjects have the right to request the controller to erase their personal data. When one of the following circumstances occurs, the controller is responsible for erasing the personal data in a timely manner:

(a) the personal data are no longer necessary to fulfill the purposes for which they were collected or processed;

(b) the processing is carried out pursuant to point (a) of Article 6(1) or point (a) of Article 9(2), there is no other legal basis for the processing, and the data subject withdraws his or her consent to such processing;

(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

(d) There has been unlawful processing of personal data;

(e) the personal data need to be erased for compliance with any legal obligation imposed by Union or Member State law on the controller;

(f) the personal data have been collected in relation to the provision of information society services referred to in Article 8(1).

2. Where the controller has made the personal data public and is obliged to erase them pursuant to paragraph 1, the controller shall, taking into account available technology and the cost of implementation, take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure of any links to, or copies or replications of, those personal data.

3. Paragraphs 1 and 2 shall not apply when the processing is necessary for:

(a) exercising the right to freedom of expression and information;

(b) compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject, or the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(c) reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) and Article 9(3);

(d) public interest purposes, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), in so far as the right referred to in paragraph 1 would seriously impair or render impossible the achievement of the objectives of that processing; or

(e) the establishment, exercise or defense of legal claims.

Article 18 Right to restrict processing

1. When one of the following circumstances exists, the data subject has the right to request the controller to restrict processing:

(a) The data subject disputes the accuracy of the personal data and gives the controller a certain period of time to verify the accuracy of the personal data;

(b) the processing is unlawful and the data subject objects to the erasure of the personal data and requests restriction of the use of his or her personal data;

(c) the controller no longer needs the personal data to fulfill the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;

(d) The data subject has objected to processing pursuant to Article 21(1), pending verification of whether the legitimate grounds of the controller override those of the data subject.

2. Where processing is subject to paragraph 1, such personal data, except in the case of storage, may only be processed with the consent of the data subject or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for the purposes of important public interests of the Union or a Member State.

3. For data subjects who have obtained restriction of processing pursuant to paragraph 1, the controller shall inform the data subject before the restriction is lifted.

Article 19 Obligation for notification of correction or erasure or restriction of processing

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Articles 16, 17(1) or 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves a disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

Article 20 Right to data portability

1. The data subject shall have the right to receive the personal data concerning him or her which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data were provided, where:

(a) the processing is based on consent referred to in Article 6(1)(a) or 9(2)(a), or on a contract referred to in Article 6(1);

(b) the processing is carried out by automated means.

2. In exercising the right to portability set out in paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

3. The exercise of the right referred to in paragraph 1 shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

4. The rights set out in paragraph 1 must not adversely affect the rights or freedoms of others.

Part 4 The right to object and automated personal decision-making

Article 21 Right to object

1. The data subject shall have the right to object at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including user profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing is for the establishment, exercise or defense of legal claims.

2. When personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data for such marketing, including to object to the profiling of users in connection with such direct marketing.

3. Where the data subject objects to processing for direct marketing purposes, the personal data will not be processed for these purposes.

4. At the latest in the first communication with the data subject, the rights set out in paragraphs 1 and 2 shall be clearly made known to the data subject and shall be distinguished from other information and clearly communicated to the data subject.

5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise the right to object by automated means using technical specifications.

6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to the processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Article 22 Automated personal decision-making, including user profiling

1. The data subject has the right to object to decisions that rely solely on automated processing—including user profiling—that have legal or similarly serious consequences for the data subject.

2. Paragraph 1 does not apply when the decision-making situation is as follows:

(a) when the decision is necessary for entering into, or the performance of, a contract between the data subject and the data controller;

(b) the decision is authorized by Union or Member State law to which the controller is subject and which lays down suitable measures to safeguard the data subject's rights, freedoms and legitimate interests; or

(c) When the decision is based on the explicit consent of the data subject.

3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights, freedoms and legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

4. Decisions referred to in paragraph 2 shall not be based on the specific categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights, freedoms and legitimate interests are in place.

Part 5 Limitations

Article 23 Restrictions

1. Union or Member State law to which the controller or processor is subject may restrict, by way of a legislative measure, the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

(a) national security;

(b) national defense;

(c) Public safety;

(d) The prevention, investigation, detection and prosecution of criminal offenses or the enforcement of criminal penalties, including safeguarding against and preventing threats to public safety;

(e) Other important general public interests of the Union or a Member State, in particular economic or financial interests of the Union or a Member State, including finance, budgetary, taxation matters, public health and social security;

(f) Judicial independence and protection of judicial proceedings;

(g) The prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

(h) A monitoring, inspection or regulatory function connected with the exercise of official authority in the cases referred to in points (a) to (e) and (g);

(i) protect the rights and freedoms of the data subject or other persons;

(j) The enforcement of civil law claims.

2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:

(a) The purpose of the processing or the type of processing;

(b) Type of personal data;

(c) The scope of the restrictions imposed;

(d) The safeguards to prevent abuse or unlawful access or transfer;

(e) The specific circumstances of the controller or the specific circumstances of the type of controller;

(f) Storage periods and applicable safeguards established taking into account the nature, scope and purpose of the processing or type of processing;

(g) risks to the rights and freedoms of data subjects; and

(h) The right of the data subject to be informed of the restriction, unless such right may affect the fulfillment of the purpose of the restriction.

Chapter 4 Controllers and Processors

Part 1 General Obligations

Article 24 Responsibilities of the controller

1. Taking into account the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure, and to be able to demonstrate, that the processing is performed in accordance with this Regulation. Those measures shall be reviewed where necessary.

2. The measures referred to in paragraph 1 shall, when proportional to the processing activities, include an appropriate data protection policy adopted by the controller.

3. Adherence to a code of conduct in force under Article 40 or to a certification scheme in force under Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.

Article 25 Data protection by design and default

1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures and integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects. For example, the controller may adopt anonymization, a measure designed to implement data protection principles such as data minimization.

2. The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible to an indefinite number of natural persons without the individual's intervention.

3. A certification mechanism in force under Article 42 may be used to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.

Article 26 Joint Controllers

1. Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with this Regulation, in particular as regards the exercise of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of a contractual arrangement between them, unless Union or Member State law already imposes the corresponding responsibilities on the controllers.

2. The contractual arrangements specified in paragraph 1 should appropriately reflect the respective roles and relationships of the joint controllers with respect to the data subject. The data subject should be able to know the nature of the arrangement.

3. Regardless of the terms of the contractual arrangement set out in paragraph 1, the data subject may assert his or her rights under this Regulation against any controller.

Article 27 Representatives of controllers or processors not established in the EU

1. Where Article 3(2) applies, the controller or processor shall appoint in writing a representative in the EU.

2. This obligation shall not apply to:

(a) processing that is occasional, does not include large-scale processing of the specific categories of data referred to in Article 9(1) or processing of personal data relating to criminal convictions or offenses referred to in Article 10, and, taking into account the nature, context, scope and purpose of the processing, is unlikely to pose a risk to the rights and freedoms of natural persons; or

(b) a public authority or body.

3. The representative shall be established in one of the countries where the data subjects are located whose personal data are processed in relation to the offering of goods or services to them, or whose behavior is monitored.

4. In order to ensure compliance with this Regulation, the controller or processor shall mandate its representative to receive communications on all matters related to processing, in addition to or on behalf of the controller or processor, in particular from supervisory authorities and data subjects.

5. The appointment of a representative by the controller or processor cannot influence legal actions taken by the controller or processor.

Article 28 Processor

1. The processor processes on behalf of the controller, and the controller can only use processors that have sufficient guarantees, can take appropriate technical and organizational measures, and whose processing methods comply with the requirements of this Regulation and protect the rights of data subjects.

2. The processor shall not engage another processor without prior specific or general written authorization of the controller. In the case of general written authorization, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

3. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law that is binding on the processor with regard to the controller and that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. In particular, that contract or other legal act shall provide for the following:

(a) Personal data are processed only on written instructions from the controller, including with regard to transfers of personal data to a third country or an international organization, unless the processor is required to do so by Union or Member State law to which it is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless such notification would affect important public interests;

(b) Persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(c) take all measures required by Article 32;

(d) respect the conditions for engaging another processor set out in paragraphs 2 and 4;

(e) Taking into account the nature of the processing, where possible, use appropriate technical and organizational means to help the controller perform its responsibilities, so as to enable the data subject to exercise its rights provided for in Chapter 3;

(f) assist the controller in fulfilling its obligations under Articles 32 to 36, taking into account the nature of the processing and the information available to the processor;

(g) At the choice of the controller, all personal data are deleted or returned to the controller after the end of the provision of services relating to processing, and existing copies are deleted, unless Union or Member State law requires storage of the personal data;

(h) The controller is provided with all information necessary to demonstrate compliance with the obligations laid down in this Article, and audits and verifications conducted by the controller or an auditor appointed by the controller are allowed for and contributed to.

With regard to point (h) of paragraph 1, the processor shall inform the controller without delay if it considers that an instruction infringes this Regulation or other Union or Member State data protection provisions.

4. Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing meets the requirements of this Regulation. Where that other processor fails to fulfill its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.

5. Adherence of a processor to a code of conduct in force under Article 40 or to a certification mechanism in force under Article 42 may be used as an element by which to demonstrate the sufficient guarantees referred to in paragraphs 1 and 4 of this Article.

6. Without prejudice to an individual contract between the controller and the processor, the contract or other legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on the standard contractual clauses referred to in paragraphs 7 and 8 of this Article, including when they are part of a certification granted to the controller or processor pursuant to Articles 42 and 43.

7. The European Commission may, with respect to the matters provided for in paragraphs 3 and 4 of this Article, formulate contractual clauses in accordance with the examination procedure set out in Article 93(2).

8. The supervisory authority may formulate standard contract terms in accordance with the consistency mechanism provided for in Article 63 for matters specified in paragraphs 3 and 4 of this Article.

9. The contractual or legal terms specified in paragraphs 3 and 4 must be in writing, including a written record in electronic form.

10. Without prejudice to Articles 82, 83 and 84, if a processor violates this Regulation by determining the purposes and methods of processing, the processor shall be deemed to be the controller for that processing.

Article 29 Processing on behalf of the controller or processor

The processor and any person acting under the authority of the controller or of the processor who has access to personal data shall not process those data without the consent of the controller, unless otherwise required by Union or Member State law.

Article 30 Records of processing activities

1. Each controller and, where applicable, the controller's representative shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

(a) The names and contact details of the controller and – if any – joint controllers, the controller’s representative and the data protection officer;

(b) The purposes of the processing;

(c) A description of the type of data subject and the type of personal data;

(d) the categories of recipients, including recipients located in third countries or international organizations, to which the personal data have been or will be disclosed;

(e) Where applicable, records of transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;

(f) If applicable, the estimated period for erasure of different data types;

(g) If applicable, a general description of the technical and organizational security measures specified in Article 32(1).

2. Each processor and - if applicable - the processor's representative shall maintain a record of processing carried out on behalf of the controller, containing the following information:

(a) The name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller's or the processor's representative, and the data protection officer;

(b) The type of processing performed on behalf of each controller;

(c) Where applicable, records of transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;

(d) If any, a general description of the technical and organizational security measures specified in Article 32(1).

