Chapter 1 General provisions

Article 1 Subject-matter and objectives

Article 2 Material scope

3. The processing of personal data by Union institutions, bodies, offices and agencies is governed by Regulation (EC) No 45/2001. In accordance with Article 98 of this Regulation, Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data shall be adapted to the principles and rules of this Regulation.

Article 3 Territorial scope

Article 4 Definitions

(12) 'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

(25) 'information society service' means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;

Chapter 2 Principles

Article 5 Principles relating to processing of personal data

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').

Article 6 Lawfulness of processing

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) the possible consequences of the intended further processing for data subjects;

Article 7 Conditions for consent

Article 8 Conditions applicable to child's consent in relation to information society services

Article 9 Processing of special categories of personal data

Article 10 Processing of personal data relating to criminal convictions and offences

Article 11 Processing which does not require identification

Chapter 3 Rights of the data subject

Section 1 Transparency and modalities

Article 12 Transparent information, communication and modalities for the exercise of the rights of the data subject

Section 2 Information and access to personal data

Article 13 Information to be provided where personal data are collected from the data subject

Article 14 Information to be provided where personal data have not been obtained from the data subject

Article 15 Right of access by the data subject

Section 3 Rectification and erasure

Article 16 Right to rectification

Article 17 Right to erasure ('right to be forgotten')

Article 18 Right to restriction of processing

Article 19 Notification obligation regarding rectification or erasure of personal data or restriction of processing

Article 20 Right to data portability

Section 4 Right to object and automated individual decision-making

Article 21 Right to object

Article 22 Automated individual decision-making, including profiling

Section 5 Restrictions

Article 23 Restrictions

Chapter 4 Controller and processor

Section 1 General obligations

Article 24 Responsibility of the controller

Article 25 Data protection by design and by default

Article 26 Joint controllers

Article 27 Representatives of controllers or processors not established in the Union

Article 28 Processor

Article 29 Processing under the authority of the controller or processor

Article 30 Records of processing activities

Article 31 Cooperation with the supervisory authority

Section 2 Security of personal data

Article 32 Security of processing

Article 33 Notification of a personal data breach to the supervisory authority

Article 34 Communication of a personal data breach to the data subject

Section 3 Data protection impact assessment and prior consultation

Article 35 Data protection impact assessment

Article 36 Prior consultation

Section 4 Data protection officer

Article 37 Designation of the data protection officer

Article 38 Position of the data protection officer

Article 39 Tasks of the data protection officer

Section 5 Codes of conduct and certification

Article 40 Codes of conduct

Article 41 Monitoring of approved codes of conduct

Article 42 Certification

Article 43 Certification bodies

(b) the national accreditation body named in accordance with Regulation (EC) No 765/2008 of the European Parliament and of the Council, in accordance with EN-ISO/IEC 17065/2012 and with the additional requirements established by the supervisory authority which is competent pursuant to Article 55 or 56.

3. The accreditation of certification bodies as referred to in paragraphs 1 and 2 shall take place on the basis of criteria approved by the supervisory authority which is competent pursuant to Article 55 or 56, or by the European Data Protection Board pursuant to Article 63. In the case of accreditation pursuant to point (b) of paragraph 1 of this Article, those requirements shall complement those envisaged in Regulation (EC) No 765/2008 and the technical rules that describe the methods and procedures of the certification bodies.

Chapter 5 Transfers of personal data to third countries or international organisations

Article 44 General principle for transfers

Article 45 Transfers on the basis of an adequacy decision

Article 46 Transfers subject to appropriate safeguards

Article 47 Binding corporate rules

Article 48 Transfers or disclosures not authorised by Union law

Article 49 Derogations for specific situations

Article 50 International cooperation for the protection of personal data

Chapter 6 Independent supervisory authorities

Section 1 Independent status

Article 51 Supervisory authority

Article 52 Independence

Article 53 General conditions for the members of the supervisory authority

Article 54 Rules on the establishment of the supervisory authority

Section 2 Competence, tasks and powers

Article 55 Competence

Article 56 Competence of the lead supervisory authority

Article 57 Tasks

(e) upon request, provide information to any data subject concerning the exercise of their rights under this Regulation and, if appropriate, cooperate with the supervisory authorities in other Member States to that end;

Article 58 Powers

Article 59 Activity reports

Chapter 7 Cooperation and consistency

Section 1 Cooperation

Article 60 Cooperation between the lead supervisory authority and the other supervisory authorities concerned

Article 61 Mutual assistance

Article 62 Joint operations of supervisory authorities

Section 2 Consistency

Article 63 Consistency mechanism

Article 64 Opinion of the European Data Protection Board

Article 65 Dispute resolution by the European Data Protection Board

Article 66 Urgency procedure

Article 67 Exchange of information

Section 3 European Data Protection Board

Article 68 European Data Protection Board

Article 69 Independence

Article 70 Tasks of the European Data Protection Board

Article 71 Reports

Article 72 Procedure

Article 73 Chair

Article 74 Tasks of the Chair

Article 75 Secretariat

(d) the use of electronic means for internal and external communication;

Article 76 Confidentiality

2. Access to documents submitted to members of the European Data Protection Board, experts and representatives of third parties shall be governed by Regulation (EC) No 1049/2001 of the European Parliament and of the Council [1].

Chapter 8 Remedies, liability and penalties

Article 77 Right to lodge a complaint with a supervisory authority

Article 78 Right to an effective judicial remedy against a supervisory authority

Article 79 Right to an effective judicial remedy against a controller or processor

Article 80 Representation of data subjects

Article 81 Suspension of proceedings

Article 82 Right to compensation and liability

Article 83 General conditions for imposing administrative fines

4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines of up to 10 000 000 EUR or, in the case of an undertaking, up to 2 % of its total worldwide annual turnover of the preceding financial year, whichever is higher:

5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines of up to 20 000 000 EUR or, in the case of an undertaking, up to 4 % of its total worldwide annual turnover of the preceding financial year, whichever is higher:

6. Non-compliance with an order issued by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2, be subject to administrative fines of up to 20 000 000 EUR or, in the case of an undertaking, up to 4 % of its total worldwide annual turnover of the preceding financial year, whichever is higher.

Article 84 Penalties

Chapter 9 Provisions relating to specific processing situations

Article 85 Processing and freedom of expression and information

Article 86 Processing and public access to official documents

Article 87 Processing of the national identification number

Article 88 Processing in the context of employment

Article 89 Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

Article 90 Obligations of secrecy

2. Each Member State shall notify to the Commission the rules adopted pursuant to paragraph 1 [within two years of the entry into force of this Regulation] and, without delay, any subsequent amendment affecting them.

Article 91 Existing data protection rules of churches and religious associations

Chapter 10 Delegated acts and implementing acts

Article 92 Exercise of the delegation

Article 93 Committee procedure

1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

3. Where reference is made to this paragraph, Article 8 of Regulation (EU) No 182/2011, in conjunction with Article 5 thereof, shall apply.

Chapter 11 Final provisions

Article 94 Repeal of Directive 95/46/EC

Article 95 Relationship with Directive 2002/58/EC

Article 96 Relationship with previously concluded agreements

Article 97 Commission reports

Article 98 Review of other Union legal acts on data protection

Article 99 Entry into force and application

Note: [1] Regulation (EC) No 1049/2001 of the European Parliament and of the Council regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43).


Welcome to this website. So that you can use the services and information on this website with confidence, we set out below the privacy protection policy of this platform and how it protects your rights and interests. Please read the following carefully:

Scope of the privacy protection policy
This privacy protection policy covers how this platform handles the personally identifiable information it collects when you use the website's services. It does not apply to linked websites outside this platform, nor to persons who are not entrusted with, or involved in, the management of this platform.

How information is collected and used
To provide you with the best interactive services on this platform, you may be asked to provide personal information when you register as a user or take part in activities on the platform or in its public forums. When you use interactive functions such as the service mailbox or the contact form, the information you provide (for example your name, gender, age, date of birth, telephone number, mailing address, residential address and email address) is retained. Unless we obtain your consent or the law provides otherwise, this website will not disclose your personal information to third parties or use it for purposes other than those for which it was collected. This platform will, however, provide personal information when required to do so by law enforcement agencies or for reasons of public safety, and accepts no responsibility for disclosure in such cases.

External links from the platform
The pages of this platform provide links to other websites, and you can reach other websites through the links provided here. The privacy protection policy of this website does not apply to those linked websites; please refer to the privacy protection policy of each linked website.

Use of cookies
To provide you with the best service, this platform may place and read its cookies on your computer. If you do not want to accept cookies, you can raise the privacy setting in your browser to refuse them, but some functions of the website may then not work properly.

Inquiry, correction and deletion of personal data
If you need to inquire about, read, supplement, correct or delete your personal data, you can contact the customer service centre by email, and the platform's customer service centre will handle your request promptly.
Customer service centre email: hocom@1655.com.tw

Amendments to the privacy policy
The privacy protection policy of this platform may be revised at any time as needed; revised terms will be published on the platform.

