The Recitals
Excerpt from Bruno DUMAY's book: GDPR DECRYPTION – For Managers, Strategic Departments and employees of companies and organizations – Preface by Gaëlle MONTEILLER
We couldn't let you miss the recitals, at least the main ones that motivated the GDPR. They carry the philosophy that the final regulation and the directive restored: they read and harmonize, through a single prism, all the considerations of each Member State's data protection legislation. They embody European diversity while forming a single corpus. They illuminate our understanding and give meaning; they testify to the fact that something profound is happening, certainly and at first glance, in response to the GAFAs, Google, Apple, Facebook, Amazon, Deezer, Instagram, Snapchat and others, who have plundered our behaviours, our desires and our wishes... Actors whose only consideration for us is that of our wallet!
It seemed essential to me to provide you with the main recitals and/or their most important passages. If you would like to go further, once again the CNIL website is particularly comprehensive, and I invite you to visit it...
(Recital 1) The protection of individuals with regard to the processing of personal data is a fundamental right. … provide that everyone has the right to the protection of personal data concerning them.
(Recital 2) The principles and rules governing the protection of natural persons with regard to the processing of personal data relating to them should, whatever the nationality or residence of those natural persons, respect their fundamental rights and freedoms, in particular their right to the protection of personal data. … to contribute to the creation of an area of freedom, security and justice and of an economic union, to economic and social progress, to the consolidation and convergence of economies within the internal market, and to the well-being of natural persons.
(Recital 3) … Council aims to harmonize the protection of fundamental rights and freedoms of natural persons with regard to processing activities and to ensure the free flow of personal data between Member States.
(Recital 4) The processing of personal data should be designed to serve humanity. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and balanced against other fundamental rights, in accordance with the principle of proportionality. …respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.
(Recital 6) Rapid technological developments and globalization have created new challenges for the protection of personal data. The scale of personal data collection and sharing has increased significantly. Technology allows both private companies and public authorities to use personal data in their business activities as never before. Individuals increasingly make information about themselves publicly and globally accessible. Technology has transformed both economic and social relations, and should further facilitate the free flow of personal data within the Union and their transfer to third countries and international organizations, while ensuring a high level of personal data protection.
(Recital 7) …it is important to build trust that will enable the digital economy to thrive across the entire internal market. Individuals should have control over their personal data. …
(Recital 9) … fragmentation of data protection implementation in the Union, legal uncertainty or a widespread public perception that significant risks to the protection of individuals remain, in particular in relation to the online environment. Differences in the level of protection of the rights and freedoms of natural persons, in particular the right to the protection of personal data, with regard to the processing of personal data in the Member States may prevent the free flow of such data throughout the Union. Such differences may therefore constitute an obstacle to the pursuit of economic activities at Union level, distort competition and prevent authorities from discharging their obligations under Union law. …
(Recital 10) In order to ensure a consistent and high level of protection of natural persons and to remove obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. It is therefore appropriate to ensure consistent and uniform application of the rules for the protection of fundamental rights and freedoms of natural persons with regard to the processing of personal data throughout the Union. …
(Recital 11) Effective protection of personal data throughout the Union requires strengthening and clarifying the rights of data subjects and the obligations of those who carry out and determine the processing of personal data, as well as providing, in the Member States, for equivalent powers of supervision and control of compliance with the rules on the protection of personal data and equivalent sanctions for violations.
(Recital 13) In order to ensure a consistent level of protection of natural persons throughout the Union, and to avoid divergences hindering the free flow of personal data within the internal market, a regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, to provide natural persons in all Member States with the same level of enforceable rights and obligations and responsibilities for controllers and processors, and to ensure consistent supervision of the processing of personal data, and equivalent penalties in all Member States, as well as effective cooperation between supervisory authorities of different Member States. For the internal market to function properly, it is necessary that the free flow of personal data within the Union is neither restricted nor prohibited on grounds relating to the protection of natural persons with regard to the processing of personal data. …
(Recital 14) The protection afforded by this Regulation should apply to natural persons, irrespective of their nationality or place of residence, with regard to the processing of their personal data. This Regulation does not cover the processing of personal data concerning legal persons, …
(Recital 17) Regulation (EC) No 45/2001 of the European Parliament and of the Council applies to the processing of personal data by the Union institutions, bodies, offices and agencies. …
(Recital 19) The protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security and the free movement of such data, is the subject of a specific Union legal act. …
(Recital 22) Any processing of personal data which takes place in the context of the activities of an establishment of a controller or processor in the territory of the Union should be carried out in accordance with this Regulation, whether or not the processing itself takes place in the Union. Establishment presupposes the effective and genuine exercise of an activity by means of a stable arrangement. …
(Recital 23) In order to ensure that a natural person is not excluded from the protection to which they are entitled under this Regulation, the processing of personal data relating to data subjects who are in the Union by a controller or processor not established in the Union should be subject to this Regulation where the processing activities are related to the offering of goods or services to those data subjects, whether or not payment is required. In order to determine whether such a controller or processor offers goods or services to data subjects who are in the Union, it should be established whether it is clear that the controller or processor intends to offer services to data subjects in one or more Member States of the Union. …
(Recital 24) The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation where such processing is related to the monitoring of the behaviour of those data subjects to the extent that it concerns their behaviour within the Union. In order to determine whether a processing activity can be considered as monitoring the behaviour of data subjects, it should be established whether natural persons are being tracked on the internet, which includes the possible subsequent use of techniques for processing personal data which consist of profiling a natural person, in particular to take decisions concerning him or her or to analyse or predict his or her preferences, behaviour and attitudes.
(Recital 25) Where the law of a Member State applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, …
(Recital 26) The principles of data protection should be applied to any information relating to an identified or identifiable natural person. Personal data which have been pseudonymised and which could be attributed to a natural person by means of additional information should be regarded as information relating to an identifiable natural person. In determining whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used by the controller …
(Recital 27) This Regulation does not apply to the personal data of deceased persons. Member States may lay down rules concerning the processing of personal data of deceased persons.
(Recital 28) Pseudonymisation of personal data can reduce risks for data subjects and help controllers and processors fulfil their data protection obligations. The explicit introduction of pseudonymisation in this Regulation is not intended to exclude any other data protection measures.
(Recital 29) In order to encourage pseudonymisation in the processing of personal data, pseudonymisation measures should be possible within the same controller, while allowing for a general analysis, where the controller has taken the necessary technical and organisational measures to ensure, for the processing concerned, that this Regulation is implemented, and that additional information allowing the attribution of the personal data to a specific data subject is kept separately. The controller processing the personal data should indicate the persons authorised for this purpose within the same controller.
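Recitals 26, 28 and 29 describe pseudonymisation in legal terms: the data still count as personal data, the "additional information" that links a pseudonym back to a person must be kept separately, and only designated persons within the controller may use it, while general analysis remains possible on the pseudonymised set. The following is an added illustration, not code from the book or from any regulator: a keyed pseudonym (HMAC-SHA256) replaces the direct identifier, the key and the reverse map live in a separate object standing in for a separately controlled system, and re-identification is gated on an authorised-persons list. The record layout, the `email` field, the class and function names and the sample data are all assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records; the people and addresses are fictitious.
RECORDS = [
    {"email": "alice@example.com", "country": "FR", "purchases": 3},
    {"email": "bob@example.com", "country": "DE", "purchases": 1},
    {"email": "alice@example.com", "country": "FR", "purchases": 2},
]


class PseudonymisationKey:
    """Stand-in for the separately kept 'additional information' (Recital 29):
    the secret key plus the pseudonym -> identifier map. In a real deployment
    this lives in its own system with its own access control; here it is an
    in-memory object so the example runs offline."""

    def __init__(self, key=None, authorised=()):
        self.key = key or secrets.token_bytes(32)
        self.lookup = {}
        # Persons the controller has designated as allowed to re-identify.
        self.authorised = set(authorised)

    def pseudonym(self, identifier):
        # Deterministic keyed tag: the same person always maps to the same
        # pseudonym, so per-subject analysis still works, but without the key
        # the tag cannot be recomputed from a guessed identifier.
        tag = hmac.new(self.key, identifier.lower().encode(), hashlib.sha256).hexdigest()[:16]
        self.lookup[tag] = identifier
        return tag

    def reidentify(self, tag, requested_by):
        if requested_by not in self.authorised:
            raise PermissionError(f"{requested_by} is not authorised to re-identify")
        return self.lookup[tag]


def pseudonymise(records, keystore):
    """Return copies of the records with the direct identifier replaced by a
    pseudonym; the originals are not modified."""
    out = []
    for record in records:
        copy = {k: v for k, v in record.items() if k != "email"}
        copy["subject"] = keystore.pseudonym(record["email"])
        out.append(copy)
    return out


def purchases_per_subject(pseudo_records):
    """General analysis on the pseudonymised set alone: no key needed."""
    totals = Counter()
    for record in pseudo_records:
        totals[record["subject"]] += record["purchases"]
    return dict(totals)


if __name__ == "__main__":
    keystore = PseudonymisationKey(authorised={"dpo"})
    pseudo = pseudonymise(RECORDS, keystore)
    print(purchases_per_subject(pseudo))
    print(keystore.reidentify(pseudo[0]["subject"], requested_by="dpo"))
```

The split matters more than the hash choice: an analyst who holds only `pseudo` can compute totals per subject but cannot name anyone, which is the reduced-risk state Recital 28 has in mind, whereas whoever holds the `PseudonymisationKey` object can reverse every pseudonym, which is why Recital 26 still treats the output as personal data.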
(Recital 30) Individuals may be associated, through the devices, applications, tools and protocols they use, with online identifiers such as IP addresses and cookies or other identifiers, for example, radio frequency identification tags. These identifiers may leave traces which, particularly when combined with unique identifiers and other information received by servers, can be used to create profiles of individuals and to identify these individuals.
(Recital 31) Public authorities to which personal data are disclosed pursuant to a legal obligation for the exercise of their official functions, such as tax and customs authorities, financial investigation units, independent administrative authorities or financial market authorities responsible for the regulation and supervision of securities markets, should not be regarded as recipients if they receive personal data which are necessary to carry out a particular inquiry in the public interest, …
(Recital 32) Consent should be given by a clear affirmative action by which the data subject freely signifies, in a specific, informed and unambiguous manner, agreement to the processing of personal data relating to him or her, for example by means of a written statement, including by electronic means, or an oral statement. This could be, for example, by ticking a box when visiting a website, by opting for certain technical settings for information society services, or by means of a further statement or conduct which clearly indicates in this context that the data subject agrees to the proposed processing of his or her personal data. Consent cannot therefore be assumed to be based on silence, default ticks or inactivity. …
(Recital 36) The main establishment of a controller in the Union should be the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union, in which case that other establishment should be considered to be the main establishment. The main establishment of a controller in the Union should be determined on the basis of objective criteria and should involve the effective and genuine exercise of management activities determining the main decisions on the purposes and means of processing within a stable arrangement. …
(Recital 37) A group of undertakings should cover a controlling undertaking and its controlled undertakings, the former being the one that can exercise a dominant influence over the other undertakings by virtue of, for example, its ownership of capital, financial participation or the rules that govern it, or the power to enforce rules on the protection of personal data. An undertaking that controls the processing of personal data in undertakings affiliated with it should be considered as forming a group of undertakings with those undertakings.
(Recital 38) Children deserve specific protection with regard to their personal data because they may be less aware of the risks, consequences and safeguards concerned and of their rights related to the processing of personal data. This specific protection should, in particular, apply to the use of personal data relating to children for marketing purposes or for the creation of personality or user profiles and to the collection of personal data relating to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be required in the context of prevention or counselling services offered directly to a child.
(Recital 39) All processing of personal data should be lawful and fair. The fact that personal data concerning natural persons are collected, used, accessed or otherwise processed and the extent to which such data are or will be processed should be transparent to the natural persons concerned. The principle of transparency requires that all information and communication relating to the processing of such personal data be easily accessible, easy to understand, and formulated in clear and plain language. This principle applies, in particular, to information provided to data subjects on the identity of the controller and the purposes of the processing, as well as to other information aimed at ensuring fair and transparent processing with regard to the natural persons concerned and their right to obtain confirmation and communication as to whether their personal data are being processed. Natural persons should be informed of the risks, rules, safeguards and rights related to the processing of personal data and of the modalities for exercising their rights in relation to such processing. …
(Recital 40) To be lawful, the processing of personal data should be based on the consent of the data subject or on any other legitimate ground provided for by law, …
(Recital 42) Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has consented to the processing operation. …
(Recital 43) To ensure that consent is freely given, it should not be a valid legal ground for processing personal data in a particular case where there is a manifest imbalance between the data subject and the controller, in particular where the controller is a public authority and it is unlikely that consent was freely given in all the circumstances of that particular situation. Consent shall be presumed not to have been freely given if separate consent cannot be given to different processing operations of personal data even though it would be appropriate in the individual case, or if the performance of a contract, including the provision of a service, is made conditional on consent even though consent is not necessary for such performance.
(Recital 44) Processing should be considered lawful when it is necessary for the performance of a contract or the intention to enter into a contract.
(Recital 45) Where processing is carried out in compliance with a legal obligation to which the controller is subject or where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law. …
(Recital 46) The processing of personal data should also be considered lawful when it is necessary to protect an interest essential to the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle only take place where the processing manifestly cannot be based on another legal basis. …
(Recital 47) The legitimate interests of a controller, including those of a controller to whom the personal data may be disclosed, or of a third party may constitute a legal basis for the processing, unless the interests or fundamental rights and freedoms of the data subject prevail, taking into account the reasonable expectations of data subjects based on their relationship with the controller. …
(Recital 48) Controllers that are part of a group of companies or establishments affiliated to a central body may have a legitimate interest in transmitting personal data within the group of companies for internal administrative purposes, including the processing of personal data relating to customers or employees. …
(Recital 49) The processing of personal data to the extent strictly necessary and proportionate for the purpose of ensuring network and information security, i.e. the ability of a network or information system to withstand, at a given level of trust, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of personal data stored or transmitted, as well as the security of related services offered or made accessible via such networks and systems, by public authorities, Computer Emergency Response Teams (CERTs), Computer Security Incident Response Teams (CSIRTs), providers of electronic communications networks and services and providers of security technologies and services, constitutes a legitimate interest of the controller concerned. This could include, for example, preventing unauthorized access to electronic communications networks and the distribution of malicious code, and stopping "denial of service" attacks and damage to computer and electronic communications systems.
(Recital 50) Processing of personal data for purposes other than those for which the personal data were originally collected should only be permitted if it is compatible with the purposes for which the personal data were originally collected. …
Where the data subject has given consent or the processing is based on Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to secure, in particular, important objectives of general public interest, the controller should be allowed to carry out further processing of the personal data regardless of the compatibility of the purposes. …
(Recital 51) Personal data which are, by their nature, particularly sensitive from the point of view of fundamental rights and freedoms deserve specific protection, as the context in which they are processed could give rise to significant risks to those rights and freedoms. Such personal data should include personal data revealing racial or ethnic origin, it being understood that the use of the term 'racial origin' in this Regulation does not imply that the Union endorses theories of the existence of distinct human races. …
(Recital 52) Derogations from the prohibition on processing special categories of personal data should also be permitted where Union or Member State law so provides, and subject to appropriate safeguards, so as to protect personal data and other fundamental rights, where the public interest so requires, including the processing of personal data in the field of employment law and social protection law, including pensions, and for the purposes of security, health surveillance and alert, prevention or control of communicable diseases and other serious threats to health. …
(Recital 53) Special categories of personal data which merit higher protection should only be processed for health-related purposes, where necessary to achieve those purposes in the interest of individuals and society as a whole, in particular in the context of the management of health or social care services and systems, including the processing by national management authorities and central health authorities of such data, for the purpose of quality control, information of managers and general supervision, at national and local level, of the health or social care system and for the purpose of ensuring the continuity of health or social care and cross-border health care or for health security, surveillance and alert purposes, or for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, on the basis of Union or Member State law which must meet an objective of public interest, as well as for studies carried out in the public interest in the field of public health. …
(Recital 54) The processing of special categories of personal data may be necessary for reasons of public interest in the areas of public health, without the consent of the data subject. … Such processing of data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties, such as employers or insurance companies and banks.
(Recital 56) Where, in the context of election-related activities, the functioning of the democratic system in a Member State requires political parties to collect personal data relating to the political opinions of individuals, the processing of such data may be permitted on grounds of public interest, provided that appropriate safeguards are provided.
(Recital 57) If the personal data it processes do not allow it to identify a natural person, the controller should not be required to obtain additional information to identify the data subject solely for the purpose of complying with a provision of this Regulation. However, the controller should not refuse additional information provided by the data subject in order to facilitate the exercise of his or her rights. Identification should include the digital identification of a data subject, for example by means of an authentication mechanism such as the same credentials used by the data subject to log in to the online service offered by the controller.
(Recital 58) The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and formulated in clear and simple terms and, in addition, where appropriate, illustrated with visual elements. Such information could be provided in electronic form, for example via a website when addressed to the public. … Since children deserve specific protection, all information and communication, when the processing concerns them, should be drafted in clear and simple terms that the child can easily understand.
(Recital 59) Arrangements should be provided to facilitate the exercise by the data subject of his or her rights under this Regulation, including means to request and, where applicable, obtain free of charge, in particular, access to, and rectification or erasure of, personal data and the exercise of a right to object. The controller should also provide means to submit requests by electronic means, in particular where personal data are processed electronically. The controller should be required to respond to requests from the data subject without undue delay and at the latest within one month and to provide reasons for its response where it intends not to comply with such requests.
(Recital 60) The principle of fair and transparent processing requires that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any other information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which the personal data are processed. In addition, the data subject should be informed of the existence of profiling and of the consequences thereof. Where personal data are collected from the data subject, it is important that the data subject also knows whether he or she is obliged to provide the personal data and of the consequences of not providing them. …
(Recital 61) Information on the processing of personal data relating to the data subject should be provided to him or her at the time when the personal data are collected from him or her or, if the personal data are obtained from another source, within a reasonable timeframe depending on the circumstances of each case. Where personal data may lawfully be disclosed to another recipient, the data subject should be informed of the time at which the personal data are first disclosed to that recipient. …
(Recital 62) However, it is not necessary to impose an obligation to provide information where the data subject already has this information, where the recording or disclosure of personal data is expressly provided for by law or where the provision of information to the data subject proves impossible or would require disproportionate effort. …
(Recital 63) A data subject should have the right to access the personal data collected about them and to exercise this right easily and at reasonable intervals, in order to be aware of the processing and to verify its lawfulness. This includes the right of data subjects to access data concerning their health, for example data from their medical records containing information such as diagnoses, examination results, opinions of treating physicians and any treatment or intervention administered. Accordingly, every data subject should have the right to know and be informed, in particular, of the purposes of the processing of personal data, if possible the duration of the processing of those personal data, the identity of the recipients of those personal data, the logic involved in any automated processing and the possible consequences of such processing, at least in the case of profiling. …
(Recital 64) The controller should take all reasonable steps to verify the identity of a data subject requesting access to data, in particular in the context of online services and identifiers. A controller should not retain personal data for the sole purpose of being able to respond to potential requests.
(Recital 65) Data subjects should have the right to have personal data concerning them rectified, and should have a 'right to be forgotten' where the retention of those data infringes this Regulation or Union or Member State law to which the controller is subject. In particular, data subjects should have the right to have their personal data erased and no longer processed, where such personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, where data subjects have withdrawn their consent to the processing or object to the processing of personal data concerning them, or where the processing of their personal data is otherwise inconsistent with this Regulation. This right is relevant, in particular, where the data subject gave consent when they were a child and were not fully aware of the risks involved in the processing, and subsequently wishes to have those personal data deleted, in particular on the internet. …
(Recital 66) In order to strengthen the digital 'right to be forgotten', the right to erasure should also be extended so that the controller who made personal data public is required to inform controllers processing those personal data that any links to, or copies or reproductions of, those data should be erased. …
(Recital 67) Methods for restricting the processing of personal data could include, inter alia, temporarily moving selected data to another processing system, making selected personal data inaccessible to users, or temporarily removing published data from a website. In automated filing systems, restriction of processing should in principle be ensured by technical means in such a way that the personal data are not subject to further processing operations and cannot be altered. The fact that the processing of personal data is restricted should be clearly indicated in the filing system.
(Recital 68) To further strengthen their control over their own data, data subjects should also have the right, where personal data are processed by automated means, to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used, machine-readable and interoperable format and to transmit those data to another controller. Controllers should be encouraged to develop interoperable formats allowing data portability. …
(Recital 69) Where personal data could be lawfully processed because the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or because of the legitimate interests of the controller or a third party, data subjects should nevertheless have the right to object to processing of any personal data relating to their particular situation. The burden of proving that its compelling legitimate interests override the interests or fundamental rights and freedoms of the data subject should rest with the controller.
(Recital 70) Where personal data are processed for direct marketing purposes, the data subject should have the right to object at any time and free of charge to such processing, including profiling to the extent that it is related to such direct marketing, whether for the initial processing or for further processing. …
(Recital 71) The data subject should have the right not to be subject to a decision, which may include a measure, involving the evaluation of certain personal aspects relating to him or her, which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as the automatic rejection of an online credit application or online recruitment practices without any human intervention. This type of processing includes “profiling” which consists of any form of automated processing of personal data to evaluate personal aspects relating to a natural person, in particular to analyze or predict aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behavior, or location and movements, as long as it produces legal effects concerning the data subject or similarly significantly affects him or her. …
(Recital 73) Limitations to certain specific principles as well as to the right to information, the right of access to personal data, the right to rectification or erasure of such data, the right to data portability, the right to object, to decisions based on profiling, as well as to the communication of a personal data breach to a data subject and to certain related obligations of controllers may be imposed by Union or Member State law, …
(Recital 74) It is appropriate to establish the responsibility of the controller for any processing of personal data carried out by the controller or on its behalf. In particular, it is important that the controller is required to implement appropriate and effective measures and is able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. …
(Recital 75) Risks to the rights and freedoms of natural persons, the likelihood and severity of which vary, may result from the processing of personal data which is likely to result in physical, material or non-pecuniary damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of data protected by professional secrecy, unauthorized reversal of the pseudonymization process or any other significant economic or social damage; where data subjects may be deprived of their rights and freedoms or prevented from exercising control over their personal data; where the processing concerns personal data revealing racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, as well as genetic data, data concerning health or data concerning sex life or data relating to criminal convictions and offenses, or related security measures; when personal aspects are evaluated, in particular in the context of analyzing or predicting elements concerning work performance, economic situation, health, personal preferences or interests, reliability or behavior, location or movements, with a view to creating or using individual profiles; when the processing concerns personal data relating to vulnerable natural persons, in particular children; or when the processing concerns a large volume of personal data and affects a large number of data subjects.
(Recital 76) The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined in light of the nature, scope, context and purposes of the processing. …
(Recital 78) The protection of the rights and freedoms of natural persons with regard to the processing of personal data requires the adoption of appropriate technical and organisational measures to ensure that the requirements of this Regulation are complied with. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal rules and implement measures which respect, in particular, the principles of data protection by design and data protection by default. Such measures could include, inter alia, minimising the processing of personal data, pseudonymising personal data where possible, ensuring transparency regarding the functions and processing of personal data, allowing the data subject to control the processing of data, allowing the controller to implement or improve security features. When developing, designing, selecting and using applications, services and products that rely on the processing of personal data or process personal data to perform their functions, product manufacturers, service providers and application producers should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to ensure that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and data protection by default should also be taken into account in public procurement.
(Recital 79) The protection of the rights and freedoms of data subjects, as well as the liability of controllers and processors, including in the context of supervision by supervisory authorities and measures taken by them, requires a clear allocation of responsibilities under this Regulation, …
(Recital 80) Where a controller or processor not established in the Union processes personal data of data subjects who are in the Union and its processing activities are related to the offering of goods or services to those data subjects in the Union, whether or not payment is required, or to the monitoring of their behaviour, to the extent that it takes place within the Union, the controller or processor should designate a representative, unless the processing is occasional, does not involve processing, on a large scale, of special categories of personal data or the processing of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing, or the controller is a public authority or body. The representative should act on behalf of the controller or processor and may be contacted by any supervisory authority. The representative should be expressly designated by a written mandate from the controller or processor to act on its behalf in relation to its obligations under this Regulation. The designation of that representative shall be without prejudice to the responsibilities of the controller or processor under this Regulation. …
(Recital 81) In order to ensure that the requirements of this Regulation are met in the context of processing carried out by a processor on behalf of the controller, where the latter entrusts processing activities to a processor, the controller should only use processors who provide sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, for the implementation of technical and organisational measures which will meet the requirements of this Regulation, including the security of the processing. …
(Recital 82) In order to demonstrate compliance with this Regulation, the controller or processor should keep records of the processing activities under its responsibility. …
(Recital 83) In order to ensure security and prevent processing in breach of this Regulation, it is important that the controller or processor assesses the risks inherent in the processing and implements measures to mitigate them, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. …
(Recital 84) In order to better ensure compliance with this Regulation where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the controller should be responsible for carrying out a data protection impact assessment to assess, in particular, the origin, nature, specificity and severity of that risk. The outcome of that assessment should be taken into account when determining the appropriate measures to demonstrate that the processing of personal data complies with this Regulation. Where the data protection impact assessment shows that the data processing operations involve a high risk which cannot be mitigated by the controller by taking appropriate measures, taking into account available techniques and the costs related to their implementation, the supervisory authority should be consulted before the processing takes place.
(Recital 85) A personal data breach may, if no timely and appropriate action is taken, cause physical, material or moral harm to the natural persons concerned, such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorized reversal of the pseudonymization procedure, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or other significant economic or social damage. Accordingly, as soon as the controller becomes aware of a personal data breach, it should notify the supervisory authority without undue delay and, where possible, no later than 72 hours after becoming aware of it, unless it can demonstrate, in accordance with the principle of accountability, that the breach in question is unlikely to result in a risk to the rights and freedoms of natural persons. If such notification cannot be given within the 72-hour period, the notification should be accompanied by the reasons for the delay and information may be provided in stages without further undue delay.
(Recital 86) The controller should notify the data subject of a personal data breach without undue delay where the breach is likely to result in a high risk to the rights and freedoms of the natural person so that the data subject can take appropriate precautions. …
(Recital 87) It should be verified whether all appropriate technical and organizational safeguards have been implemented to immediately establish whether a personal data breach has occurred and to promptly inform the supervisory authority and the data subject. …
(Recital 91) This should apply in particular to large-scale processing operations which aim to process a considerable amount of personal data at regional, national or supranational level, which may affect a significant number of data subjects and which are likely to result in a high risk, for example, due to their sensitivity, where, in accordance with the state of the art, a new technique is applied on a large scale, as well as to other processing operations which result in a high risk to the rights and freedoms of data subjects, in particular where, as a result of such operations, it is more difficult for data subjects to exercise their rights. A data protection impact assessment should also be carried out where personal data are processed for the purpose of taking decisions relating to specific natural persons following a systematic and in-depth evaluation of personal aspects specific to natural persons based on profiling of those data or following the processing of special categories of personal data, biometric data or data relating to criminal convictions and offences, or related security measures. …
(Recital 92) There are cases in which it may be reasonable and cost-effective to broaden the scope of the data protection impact assessment beyond a single project, for example where public authorities or public bodies intend to implement a common application or processing platform, or where several controllers intend to create a common application or processing environment across an entire sector or professional segment, or for a widely used cross-functional activity.
(Recital 94) Where a data protection impact assessment shows that, in the absence of safeguards, security measures and risk mitigation mechanisms, the processing would result in a high risk to the rights and freedoms of natural persons and the controller is of the opinion that the risk cannot be mitigated by reasonable means taking into account available technology and the costs of implementation, the supervisory authority should be consulted before processing operations begin. …
(Recital 97) Where processing is carried out by a public authority, with the exception of courts or independent judicial authorities acting in their judicial capacity, where, in the private sector, it is carried out by a controller whose core activities consist of processing operations requiring regular and systematic monitoring of data subjects on a large scale, or where the core activities of the controller or processor consist of large-scale processing of special categories of personal data and data relating to criminal convictions and offences, a person with expert knowledge of data protection law and practice should assist the controller or processor in verifying internal compliance with this Regulation. …
(Recital 98) Associations or other bodies representing categories of controllers or processors should be encouraged to draw up codes of conduct, within the limits of this Regulation, so as to facilitate its proper application, taking into account the specificities of processing carried out in certain sectors and the specific needs of micro, small and medium-sized enterprises. …
(Recital 101) Flows of personal data to and from countries outside the Union and international organisations are necessary for the development of international trade and international cooperation. The increase in such flows has created new challenges and concerns regarding the protection of personal data. However, it is important that, when personal data are transferred from the Union to controllers, processors or other recipients in third countries or to international organisations, the level of protection of natural persons guaranteed in the Union by this Regulation is not undermined, including in the case of onward transfers of personal data from the third country or international organisation to controllers or processors in the same or a different third country, or to another international organisation. In any event, transfers to third countries and to international organisations may only take place in full compliance with this Regulation. …
(Recital 103) The Commission may decide, with effect throughout the Union, that a third country, a territory or a specific sector within a third country, or an international organisation offers an adequate level of data protection, thereby ensuring legal certainty and uniformity throughout the Union with regard to the third country or international organisation deemed to offer such a level of protection. In that case, transfers of personal data to that third country or international organisation may take place without the need to obtain further authorisation. …
(Recital 104) Having regard to the fundamental values on which the Union is founded, in particular the protection of human rights, the Commission should, in its assessment of a third country, a territory or a specific sector within a third country, take into account the manner in which a specific third country respects the rule of law, ensures access to justice and observes international rules and standards in the field of human rights, as well as its general and sectoral legislation, including legislation on public security, defence and national security as well as public order and criminal law. …
(Recital 105) In addition to the international commitments entered into by the third country or international organisation, the Commission should take into account the obligations arising from the participation of the third country or international organisation in multilateral or regional systems, in particular as regards the protection of personal data, and the implementation of those obligations. In particular, account should be taken of the accession of the third country to the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data and its Additional Protocol. …
(Recital 108) In the absence of an adequacy decision, the controller or processor should take measures to compensate for the inadequacy of data protection in the third country through appropriate safeguards for the data subject. …
(Recital 109) The possibility for controllers and processors to use standard data protection clauses adopted by the Commission or by a supervisory authority should not prevent them from including those clauses in a broader contract, such as a contract between the processor and another processor, or from adding other clauses or additional safeguards, provided that these do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority and do not adversely affect the fundamental rights and freedoms of data subjects. …
(Recital 110) A group of undertakings or a group of undertakings engaged in a joint economic activity should be able to use approved binding corporate rules for its international transfers from the Union to entities in the same group of undertakings, or in the same group of undertakings engaged in a joint economic activity, provided that those corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.
(Recital 114) In any event, where the Commission has not taken a position on the adequacy of the level of data protection in a third country, the controller or processor should adopt solutions which guarantee data subjects enforceable and effective rights with regard to the processing of their data in the Union once those data have been transferred, so that those data subjects continue to benefit from fundamental rights and guarantees.
(Recital 116) When personal data crosses the external borders of the Union, this may increase the risk that individuals will not be able to exercise their data protection rights, in particular to protect themselves against the unlawful use or disclosure of that information. … Accordingly, it is necessary to foster closer cooperation between data protection supervisory authorities, to help them exchange information and conduct investigations with their international counterparts. …
(Recital 121) The general conditions applicable to the member(s) of the supervisory authority should be laid down by law in each Member State and should provide in particular that those members are appointed, in accordance with a transparent procedure, by the parliament, the government or the Head of State of that Member State, on a proposal from the government or a member of the government, or from the parliament or a chamber of parliament, or by an independent body entrusted with this task under the law of a Member State. …
(Recital 122) Each supervisory authority should be competent in the territory of its Member State to exercise the tasks and powers conferred on it in accordance with this Regulation. …
(Recital 124) Where the processing of personal data takes place in the context of the activities of an establishment of a controller or processor in the Union and that controller or processor is established in more than one Member State, or where the processing which takes place in the context of the activities of a single establishment of a controller or processor in the Union substantially affects or is likely to substantially affect data subjects in more than one Member State, the supervisory authority having jurisdiction over the main or single establishment of the controller or processor should act as lead authority. …
(Recital 125) The lead authority should be competent to adopt binding decisions on measures to implement the powers conferred on it in accordance with this Regulation. In its capacity as lead authority, the supervisory authority should closely involve the relevant supervisory authorities in the decision-making process and ensure close coordination in that context. …
(Recital 129) In order to ensure consistent enforcement and monitoring of this Regulation across the Union, supervisory authorities should have, in each Member State, the same tasks and effective powers, including powers of investigation, the power to adopt corrective measures and impose sanctions, as well as the power to authorise and issue advisory opinions, in particular in the case of complaints lodged by natural persons, and, without prejudice to the powers of prosecuting authorities under Member State law, the power to bring infringements of this Regulation to the attention of judicial authorities and to take legal action. Those powers should also include the power to impose a temporary or permanent restriction on processing, including a prohibition. …
(Recital 130) Where the supervisory authority to which the complaint has been lodged is not the lead supervisory authority, the lead supervisory authority should cooperate closely with the supervisory authority to which the complaint has been lodged in accordance with the provisions on cooperation and consistency laid down in this Regulation. …
(Recital 137) Urgent action may be necessary to protect the rights and freedoms of data subjects, in particular where there is a danger that the exercise of a data subject's right could be significantly impeded. Accordingly, a supervisory authority should be able to adopt, within its territory, provisional measures which are duly justified and have a specified period of validity which should not exceed three months.
(Recital 138) The application of such a mechanism should be a condition of the lawfulness of a measure intended to produce legal effects taken by a supervisory authority in cases where such application is mandatory. …
(Recital 141) Every data subject should have the right to lodge a complaint with a single supervisory authority, in particular in the Member State where he or she has his or her habitual residence, and the right to an effective judicial remedy in accordance with Article 47 of the Charter if he or she considers that his or her rights under this Regulation are infringed or if the supervisory authority does not act on his or her complaint, refuses or rejects it, in whole or in part, or fails to act when action is necessary to protect the data subject's rights. The investigation following a complaint should be conducted, under judicial supervision, to the appropriate extent required by the individual case.
(Recital 142) Where a data subject considers that his or her rights under this Regulation are infringed, he or she should have the right to mandate a non-profit body, organisation or association, established in accordance with the law of a Member State, whose statutory objectives are of public interest and which is active in the field of personal data protection, to lodge a complaint on his or her behalf with a supervisory authority, to exercise the right to a judicial remedy on behalf of data subjects or, if provided for by Member State law, to exercise the right to obtain compensation on behalf of data subjects. …
(Recital 143) Any natural or legal person has the right to bring an action for annulment of the Committee's decisions before the Court of Justice under the conditions laid down in Article 263 of the Treaty on the Functioning of the European Union. Upon receipt of such decisions, the supervisory authorities concerned wishing to challenge them must do so within two months of notification thereof, in accordance with Article 263 of the Treaty on the Functioning of the European Union. …
Where a complaint has been rejected or refused by a supervisory authority, the complainant may bring an action before the courts of that same Member State. …
(Recital 144) Where a court seised of an action against a decision taken by a supervisory authority has reason to believe that actions concerning the same processing, for example the same subject matter, carried out by the same controller or processor, or the same cause of action, are being brought before a competent court in another Member State, it should contact that other court in order to confirm the existence of such related actions. …
(Recital 145) With regard to actions against a controller or processor, the applicant should be able to choose to bring the action before the courts of the Member States in which the controller or processor has an establishment or in the Member State in which the data subject resides, unless the controller is a public authority of a Member State acting in the exercise of its public powers.
(Recital 146) The controller or processor should compensate any damage that a data subject may suffer as a result of processing carried out in breach of this Regulation. The controller or processor should be exempt from liability if it proves that the damage is in no way attributable to it. … However, where controllers and processors are involved in the same legal proceedings, in accordance with the law of a Member State, compensation may be apportioned according to the share of responsibility of each controller or processor for the damage caused by the processing, provided that the damage suffered by the data subject is fully and effectively compensated. …
(Recital 148) In order to strengthen the enforcement of the rules of this Regulation, sanctions, including administrative fines, should be imposed for any infringement of this Regulation, in addition to or instead of appropriate measures imposed by the supervisory authority pursuant to this Regulation. In the case of a minor infringement or if the fine that may be imposed would impose a disproportionate burden on a natural person, a warning may be issued instead of a fine. However, due account should be taken of the nature, gravity and duration of the infringement, the intentional nature of the infringement and the measures taken to mitigate the damage suffered, the degree of responsibility or any previous relevant infringements, how the supervisory authority became aware of the infringement, compliance with measures ordered against the controller or processor, the application of a code of conduct, and any other aggravating or mitigating circumstances. The application of sanctions, including administrative fines, should be subject to appropriate procedural safeguards in accordance with the general principles of Union law and the Charter, including the right to effective judicial protection and due process.
(Recital 150) In order to strengthen and harmonise the administrative penalties applicable to infringements of this Regulation, each supervisory authority should have the power to impose administrative fines. This Regulation should define the infringements, the maximum amount and the criteria for setting the administrative fines to which they are subject, which should be set by the competent supervisory authority in each individual case, taking into account all the specific characteristics of each case and having due regard, in particular, to the nature, gravity and duration of the infringement and its consequences, as well as to the measures taken to ensure compliance with the obligations arising from the Regulation and to prevent or mitigate the consequences of the infringement. …
(Recital 152) Where this Regulation does not harmonise administrative sanctions or, where necessary in other circumstances, for example in cases of serious infringements of this Regulation, Member States should implement a system which provides for effective, proportionate and dissuasive sanctions. The nature of those sanctions, whether criminal or administrative, should be determined by the law of the Member States.
(Recital 153) Member State law should reconcile the rules governing freedom of expression and information, including journalistic, academic, artistic or literary expression, with the right to the protection of personal data under this Regulation. In the context of the processing of personal data solely for journalistic purposes or for the purposes of academic, artistic or literary expression, derogations or exemptions from certain provisions of this Regulation should be provided for if this is necessary to reconcile the right to the protection of personal data with the right to freedom of expression and information, as enshrined in Article 11 of the Charter. …
(Recital 154) This Regulation allows for the principle of public access to official documents to be taken into account in its application. Public access to official documents may be considered to be in the public interest. …
(Recital 155) Member State law or collective agreements, including 'company agreements', may provide for specific rules on the processing of employees' personal data in the context of employment relationships, including the conditions under which personal data in the context of employment relationships may be processed on the basis of the employee's consent, for the purposes of recruitment, performance of the employment contract, including compliance with obligations laid down by law or by collective agreements, management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, and for the purpose of exercising and enjoying employment rights and benefits, individually or collectively, as well as for the purpose of terminating the employment relationship.
(Recital 162) Where personal data are processed for statistical purposes, this Regulation should apply to that processing. Union or Member State law should, within the limits of this Regulation, determine the statistical content, define the control of access to the data and lay down specific provisions for the processing of personal data for statistical purposes and appropriate measures to safeguard the rights and freedoms of the data subject and to maintain statistical confidentiality. …
(Recital 163) Confidential information collected by Union and Member State statistical authorities for the purpose of producing official European and national statistics should be protected. …
(Recital 164) As regards the powers of supervisory authorities to obtain from the controller or processor access to personal data and access to their premises, Member States may, within the limits of this Regulation, adopt by law specific rules to ensure the obligation of professional secrecy or other equivalent obligations of secrecy, insofar as this is necessary to reconcile the right to the protection of personal data and the obligation of professional secrecy. …
(Recital 166) In order to achieve the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data, and to ensure the free movement of such data within the Union, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission. In particular, delegated acts should be adopted concerning the criteria and requirements for certification mechanisms, the information to be presented in the form of standardised icons and the procedures for the provision of such icons. …
(Recital 168) Given the general scope of the acts concerned, the examination procedure should be used for the adoption of implementing acts in relation to standard contractual clauses between controllers and processors and between processors; codes of conduct; technical standards and certification mechanisms; …
(Recital 170) Since the objective of this Regulation, namely to ensure an equivalent level of protection of natural persons and the free flow of personal data throughout the Union, cannot be sufficiently achieved by the Member States but can rather, by reason of the scale or effects of the action, be better achieved at Union level, the Union may adopt measures, …