3. The records specified in paragraphs 1 and 2 shall be in writing, including written records in electronic form.

4. Upon request by the supervisory authority, the controller or processor and – where appropriate – representatives of the controller or processor, shall make the records accessible.

5. The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or organization employing fewer than 250 persons, unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes the specific categories of data referred to in Article 9(1) or personal data relating to criminal convictions and offenses referred to in Article 10.

Article 31 Cooperation with supervisory authorities

At the request of the supervisory authority, the controller and processor and – where applicable – their representatives shall cooperate with the supervisory authority.

Part 2 Security of Personal Data

Article 32 Security of processing

1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including but not limited to the following:

(a) Anonymization and encryption of personal data;

(b) The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) The ability to restore access to personal data in the event of a physical or technical incident;

(d) A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

2. When assessing the appropriate level of security, particular consideration should be given to the risks posed by processing, in particular accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data during transmission, storage or processing.

3. Adherence to a code of conduct in force under Article 40 or to a certification mechanism in force under Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.

4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.

Article 33 Reporting breach of personal data to supervisory authority

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

2. The processor shall promptly inform the controller upon becoming aware of a personal data breach.

3. The notification specified in paragraph 1 shall include at least:

(a) Describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

(b) Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

(c) Describe the likely consequences of the personal data breach;

(d) Describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

4. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

5. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with the relevant provisions of this Regulation.

Article 34 Communication of personal data breach to data subject

1. When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall promptly communicate the personal data breach to the data subject.

2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and recommendations provided for in points (b), (c) and (d) of Article 33(3).

3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions is met:

(a) The controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular measures that render the personal data unintelligible to any person who is not authorized to access them, such as encryption;

(b) The controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialize;

(c) It would involve disproportionate effort. In such a case, there shall instead be a public announcement or similar measure whereby the data subjects are informed in an equally effective manner.

4. If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 is met.

Part 3 Data Protection Impact Assessment and Prior Consultation

Article 35 Data protection impact assessment

1. Where a type of processing, in particular one using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

2. If the controller has appointed a data protection officer, the controller should consult the data protection officer when carrying out a data protection impact assessment.

3. A data protection impact assessment referred to in paragraph 1 is particularly necessary in the following circumstances:

(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;

(b) processing on a large scale of the special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offenses referred to in Article 10; or

(c) Systematically monitor a publicly accessible space on a large scale.

4. The supervisory authority shall establish and make public a list of types of processing operations that are subject to a data protection impact assessment required by paragraph 1. The supervisory authority shall inform the EU Data Protection Board referred to in Article 68 of such lists.

5. The supervisory authority may also establish a publicly available list of types of processing operations that do not require a data protection impact assessment. The supervisory authority shall inform the EU Data Protection Board of such lists.

6. Prior to the adoption of the lists referred to in paragraphs 4 and 5, the competent supervisory authority shall apply the consistency mechanism referred to in Article 63 where such lists involve processing activities which are related to the offering of goods or services to data subjects or to the monitoring of their behavior in several Member States, or which may substantially affect the free movement of personal data within the Union.

7. The assessment should include at least:

(a) A systematic description of the planned processing operations and the purposes of the processing and – if applicable – a description of the legitimate interests pursued by the controller;

(b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

(c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and

(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.

8. Compliance with approved codes of conduct referred to in Article 40 by the relevant controllers or processors shall be taken into due account in assessing the impact of the processing operations performed by such controllers or processors, in particular for the purposes of a data protection impact assessment.

9. Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of processing operations.

10. Where processing pursuant to point (c) or (e) of Article 6(1) has a legal basis in Union law or in the law of the Member State to which the controller is subject, that law regulates the specific processing operation or set of operations in question, and a data protection impact assessment has already been carried out as part of a general impact assessment in the context of the adoption of that legal basis, paragraphs 1 to 7 shall not apply unless Member States deem it necessary to carry out such an assessment prior to processing activities.

11. Where necessary, the controller shall carry out a review to assess whether processing is performed in accordance with the data protection impact assessment, at least when there is a change in the risk represented by the processing operations.

Article 36 Advance consultation

1. Where the data protection impact assessment referred to in Article 35 indicates that the processing would pose a high risk if the controller does not take measures, the controller should consult the supervisory authority before processing.

2. Where the supervisory authority is of the opinion that the intended processing referred to in paragraph 1 would infringe this Regulation, in particular where the controller has insufficiently identified or mitigated the risk, the supervisory authority shall, within a period of up to eight weeks of receipt of the request for consultation, provide written advice to the controller and, where applicable, to the processor, and may use any of its powers referred to in Article 58. That period may be extended by six weeks, taking into account the complexity of the intended processing. The supervisory authority shall inform the controller and, where applicable, the processor of any such extension, together with the reasons for the delay, within one month of receipt of the request for consultation. Those periods may be suspended until the supervisory authority has obtained the information it has requested for the purposes of the consultation.

3. When consulting the supervisory authority referred to in paragraph 1, the controller shall provide the supervisory authority with the following information:

(a) where applicable, the corresponding responsibilities of the controller, joint controllers and processors in relation to the processing, in particular where the processing is carried out within a group of undertakings;

(b) the purposes and means of the intended processing;

(c) the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to this Regulation;

(d) where applicable, the contact details of the data protection officer;

(e) the data protection impact assessment provided for in Article 35; and

(f) any other information requested by the supervisory authority.

4. Member States shall consult the supervisory authority during the preparation of a proposal for a legislative measure to be adopted by a national parliament, or of a regulatory measure based on such a legislative measure, which relates to processing.

5. Notwithstanding paragraph 1, Member State law may require controllers to consult with, and obtain prior authorization from, the supervisory authority in relation to processing by a controller for the performance of a task carried out by the controller in the public interest, including processing in relation to social protection and public health.

Part 4 Data Protection Officer

Article 37 Appointment of Data Protection Officer

1. The controller and processor shall appoint a data protection officer in any of the following circumstances:

(a) the processing is carried out by public authorities or public entities, except by courts in the exercise of their judicial functions;

(b) the core processing activities of the controller or processor inherently require routine and systematic monitoring of data subjects on a large scale; or

(c) The core activities of the controller or processor include the large-scale processing of special categories of data referred to in Article 9 and the processing of personal data relating to convictions and offenses referred to in Article 10.

2. A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.

3. Where the controller or processor is a public authority or public entity, based on their organizational structure and size, several such public authorities or entities may jointly appoint a single Data Protection Officer.

4. In cases other than those referred to in paragraph 1, the controller or processor, or associations and other bodies representing categories of controllers or processors, may, or where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.

5. The appointment of the Data Protection Officer must be based on his or her professional qualities, which require specialized knowledge of data protection law and practice, as well as the ability to carry out the tasks set out in Article 39.

6. The data protection officer may be a staff member of the controller or processor, or may fulfill the tasks on the basis of a service contract.

7. The controller or processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.

Article 38 Position of Data Protection Officer

1. The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.

2. The controller and the processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing the resources necessary to carry out those tasks, access to personal data and processing operations, and the means to maintain his or her expert knowledge.

3. The controller and the processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalized by the controller or the processor for performing his or her tasks. The data protection officer shall report directly to the highest management level of the controller or the processor.

4. Data subjects may contact the Data Protection Officer in all matters relating to the processing of their personal data and in matters relating to the exercise of their rights conferred by this Regulation.

5. The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.

6. The Data Protection Officer may fulfill other tasks or responsibilities. The controller or processor shall ensure that any such tasks and responsibilities do not give rise to a conflict of interest.

Article 39 Tasks of the Data Protection Officer

1. The data protection officer should have at least the following tasks:

(a) to inform and advise the controller or the processor, and the employees who carry out processing, of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;

(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

(c) to provide advice where requested as regards the data protection impact assessment and to monitor its performance pursuant to Article 35;

(d) to cooperate with the supervisory authority;

(e) Act as the liaison person with the supervisory authority on matters relating to processing, including advance consultations under Article 36 and – where applicable – on all other relevant matters.

2. When performing their duties, the Data Protection Officer shall reasonably consider the risks associated with the processing operations in light of the nature, scope, context and purpose of the processing.

Part 5 Code of Conduct and Certification

Article 40 Code of Conduct

1. The Member States, the supervisory authorities, the EU Data Protection Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.

2. Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to:

(a) fair and transparent processing;

(b) the legitimate interests pursued by controllers in specific contexts;

(c) the collection of personal data;

(d) the pseudonymization of personal data;

(e) Information provided to the public and data subjects;

(f) Exercise of data subject rights;

(g) the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility over children is to be obtained;

(h) The measures and procedures specified in Articles 24 and 25, and the measures taken to ensure the security of processing specified in Article 32;

(i) the notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to data subjects;

(j) the transfer of personal data to third countries or international organizations; or

(k) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79.

3. In addition to adherence by controllers or processors subject to this Regulation, codes of conduct approved pursuant to paragraph 5 of this Article and having general validity pursuant to paragraph 9 of this Article may also be adhered to by controllers or processors that are not subject to this Regulation pursuant to Article 3, in order to provide appropriate safeguards within the framework of personal data transfers to third countries or international organizations under the terms referred to in point (e) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards, including with regard to the rights of data subjects.

4. A code of conduct referred to in paragraph 2 of this Article shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of the supervisory authorities competent pursuant to Article 55 or 56.

5. Associations and other bodies referred to in paragraph 2 of this Article which intend to prepare a code of conduct or to amend or extend an existing code shall submit the draft code, amendment or extension to the supervisory authority which is competent pursuant to Article 55. The supervisory authority shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation and shall approve it if it finds that it provides sufficient appropriate safeguards.

6. Where the draft code, amendment or extension is approved in accordance with paragraph 5, and where the code of conduct concerned does not relate to processing activities in several Member States, the supervisory authority shall register and publish the code.

7. Where a draft code of conduct relates to processing activities in several Member States, the supervisory authority which is competent pursuant to Article 55 shall, before approving the draft code, amendment or extension, submit it in the procedure referred to in Article 63 to the EU Data Protection Board, which shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation or, in the situation referred to in paragraph 3 of this Article, provides appropriate safeguards.

8. Where the opinion referred to in paragraph 7 confirms that the draft code, amendment or extension complies with this Regulation or, in the situation referred to in paragraph 3, provides appropriate safeguards, the EU Data Protection Board shall submit its opinion to the Commission.

9. The Commission may, by way of implementing acts, decide that an approved code of conduct, amendment or extension submitted to it pursuant to paragraph 8 of this Article has general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).

10. The Commission shall ensure appropriate publicity for the approved codes which have been decided as having general validity in accordance with paragraph 9.

11. The EU Data Protection Board shall collate all approved codes of conduct, amendments and extensions in a register and shall make them publicly available by way of appropriate means.

Article 41 Monitoring of approved codes of conduct

1. Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, the monitoring of compliance with a code of conduct pursuant to Article 40 may be carried out by a body which has an appropriate level of expertise in relation to the subject-matter of the code and is accredited for that purpose by the competent supervisory authority.

2. A body as referred to in paragraph 1 may be accredited to monitor compliance with a code of conduct where that body has:

(a) demonstrated its independence and expertise in relation to the subject-matter of the code to the satisfaction of the competent supervisory authority;

(b) established procedures which allow it to assess the eligibility of the controllers and processors concerned to apply the code, to monitor their compliance with its provisions and to periodically review its operation;

(c) established procedures and structures to handle complaints about infringements of the code or the manner in which the code has been, or is being, implemented by a controller or processor, and to make those procedures and structures transparent to data subjects and the public; and

(d) demonstrated to the satisfaction of the competent supervisory authority that its tasks and duties do not result in a conflict of interests.