EU General Data Protection Regulation (GDPR)

Chapter 1 General provisions

Article 1 Subject-matter and objectives

1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.

2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.

Article 2 Material scope

1. This Regulation applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

2. This Regulation does not apply to the processing of personal data:

(a) in the course of an activity which falls outside the scope of Union law;

(b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the Treaty on European Union (TEU);

(c) by a natural person in the course of a purely personal or household activity;

(d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

3. The processing of personal data by Union institutions, bodies, offices and agencies is governed by Regulation (EC) No 45/2001. In accordance with Article 98 of this Regulation, Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data shall be adapted to the principles and rules of this Regulation.

4. This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules for intermediary service providers in Articles 12 to 15 of that Directive.

Article 3 Territorial scope

1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing itself takes place in the Union or not.

2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services to such data subjects in the Union, irrespective of whether a payment by the data subject is required; or

(b) the monitoring of their behaviour as far as that behaviour takes place within the Union.

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

Article 4 Definitions

For the purposes of this Regulation:

(1) "personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(2) "processing" means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

(3) "restriction of processing" means the marking of stored personal data with the aim of limiting their processing in the future;

(4) "profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

(5) "pseudonymisation" means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

(6) "filing system" means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

(7) "controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

(8) "processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

(9) "recipient" means a natural or legal person, public authority, agency or another body to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall comply with the applicable data protection rules according to the purposes of the processing;

(10) "third party" means a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;

(11) "consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

(12) "personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

(13) "genetic data" means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;

(14) "biometric data" means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or fingerprint (dactyloscopic) data;

(15) "data concerning health" means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

(16) "main establishment" means:

(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and that establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is considered to be the main establishment;

(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union or, if the processor has no central administration in the Union, the establishment of the processor in the Union where the main processing activities take place, to the extent that the processor is subject to specific obligations under this Regulation;

(17) "representative" means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation;

(18) "enterprise" means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity;

(19) "group of undertakings" means a controlling undertaking and its controlled undertakings;

(20) "binding corporate rules" means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or a group of enterprises engaged in a joint economic activity;

(21) "supervisory authority" means an independent public authority which is established by a Member State pursuant to Article 51;

(22) "supervisory authority concerned" means a supervisory authority which is concerned by the processing of personal data because:

(a) the controller or processor is established on the territory of the Member State of that supervisory authority;

(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or

(c) a complaint has been lodged with that supervisory authority;

(23) "cross-border processing" means either:

(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union, where the controller or processor is established in more than one Member State; or

(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects, or is likely to substantially affect, data subjects in more than one Member State;

(24) "relevant and reasoned objection" means an objection to a draft decision as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the Union;

(25) "information society service" means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council;

(26) "international organisation" means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

Chapter 2 Principles

Article 5 Principles relating to processing of personal data

1. Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency");

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered incompatible with the initial purposes ("purpose limitation");

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimisation");

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ("accuracy");

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as they will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ("storage limitation");

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ("integrity and confidentiality").

2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ("accountability").

Article 6 Lawfulness of processing

1. Processing shall be lawful only if, and to the extent that, at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation with regard to processing under points (c) and (e) of paragraph 1, by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing, including for other specific processing situations as provided for in Chapter 9.

3. The basis for the processing referred to in points (c) and (e) of paragraph 1 shall be laid down by:

(a) Union law; or

(b) Member State law to which the controller is subject.

The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of the rules of this Regulation, among them: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to which, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations provided for in Chapter 9. The Union or Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.

4. Where processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for the other purpose is compatible with the purpose for which the personal data were initially collected, take into account, among other factors:

(a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;

(b) the context in which the personal data have been collected, in particular the relationship between the data subjects and the controller;

(c) the nature of the personal data, in particular whether special categories of personal data are processed pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed pursuant to Article 10;

(d) the possible consequences of the intended further processing for data subjects;

(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.

Article 7 Conditions for consent

1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data.

2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. The data subject shall be informed of this before giving consent. It shall be as easy to withdraw consent as to give it.

4. When assessing whether consent is freely given, utmost account shall be taken of whether, among other things, the performance of a contract, including the provision of a service, is made conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Article 8 Conditions applicable to child's consent in relation to information society services

1. Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16, such processing shall be lawful only if, and to the extent that, consent is given or authorised by the holder of parental responsibility over the child.

Member States may provide by law for a lower age for those purposes, provided that such lower age is not below 13 years.

2. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.

3. Paragraph 1 shall not affect the general contract law of the Member States, such as the rules on the validity, formation or effect of a contract in relation to a child.

Article 9 Processing of special categories of personal data

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, shall be prohibited.

2. Paragraph 1 shall not apply if one of the following applies:

(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provides that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

(d) processing is carried out in the course of its legitimate activities, with appropriate safeguards, by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim, on condition that the processing relates solely to the members or former members of the body or to persons who have regular contact with it in connection with its purposes, and that the personal data are not disclosed outside that body without the consent of the data subjects;

(e) processing relates to personal data which are manifestly made public by the data subject;

(f) processing is necessary for the establishment, exercise or defence of legal claims, or whenever courts are acting in their judicial capacity;

(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services, on the basis of Union or Member State law or pursuant to a contract with a health professional, and subject to the conditions and safeguards referred to in paragraph 3;

(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy; or

(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by, or under the responsibility of, a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies, or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.

Article 10 Processing of personal data relating to criminal convictions and offenses

Processing of personal data relating to criminal convictions and offenses, or to related security measures, based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorized by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.

Article 11 Processing which does not require identification

1. If the purposes for which a controller processes personal data do not or no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation.

2. Where, in the cases referred to in paragraph 1, the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible. In such cases, Articles 15 to 20 shall not apply except where the data subject, for the purpose of exercising his or her rights under those Articles, provides additional information enabling his or her identification.

Chapter 3 Rights of Data Subjects

Part One Transparency and modalities

Article 12 Transparent information, communication and modalities for the exercise of the rights of the data subject

1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

2. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.

3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

(a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or

(b) refuse to act on the request.

The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

6. Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

7. The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardized icons in order to give, in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.

8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardized icons.

Part 2 Information and access to personal data

Article 13 Information to be provided where personal data are collected from the data subject

1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when the personal data are obtained, provide the data subject with all of the following information:

(a) the identity and the contact details of the controller and, where applicable, of the controller's representative;

(b) the contact details of the data protection officer, where applicable;

(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

(d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;

(e) the recipients or categories of recipients of the personal data, if any;

(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision by the Commission, or, in the case of transfers referred to in Article 46 or 47 or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

2. In addition to the information referred to in paragraph 1, the controller shall, at the time when the personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:

(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

(b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject, or to object to processing, as well as the right to data portability;

(c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

(d) the right to lodge a complaint with a supervisory authority;

(e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data;

(f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

3. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject, prior to that further processing, with information on that other purpose and with any relevant further information as referred to in paragraph 2.

4. Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.

Article 14 Information to be provided where personal data have not been obtained from the data subject

1. Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:

(a) the identity and the contact details of the controller and, where applicable, of the controller's representative;

(b) the contact details of the data protection officer, where applicable;

(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

(d) the categories of personal data concerned;

(e) the recipients or categories of recipients of the personal data, if any;

(f) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organization and the existence or absence of an adequacy decision by the Commission, or, in the case of transfers referred to in Article 46 or 47 or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:

(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

(b) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;

(c) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject, and to object to processing, as well as the right to data portability;

(d) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

(e) the right to lodge a complaint with a supervisory authority;

(f) from which source the personal data originate and, if applicable, whether they came from publicly accessible sources;

(g) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

3. The controller shall provide the information referred to in paragraphs 1 and 2:

(a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;

(b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or

(c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

4. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject, prior to that further processing, with information on that other purpose and with any relevant further information as referred to in paragraph 2.

5. Paragraphs 1 to 4 shall not apply where and insofar as:

(a) the data subject already has the information;

(b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1), or insofar as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available;

(c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests; or

(d) the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.

Article 15 Data subject’s right of access

1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and the following information:

(a) the purposes of the processing;

(b) the categories of personal data concerned;

(c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;

(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject, or to object to such processing;

(f) the right to lodge a complaint with a supervisory authority;

(g) where the personal data are not collected from the data subject, any available information as to their source;

(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

2. Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

Part Three Rectification and erasure

Article 16 Right to rectification

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Article 17 Right to erasure ("right to be forgotten")

1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws the consent on which the processing is based according to point (a) of Article 6(1) or point (a) of Article 9(2), and there is no other legal ground for the processing;

(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

(d) the personal data have been unlawfully processed;

(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copies or replications of, those personal data.

3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

(a) for exercising the right of freedom of expression and information;

(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);

(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), insofar as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

(e) for the establishment, exercise or defense of legal claims.

Article 18 Right to restrict processing

1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

(a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

(b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

(c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;

(d) the data subject has objected to processing pursuant to Article 21(1), pending the verification of whether the legitimate grounds of the controller override those of the data subject.