3. The competent supervisory authority shall submit the draft requirements for the accreditation of a body as referred to in paragraph 1 to the EU Data Protection Board pursuant to the consistency mechanism referred to in Article 63.

4. Without prejudice to the tasks and powers of the competent supervisory authority and the provisions of Chapter 8, a body as referred to in paragraph 1 shall, subject to appropriate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. It shall inform the competent supervisory authority of such actions and the reasons for taking them.

5. The competent supervisory authority shall revoke the accreditation of a body as referred to in paragraph 1 if the conditions for accreditation are not, or are no longer, met, or where actions taken by the body infringe this Regulation.

6. This article does not apply to processing carried out by public authorities and public entities.

Article 42 Certification

1. The Member States, the supervisory authorities, the EU Data Protection Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account.

2. In addition to adherence by controllers or processors subject to this Regulation, data protection certification mechanisms, seals or marks approved pursuant to paragraph 5 of this Article may be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to this Regulation pursuant to Article 3, within the framework of personal data transfers to third countries or international organizations under the terms referred to in point (f) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards, including with regard to the rights of data subjects.

3. Certification should be voluntary and obtainable through a transparent process.

4. A certification pursuant to this Article does not reduce the responsibility of the controller or the processor for compliance with this Regulation and is without prejudice to the tasks and powers of the supervisory authorities which are competent pursuant to Article 55 or 56.

5. A certification pursuant to this Article shall be issued by the certification bodies referred to in Article 43 or by the competent supervisory authority, on the basis of criteria approved by that competent supervisory authority pursuant to Article 58(3) or by the EU Data Protection Board pursuant to Article 63. Where the criteria are approved by the EU Data Protection Board, this may result in a common certification, the European Data Protection Seal.

6. The controller or processor which submits its processing to the certification mechanism shall provide the certification body referred to in Article 43 or, where applicable, the competent supervisory authority with all information and access to its processing activities which are necessary to conduct the certification procedure.

7. Certification shall be issued to a controller or processor for a maximum period of three years and may be renewed under the same conditions, provided that the relevant requirements continue to be met. Certification shall be withdrawn, as applicable, by the certification bodies referred to in Article 43 or by the competent supervisory authority where the requirements for the certification are not, or are no longer, met.

8. The EU Data Protection Board shall collate all certification mechanisms and data protection seals and marks in a register and shall make them publicly available by any appropriate means.

Article 43 Certification body

1. Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, certification bodies which have an appropriate level of expertise in relation to data protection shall, after informing the supervisory authority in order to allow it to exercise its powers pursuant to point (h) of Article 58(2) where necessary, issue and renew certification. Member States shall ensure that those certification bodies are accredited by one or both of the following:

(a) the supervisory authority which is competent pursuant to Article 55 or 56;

(b) the national accreditation body named in accordance with Regulation (EC) No 765/2008 of the European Parliament and of the Council, in accordance with EN-ISO/IEC 17065/2012 and with the additional requirements established by the supervisory authority which is competent pursuant to Article 55 or 56.

2. Certification bodies referred to in paragraph 1 shall be accredited in accordance with that paragraph only where they have:

(a) demonstrated their independence and expertise in relation to the subject-matter of the certification to the satisfaction of the competent supervisory authority;

(b) undertaken to respect the criteria referred to in Article 42(5) and approved by the supervisory authority which is competent pursuant to Article 55 or 56, or by the EU Data Protection Board pursuant to Article 63;

(c) established procedures for the issuing, periodic review and withdrawal of data protection certification, seals and marks;

(d) established procedures and structures to handle complaints about infringements of the certification or the manner in which the certification has been, or is being, implemented by the controller or processor, and to make those procedures and structures transparent to data subjects and the public; and

(e) demonstrated, to the satisfaction of the competent supervisory authority, that their tasks and duties do not result in a conflict of interests.

3. The accreditation of certification bodies as referred to in paragraphs 1 and 2 of this Article shall take place on the basis of requirements approved by the supervisory authority which is competent pursuant to Article 55 or 56, or by the EU Data Protection Board pursuant to Article 63. In the case of accreditation pursuant to point (b) of paragraph 1 of this Article, those requirements shall complement those envisaged in Regulation (EC) No 765/2008 and the technical rules that describe the methods and procedures of the certification bodies.

4. The certification bodies referred to in paragraph 1 shall be responsible for the proper assessment leading to the certification or the withdrawal of such certification, without prejudice to the responsibility of the controller or processor for compliance with this Regulation. The accreditation shall be issued for a maximum period of five years and may be renewed on the same conditions provided that the certification body continues to meet the requirements set out in this Article.

5. The certification bodies referred to in paragraph 1 shall provide the competent supervisory authorities with the reasons for granting or withdrawing the requested certification.

6. The requirements referred to in paragraph 3 of this Article and the criteria referred to in Article 42(5) shall be made public by the supervisory authority in an easily accessible form. The supervisory authorities shall also transmit those requirements and criteria to the EU Data Protection Board. The EU Data Protection Board shall collate all certification mechanisms and data protection seals in a register and shall make them publicly available by any appropriate means.

7. Without prejudice to Chapter 8, the competent supervisory authority or the national accreditation body shall revoke the accreditation of a certification body pursuant to paragraph 1 of this Article where the conditions for the accreditation are not, or are no longer, met, or where actions taken by the certification body infringe this Regulation.

8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of specifying the requirements to be taken into account for the data protection certification mechanisms referred to in Article 42(1).

9. The Commission may adopt implementing acts laying down technical standards for certification mechanisms and data protection seals and marks, and mechanisms to promote and recognize those certification mechanisms, seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

Chapter 5 Transfer of personal data to third countries or international organizations

Article 44 General principles of transfer

Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organization shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organization to another third country or to another international organization. All provisions of this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.

Article 45 Transfer based on determination of adequate protection

1. When the European Commission makes a determination that the relevant third country, a region or one or more specific sectors in a third country, or an international organization has adequate protection, personal data can be transferred to a third country or international organization. No specific authorization is required for such transfers.

2. When assessing the adequacy of the level of protection, the Commission shall consider in particular the following factors:

(a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defense, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organization which are complied with in that country or international organization, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;

(b) the existence and effective functioning of one or more independent supervisory authorities in the third country, or to which an international organization is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States; and

(c) the international commitments the third country or international organization concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

3. The Commission, after assessing the adequacy of the level of protection, may decide, by means of an implementing act, that a third country, a territory or one or more specified sectors within a third country, or an international organization ensures an adequate level of protection within the meaning of paragraph 2 of this Article. The implementing act shall provide for a mechanism for a periodic review, at least every four years, which shall take into account all relevant developments in the third country or international organization. The implementing act shall specify its territorial and sectoral application and, where applicable, identify the supervisory authority or authorities referred to in point (b) of paragraph 2 of this Article. The implementing act shall be adopted in accordance with the examination procedure referred to in Article 93(2).

4. The Commission shall, on an ongoing basis, monitor developments in third countries and international organizations that could affect the functioning of decisions adopted pursuant to paragraph 3 of this Article and decisions adopted on the basis of Article 25(6) of Directive 95/46/EC.

5. Where available information reveals, in particular following the review referred to in paragraph 3 of this Article, that a third country, a territory or one or more specified sectors within a third country, or an international organization no longer ensures an adequate level of protection within the meaning of paragraph 2 of this Article, the Commission shall, to the extent necessary, repeal, amend or suspend the decision referred to in paragraph 3 of this Article by means of implementing acts without retroactive effect. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

On duly justified imperative grounds of urgency, the Commission shall adopt immediately applicable implementing acts in accordance with the procedure referred to in Article 93(3).

6. The Commission shall enter into consultations with the third country or international organization with a view to remedying the situation giving rise to the decision made pursuant to paragraph 5.

7. A decision pursuant to paragraph 5 of this Article is without prejudice to transfers of personal data to the third country, a territory or one or more specified sectors within that third country, or the international organization in question pursuant to Articles 46 to 49.

8. The Commission shall publish in the Official Journal of the European Union and on its website a list of the third countries, territories and specified sectors within a third country and international organizations for which it has decided that an adequate level of protection is or is no longer ensured.

9. A decision of the European Commission based on Article 25(6) of Directive 95/46/EC shall have effect until modified, replaced or annulled by the European Commission in accordance with paragraphs 3 or 5 of this Article.

Article 46 Transfers subject to appropriate safeguards

1. In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organization only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

2. Without requiring any specific authorization from the supervisory authority, appropriate safeguards set out in paragraph 1 may be provided as follows:

(a) A legally binding and enforceable agreement between public agencies or entities;

(b) binding corporate rules consistent with Article 47;

(c) standard data protection clauses developed by the European Commission pursuant to the verification procedure set out in Article 93(2);

(d) standard data protection clauses established by the supervisory authority in accordance with the verification procedure set out in Article 93(2) and approved by the European Commission;

(e) a code of conduct established in accordance with Article 40 and a binding and enforceable undertaking by the controller or processor in the third country to adopt appropriate safeguards, including the rights of the data subject; or

(f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards the rights of data subjects.

3. In situations where authorization from the competent supervisory authority is required, appropriate security measures referred to in paragraph 1 may be specified in particular by:

(a) the terms of the contract between the controller or processor and the controller, processor or recipients of personal data in a third country or international organisation; or

(b) Provisions inserted in administrative arrangements between public authorities or public entities, including enforceable and effective data subject rights.

4. In the circumstances specified in paragraph 3 of this Article, the supervisory authority shall apply the consistency mechanism specified in Article 63.

5. An authorization made by a Member State or a supervisory authority under Article 26(2) of Directive 95/46/EC shall remain valid until it is modified, replaced or repealed by the supervisory authority. The decision of the European Commission in accordance with Article 26(4) of Directive 95/46/EC shall remain in effect until the European Commission makes a necessary decision to modify, replace or repeal it in accordance with paragraph 2 of this Article.

Article 47 Binding Corporate Rules

1. The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism specified in Article 63, provided that they:

(a) are legally binding and apply to and are enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees;

(b) clearly provide the data subject with enforceable rights in relation to the processing of personal data; and

(c) Meet the requirements set out in paragraph 2.