2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject's consent, or for the establishment, exercise or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.

3. A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

Article 19 Notification obligation regarding rectification or erasure of personal data or restriction of processing

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

Article 20 Right to data portability

1. The data subject shall have the right to receive the personal data concerning him or her which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2), or on a contract pursuant to point (b) of Article 6(1); and

(b) the processing is carried out by automated means.

2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

3. The exercise of the right referred to in paragraph 1 shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

Part 4 Right to object and automated individual decision-making

Article 21 Right to object

1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing is for the establishment, exercise or defense of legal claims.

2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Article 22 Automated individual decision-making, including profiling

1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

2. Paragraph 1 shall not apply if the decision:

(a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;

(b) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or

(c) is based on the data subject's explicit consent.

3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.

Part 5 Limitations

Article 23 Restrictions

1. Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 insofar as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

(a) national security;

(b) defense;

(c) public security;

(d) the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;

(e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;

(f) the protection of judicial independence and judicial proceedings;

(g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;

(h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);

(i) the protection of the data subject or the rights and freedoms of others;

(j) the enforcement of civil law claims.

2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:

(a) the purposes of the processing or categories of processing;

(b) the categories of personal data;

(c) the scope of the restrictions introduced;

(d) the safeguards to prevent abuse or unlawful access or transfer;

(e) the specification of the controller or categories of controllers;

(f) the storage periods and the applicable safeguards, taking into account the nature, scope and purposes of the processing or categories of processing;

(g) the risks to the rights and freedoms of data subjects; and

(h) the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.

Chapter 4 Controllers and Processors

Part One General obligations

Article 24 Responsibility of the controller

1. Taking into account the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

2. Where proportionate in relation to the processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.

3. Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.

Article 25 Data protection by design and by default

1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

2. The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible, without the individual's intervention, to an indefinite number of natural persons.

3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.

Article 26 Joint Controllers

1. Two or more controllers are joint controllers when they jointly determine the purposes and means of the processing. They should determine in a transparent manner the corresponding responsibilities for compliance with this Regulation, in particular where this relates to the exercise of individual rights of data subjects and where controllers provide data subjects - in accordance with their contractual arrangements - with Article 13 and Article 13 Responsibility for the information provided for in Article 14, unless EU or Member State law already imposes corresponding liability on the controller.

2. The contractual arrangements specified in paragraph 1 should appropriately reflect the respective roles and relationships of the joint controllers with respect to the data subject. The data subject should be able to know the nature of the arrangement.

3. Regardless of the terms of the contractual arrangement set out in paragraph 1, the data subject may assert his or her rights under this Regulation against any controller.

Article 27 Representatives of controllers or processors not established in the EU

1. Where Article 3(2) applies, the controller or processor shall appoint in writing a representative in the EU.

2. This liability shall not apply to:

(a) Except for large-scale processing of specific categories of data referred to in Article 9(1) or occasional processing of personal data in connection with a criminal conviction or offense referred to in Article 10, and taking into account the processing The nature, context, scope and purpose of the processing are not likely to pose a risk to the rights and freedoms of natural persons; or

(b)Public agency or entity.

3. To provide relevant goods or services to the data subject, or to monitor the data subject's behavior, a representative shall be established in one of the countries where the data subject is located.

4. In order to ensure compliance with this Regulation, in all matters involving processing, the controller or processor shall make mandatory provisions to ensure that its representatives can receive information outside the controller or processor, or on behalf of the controller or processor Information received, in particular with respect to matters requested by supervisory authorities and data subjects.

5. The appointment of a representative by the controller or processor is without prejudice to legal actions which could be initiated against the controller or processor themselves.

Article 28 Processor

1. Where processing is carried out on behalf of a controller, the controller shall use only processors that provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing meets the requirements of this Regulation and protects the rights of data subjects.

2. A processor shall not engage another processor without the prior specific or general written authorization of the controller. In the case of general written authorization, the processor shall inform the controller of any intended changes involving the addition or replacement of other processors, so as to give the controller the opportunity to object to such changes.

3. Processing by a processor shall be governed by a contract or other legal act under EU or Member State law that is binding on the processor with regard to the controller and that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects, and the obligations and rights of the controller. That contract or other legal act shall provide, in particular, that the processor shall:

(a) process the personal data only on written instructions from the controller, including with regard to transfers of personal data to a third country or an international organization, unless the processor is required to do so by EU or Member State law to which it is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless such notification is prohibited on important grounds of public interest;

(b) ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(c) take all measures required by Article 32;

(d) respect the conditions for engaging another processor set out in paragraphs 2 and 4;

(e) taking into account the nature of the processing, assist the controller by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter 3;

(f) assist the controller in fulfilling its obligations under Articles 32 to 36, taking into account the nature of the processing and the information available to the processor;

(g) at the choice of the controller, delete or return all the personal data to the controller after the end of the provision of services relating to processing, and delete existing backups, unless EU or Member State law requires storage of the personal data;

(h) make available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article, and allow for and contribute to audits, including inspections, conducted by the controller or by an auditor mandated by the controller.

With regard to point (h) of the preceding subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other EU or Member State data protection provisions.

4. Where a processor engages another processor to carry out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under EU or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing meets the requirements of this Regulation. Where that other processor fails to fulfill its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.

5. Adherence by a processor to an approved code of conduct as referred to in Article 40, or to an approved certification mechanism as referred to in Article 42, may be used as an element by which to demonstrate the sufficient guarantees referred to in paragraphs 1 and 4 of this Article.

6. Without prejudice to an individual contract between the controller and the processor, the contract or other legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on the standard contractual clauses referred to in paragraphs 7 and 8 of this Article, including when they form part of a certification granted to the controller or processor pursuant to Articles 42 and 43.

7. The European Commission may, with respect to the matters provided for in paragraphs 3 and 4 of this Article, formulate contractual clauses in accordance with the examination procedure set out in Article 93(2).

8. The supervisory authority may formulate standard contract terms in accordance with the consistency mechanism provided for in Article 63 for matters specified in paragraphs 3 and 4 of this Article.

9. The contractual or legal terms specified in paragraphs 3 and 4 must be in writing, including a written record in electronic form.

10. Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.

Article 29 Processing on behalf of the controller or processor

The processor, and any person acting under the authority of the controller or of the processor who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by EU or Member State law.

Article 30 Records of processing activities

1. Each controller – and, if there is one – each controller’s representative, shall keep records of the processing activities for which it is responsible. Such records should contain all of the following information:

(a) The names and contact details of the controller and – if any – joint controllers, the controller’s representative and the data protection officer;

(b) The purposes of the processing;

(c) A description of the type of data subject and the type of personal data;

(d) the categories of recipients, including recipients located in third countries or international organizations, to which the personal data have been or will be disclosed;

(e) where applicable, records of transfers of personal data to a third country or international organization, including records identifying such third country or international organization, and, in the case of transfers referred to in subparagraph 2 of Article 49(1), records of the appropriate safeguards;

(f) If applicable, the estimated period for erasure of different data types;

(g) If applicable, a general description of the technical and organizational security measures specified in Article 32(1).

2. Each processor and - if applicable - the processor's representative shall maintain a record of processing carried out on behalf of the controller, containing the following information:

(a) the name and contact details of the processor or processors and of each controller on whose behalf the processor is acting, and, where applicable, of the controller's or processor's representative and the Data Protection Officer;

(b) The type of processing performed on behalf of each controller;

(c) where applicable, records of transfers of personal data to a third country or international organization, including records identifying such third country or international organization, and, in the case of transfers referred to in subparagraph 2 of Article 49(1), records of the appropriate safeguards;

(d) If any, a general description of the technical and organizational security measures specified in Article 32(1).

3. The records specified in paragraphs 1 and 2 shall be in writing, including written records in electronic form.

4. Upon request by the supervisory authority, the controller or processor and – where appropriate – representatives of the controller or processor, shall make the records accessible.

5. The obligations set out in paragraphs 1 and 2 do not apply to an economic entity or organization with fewer than 250 employees, unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data referred to in Article 9(1) or personal data relating to criminal convictions and offenses referred to in Article 10.

Article 31 Cooperation with supervisory authorities

At the request of the supervisory authority, the controller and processor and – where applicable – their representatives shall cooperate with the supervisory authority.

Part 2 Security of Personal Data

Article 32 Security of processing

1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the likelihood and severity of the risk to the rights and freedoms of natural persons, the controller and processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, as appropriate:

(a) the pseudonymization and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing.

2. When assessing the appropriate level of security, particular consideration should be given to the risks posed by processing, in particular accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data during transmission, storage or processing.

3. Adherence to an approved code of conduct as referred to in Article 40, or to an approved certification mechanism as referred to in Article 42, may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.

4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process those data except on instructions from the controller, unless required to do so by EU or Member State law.

Article 33 Reporting breach of personal data to supervisory authority

1. In the case of a personal data breach, the controller shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority referred to in Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by the reasons for the delay.

2. The processor shall promptly inform the controller upon becoming aware of a personal data breach.

3. The notification specified in paragraph 1 shall include at least:

(a) Describe the nature of the personal data breach, including, where possible, the type and approximate number of relevant data subjects, and the type and approximate number of personal data involved;

(b) Provide the name and contact details of the Data Protection Officer, or other contact information where further information can be obtained;

(c) describe the possible consequences of a personal data breach;

(d) A description of the measures that the controller has taken or plans to take in response to a personal data breach, including - where appropriate - measures to reduce negative impacts.

4. Where, and insofar as, it is not possible to provide all the information at the same time, the information may be provided in phases without undue further delay.

5. Controllers should record all breaches of personal data, including the facts, impact and remedial actions taken. With reference to this record, the supervisory authority is able to verify whether the controller complies with the relevant provisions of this Regulation.

Article 34 Communication of personal data breach to data subject

1. When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall promptly communicate the personal data breach to the data subject.

2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and shall contain at least the information and recommendations provided for in points (b), (c) and (d) of Article 33(3).

3. The controller is not required to communicate the personal data breach to the data subject if any of the following conditions is met:

(a) The controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular measures that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;

(b) The controller has taken subsequent measures to ensure that the high risk to the rights and freedoms of the data subject specified in paragraph 1 is no longer possible;

(c) Communication to the data subject would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

4. If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so, or may decide that one of the conditions set out in paragraph 3 is met.

Part 3 Data Protection Impact Assessment and Advance Consultation

Article 35 Data protection impact assessment

1. Where a type of processing, in particular processing using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons, taking into account the nature, scope, context and purposes of the processing, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

2. If the controller has appointed a data protection officer, the controller should consult the data protection officer when carrying out a data protection impact assessment.

3. A data protection impact assessment referred to in paragraph 1 is particularly necessary in the following circumstances:

(a) A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including user profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;

(b) process on a large scale certain categories of data referred to in Article 9(1), or personal data relating to convictions or offenses referred to in Article 10; or

(c) Systematically monitor a publicly accessible space on a large scale.

4. The supervisory authority shall establish and make public a list of types of processing operations that are subject to a data protection impact assessment required by paragraph 1. The supervisory authority shall inform the EU Data Protection Board referred to in Article 68 of such lists.

5. The supervisory authority may also establish a publicly available list of types of processing operations that do not require a data protection impact assessment. The supervisory authority shall inform the EU Data Protection Board of such lists.

6. Prior to the adoption of the lists referred to in paragraphs 4 and 5, the competent supervisory authority shall apply the consistency mechanism referred to in Article 63 where such lists involve processing activities related to the offering of goods or services to data subjects or to the monitoring of their behavior in several Member States, or may substantially affect the free movement of personal data within the European Union.

7. The assessment should include at least:

(a) A systematic description of the planned processing operations and the purposes of the processing and – if applicable – a description of the legitimate interests pursued by the controller;

(b) An assessment of the necessity and proportionality of the processing operations in relation to the purposes;

(c) an assessment of the risks to the rights and freedoms of the data subject referred to in paragraph 1;

(d) The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.

8. When assessing the impact of the processing operations of the relevant controller or processor, and in particular when assessing the data protection impact, reasonable consideration should be given to its compliance with the applicable code of conduct set out in Article 40.

9. Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations.

10. Where processing pursuant to point (c) or (e) of Article 6(1) has a legal basis in Union or Member State law to which the controller is subject, that law regulates the specific processing operation or set of operations in question, and a data protection impact assessment has already been carried out as part of a general impact assessment in the context of the adoption of that legal basis, paragraphs 1 to 7 shall not apply, unless the Member State considers it necessary to carry out such an assessment prior to the processing activities.

11. Where necessary, the controller should conduct a check to assess whether processing is consistent with a data protection impact assessment, at least where there are changes in the risks posed by the processing operations.

Article 36 Advance consultation

1. Where the data protection impact assessment referred to in Article 35 indicates that the processing would pose a high risk if the controller does not take measures, the controller should consult the supervisory authority before processing.

2. Where the supervisory authority is of the opinion that the intended processing referred to in paragraph 1 would infringe this Regulation, in particular where the controller has insufficiently identified or mitigated the risk, the supervisory authority shall, within eight weeks of receipt of the request for consultation, provide written advice to the controller and, where applicable, to the processor, and may use any of its powers referred to in Article 58. That period may be extended by six weeks, taking into account the complexity of the intended processing. The supervisory authority shall inform the controller and, where applicable, the processor of any such extension and the reasons for it within one month of receipt of the request for consultation. Those periods may be suspended until the supervisory authority has obtained the information it has requested for the purposes of the consultation.

3. When consulting the supervisory authority referred to in paragraph 1, the controller shall provide the supervisory authority with the following information:

(a) where applicable, the corresponding responsibilities of the controller, joint controllers and processors in relation to the processing, in particular where the processing is carried out within a group of undertakings;

(b) The intended purposes and methods of processing;

(c) Methods and measures taken in compliance with this Regulation to protect the rights and freedoms of data subjects;

(d) Where applicable, the contact details of the Data Protection Officer;

(e) The data protection impact assessment provided for in Article 35; and

(f) Any other information requested by the supervisory authority.

4. Member States shall consult the supervisory authority during the preparation of a proposal for a legislative measure to be adopted by a national parliament, or of a regulatory measure based on such a legislative measure, which relates to processing.

5. Notwithstanding paragraph 1, Member State law may require controllers to consult with, and obtain prior authorization from, the supervisory authority in relation to processing by a controller for the performance of a task carried out in the public interest, including processing in relation to social security and public health.

Part 4 Data Protection Officer

Article 37 Appointment of Data Protection Officer

1. The controller and processor shall appoint a data protection officer in any of the following circumstances:

(a) the processing is carried out by public authorities or public entities, except by courts in the exercise of their judicial functions;

(b) the core processing activities of the controller or processor inherently require routine and systematic monitoring of data subjects on a large scale; or

(c) The core activities of the controller or processor include the large-scale processing of special categories of data referred to in Article 9 and the processing of personal data relating to convictions and offenses referred to in Article 10.

2. A group of undertakings may appoint a single data protection officer, provided that the data protection officer is easily accessible from each organization within the group.

3. Where the controller or processor is a public authority or public entity, based on their organizational structure and size, several such public authorities or entities may jointly appoint a single Data Protection Officer.

4. In cases other than those referred to in paragraph 1, the controller or processor, or associations and other entities representing categories of controllers or processors, may appoint a data protection officer, and shall do so where required by Union or Member State law. The data protection officer may act on behalf of such associations and other entities representing controllers or processors.

5. The appointment of the Data Protection Officer must be based on his or her professional qualities, which require specialized knowledge of data protection law and practice, as well as the ability to carry out the tasks set out in Article 39.

6. The Data Protection Officer may be a staff member of the controller or processor, or may fulfill the tasks on the basis of a service contract.

7. The controller or processor shall publish the contact details of the data protection officer and communicate them to the supervisory authority.

Article 38 Position of Data Protection Officer

1. Controllers and processors should ensure that the Data Protection Officer intervenes in an appropriate and timely manner in all matters related to the protection of personal data.

2. Controllers and processors shall support the data protection officer in the discharge of his responsibilities arising from Article 39 and shall provide him with the necessary resources to discharge such responsibilities, to access personal data, to carry out processing operations and to maintain his professional knowledge.

3. Controllers and processors shall ensure that the Data Protection Officer does not receive any instructions regarding the exercise of his or her tasks. The Data Protection Officer shall not be dismissed by the controller or processor for performing his or her tasks, and shall report directly to the highest management level of the controller or processor.

4. Data subjects may contact the Data Protection Officer in all matters relating to the processing of their personal data and in matters relating to the exercise of their rights conferred by this Regulation.

5. In the performance of his or her tasks, the Data Protection Officer shall comply with EU or Member State law and shall have a duty of confidentiality.

6. The Data Protection Officer may fulfill other tasks or responsibilities. The controller or processor shall ensure that any such tasks and responsibilities do not give rise to a conflict of interest.

Article 39 Tasks of the Data Protection Officer

1. The data protection officer should have at least the following tasks:

(a) inform and advise the controller or processor and the employees who carry out processing of their obligations under this Regulation and other Union or Member State data protection provisions;

(b) ensure compliance with this Regulation, other Union or Member State data protection provisions and the policies of the controller or processor in relation to the protection of personal data, including by assigning responsibilities, raising awareness and training staff in processing operations and in related audits;

(c) provide advice, where requested, on the data protection impact assessment and monitor its performance pursuant to Article 35;

(d) Cooperate with the supervisory authority;

(e) Act as the liaison person with the supervisory authority on matters relating to processing, including advance consultations under Article 36 and – where applicable – on all other relevant matters.