2. The binding rules set out in paragraph 1 should at least specify:

(a) An enterprise group or a series of economic entities that conduct joint economic activities, and the structure and contact details of each member;

(b) Data transfer or series of data transfers, including the type of personal data; the type of processing and its purposes; the types of data subjects affected; and the identification of the third country or third countries involved;

(c) The legally binding effect of the rules includes both internal and external binding forces;

(d) the application of the general data protection principles, in particular purpose limitation, data minimization, limited storage periods, data quality, data protection by design and by default, the legal basis for processing, the processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to entities not bound by the binding corporate rules;

(e) the rights of data subjects in regard to processing and the means to exercise those rights, including the right not to be subject to decisions based solely on automated processing, including profiling in accordance with Article 22, the right to lodge a complaint with the competent supervisory authority and before the competent courts of the Member States in accordance with Article 79, and the right to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;

(f) the acceptance by the controller or processor established in the territory of a Member State of liability for any breaches of the binding corporate rules by any member concerned not established in the Union; the controller or processor shall be exempt from that liability, in whole or in part, only if it proves that that member is not responsible for the event giving rise to the damage;

(g) how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph, is provided to the data subjects in addition to Articles 13 and 14;

(h) the tasks of any data protection officer designated in accordance with Article 37, or of any other person or entity within the group of undertakings or a series of economic entities carrying out joint economic activities, who is in charge of monitoring compliance with the binding corporate rules, as well as monitoring training and complaint-handling;

(i) Complaints procedure;

(j) the mechanisms within the group of undertakings or a series of economic entities carrying out joint economic activities for verifying compliance with the binding corporate rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. Results of such verification shall be communicated to the person or entity referred to in point (h) and to the group of undertakings or series of economic entities carrying out joint economic activities, and shall be made available upon request to the competent supervisory authority;

(k) Mechanisms for reporting and recording changes to the rules and for reporting such changes to regulators;

(l) the cooperation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings or a series of economic entities carrying out joint economic activities, in particular by making available to the supervisory authority the results of the verifications of the measures referred to in point (j);

(m) the mechanisms for reporting to the competent supervisory authority any legal requirements to which a member of the group of undertakings or a series of economic entities carrying out joint economic activities is subject in a third country which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules; and

(n) Appropriate data protection training for employees who have permanent or recurring access to personal data.

3. The Commission may specify the form and procedures for the exchange of information between controllers, processors and supervisory authorities for the purpose of binding corporate rules within the meaning of this Article. The enactment of such implementing legislation shall follow the verification procedures set out in Article 93(2).

Article 48 Transfer or disclosure not authorized by EU law

Any judgment of a court or tribunal, arbitration award or decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognized or enforceable if it is based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, and without prejudice to the other grounds for transfer provided for in this Chapter.

Article 49 Derogations under special circumstances

1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer of personal data to a third country or an international organization may take place only if one of the following conditions is met:

(a) The data subject is clearly informed that there are no adequate protections or appropriate security measures and the anticipated data transfer is risky, but the data subject still expressly consents to the anticipated data transfer;

(b) the transfer is necessary for the performance of a contract between the data subject and the controller, or for the fulfillment of a request made by the data subject prior to entering into a contract;

(c) the transfer is necessary to achieve the interests of the data subject when entering into or performing a contract between the controller and another natural or legal person;

(d) The transfer is necessary to achieve the public interest;

(e) the transfer is necessary for the establishment, exercise or defense of legal claims;

(f) When the data subject is unable to express consent due to physical or legal reasons, it is necessary to protect the vital interests of the data subject or others;

(g) The transfer is made from a register which, according to Union or Member State law, is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.

Where a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding corporate rules, and none of the derogations in points (a) to (g) applies, a transfer to a third country or an international organization may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has, on the basis of that assessment, provided suitable safeguards with regard to the protection of personal data. In addition to providing the information referred to in Articles 13 and 14, the controller shall inform the data subject of the transfer and of the compelling legitimate interests pursued.

2. A transfer falling within point (g) of paragraph 1 shall not include all personal data or all categories of personal data in the register. When the register is for the purpose of advising persons with a legitimate interest, transfers may only be made if those persons request it or if those persons are the recipients.

3. Points (a), (b) and (c) of paragraph 1 and the second subparagraph of paragraph 1 do not apply to activities carried out by public authorities in the exercise of their public powers.

4. The public interest referred to in point (d) of paragraph 1 shall be recognized in Union law or in the law of the Member State to which the controller is subject.

5. In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits on the transfer of specific categories of personal data to a third country or an international organization. Member States shall notify such provisions to the European Commission.

6. The controller or processor shall document the assessment as well as the suitable safeguards referred to in the second subparagraph of paragraph 1 of this Article in the records referred to in Article 30.

Article 50 International cooperation for the protection of personal data

In situations involving third countries or international organizations, the European Commission and supervisory authorities should take appropriate measures to:

(a) develop international cooperation mechanisms in order to promote the effective implementation of personal data protection legislation;

(b) provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms;

(c) Closely engage relevant stakeholders in discussions and activities aimed at furthering international cooperation in the implementation of personal data protection legislation;

(d) Facilitate the exchange and recording of personal data legislation and practice, including conflicts with third country jurisdictions.

Chapter 6 Independent Supervisory Authorities

Part One Independent Status

Article 51 Supervisory Authority

1. In order to protect the fundamental rights and freedoms of natural persons during processing and to promote the free flow of personal data within the Union, each Member State shall establish one or more independent public authorities responsible for monitoring the implementation of this Regulation.

2. Each supervisory authority should contribute to the consistent application of this Regulation across the EU. For this purpose, the supervisory authorities shall cooperate with each other and with the European Commission in accordance with the provisions of Chapter 7.

3. Where a Member State has established more than one supervisory authority, the Member State shall appoint a supervisory authority to represent the other authorities in the EU Data Protection Board and shall establish a mechanism to ensure that the other authorities comply with the rules relating to the consistency mechanism set out in Article 63.

4. Each Member State shall inform the Commission of the legal provisions it has adopted under this Chapter [at the latest within two years of the entry into force of this Regulation] and shall promptly inform the Commission of any amendments affecting the provisions.

Article 52 Independence

1. Each supervisory authority shall act with complete independence in performing its tasks and exercising its powers in accordance with this Regulation.

2. The member or members of each supervisory authority shall be free from external influence, whether direct or indirect, in the performance of their tasks and the exercise of their powers consistent with this Regulation and shall not receive instructions from any person.

3. Members of regulatory agencies shall not engage in activities that violate their supervisory duties, and shall not hold any paid or unpaid positions that conflict with their supervisory duties during their tenure.

4. Each Member State shall ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers, including those to be carried out in the context of mutual assistance, cooperation and participation in the EU Data Protection Board.

5. Each Member State shall ensure that each supervisory authority chooses and has its own staff, who shall be subject to the exclusive direction of the member or members of the supervisory authority concerned.

6. Each Member State shall ensure that each supervisory authority is subject to financial control which does not affect its independence, and that it has a separate, public annual budget, which may be part of the overall state or national budget.

Article 53 General requirements for members of the supervisory authority

1. Member States shall provide for each member of their supervisory authorities to be appointed by means of a transparent procedure by:

- their parliament;

- their government;

- their head of state; or

- an independent body entrusted with the appointment under Member State law.

2. Each member should have the qualifications, experience and skills to perform their duties and exercise their powers, especially in the field of personal data protection.

3. The duties of a member shall end in the event of the expiry of the term of office, resignation or compulsory retirement, in accordance with the law of the Member State concerned.

4. Members may be dismissed only for serious misconduct or if they are no longer qualified to perform their duties.

Article 54 Rules on the establishment of the supervisory authority

1. Each Member State shall adopt laws providing for the following matters:

(a) The establishment of each regulatory authority;

(b) the qualifications and suitability required for appointment as a member of each regulatory body;

(c) the rules and procedures for the appointment of the member or members of each regulatory authority;

(d) the duration of the term of the member or members of each supervisory authority of no less than four years, except for the first appointment after the entry into force of this Regulation, part of which may take place for a shorter period where that is necessary to protect the independence of the supervisory authority by means of a staggered appointment procedure;

(e) Whether one or more members of each regulatory body are eligible for reappointment and, if so, for how many terms;

(f) The circumstances under which each regulatory body member and employee is held accountable, the prohibitions on conflicting conduct, employment and earnings, and the rules on termination of employment during or after the term of such authority.

2. Members and employees of each supervisory authority shall, subject to Union or Member State law, have a duty to maintain professional confidentiality with respect to confidential information obtained in the performance of their tasks or in the exercise of their powers, during or after their term of office. In particular, in the event that a natural person reports a violation of these Regulations, members or employees shall fulfill their duty to maintain professional confidentiality.

Part Two Competence, Tasks and Powers

Article 55 Competence

1. Each supervisory authority shall have the authority to carry out the tasks assigned to it and exercise the powers conferred upon it in accordance with this Regulation in the Member State to which it belongs.

2. Where processing is carried out by public authorities or private entities on the basis of point (c) or (e) of Article 6(1), the relevant supervisory authority of the Member State shall have competence. In such cases, Article 56 does not apply.

3. Supervisory authorities shall not be competent to supervise processing operations of courts acting in their judicial capacity.

Article 56 Competence of the lead supervisory authority

1. Without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60.

2. By way of derogation from paragraph 1, each supervisory authority shall be competent to handle a complaint lodged with it or a possible infringement of this Regulation, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State.

3. In the cases referred to in paragraph 2, the supervisory authority shall inform the lead supervisory authority without delay on that matter. Within a period of three weeks after being informed, the lead supervisory authority shall decide whether or not it will handle the case in accordance with the procedure provided in Article 60, taking into account whether or not there is an establishment of the controller or processor in the Member State of which the supervisory authority informed it.

4. When the lead supervisory authority decides to handle a case, the procedure set out in Article 60 shall apply. The supervisory authority that notifies the lead supervisory authority may submit a draft decision to the lead supervisory authority. When the lead supervisory authority drafts a decision referred to in Article 60(3), it shall give due consideration to the submitted draft decision to the maximum extent possible.

5. Where the lead supervisory authority decides not to handle the case, the supervisory authority which informed the lead supervisory authority shall handle it in accordance with Articles 61 and 62.

6. The lead supervisory authority shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor.

Article 57 Tasks

1. Without prejudice to its other tasks under this Regulation, each supervisory authority shall, within its territory:

(a) monitor and enforce the implementation of these Regulations;

(b) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children shall receive specific attention;

(c) advise, in accordance with Member State law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to processing;

(d) raise awareness of controllers and processors of their responsibilities under this Regulation;

(e) provide all data subjects upon request with the opportunity to exercise the rights provided for in this Regulation and - where applicable - cooperate with the supervisory authorities of other Member States for this purpose;

(f) handle complaints lodged by a data subject, or by a body, organization or association in accordance with Article 80, investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;

(g) cooperate with other supervisory authorities, including by sharing information and providing mutual assistance, with a view to ensuring the consistent application and enforcement of this Regulation;

(h) conduct investigations on the application of this Regulation, including on the basis of information received from another supervisory authority or other public authority;

(i) monitor relevant developments - in particular developments in information and communications technology and business practices - where they have an impact on the protection of personal data;

(j) adopt standard contractual clauses referred to in Article 28(8) and Article 46(2)(d);

(k) establish and maintain records relevant to the personal data protection impact assessment provided for in Article 35(4);

(l) Give advice on processing operations specified in Article 36(2);

(m) encourage the drawing up of codes of conduct pursuant to Article 40 and provide an opinion on and approve such codes of conduct which provide sufficient safeguards, pursuant to Article 40(5);

(n) encourage the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Article 42(1), and approve the criteria of certification pursuant to Article 42(5);

(o) where applicable, carry out a periodic review of certifications issued in accordance with Article 42(7);

(p) draft and publish the criteria for accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;

(q) conduct the accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;

(r) authorize contractual clauses and provisions referred to in Article 46(3);

(s) approve binding corporate rules pursuant to Article 47;

(t) contribute to the activities of the European Data Protection Board;

(u) keep internal records of infringements of this Regulation and of measures taken in accordance with Article 58(2); and

(v) Complete other tasks related to personal data protection.