2. When performing their duties, the Data Protection Officer shall reasonably consider the risks associated with the processing operations in light of the nature, scope, context and purpose of the processing.

Part 5 Code of Conduct and Certification

Article 40 Code of Conduct

1. Member States, supervisory authorities and the EU Data Protection Board and the Commission encourage the drafting of codes of conduct that facilitate the appropriate application of this Regulation, taking into account the characteristics of the different processing sectors and the specific needs of micro, small and medium-sized economic entities.

2. Associations and other entities representing categories of controllers or processors may draft codes of conduct, or amend or extend such codes, in order to specify the application of this Regulation. For example, they may draft codes covering the following matters:

(a) Fair and transparent processing;

(b) The legitimate interests pursued by the controller in specific contexts;

(c) The collection of personal data;

(d) The pseudonymization of personal data;

(e) Information provided to the public and data subjects;

(f) Exercise of data subject rights;

(g) Information provided to and for the protection of children, and the form used to obtain the consent of children’s guardians;

(h) The measures and procedures specified in Articles 24 and 25, and the measures taken to ensure the security of processing specified in Article 32;

(i) The notification of personal data breaches to supervisory authorities and the communication of such personal data breaches to data subjects;

(j) The transfer of personal data to third countries or international organizations; or

(k) Out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects under Articles 77 and 99.

3. In addition to adherence by controllers or processors subject to this Regulation, a code of conduct approved pursuant to paragraph 5 of this Article and having general validity pursuant to paragraph 9 of this Article may also be adhered to by controllers or processors that are not subject to this Regulation pursuant to Article 3, in order to provide appropriate safeguards for transfers of personal data to a third country or an international organization under the terms referred to in point (e) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, by way of contract or other legally binding instruments, to apply those appropriate safeguards, including with regard to the rights of data subjects.

4. Without prejudice to the tasks and powers of the supervisory authority competent pursuant to Article 55 or 56, a code of conduct referred to in paragraph 2 of this Article shall contain mechanisms that enable the entities referred to in Article 41(1) to carry out mandatory monitoring of compliance with its provisions by the controllers or processors that undertake to apply it.

5. An association or other entity referred to in paragraph 2 of this Article that intends to draft a code of conduct, or to amend or extend an existing code, shall submit the draft code, amendment or extension to the supervisory authority competent pursuant to Article 55. The supervisory authority shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation and shall approve it if it finds that it provides sufficient appropriate safeguards.

6. When a draft code, or a proposed amendment or extension is approved in accordance with the provisions of paragraph 5, and the code of conduct does not involve processing activities in more than one Member State, the supervisory authority shall register and publish the code.

7. Where a draft code of conduct relates to processing activities in more than one Member State, the supervisory authority competent pursuant to Article 55 shall, before approving the draft code, amendment or extension, submit it under the procedure referred to in Article 63 to the European Data Protection Board, which shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation or, in the situation referred to in paragraph 3, provides appropriate safeguards.

8. Where the opinion referred to in paragraph 7 confirms that the draft code, amendment or extension complies with this Regulation or, in the situation referred to in paragraph 3, provides appropriate safeguards, the EU Data Protection Board shall submit its opinion to the European Commission.

9. The Commission may, by way of implementing acts, decide that an approved code of conduct, amendment or extension submitted to it pursuant to paragraph 8 has general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 94(2).

10. The Commission shall ensure appropriate publicity for the approved codes of conduct that have been decided to have general validity in accordance with paragraph 9.

11. The EU Data Protection Board shall collate all approved codes of conduct, amendments and extensions in a register and shall make them publicly available by appropriate means.

Article 41 Monitoring of the Code of Conduct in force

1. Without prejudice to the tasks and powers of the competent supervisory authority set out in Articles 57 and 58, the monitoring of compliance with a code of conduct established pursuant to Article 40 may be carried out by an entity that has an appropriate level of expertise in relation to the subject matter of the code and is accredited for that purpose by the competent supervisory authority.

2. An entity as referred to in paragraph 1 may be accredited to monitor compliance with a code of conduct where:

(a) It has demonstrated its independence and expertise in relation to the subject matter of the code to the satisfaction of the competent supervisory authority;

(b) It has established procedures that allow it to assess the eligibility of the controllers and processors concerned to apply the code, to monitor their compliance with its provisions, and to periodically review its operation;

(c) procedures and systems are in place to resolve complaints regarding breaches of the Code, or about the way in which a controller or processor has implemented or is implementing the Code, and such procedures and systems are made transparent to data subjects and the public; and

(d) It has shown that it meets the requirements of the competent regulatory agency and that there is no conflict of interest in its tasks and responsibilities.

3. The competent supervisory authority shall submit the draft standards for the certification of entities specified in paragraph 1 to the EU Data Protection Board in accordance with the consistency mechanism set out in Article 63.

4. When a controller or processor breaches the Code, the entities referred to in paragraph 1 shall, without prejudice to the tasks and powers of the competent supervisory authority or the provisions of Chapter 8, take appropriate actions, guaranteed by appropriate security measures, including The relevant controller or processor is suspended or eliminated from the Code. The entity shall notify the competent supervisory authority of such actions and the reasons for the actions.

5. If an entity specified in paragraph 1 does not or no longer meets the conditions for certification, or if it acts in violation of these Regulations, the competent supervisory authority shall withdraw its certification.

6. This article does not apply to processing carried out by public authorities and public entities.

Article 42 Certification

1. The Member States, the supervisory authorities, the European Data Protection Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating that processing operations by controllers and processors comply with this Regulation. The specific needs of micro, small and medium-sized enterprises shall be taken into account.

2. In addition to adherence by controllers or processors subject to this Regulation, data protection certification mechanisms, seals or marks approved pursuant to paragraph 5 of this Article may be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to this Regulation pursuant to Article 3, within the framework of transfers of personal data to third countries or international organizations under the terms referred to in point (f) of Article 46(2). Such controllers or processors shall make binding and enforceable commitments, via contractual or other legally binding instruments, to apply those appropriate safeguards, including with regard to the rights of data subjects.

3. The certification shall be voluntary and available via a transparent process.

4. A certification pursuant to this Article does not reduce the responsibility of the controller or processor for compliance with this Regulation and is without prejudice to the tasks and powers of the supervisory authorities which are competent pursuant to Article 55 or 56.

5. A certification pursuant to this Article shall be issued by the certification bodies referred to in Article 43 or by the competent supervisory authority, on the basis of criteria approved by that competent supervisory authority pursuant to Article 58(3) or by the European Data Protection Board pursuant to Article 63. Where the criteria are approved by the European Data Protection Board, this may result in a common certification, the European Data Protection Seal.

6. The controller or processor which submits its processing to the certification mechanism shall provide the certification body referred to in Article 43 or, where applicable, the competent supervisory authority with all information and access to its processing activities which are necessary to conduct the certification procedure.

7. Certification shall be issued to a controller or processor for a maximum period of three years and may be renewed under the same conditions, provided that the relevant criteria continue to be met. Certification shall be withdrawn, as applicable, by the certification bodies referred to in Article 43 or by the competent supervisory authority where the criteria for the certification are not, or are no longer, met.

8. The European Data Protection Board shall collate all certification mechanisms and data protection seals and marks in a register and shall make them publicly available by any appropriate means.

Article 43 Certification bodies

1. Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, certification bodies which have an appropriate level of expertise in relation to data protection shall, after informing the supervisory authority in order to allow it to exercise its powers under point (h) of Article 58(2) where necessary, issue and renew certification. Member States shall ensure that those certification bodies are accredited by one or both of the following:

(a) the supervisory authority which is competent pursuant to Article 55 or 56;

(b) the national accreditation body named in accordance with Regulation (EC) No 765/2008 of the European Parliament and of the Council, in accordance with EN-ISO/IEC 17065/2012 and with the additional requirements established by the supervisory authority which is competent pursuant to Article 55 or 56.

2. Certification bodies referred to in paragraph 1 shall be accredited in accordance with that paragraph only where they have:

(a) demonstrated their independence and expertise in relation to the subject matter of the certification to the satisfaction of the competent supervisory authority;

(b) undertaken to respect the criteria referred to in Article 42(5) and approved by the supervisory authority which is competent pursuant to Article 55 or 56 or by the European Data Protection Board pursuant to Article 63;

(c) established procedures for the issuing, periodic review and withdrawal of data protection certifications, seals and marks;

(d) established procedures and structures to handle complaints about infringements of the certification or about the manner in which the certification has been, or is being, implemented by a controller or processor, and made those procedures and structures transparent to data subjects and the public; and

(e) demonstrated, to the satisfaction of the competent supervisory authority, that their tasks and duties do not result in a conflict of interests.

3. The accreditation of certification bodies as referred to in paragraphs 1 and 2 shall take place on the basis of criteria approved by the supervisory authority which is competent pursuant to Article 55 or 56 or by the European Data Protection Board pursuant to Article 63. In the case of accreditation pursuant to point (b) of paragraph 1 of this Article, those requirements shall complement those envisaged in Regulation (EC) No 765/2008 and the technical rules that describe the methods and procedures of the certification bodies.

4. The certification bodies referred to in paragraph 1 shall be responsible for the proper assessment leading to the certification or the withdrawal of such certification, without prejudice to the responsibility of the controller or processor for compliance with this Regulation. The accreditation shall be issued for a maximum period of five years and may be renewed on the same conditions, provided that the certification body continues to meet the requirements set out in this Article.

5. The certification bodies referred to in paragraph 1 shall provide the competent supervisory authorities with the reasons for granting or withdrawing the requested certification.

6. The requirements referred to in paragraph 3 of this Article and the criteria referred to in Article 42(5) shall be made public by the supervisory authority in an easily accessible form. The supervisory authorities shall also transmit those requirements and criteria to the European Data Protection Board. The European Data Protection Board shall collate all certification mechanisms and data protection seals in a register and shall make them publicly available by any appropriate means.

7. Without prejudice to Chapter 8, the competent supervisory authority or the national accreditation body shall revoke the accreditation of a certification body pursuant to paragraph 1 of this Article where the conditions for the accreditation are not, or are no longer, met or where actions taken by the certification body infringe this Regulation.

8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of specifying the requirements to be taken into account for the data protection certification mechanisms referred to in Article 42(1).

9. The Commission may adopt implementing acts laying down technical standards for certification mechanisms and data protection seals and marks, and mechanisms to promote and recognize those certification mechanisms, seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

Chapter 5 Transfer of personal data to third countries or international organizations

Article 44 General principles of transfer

Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organization shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or international organization to another third country or to another international organization. All provisions of this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.

Article 45 Transfer based on determination of adequate protection

1. A transfer of personal data to a third country or an international organization may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection. Such a transfer shall not require any specific authorization.

2. When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:

(a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organization which are complied with in that country or international organization, case law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;

(b) the existence and effective functioning of one or more independent supervisory authorities in the third country, or to which an international organization is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States;

(c) the international commitments the third country or international organization concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

3. The Commission, after assessing the adequacy of the level of protection, may decide, by means of an implementing act, that a third country, a territory or one or more specified sectors within a third country, or an international organization ensures an adequate level of protection within the meaning of paragraph 2 of this Article. The implementing act shall provide for a mechanism for periodic review, at least every four years, which shall take into account all relevant developments in the third country or international organization. The implementing act shall specify its territorial and sectoral application and, where applicable, identify the supervisory authority or authorities referred to in point (b) of paragraph 2 of this Article. The implementing act shall be adopted in accordance with the examination procedure referred to in Article 93(2).

4. The Commission shall, on an ongoing basis, monitor developments in third countries and international organizations that could affect the functioning of decisions adopted pursuant to paragraph 3 of this Article and of decisions adopted on the basis of Article 25(6) of Directive 95/46/EC.

5. Where available information reveals, in particular following the review referred to in paragraph 3 of this Article, that a third country, a territory or one or more specified sectors within a third country, or an international organization no longer ensures an adequate level of protection within the meaning of paragraph 2 of this Article, the Commission shall, to the extent necessary, repeal, amend or suspend the decision referred to in paragraph 3 of this Article by means of implementing acts without retroactive effect. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

On duly justified imperative grounds of urgency, the Commission shall adopt immediately applicable implementing acts in accordance with the procedure referred to in Article 93(3).

6. The Commission shall enter into consultations with the third country or international organization with a view to remedying the situation giving rise to the decision made pursuant to paragraph 5.

7. A decision pursuant to paragraph 5 of this Article is without prejudice to transfers of personal data to the third country, a territory or one or more specified sectors within that third country, or the international organization in question pursuant to Articles 46 to 49.

8. The Commission shall publish in the Official Journal of the European Union and on its website a list of the third countries, territories and specified sectors within a third country and international organizations for which it has decided that an adequate level of protection is or is no longer ensured.

9. Decisions adopted by the Commission on the basis of Article 25(6) of Directive 95/46/EC shall remain in force until amended, replaced or repealed by a Commission decision adopted in accordance with paragraph 3 or 5 of this Article.

Article 46 Transfers subject to appropriate safeguards

1. In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organization only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

2. The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorization from a supervisory authority, by:

(a) a legally binding and enforceable instrument between public authorities or bodies;

(b) binding corporate rules in accordance with Article 47;

(c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);

(d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);

(e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or

(f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.

3. Subject to the authorization of the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:

(a) contractual clauses between the controller or processor and the controller, processor or recipient of the personal data in the third country or international organization; or

(b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

4. The supervisory authority shall apply the consistency mechanism referred to in Article 63 in the cases referred to in paragraph 3 of this Article.

5. Authorizations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed, if necessary, by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed, if necessary, by a Commission decision adopted in accordance with paragraph 2 of this Article.

Article 47 Binding Corporate Rules

1. The competent supervisory authority shall approve binding corporate rules in accordance with the consistency mechanism set out in Article 63, provided that they:

(a) are legally binding and apply to and are enforced by every member concerned of the group of undertakings, or group of enterprises engaged in a joint economic activity, including their employees;

(b) expressly confer enforceable rights on data subjects with regard to the processing of their personal data; and

(c) fulfil the requirements laid down in paragraph 2.

2. The binding corporate rules referred to in paragraph 1 shall specify at least:

(a) the structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity, and of each of its members;

(b) the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;

(c) their legally binding nature, both internally and externally;

(d) the application of the general data protection principles, in particular purpose limitation, data minimization, limited storage periods, data quality, data protection by design and by default, legal basis for processing, processing of special categories of personal data, measures to ensure data security, and the requirements in respect of onward transfers to bodies not bound by the binding corporate rules;

(e) the rights of data subjects in regard to processing and the means to exercise those rights, including the right not to be subject to decisions based solely on automated processing, including profiling, in accordance with Article 22, the right to lodge a complaint with the competent supervisory authority and before the competent courts of the Member States in accordance with Article 79, and the right to obtain redress and, where appropriate, compensation for a breach of the binding corporate rules;

(f) the acceptance by the controller or processor established on the territory of a Member State of liability for any breaches of the binding corporate rules by any member concerned not established in the Union; the controller or processor shall be exempt from that liability, in whole or in part, only if it proves that that member is not responsible for the event giving rise to the damage;

(g) how the information on the binding corporate rules, in particular on the provisions referred to in points (d), (e) and (f) of this paragraph, is provided to data subjects in addition to Articles 13 and 14;

(h) the tasks of any data protection officer designated in accordance with Article 37, or of any other person or entity in charge of monitoring compliance with the binding corporate rules within the group of undertakings or group of enterprises engaged in a joint economic activity, as well as monitoring training and complaint handling;

(i) the complaint procedures;

(j) the mechanisms within the group of undertakings, or group of enterprises engaged in a joint economic activity, for ensuring the verification of compliance with the binding corporate rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the rights of the data subject. Results of such verification shall be communicated to the person or entity referred to in point (h) and to the board of the controlling undertaking of the group of undertakings or group of enterprises engaged in a joint economic activity, and shall be available upon request to the competent supervisory authority;

(k) the mechanisms for reporting and recording changes to the rules and for reporting those changes to the supervisory authority;

(l) the cooperation mechanism with the supervisory authority to ensure compliance by any member of the group of undertakings or group of enterprises engaged in a joint economic activity, in particular by making available to the supervisory authority the results of verifications of the measures referred to in point (j);

(m) the mechanisms for reporting to the competent supervisory authority any legal requirements to which a member of the group of undertakings or group of enterprises engaged in a joint economic activity is subject in a third country and which are likely to have a substantial adverse effect on the guarantees provided by the binding corporate rules; and

(n) the appropriate data protection training for personnel having permanent or regular access to personal data.

3. The Commission may, by way of implementing acts, specify the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 93(2).

Article 48 Transfers or disclosures not authorized by Union law

Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognized or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.

Article 49 Derogations for specific situations

1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organization shall take place only on one of the following conditions:

(a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;

(b) the transfer is necessary for the performance of a contract between the data subject and the controller, or for the implementation of pre-contractual measures taken at the data subject's request;

(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;

(d) the transfer is necessary for important reasons of public interest;

(e) the transfer is necessary for the establishment, exercise or defense of legal claims;

(f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;

(g) the transfer is made from a register which, according to Union or Member State law, is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.

Where a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding corporate rules, and none of the derogations referred to in points (a) to (g) is applicable, a transfer to a third country or an international organization may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has, on the basis of that assessment, provided suitable safeguards with regard to the protection of personal data. The controller shall inform the supervisory authority of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and of the compelling legitimate interests pursued.

2. A transfer pursuant to point (g) of paragraph 1 shall not involve the entirety of the personal data or entire categories of the personal data contained in the register. Where the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.

3. Points (a), (b) and (c) of paragraph 1 and the second subparagraph thereof shall not apply to activities carried out by public authorities in the exercise of their public powers.