2. Each supervisory authority shall facilitate the submission of complaints referred to in paragraph 1(f), for example by providing means for complaints to be completed and submitted electronically, without excluding other means of communication.

3. The performance of the tasks of each supervisory authority shall be free of charge for the data subject and, where applicable, the data protection officer.

4. When a request is manifestly unfounded or excessive, especially when the request is repetitive, the supervisory authority may charge a reasonable fee based on administrative costs or refuse to act on the request. The burden is on the regulator to prove that the request is manifestly unfounded or excessive.

Article 58 Powers

1. Each regulator has all of the following investigative powers:

(a) require the controller and processor and - where appropriate - representatives of the controller or processor to provide all information necessary for the performance of their tasks;

(b) Conduct investigations by means of data protection checks;

(c) review certification issued under section 42(7);

(d) inform the controller or processor of a possible infringement of this Regulation;

(e) obtain from the controller or processor access to the personal data and all information necessary for the performance of its tasks;

(f) obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law.

2. Each regulatory authority has all of the following corrective powers:

(a) issue a warning to the controller or processor that contemplated processing operations may infringe the provisions of this Regulation;

(b) reprimand the controller or processor when processing operations infringe the provisions of this Regulation;

(c) order the controller or processor to respect the data subject’s exercise of rights consistent with this Regulation;

(d) order the controller or processor that the processing operations shall be carried out in compliance with the terms of this Regulation and, if appropriate, within a specified period and in a specified manner;

(e) order the controller to inform the data subject of the personal data breach;

(f) impose a temporary or specified ban on processing;

(g) order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18, and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19;

(h) withdraw a certification, or order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or order the certification body not to issue certification if the requirements for the certification are not or are no longer met;

(i) Administrative penalties specified in Article 83 shall be imposed in addition to or in lieu of the measures specified in this paragraph, depending on the circumstances of each case;

(j) Request the suspension of data transfer to third countries or international organizations.

3. Each regulatory authority has all of the following authorizing and advisory powers:

(a) make recommendations to the controller in accordance with the advance consultation provisions set out in Article 36;

(b) issue, on its own initiative or on request, opinions to the national parliament, the Member State government or, in accordance with Member State law, to other institutions and bodies as well as to the public on any issue related to the protection of personal data;

(c) authorize processing referred to in Article 36(5), if the law of the Member State requires such prior authorization;

(d) issue an opinion on and approve draft codes of conduct pursuant to Article 40(5);

(e) accredit certification bodies pursuant to Article 43;

(f) issue certifications and approve criteria of certification in accordance with Article 42(5);

(g) formulate standard data protection clauses as set out in Article 28(8) and Article 46(2)(d);

(h) authorize the terms of the contract specified in point (a) of Article 46(3);

(i) Authorize the administrative arrangements specified in Article 46(3)(b);

(j) approve binding corporate rules pursuant to Article 47.

4. The exercise of the powers conferred on the supervisory authority under this Article shall be subject to appropriate safeguards, including effective judicial remedies and due process provided for in Union and Member State law in accordance with the Charter of the European Union.

5. Each Member State shall adopt legislation providing that its supervisory authorities shall have the right to bring violations of this Regulation to judicial authorities and may, in appropriate cases, initiate or participate in legal proceedings for the purpose of enforcing the provisions of this Regulation.

6. Each Member State may provide by law that its supervisory authority shall have powers additional to those referred to in paragraphs 1, 2 and 3. The exercise of those powers shall not impair the effective operation of Chapter 7.

Article 59 Activity Report

Each supervisory authority shall draw up an annual report on its activities, which may include a list of the types of infringement notified to it and the types of measures taken in accordance with Article 58(2). Those reports shall be transmitted to the national parliament, the government and other authorities designated by Member State law. They shall be made available to the public, to the European Commission and to the EU Data Protection Board.

Chapter 7 Cooperation and Consistency

Part One Cooperation

Article 60 Cooperation between the Lead Supervisory Authority and Other Relevant Supervisory Authorities

1. The lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this Article in an endeavour to reach consensus. The lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other.

2. The lead supervisory authority may request at any time other supervisory authorities concerned to provide mutual assistance pursuant to Article 61 and may conduct joint operations pursuant to Article 62, in particular for carrying out investigations or for monitoring the implementation of a measure concerning a controller or processor established in another Member State.

3. The lead supervisory authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. It shall without delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views.

4. Where any of the other supervisory authorities concerned, within a period of four weeks after having been consulted in accordance with paragraph 3, expresses a relevant and reasoned objection to the draft decision, the lead supervisory authority shall, if it does not follow the relevant and reasoned objection or is of the opinion that the objection is not relevant or reasoned, submit the matter to the consistency mechanism referred to in Article 63.

5. If the lead supervisory authority agrees with a relevant and justified objection, it shall submit a revised draft decision to the other supervisory authorities in response to the objection. The decision on the revised draft shall comply with the procedure set out in paragraph 4 and shall be taken within two weeks.

6. Where none of the other supervisory authorities concerned has objected to the draft decision submitted by the lead supervisory authority within the period referred to in paragraphs 4 and 5, the lead supervisory authority and the supervisory authorities concerned shall be deemed to be in agreement with that draft decision and shall be bound by it.

7. The lead supervisory authority shall adopt the decision and notify it to the main establishment or single establishment of the controller or processor, as the case may be, and shall inform the other supervisory authorities concerned and the European Data Protection Board of the decision in question, including a summary of the relevant facts and grounds. The supervisory authority with which the complaint was lodged shall inform the complainant of the decision.

8. In the event that the complaint is withdrawn or rejected, the provisions of paragraph 7 may be derogated from and the supervisory authority receiving the complaint shall adopt the decision and communicate it to the complainant and thus to the controller.

9. When the lead regulator and the relevant regulator agree to withdraw or dismiss one part of the complaint and take action on the other parts of the complaint, a separate decision shall be taken with respect to the matters in such other parts. The lead supervisory authority shall adopt that part of the decision that relates to the controller's actions and communicate it to the controller's or processor's main establishment or sole establishment in a Member State and thereby also inform the complainant. On the other hand, the complainant's supervisory authority shall adopt that part of the decision relating to the withdrawal or rejection of the complaint and communicate this to the complainant and thus to the controller or processor.

10. Upon receipt of a notification from the lead supervisory authority pursuant to paragraphs 7 and 9, the controller or processor shall take the necessary measures to ensure that processing activities at all its establishments in the Union comply with the decision. The controller or processor shall inform the lead supervisory authority of the measures taken to comply with the decision, and the lead supervisory authority shall inform the other relevant supervisory authorities.

11. In extreme circumstances, when a relevant supervisory authority considers that there are sufficient grounds to demonstrate the need to take emergency action to protect the interests of the data subject, the provisions of Article 66 on emergency procedures should be invoked.

12. The lead supervisory authority and other relevant supervisory authorities shall provide each other with the information required by this Article by electronic means and in a standardized format.

Article 61 Mutual Assistance

1. Supervisory authorities shall provide each other with relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner, and shall put in place measures to enable effective cooperation with one another. Mutual assistance shall include in particular requests for information and supervisory measures, for example requests to carry out prior authorizations and consultations, inspections and investigations.

2. Each supervisory authority shall respond promptly to a request by another supervisory authority by taking appropriate measures, and shall do so within one month of receipt of the request at the latest. Such measures may include, inter alia, the transmission of relevant information on the conduct of an investigation.

3. Requests for assistance should include all necessary information, including the purpose and reason for the request. The information exchanged may only be used to fulfill the purpose of requesting assistance.

4. The requested supervisory authority shall not deny the request unless:

(a) the requested supervisory authority has no competence over the subject matter of the request or the measures being requested; or

(b) compliance with the request would infringe this Regulation or Union or Member State law to which the requested supervisory authority is subject.

5. The requested supervisory authority shall inform the requesting supervisory authority of the outcome and, where appropriate, of the measures taken to implement the request. The requested supervisory authority shall provide an explanation if it refuses a request made under paragraph 4.

6. As a rule, the requested supervisory authority shall provide the information requested by other supervisory authorities by electronic means, using a standardized format.

7. Measures taken by a requested supervisory authority pursuant to a request for mutual assistance shall be free of charge. Supervisory authorities may agree on rules to compensate each other for specific costs incurred in providing mutual assistance in specific circumstances.

8. Where a supervisory authority fails to provide the information specified in paragraph 5 within one month of receipt of a request from another supervisory authority, the requesting supervisory authority may take provisional measures in its Member State in accordance with Article 55(1). In such circumstances, an emergency situation consistent with Article 66(1) may be presumed and the EU Data Protection Board shall make an urgent binding decision in accordance with Article 66(1).

9. The EU Data Protection Board may, by adopting implementing legislation, specify the forms and procedures for the mutual assistance provided for in this Article with regard to the exchange of information by electronic means between supervisory authorities and between supervisory authorities and the European Commission, in particular the standardized format referred to in paragraph 6 of this Article. The enactment of such implementing legislation shall follow the verification procedures set out in Article 93(2).

Article 62 Joint action of supervisory authorities

1. Where appropriate, supervisory authorities should conduct joint actions, including joint investigations and joint enforcement measures where members or employees of supervisory authorities in other Member States are involved.

2. Where the controller or processor has establishments in more than one Member State, or where data subjects in two or more Member States may be materially affected by processing operations, the supervisory authorities of those Member States are entitled to participate in joint actions. A supervisory authority with competence under Article 56(1) or 56(4) may invite the supervisory authority of each of these Member States to participate in joint operations and shall respond promptly to a supervisory authority's request for participation.

3. A supervisory authority may, in accordance with the law of its Member State and with the authorization of the seconding supervisory authority, confer powers, including investigative powers, on the seconded members or employees of that supervisory authority. Alternatively, if the law of the Member State of the host supervisory authority so permits, the seconded members or employees may be allowed to exercise their investigative powers in accordance with the law of the Member State of the seconding supervisory authority. Such powers may be exercised only under the direction and in the presence of a member or employee of the host supervisory authority. Members or employees of the seconding supervisory authority shall comply with the law of the Member State in which the host supervisory authority is located.

4. When members or employees of a supervisory authority seconded in accordance with paragraph 1 operate in another Member State, the Member State in which the host supervisory authority is located shall be liable for their actions, including for damage caused during the activity, in accordance with the law of that Member State.

5. The Member State in whose territory the damage was caused shall compensate it under the conditions applicable to damage caused by its own members or employees. Where a member or employee of a seconded supervisory authority causes damage to a person in the territory of another Member State, the seconding Member State shall reimburse that other Member State after the latter has compensated the individual.

6. Except for the circumstances provided for in paragraph 5, and without prejudice to the exercise of rights vis-à-vis third parties, where the circumstances provided for in paragraph 1 occur, each Member State shall refrain from requesting reimbursement from the other Member State for the damage referred to in paragraph 4.

7. When there are plans for joint action and when a supervisory authority refuses to comply with the responsibilities set out in the second sentence of paragraph 2 of this Article, other supervisory authorities may take provisional measures on their territory in accordance with Article 55. In such circumstances, an emergency situation consistent with Article 66(1) may be presumed and the EU Data Protection Board shall make an urgent binding decision in accordance with Article 66(2).

Part 2 Consistency

Article 63 Consistency Mechanism

In order to facilitate the consistent application of this Regulation in the EU, supervisory authorities shall cooperate with each other and, where relevant, with the Commission through the consistency mechanism set out in this Part.

Article 64 Opinion of the European Data Protection Board

1. When a competent supervisory authority plans to take any of the following measures, the EU Data Protection Board shall issue an opinion. To this end, the competent supervisory authority shall inform the EU Data Protection Board of the draft decision when:

(a) The objective of the draft decision is to undertake a range of processing operations that are consistent with the requirements of a data protection impact assessment under Article 35(4);

(b) the draft decision determines whether a draft code of conduct under Article 40(7), or an amendment or extension of a code of conduct, is consistent with this Regulation;

(c) The objective of the draft decision is the approval of accredited entities in compliance with Article 41(3) and the criteria for accreditation entities in compliance with Article 43(3);

(d) The objective of the draft decision is to establish standard data protection clauses under point (d) of Article 46(2) and Article 28(8);

(e) the object of the draft decision is the approval of the terms of the contract specified in point (a) of Article 46(3); or

(f) The object of the draft decision is to approve the validity of the Company Rules referred to in Article 47.

2. Any supervisory authority, the EU Data Protection Board or the President of the European Commission may request that any matter of general application or affecting more than one Member State be examined with a view to obtaining an opinion, in particular where the competent supervisory authority fails to comply with the duty of mutual assistance under Article 61 or of joint action under Article 62.

3. In the cases referred to in paragraphs 1 and 2, the EU Data Protection Board shall issue an opinion on a matter submitted to it if it has not previously issued an opinion on a similar matter. This opinion should be decided by a simple majority of the members of the EU Data Protection Board within eight weeks. Taking into account the complexity of the main matter, the eight-week period may be extended by a further six weeks. With regard to a draft resolution referred to in paragraph 1 that is circulated in the EU Data Protection Board in accordance with paragraph 5, a Member shall be deemed to have agreed to the draft resolution if a Member does not raise an objection within a reasonable period of time indicated by the Chairman of the EU Data Protection Board.

4. Supervisory authorities and the EU Data Protection Board should communicate any relevant information electronically and in a standardized format in a timely manner. Such information may be a summary of the facts, a draft resolution, the reasons for taking such necessary measures, and the views of other relevant bodies.

5. The President of the EU Data Protection Board shall promptly by electronic means:

(a) Notify the EU Data Protection Board and members of the European Commission through a standardized format of any relevant information that becomes known. If necessary, the Secretary of the European Data Protection Board shall provide translation of the relevant information; and

(b) inform the supervisory authority referred to in paragraphs 1 and 2 and the European Commission of the opinion and make it public.

6. During the period specified in paragraph 3, the competent supervisory authority shall not adopt the draft resolution specified in paragraph 1.

7. The supervisory authority referred to in paragraph 1 shall give due consideration to the opinion of the EU Data Protection Board to the greatest extent possible and shall, within two weeks of receipt of the opinion, inform the President of the EU Data Protection Board electronically whether it will maintain or amend its draft decision and, if applicable, submit the amended draft decision.

8. Article 65(1) shall apply when the relevant supervisory authority notifies the Chairman of the Commission within the period specified in paragraph 7 of this Article that it does not intend to comply with all or part of the Commission's opinions and provides the relevant reasons.

Article 65 Dispute Resolution before the European Data Protection Board

1. In order to ensure the correct and consistent application of this Regulation in individual cases, the EU Data Protection Board shall make binding decisions in the following situations:

(a) In the circumstances set out in Article 60(4), a relevant supervisory authority raises a relevant and reasoned objection to the lead supervisory authority's draft decision, or the lead supervisory authority rejects the objection as irrelevant or unreasonable. The binding decision shall cover all matters to which the relevant and reasoned objection relates, in particular whether there is a violation of this Regulation;

(b) There are different opinions as to which supervisory authority is competent for the main establishment;

(c) In the circumstances referred to in Article 64(1), the competent supervisory authority does not request an opinion from the European Data Protection Board or fails to comply with an opinion issued by the European Data Protection Board in accordance with Article 64. In such circumstances, any relevant supervisory authority or the EU Data Protection Board may inform the EU Data Protection Board of the matter.

2. A two-thirds majority of the members of the EU Data Protection Board shall make the decision specified in paragraph 1 within one month after the transfer of the subject matter. Considering the complexity of the subject matter, this period can be extended for another month. The decision specified in paragraph 1 shall be reasoned, shall be communicated to the lead supervisory authority and all relevant supervisory authorities, and shall be binding upon them.

3. If the European Data Protection Board is unable to make a decision within the period specified in paragraph 2, it shall make the decision by a simple majority of its members within two weeks after the end of the second month referred to in paragraph 2. If the votes of the EU Data Protection Board members are split, the decision shall be taken on the basis of the vote of the President.

4. During the period specified in paragraphs 2 and 3, the relevant supervisory authority shall not take a decision on the subject matter submitted to the EU Data Protection Board pursuant to paragraph 1.

5. The Chairman of the EU Data Protection Board shall promptly inform the relevant supervisory authorities of the decision referred to in paragraph 1, and shall also inform the European Commission thereof. The decision shall be published promptly on the website of the European Data Protection Board after the supervisory authority has communicated the final decision referred to in paragraph 6.

6. The lead supervisory authority or the supervisory authority with which the complaint has been lodged shall make a final decision promptly on the basis of the decision referred to in paragraph 1 of this Article, and at the latest within one month after the EU Data Protection Board has communicated its decision. The lead supervisory authority or the supervisory authority with which the complaint has been lodged shall report to the EU Data Protection Board the time at which it notified the controller or processor and the data subject of the final decision. The final decision of the relevant supervisory authority shall be made in accordance with the terms of Article 60(7), (8) and (9). The final decision shall refer to the decision referred to in paragraph 1 of this Article and shall specify that the decision referred to in paragraph 1 will be published on the website of the European Data Protection Board in accordance with paragraph 5 of this Article. The final decision shall be accompanied by the decision referred to in paragraph 1 of this Article.

Article 66 Emergency procedures

1. In exceptional circumstances, when a relevant supervisory authority considers that urgent action is necessary to protect the rights and freedoms of data subjects, it may, by way of derogation from the consistency mechanism set out in Articles 63, 64 and 65 or the procedure set out in Article 60, immediately take temporary measures that are legally effective within its territory for a specified period of no more than 3 months. The supervisory authority shall promptly inform the other relevant supervisory authorities, the EU Data Protection Board and the European Commission of these measures and of the reasons for taking them.

2. When the supervisory authority takes measures consistent with paragraph 1 and considers urgent final measures, it may request an urgent opinion or urgent binding decision from the European Data Protection Board, stating the reasons for such request.

3. If urgent action is necessary to protect the rights and freedoms of data subjects and the competent supervisory authority fails to take appropriate measures, any supervisory authority may request an urgent opinion or an urgent binding decision from the European Data Protection Board, stating the reasons for the request, including why urgent action is required.

4. By way of derogation from Article 64(3) and Article 65(2), the urgent opinion or urgent binding decision referred to in paragraphs 2 and 3 of this Article shall be adopted within two weeks by a simple majority of the members of the EU Data Protection Board.

Article 67 Information exchange

For the electronic exchange of information between supervisory authorities and between supervisory authorities and the European Data Protection Board, in particular the standardized format specified in Article 64, the European Commission may adopt detailed implementing legislation.

These implementing acts shall be drawn up in accordance with the verification procedures set out in Article 93(2).

Part 3 European Data Protection Board

Article 68 EU Data Protection Board

1. The European Data Protection Board is hereby established as an institution of the European Union and will have legal personality.

2. The European Data Protection Board shall be represented by its Chairman.

3. The EU Data Protection Board shall include the head of each supervisory authority in each Member State, the head of the EU data protection supervisor, or their representatives.

4. When more than one supervisory authority in a Member State is responsible for monitoring the application of the provisions of this Regulation, a joint representative shall be appointed in accordance with the law of the Member State.

5. The European Commission shall have the right to participate in the activities and meetings of the EU Data Protection Board, but without voting rights. The European Commission shall appoint a representative. The President of the EU Data Protection Board shall inform the European Commission of the Board's activities.

6. For the situations specified in Article 65, the EU data protection supervisor will have voting rights only if the resolution involves principles and rules applicable to EU institutions, entities, offices and regulatory bodies that substantially correspond to the provisions of this Regulation.

Article 69 Independence

1. When carrying out its tasks or exercising its powers under Articles 70 and 71, the EU Data Protection Board shall maintain its independence.

2. Without prejudice to requests by the Commission referred to in Article 70(1)(b) and Article 70(2), the European Data Protection Board shall, in the performance of its tasks or in the exercise of its powers, neither seek nor take instructions from anybody.

Article 70 Tasks of the European Data Protection Board

1. The EU Data Protection Board shall ensure the consistent application of this Regulation. To achieve this purpose, the EU Data Protection Board shall, in relevant circumstances, take the following actions on its own initiative or at the request of the European Commission:

(a) without prejudice to the tasks of the national supervisory authority, ensure the correct application of this Regulation in the circumstances set out in articles 64 and 65;

(b) provide advice to the European Commission on all matters related to EU data protection, including proposals for amendments to this Regulation;

(c) advise the European Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities for the purpose of setting binding corporate rules;

(d) issue guidelines, recommendations and best practices on the procedures for erasing links, backups or copies of personal data from publicly accessible communication services under Article 17(2);

(e) to examine, on its own initiative or at the request of its Members or at the request of the European Commission, any issues relating to the application of this Regulation and to issue guidance, recommendations and best practice with a view to encouraging the application of this Regulation;

(f) In order to further refine the criteria and conditions for decision-making based on user profiling specified in Article 22(2), release guidelines, recommendations and best practices consistent with point (e) of this paragraph;

(g) issue guidelines, recommendations and best practices consistent with point (e) of this paragraph for establishing a personal data breach and determining whether there has been undue delay under Article 33(1) and (2), and for the circumstances in which the controller or processor is required to notify the personal data breach;

(h) In situations where personal data violations may pose high risks to the rights and freedoms of natural persons as provided for in Article 34(1), release guidelines, recommendations and best practices consistent with point (e) of this paragraph;

(i) issue guidelines, recommendations and best practices consistent with point (e) of this paragraph in order to refine the standards and requirements for transfers of personal data based on binding corporate rules to which controllers and processors are subject, and the further requirements necessary to ensure the protection of the personal data of the data subjects concerned referred to in Article 47;

(j) In order to further refine the standards and requirements required for the transfer of personal data specified in Article 49(1), release guidelines, recommendations and best practices consistent with point (e) of this paragraph;

(k) draft guidelines for supervisory authorities concerning the applicable measures provided for in Article 58(1), (2) and (3) and the determination of administrative penalties provided for in Article 83;

(l) Review the actual application of the guidelines, recommendations, and best practices specified in points (e) and (f) of this paragraph;

(m) establish general procedures consistent with Article 54(2) for reporting violations of this Regulation by natural persons and issue guidelines, recommendations and best practices consistent with point (e) of this paragraph;

(n) encourage the drafting of codes of conduct and the establishment of data protection certification mechanisms, data protection seals and markings consistent with Articles 40 and 42;

(o) appoint certification bodies and conduct periodic reviews in accordance with Article 43, and maintain an ongoing public register of appointed bodies in accordance with Article 43(6) and of certified controllers or processors established in third countries in accordance with Article 42(7);

(p) specify the requirements under Article 43(3) for the purpose of appointing certification bodies under Article 42;

(q) provide advice to the European Commission on the verification requirements set out in Article 43(8);

(r) provide opinions to the European Commission regarding the illustrations provided for in Article 12(7);

(s) assess the degree of protection provided by a third country or international organization, including assessing whether a third country, a territory or one or more specific sectors within that third country, or an international organization, still provides an adequate level of protection. For this purpose, the European Commission shall provide the European Data Protection Board with all necessary documentation, including correspondence with the government of the third country concerning that third country, territory or specific sector, or with the international organization;

(t) issue opinions on draft decisions of supervisory authorities in accordance with the consistency mechanism provided for in Article 64(1) and on matters submitted under Article 64(2), and issue binding decisions, including in the cases stipulated in Article 66;

(u) Promote cooperation among regulators, effective bilateral or multilateral exchange of information, and best practices;

(v) facilitate joint training programs and facilitate the exchange of personnel between supervisory authorities and, where applicable, between supervisory authorities and third country supervisory authorities or international organizations;

(w) promote knowledge exchange with global data protection regulators and the documentation of data protection legislation and practice;

(x) issue views on the code of conduct drafted at EU level under Article 40(9); and

(y) Maintain a publicly accessible electronic register of decisions taken by regulators and courts and matters dealt with under the consistency mechanism.