4. The public interest referred to in point (d) of paragraph 1 shall be recognized in Union law or in the law of the Member State to which the controller is subject.

5. In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of personal data to a third country or an international organization. Member States shall notify such provisions to the Commission.

6. The controller or processor shall document the assessment as well as the suitable safeguards referred to in the second subparagraph of paragraph 1 of this Article in the records referred to in Article 30.

Article 50 International cooperation for the protection of personal data

In relation to third countries and international organizations, the Commission and the supervisory authorities shall take appropriate steps to:

(a) develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data;

(b) provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms;

(c) engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal data;

(d) promote the exchange and documentation of personal data protection legislation and practice, including on jurisdictional conflicts with third countries.

Chapter 6 Independent supervisory authorities

Part One Independent status

Article 51 Supervisory Authority

1. Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union.

2. Each supervisory authority shall contribute to the consistent application of this Regulation throughout the Union. For that purpose, the supervisory authorities shall cooperate with each other and with the Commission in accordance with Chapter 7.

3. Where more than one supervisory authority is established in a Member State, that Member State shall designate the supervisory authority which is to represent those authorities in the European Data Protection Board and shall set out the mechanism to ensure compliance by the other authorities with the rules relating to the consistency mechanism referred to in Article 63.

4. Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to this Chapter [at the latest within two years of the entry into force of this Regulation] and, without delay, any subsequent amendment affecting them.

Article 52 Independence

1. Each supervisory authority shall act with complete independence in performing its tasks and exercising its powers in accordance with this Regulation.

2. The member or members of each supervisory authority shall, in the performance of their tasks and exercise of their powers in accordance with this Regulation, remain free from external influence, whether direct or indirect, and shall neither seek nor take instructions from anybody.

3. The member or members of each supervisory authority shall refrain from any action incompatible with their duties and shall not, during their term of office, engage in any incompatible occupation, whether gainful or not.

4. Each Member State shall ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers, including those to be carried out in the context of mutual assistance, cooperation and participation in the European Data Protection Board.

5. Each Member State shall ensure that each supervisory authority chooses and has its own staff, which shall be subject to the exclusive direction of the member or members of the supervisory authority concerned.

6. Each Member State shall ensure that each supervisory authority is subject to financial control which does not affect its independence, and that it has a separate, public annual budget, which may be part of the overall state or national budget.

Article 53 General conditions for the members of the supervisory authority

1. Member States shall provide for each member of their supervisory authorities to be appointed by means of a transparent procedure by:

- their parliament;

- their government;

- their head of state; or

- an independent body entrusted with the appointment under Member State law.

2. Each member shall have the qualifications, experience and skills, in particular in the area of the protection of personal data, required to perform its duties and exercise its powers.

3. The duties of a member shall end in the event of the expiry of the term of office, resignation or compulsory retirement, in accordance with the law of the Member State concerned.

4. A member shall be dismissed only in cases of serious misconduct or if the member no longer fulfils the conditions required for the performance of the duties.

Article 54 Rules on the establishment of the supervisory authority

1. Each Member State shall provide by law for all of the following:

(a) the establishment of each supervisory authority;

(b) the qualifications and eligibility conditions required to be appointed as a member of each supervisory authority;

(c) the rules and procedures for the appointment of the member or members of each supervisory authority;

(d) the duration of the term of the member or members of each supervisory authority, of no less than four years, except for the first appointment after the entry into force of this Regulation, part of which may take place for a shorter period where that is necessary to protect the independence of the supervisory authority by means of a staggered appointment procedure;

(e) whether and, if so, for how many terms the member or members of each supervisory authority are eligible for reappointment;

(f) the conditions governing the obligations of the member or members and staff of each supervisory authority, prohibitions on actions, occupations and benefits incompatible therewith during and after the term of office, and rules governing the cessation of employment.

2. The member or members and the staff of each supervisory authority shall, in accordance with Union or Member State law, be subject to a duty of professional secrecy both during and after their term of office with regard to any confidential information which has come to their knowledge in the course of the performance of their tasks or exercise of their powers. During their term of office, that duty of professional secrecy shall in particular apply to reporting by natural persons of infringements of this Regulation.

Part 2 Competence, Tasks and Powers

Article 55 Competence

1. Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State.

2. Where processing is carried out by public authorities or private bodies acting on the basis of point (c) or (e) of Article 6(1), the supervisory authority of the Member State concerned shall be competent. In such cases Article 56 does not apply.

3. Supervisory authorities shall not be competent to supervise processing operations of courts acting in their judicial capacity.

Article 56 Competence of the lead supervisory authority

1. Without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60.

2. By way of derogation from paragraph 1, each supervisory authority shall be competent to handle a complaint lodged with it or a possible infringement of this Regulation, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State.

3. In the cases referred to in paragraph 2 of this Article, the supervisory authority shall inform the lead supervisory authority without delay on that matter. Within a period of three weeks after being informed, the lead supervisory authority shall decide whether or not it will handle the case in accordance with the procedure provided in Article 60, taking into account whether or not there is an establishment of the controller or processor in the Member State of the supervisory authority which informed it.

4. Where the lead supervisory authority decides to handle the case, the procedure provided in Article 60 shall apply. The supervisory authority which informed the lead supervisory authority may submit to the lead supervisory authority a draft for a decision. The lead supervisory authority shall take utmost account of that draft when preparing the draft decision referred to in Article 60(3).

5. Where the lead supervisory authority decides not to handle the case, the supervisory authority which informed the lead supervisory authority shall handle it according to Articles 61 and 62.

6. The lead supervisory authority shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor.

Article 57 Tasks

1. Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory:

(a) monitor and enforce the application of this Regulation;

(b) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children shall receive specific attention;

(c) advise, in accordance with Member State law, the national parliament, the government and other institutions and bodies on the protection of natural persons' rights and freedoms with regard to processing;

(d) promote the awareness of controllers and processors of their obligations under this Regulation;

(e) upon request, provide information to any data subject concerning the exercise of their rights under this Regulation and, if appropriate, cooperate with the supervisory authorities in other Member States to that end;

(f) handle complaints lodged by a data subject, or by a body, organization or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;

(g) cooperate with, including by sharing information and providing mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of this Regulation;

(h) conduct investigations on the application of this Regulation, including on the basis of information received from another supervisory authority or other public authority;

(i) monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices;

(j) adopt standard contractual clauses referred to in Article 28(8) and in point (d) of Article 46(2);

(k) establish and maintain a list in relation to the requirement for data protection impact assessment pursuant to Article 35(4);

(l) give advice on the processing operations referred to in Article 36(2);

(m) encourage the drawing up of codes of conduct pursuant to Article 40 and provide an opinion on and approve such codes of conduct which provide sufficient safeguards, pursuant to Article 40(5);

(n) encourage the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Article 42(1), and approve the criteria of certification pursuant to Article 42(5);

(o) where applicable, carry out a periodic review of certifications issued in accordance with Article 42(7);

(p) draft and publish the criteria for accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;

(q) conduct the accreditation of a body for monitoring codes of conduct pursuant to Article 41 and of a certification body pursuant to Article 43;

(r) authorize contractual clauses and provisions referred to in Article 46(3);

(s) approve binding corporate rules pursuant to Article 47;

(t) contribute to the activities of the European Data Protection Board;

(u) keep internal records of infringements of this Regulation and of measures taken in accordance with Article 58(2); and

(v) fulfill any other tasks related to the protection of personal data.

2. Each supervisory authority shall facilitate the submission of complaints referred to in paragraph 1(f), for example by providing means for complaints to be completed and submitted electronically, without excluding other means of communication.

3. The performance of the tasks of each supervisory authority shall be free of charge for the data subject and, where applicable, the data protection officer.

4. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the supervisory authority may charge a reasonable fee based on administrative costs, or refuse to act on the request. The supervisory authority shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

Article 58 Powers

1. Each supervisory authority shall have all of the following investigative powers:

(a) to order the controller and the processor, and, where applicable, the controller's or the processor's representative to provide any information it requires for the performance of its tasks;

(b) to carry out investigations in the form of data protection audits;

(c) to carry out a review on certifications issued pursuant to Article 42(7);

(d) to notify the controller or the processor of an alleged infringement of this Regulation;

(e) to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks;

(f) to obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law.

2. Each supervisory authority shall have all of the following corrective powers:

(a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;

(b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;

(c) to order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation;

(d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;

(e) to order the controller to communicate a personal data breach to the data subject;

(f) to impose a temporary or definitive ban on processing;

(g) to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18, and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19;

(h) to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;

(i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of, measures referred to in this paragraph, depending on the circumstances of each individual case;

(j) to order the suspension of data transfers to a third country or to an international organization.