2. When the European Commission requests an opinion from the EU Data Protection Board, the European Commission may indicate the time limit required, taking into account the urgency of the matter.

3. The EU Data Protection Board shall inform the European Commission and the Council referred to in Article 93 of its opinions, guidelines, recommendations and best practices and shall make them publicly available.

4. If applicable, the EU Data Protection Board shall consult the parties concerned and give them an opportunity to comment within a reasonable period. Without prejudice to Article 76, the EU Data Protection Board shall make the results of the consultation process publicly available.

Article 71 Reporting

1. For data processing activities within the EU, relevant third countries and international organizations, if the protection of natural persons is involved, the EU Data Protection Board should draft an annual report. The report should be made public and should be transmitted to the European Parliament, the Council of the European Union and the European Commission.

2. The annual report shall include a review of the practical application of the guidelines, recommendations and best practices specified in Article 70(1)(l), as well as the binding resolutions specified in Article 65.

Article 72 Procedure

1. The EU Data Protection Board shall take decisions by a simple majority of its members, unless this Regulation provides to the contrary.

2. The EU Data Protection Board should formulate procedural rules and establish its own operating mechanism by a two-thirds majority of its members.

Article 73 Chairman

1. The EU Data Protection Board shall elect a Chairman and two Vice-Chairmen from among its members by a simple majority.

2. The term of office of Chairman and Vice Chairman shall be 5 years and may be reappointed for one term.

Article 74 Duties of the Chairman

1. The chairman has the following tasks:

(a) convene the meetings of the European Data Protection Board and prepare the meeting agenda;

(b) inform the lead supervisory authority and the relevant supervisory authorities specified in Article 65 of decisions taken under Article 65;

(c) ensure the timely fulfillment of the tasks of the EU Data Protection Board, in particular those related to the consistency mechanism specified in Article 63.

2. The EU Data Protection Board shall lay down the division of tasks between the Chairman and the Vice-Chairmen in its procedural rules.

Article 75 Secretary

1. The EU Data Protection Board shall have a secretary, who shall be appointed by the EU Data Protection Supervisor.

2. The Secretary shall perform his or her duties strictly in accordance with the instructions of the President of the EU Data Protection Board.

3. Employees of the EU data protection supervisor who are involved in the performance of the tasks assigned to the EU Data Protection Board under this Regulation shall be subject to different reporting procedures than employees who are involved in the performance of tasks assigned to the EU data protection supervisor.

4. Where applicable, the EU Data Protection Board and the EU Data Protection Supervisor shall draw up and publish a memorandum of understanding implementing this Article setting out the terms of cooperation between them in relation to the performance of the tasks conferred on the EU Data Protection Board by this Regulation. The MOU applies to employees of the EU Data Protection Supervisor.

5. The Secretary shall provide analysis, management and follow-up support to the EU Data Protection Board.

6. The secretary shall be responsible for the following matters:

(a) The daily affairs of the European Data Protection Board;

(b) Communication between the European Data Protection Board, the President of the European Data Protection Board and the European Commission;

(c) Communication with other organizations and the public;

(d) Use of electronic means for internal and external communications;

(e) Translation of relevant information;

(f) Preparation and follow-up for EU Data Protection Board meetings;

(g) Prepare, draft and publish EU Data Protection Board opinions and decisions on disagreements between supervisory authorities and other texts.

Article 76 Confidentiality

1. If the EU Data Protection Board considers that a discussion is necessary to be held confidentially in accordance with the requirements of the procedural rules, the discussion shall be kept strictly confidential.

2. Access to files submitted to members, experts and third-party representatives of the European Data Protection Committee shall be subject to Regulation (EC) No 1049/2001 of the European Parliament and of the Council [1].

Chapter 8 Remedies, Responsibilities and Punishments

Article 77 Right to lodge a complaint with the supervisory authority

1. Without prejudice to any other administrative or judicial remedy, each data subject has the right to lodge a complaint with a supervisory authority, in particular the supervisory authority of the Member State of his or her habitual residence, place of work or the place of the alleged infringement, if the data subject considers that the processing of his or her personal data violates this Regulation.

2. The supervisory authority that receives a complaint shall inform the complainant of the progress and outcome of the complaint, including the possibility of judicial relief consistent with Article 78.

Article 78 Effective judicial remedies against regulatory agencies

1. Without prejudice to any other administrative or judicial remedies, any natural or legal person has the right to obtain effective judicial remedies against legally binding decisions concerning their supervisory authorities.

2. Without prejudice to any other administrative or judicial remedy, every natural or legal person is entitled to an effective judicial remedy where the supervisory authority competent under Articles 55 and 56 does not handle a complaint, or fails to inform the data subject within three months of the progress or outcome of the complaint lodged under Article 77.

3. Legal proceedings against a supervisory authority shall be brought before the courts of the Member State in which the supervisory authority is located.

4. If legal proceedings against a supervisory authority's decision arise before the EU Data Protection Board's opinion or decision under the consistency mechanism, the supervisory authority shall inform the court of its opinion or decision.

Article 79 Effective judicial remedies against the controller or processor

1. Without prejudice to any other administrative or judicial remedy, including the right to lodge a complaint with a supervisory authority under Article 77, every data subject who considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in violation of this Regulation has the right to an effective judicial remedy.

2. Legal proceedings against a controller or processor shall be brought before the courts of the Member State in which the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.

Article 80 Representation of data subjects

1. The data subject has the right to entrust a non-profit organization, entity or association to exercise on his behalf the rights set out in Articles 77, 78 and 79 and, in the circumstances provided for by the law of the Member State, to exercise on his behalf the right to compensation set out in Article 82. A non-profit institution, entity or association shall meet the following conditions: it shall be established in accordance with the law of the Member State, its charter shall have the public interest as its objective, and it shall be active in bringing complaints on behalf of individuals in order to protect the rights and freedoms of data subjects.

2. Member States may provide that any body, organization or association referred to in paragraph 1 of this Article, independently of a mandate from the data subject, has the right, in that Member State, to lodge a complaint with the competent supervisory authority specified in Article 77 and to exercise the rights specified in Articles 78 and 79.

Article 81 Suspension of legal proceedings

1. Where a competent court of a Member State has information that proceedings concerning the same subject matter and involving the same controller or processor are pending before a court of another Member State, it shall contact that court to confirm the existence of such proceedings.

2. Where proceedings concerning the same subject matter and involving the same controller or processor are pending before a court of another Member State, any competent court other than the court first seised may suspend its proceedings.

3. Where those proceedings are still at the preliminary hearing stage, any court other than the court first seised may, on the application of one of the parties, decline jurisdiction if the court first seised has jurisdiction over the actions in question and its law permits their consolidation.

Article 82 Rights and responsibilities for compensation

1. Anyone who suffers material or immaterial harm as a result of a violation of this Regulation shall have the right to obtain compensation for the damage from the controller or data provider.

2. Any controller involved in processing shall be liable for damage suffered as a result of processing in violation of this Regulation. A processor shall be liable for damage resulting from processing when it fails to comply with the requirements imposed on the processor expressly set out in this Regulation or when it violates the lawful instructions of the controller.

3. The controller or processor may be exempted from liability under paragraph 2 if it proves that it is not responsible for the event giving rise to the loss.

4. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and are, under paragraphs 2 and 3, responsible for the damage caused by that processing, each controller or processor shall be held jointly and severally liable for the entire damage, in order to ensure effective compensation of the data subject.

5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor is entitled, subject to the conditions set out in paragraph 2, to claim back from the other controllers or processors involved that part of the compensation corresponding to their share of responsibility for the damage.

6. To exercise the right to compensation, a claim shall be brought before a court of competent jurisdiction of a Member State in accordance with Article 79(2).

Article 83 General conditions for administrative fines

1. Each supervisory authority shall ensure that the fines it imposes under this Article for infringements of these Regulations set out in Articles 4, 5 and 6 shall be effective, proportionate and dissuasive in each case.

2. Depending on the specific circumstances of each case, administrative penalties shall be in addition to or in lieu of the measures specified in points (a) to (h) and point (j) of Article 58(2). When deciding whether administrative penalties should be imposed and the amount of administrative penalties in each specific case, the following factors should be fully considered:

(a) The nature, severity and duration of the violation as determined by taking into account the nature, scope or purpose of the relevant processing, the number of affected data subjects and the extent of the damage;

(b) Whether the nature of the violation is intentional or negligent;

(c) all actions taken by the controller or processor to mitigate the loss of the data subject;

(d) the degree of responsibility of the controller or processor determined in conjunction with the technical and organizational measures taken by the controller or processor in compliance with Articles 25 and 32;

(e) all relevant previous unlawful acts by the controller or processor;

(f) The extent of cooperation with regulatory authorities to correct violations and mitigate possible negative impacts caused by violations;

(g) The type of personal data affected by the illegal act;

(h) The manner in which the supervisory authority became aware of the violation, and in particular whether and to what extent the controller or processor reported the violation;

(i) If the measures specified in Article 58(2) have been imposed on the controller or processor in relation to the same subject matter, whether these measures have been complied with;

(j) compliance with an effective code of conduct consistent with Article 40 or an effective certification scheme consistent with Article 42; and

(k) All aggravating or mitigating factors that may be applicable to the circumstances of the case, such as economic gains and avoided losses directly or indirectly caused by the violation of the law.

3. If the controller or processor intentionally or negligently violates the provisions of this Regulation in relation to the same or related processing operations, the total amount of the administrative fine shall not exceed the amount determined for the most serious infringement.

4. Violations of the following provisions shall be subject to an administrative fine in accordance with paragraph 2 of up to 10 000 000 euros or, in the case of an enterprise, up to an amount equal to 2% of its total global turnover in the previous year, whichever is higher:

(a) the obligations of controllers and processors under Articles 8, 11, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 42 and 43;

(b) the responsibilities of the certification body under Articles 42 and 43;

(c) the responsibilities of the supervisory authority under Article 41(4).

5. Violations of the following provisions shall be subject to an administrative fine in accordance with paragraph 2 of up to 20 000 000 euros or, in the case of an enterprise, up to an amount equivalent to 4% of its total global turnover in the previous year, whichever is higher:

(a) the fundamental principles of processing, including the conditions of consent set out in Articles 5, 6, 7 and 9;

(b) The rights of the data subject set out in Articles 12 to 22;

(c) transfer of personal data to a recipient in a third country or an international organization as provided for in Articles 44 to 49;

(d) all responsibilities under Chapter 9 that are consistent with the laws of Member States;

(e) failure to comply with an order, a temporary or definitive restriction on processing, or a suspension of data flows issued by a supervisory authority under Article 58(2), or failure to provide access in breach of Article 58(1).

6. Non-compliance with an order issued by the supervisory authority under Article 58(2) shall be subject to an administrative fine in accordance with paragraph 2 of up to €20 000 000 or, in the case of a group, up to 4% of its total global turnover of the previous year, whichever is higher.

7. Without prejudice to the corrective powers of supervisory authorities consistent with Article 58(2), each Member State may establish rules determining the circumstances under which administrative sanctions may be imposed on public institutions and entities established in its territory.

8. In exercising the powers provided for in this Article, supervisory authorities shall adopt appropriate procedural safeguards consistent with EU and Member State law, including effective judicial remedies and due process.

9. When the legal system of a Member State does not provide for administrative penalties, this Article may be applied in the following manner: Administrative penalties may be imposed through competent supervisory authorities and then applied by competent national courts. At the same time, it shall be ensured that those legal remedies are effective. Moreover, these legal remedies have the same effect as administrative penalties imposed by regulatory agencies. Whatever the circumstances, the penalties imposed must be effective, proportionate and dissuasive. Those Member States shall promptly inform the Commission [within two years of the entry into force of this Regulation] of the legal provisions made pursuant to this paragraph and of any subsequent amending legislation or changes in legislation affecting them.

Article 84 Punishment

1. Member States shall establish rules that may apply to other penalties for violations of this Regulation, in particular for those offenses that are not subject to the administrative penalties provided for in Article 83, and Member States shall establish the necessary measures to ensure that these penalty rules are implemented. Such punishment should be effective, proportionate and dissuasive.

2. Each Member State shall inform the European Commission [within two years of the entry into force of this Regulation] of the provisions of its legislation in conformity with paragraph 1 and shall promptly inform the Commission of subsequent amendments affecting the provisions.

Chapter 9 Provisions related to specific processing situations

Article 85 Processing, freedom of expression and information

1. Member States should adopt legislation that reconciles the right to protection of personal data with the right to freedom of expression and the right to information consistent with the provisions of this Regulation, including with regard to processing for journalistic purposes and for purposes of academic, artistic or literary expression.

2. Where processing for journalistic purposes or for purposes of academic, artistic or literary expression makes it necessary to reconcile the right to protection of personal data with the right to freedom of expression and the right to information established in this Regulation, Member States shall provide for exemptions or derogations from Chapter 2 (Principles), Chapter 3 (Rights of the Data Subject), Chapter 4 (Controller and Processor), Chapter 5 (Transfer of Personal Data to Third Countries or International Organizations), Chapter 6 (Independent Supervisory Authority), Chapter 7 (Cooperation and Consistency) and Chapter 9 (Certain circumstances of data processing).

3. Each Member State shall inform the Commission of the legal provisions it has adopted pursuant to paragraph 2 and shall promptly inform the Commission of any subsequent amending legislation or changes affecting them.

Article 86 Handling and public access to official records

Personal data in official archives held by a public agency, a public entity or a private entity performing tasks in the public interest may be disclosed by that agency or entity in accordance with the laws of the Member State to which it is subject, in order to reconcile public access to official archives with the right to the protection of personal data under this Regulation.

Article 87 Handling of National Identification Numbers

Member States may further determine the specific conditions under which national identification numbers or other general identifiers are processed. In such cases, national identification numbers or other general identifiers may be used only subject to appropriate safeguards for the rights and freedoms of the data subject under this Regulation.

Article 88 Processing in the employment context

1. Member States may establish, by law or by collective agreement, specific rules to guarantee the rights and freedoms of employees when their personal data are processed in the context of employment. This applies in particular to processing for the purposes of recruitment; the performance of the employment contract, including the discharge of obligations laid down by law or by collective agreements; management, planning and organization of work; rationality and diversity in the workplace; health and safety at work; protection of employer and customer property; the exercise and enjoyment of employment-related rights and benefits; and the termination of the employment relationship.

2. Such rules shall include appropriate and specific measures to safeguard the personal dignity, legitimate interests and fundamental rights of the data subject, in particular with regard to the transparency of processing, the transfer of personal data within a group of undertakings, and monitoring systems in the workplace and within a group of undertakings engaged in a joint economic activity.

3. Each Member State shall inform the Commission [within two years of the entry into force of this Regulation] those legal provisions it has adopted pursuant to paragraph 1 and shall promptly inform the Commission of subsequent amendments affecting the provisions.

Article 89 Safeguards and derogations in processing carried out in the public interest, scientific or historical research or statistical purposes

1. Processing in the public interest, for scientific or historical research purposes or for statistical purposes shall be subject to appropriate safeguards, consistent with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organizational measures are in place to respect the principle of data minimization. Those measures may include pseudonymization or anonymization, provided that those purposes can still be fulfilled in that manner. Where those purposes can be achieved by further processing that does not permit, or no longer permits, the identification of data subjects, that form of processing shall be adopted.

2. Where personal data are processed for scientific or historical research purposes or statistical purposes, the laws of Member States may derogate from the rights set out in Articles 15, 16, 18 and 21, subject to the conditions and safeguards set out in paragraph 1 of this Article, insofar as such rights are likely to render impossible or seriously impair the achievement of those purposes and the derogation is necessary for their fulfilment.

3. Where personal data are processed for purposes of public interest, Union or Member State law may derogate from the rights set out in Articles 15, 16, 18, 19, 20 and 21, subject to the conditions and safeguards set out in paragraph 1 of this Article, insofar as such rights are likely to render impossible or seriously impair the achievement of those purposes and the derogation is necessary for their fulfilment.

4. Where the processing referred to in paragraphs 2 and 3 also serves other purposes, the derogations apply only to processing carried out for the purposes referred to in those paragraphs.

Article 90 Duty of confidentiality

1. Member States may adopt specific rules concerning the powers of supervisory authorities under points (e) and (f) of Article 58(1) in relation to controllers or processors that are subject, under national law or rules established by national competent authorities, to a professional duty of confidentiality or other equivalent duties, where this is necessary and proportionate to reconcile the protection of personal data with the maintenance of confidentiality. Such rules shall apply only to the personal data that the controller or processor has received in the course of, or as a result of, an activity covered by that duty of confidentiality.

2. Each Member State shall inform the Commission [within two years of the entry into force of this Regulation] those legal provisions it has adopted pursuant to paragraph 1 and shall promptly inform the Commission of subsequent amendments affecting the provisions.

Article 91 Existing data protection rules for churches and religious associations

1. Where, at the time of entry into force of this Regulation, churches, religious associations or communities in a Member State apply comprehensive rules relating to the protection of natural persons with regard to processing, those rules may continue to apply, provided that they are brought into line with this Regulation.

2. Churches and religious associations which apply comprehensive rules in accordance with paragraph 1 shall be subject to the supervision of an independent supervisory authority, which may be a specifically designated authority, provided that it fulfils the conditions laid down in Chapter 6 of this Regulation.

Chapter 10 Authorizing Acts and Implementing Acts

Article 92 Exercise of authorization

1. The European Commission has the power to enact delegated acts, subject to the conditions set out in this Article.

2. The authorizations provided for in Articles 12(8) and 43(8) shall be conferred on the Commission for an unspecified period of time [after the entry into force of this Regulation].

3. The authorizations provided for in Articles 12(8) and 43(8) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall terminate the delegation of the power specified in that decision. It shall take effect on the day following its publication in the Official Journal of the European Union or on a later date specified in the decision. It shall not affect the validity of any delegated act already in force.

4. As soon as it adopts a delegated act, the European Commission shall notify it simultaneously to the European Parliament and to the Council of the European Union.

5. A delegated act adopted under Article 12(8) or 43(8) shall enter into force only if no objection has been expressed by either the European Parliament or the Council of the European Union within three months of notification of that act to them, or if, before the expiry of that period, both the European Parliament and the Council have informed the European Commission that they will not object. That period may be extended by a further three months at the initiative of the European Parliament or the Council.

Article 93 Committee Procedure

1. The European Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

3. Where reference is made to this paragraph, Article 8 of Regulation (EU) No 182/2011 shall apply in conjunction with Article 5 thereof.

Chapter 11 Final Terms

Article 94 Repeal of Directive 95/46/EC

1. Directive 95/46/EC will be repealed [two years after this Regulation comes into force].

2. References to the repealed Directive shall be construed as references to this Regulation. References to the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Article 29 of Directive 95/46/EC shall be construed as references to the European Data Protection Board established by this Regulation.

Article 95 Relationship with 2002/58/EC

In the case of providing publicly accessible electronic communications services on public communications networks in the European Union, this Regulation shall not impose additional responsibilities on natural or legal persons for the same matter for which Directive 2002/58/EC already imposes special responsibilities.

Article 96 Relationship with previously concluded agreements

International agreements between Member States and third countries or international organizations involving the transfer of personal data which were concluded before [the entry into force of this Regulation] and which comply with the law applicable before that date shall remain in force until amended, replaced or revoked.

Article 97 Report of the Committee

1. After [four years after the entry into force of this Regulation], and every four years thereafter, the Commission shall submit an evaluation and review of this Regulation to the European Parliament and the Council. The report should be made public.

2. In the context of the evaluation and review specified in paragraph 1, the Commission shall examine in particular the application and functioning of:

(a) Transfers of personal data to third countries or international organizations provided for in Chapter 5, in particular decisions adopted pursuant to Article 45(3) of this Regulation and decisions adopted on the basis of Article 25(6) of Directive 95/46/EC;

(b) Cooperation and consistency under Chapter 7.

3. In order to achieve the purposes of paragraph 1, the Commission may request relevant information from Member States and supervisory authorities.

4. In carrying out the evaluation and review specified in paragraphs 1 and 2, the Commission shall take into account the positions and findings of the European Parliament, the Council of the European Union and other relevant bodies and stakeholders.

5. Where necessary, the Commission shall submit appropriate proposals to amend this Regulation, in particular taking into account developments in information technology and the state of progress of the information society.

Article 98 Review of other EU data protection legislation

Where appropriate, the European Commission shall submit legislative proposals to amend other Union legal acts on the protection of personal data, in order to ensure uniform and consistent protection of natural persons with regard to processing. This concerns in particular the rules relating to the protection of natural persons with regard to processing by EU institutions, entities, offices and regulatory bodies, and the free movement of such data.

Article 99 Effectiveness and application

1. This Regulation shall enter into force twenty days after its publication in the Official Journal of the European Union.

2. It shall apply from [two years after the entry into force of this Regulation].

All provisions of this Regulation are binding and shall apply directly to Member States.

Notes: [1] Regulation (EC) No 1049/2001 of the European Parliament and of the Council on public access to the archives of the European Parliament, the Council of the European Union and the European Commission (OJ L 145, 31.5.2001, p. 43).