3. Each supervisory authority shall have all of the following authorization and advisory powers:

(a) to advise the controller in accordance with the prior consultation procedure referred to in Article 36;

(b) to issue, on its own initiative or on request, opinions to the national parliament, the Member State government or, in accordance with Member State law, to other institutions and bodies as well as to the public on any issue related to the protection of personal data;

(c) to authorize processing referred to in Article 36(5), if the law of the Member State requires such prior authorization;

(d) to issue an opinion on and approve draft codes of conduct pursuant to Article 40(5);

(e) to accredit certification bodies pursuant to Article 43;

(f) to issue certifications and approve criteria of certification in accordance with Article 42(5);

(g) to adopt standard data protection clauses referred to in Article 28(8) and in point (d) of Article 46(2);

(h) to authorize contractual clauses referred to in point (a) of Article 46(3);

(i) to authorize administrative arrangements referred to in point (b) of Article 46(3);

(j) to approve binding corporate rules pursuant to Article 47.

4. The exercise of the powers conferred on the supervisory authority under this Article shall be subject to appropriate safeguards, including effective judicial remedies and due process provided for in Union and Member State law in accordance with the Charter of the European Union.

5. Each Member State shall adopt legislation providing that its supervisory authorities shall have the right to bring violations of this Regulation to judicial authorities and may, in appropriate cases, initiate or participate in legal proceedings for the purpose of enforcing the provisions of this Regulation.

6. Each Member State may provide by law for its supervisory authority to have powers additional to those set out in paragraphs 1, 2 and 3. The exercise of those powers shall not impair the effective operation of Chapter 7.

Article 59 Activity Report

Each supervisory authority shall draw up an annual report on its activities, which may include a list of the types of infringements notified to it and of the types of measures taken in accordance with Article 58(2). Those reports shall be transmitted to the national parliament, the government and other authorities as designated by Member State law. They shall be made available to the public, to the European Commission and to the European Data Protection Board.

Chapter 7 Cooperation and Consistency

Part One Cooperation

Article 60 Cooperation between the Lead Supervisory Authority and Other Relevant Supervisory Authorities

1. The lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this Article in an endeavour to reach consensus. The lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other.

2. The lead supervisory authority may request at any time other supervisory authorities concerned to provide mutual assistance pursuant to Article 61 and may conduct joint operations pursuant to Article 62, in particular for carrying out investigations or for monitoring the implementation of a measure concerning a controller or processor established in another Member State.

3. The lead supervisory authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. It shall without delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views.

4. Where any of the other supervisory authorities concerned, within a period of four weeks after having been consulted in accordance with paragraph 3 of this Article, expresses a relevant and reasoned objection to the draft decision, the lead supervisory authority shall, if it does not follow the relevant and reasoned objection or is of the opinion that the objection is not relevant or reasoned, submit the matter to the consistency mechanism referred to in Article 63.

5. Where the lead supervisory authority intends to follow the relevant and reasoned objection made, it shall submit to the other supervisory authorities concerned a revised draft decision for their opinion. That revised draft decision shall be subject to the procedure referred to in paragraph 4 within a period of two weeks.

6. Where none of the other supervisory authorities concerned has objected to the draft decision submitted by the lead supervisory authority within the period referred to in paragraphs 4 and 5, the lead supervisory authority and the supervisory authorities concerned shall be deemed to be in agreement with that draft decision and shall be bound by it.

7. The lead supervisory authority shall adopt and notify the decision to the main establishment or single establishment of the controller or processor, as the case may be, and inform the other supervisory authorities concerned and the European Data Protection Board of the decision in question, including a summary of the relevant facts and grounds. The supervisory authority with which a complaint has been lodged shall inform the complainant of the decision.

8. By way of derogation from paragraph 7, where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged shall adopt the decision and notify it to the complainant and shall inform the controller thereof.

9. Where the lead supervisory authority and the supervisory authorities concerned agree to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter. The lead supervisory authority shall adopt the decision for the part concerning actions in relation to the controller, shall notify it to the main establishment or single establishment of the controller or processor on the territory of its Member State and shall inform the complainant thereof, while the supervisory authority of the complainant shall adopt the decision for the part concerning dismissal or rejection of that complaint, shall notify it to that complainant and shall inform the controller or processor thereof.

10. Upon receipt of a notification from the leading supervisory authority pursuant to paragraphs 7 and 9, the controller or processor shall take the necessary measures to ensure that processing activities at all its establishments in the Union comply with the decision. The controller or processor shall inform the lead supervisory authority of the measures taken to comply with the decision and inform the other relevant supervisory authorities.

11. In extreme circumstances, when a relevant supervisory authority considers that there are sufficient grounds to demonstrate the need to take emergency action to protect the interests of the data subject, the provisions of Article 66 on emergency procedures should be invoked.

12. The lead supervisory authority and other relevant supervisory authorities shall provide each other with the information required by this Article by electronic means and in a standardized format.

Article 61 Mutual Assistance

1. Supervisory authorities shall provide each other with relevant information and mutual assistance in order to implement and apply this Regulation in a consistent manner, and shall put in place measures for effective cooperation with one another. Mutual assistance shall cover, in particular, information requests and supervisory measures, such as requests to carry out prior authorizations and consultations, inspections and investigations.

2. Each supervisory authority shall take all appropriate measures required to reply to a request of another supervisory authority without undue delay and no later than one month after receiving the request. Such measures may include, in particular, the transmission of relevant information on the conduct of an investigation.

3. Requests for assistance shall contain all the necessary information, including the purpose of and reasons for the request. Information exchanged shall be used only for the purpose for which it was requested.

4. The requested supervisory authority shall not refuse to comply with the request unless:

(a) it is not competent for the subject matter of the request or for the measures it is requested to execute; or

(b) compliance with the request would infringe this Regulation or Union or Member State law to which the requested supervisory authority is subject.

5. The requested supervisory authority shall inform the requesting supervisory authority of the results or, as the case may be, of the progress of the measures taken in order to respond to the request. The requested supervisory authority shall provide reasons for any refusal to comply with a request pursuant to paragraph 4.

6. Requested supervisory authorities shall, as a rule, supply the information requested by other supervisory authorities by electronic means, using a standardized format.

7. Requested supervisory authorities shall not charge a fee for any action taken by them pursuant to a request for mutual assistance. Supervisory authorities may agree on rules to indemnify each other for specific expenditure arising from the provision of mutual assistance in exceptional circumstances.

8. Where a supervisory authority does not provide the information referred to in paragraph 5 of this Article within one month of receiving the request of another supervisory authority, the requesting supervisory authority may adopt a provisional measure on the territory of its Member State in accordance with Article 55(1). In that case, the urgent need to act under Article 66(1) shall be presumed to be met, and the European Data Protection Board shall adopt an urgent binding decision pursuant to Article 66(1).

9. The European Data Protection Board may, by means of implementing acts, specify the format and procedures for mutual assistance referred to in this Article and the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the European Commission, in particular the standardized format referred to in paragraph 6 of this Article. Those implementing acts shall be adopted in accordance with the verification procedure referred to in Article 93(2).

Article 62 Joint action of supervisory authorities

1. Where appropriate, supervisory authorities should conduct joint actions, including joint investigations and joint enforcement measures where members or employees of supervisory authorities in other Member States are involved.

2. Where the controller or processor has establishments in more than one Member State, or where data subjects in two or more Member States may be materially affected by processing operations, the supervisory authorities of those Member States are entitled to participate in joint actions. A supervisory authority with competence under Article 56(1) or 56(4) may invite the supervisory authority of each of these Member States to participate in joint operations and shall respond promptly to a supervisory authority's request for participation.

3. A supervisory authority may, in accordance with Member State law and with the seconding supervisory authority's authorization, confer powers, including investigative powers, on the seconding supervisory authority's members or staff involved in joint operations or, in so far as the law of the Member State of the host supervisory authority permits, allow the seconding supervisory authority's members or staff to exercise their investigative powers in accordance with the law of the Member State of the seconding supervisory authority. Such investigative powers may be exercised only under the guidance and in the presence of members or staff of the host supervisory authority. The seconding supervisory authority's members or staff shall be subject to the Member State law of the host supervisory authority.

4. Where, in accordance with paragraph 1, staff of a seconding supervisory authority operate in another Member State, the Member State of the host supervisory authority shall assume responsibility for their actions, including liability for any damage caused by them during their operations, in accordance with the law of the Member State in whose territory they are operating.

5. The Member State in whose territory the damage was caused shall make good such damage under the conditions applicable to damage caused by its own staff. The Member State of the seconding supervisory authority whose staff has caused damage to any person in the territory of another Member State shall reimburse that other Member State in full any sums it paid to the persons entitled on their behalf.

6. Without prejudice to the exercise of its rights vis-à-vis third parties and with the exception of paragraph 5, each Member State shall refrain, in the case provided for in paragraph 1, from requesting reimbursement from another Member State in relation to damage referred to in paragraph 4.

7. When there are plans for joint action and when a supervisory authority refuses to comply with the responsibilities set out in the second sentence of paragraph 2 of this Article, other supervisory authorities may take provisional measures on their territory in accordance with Article 55. In such circumstances, an emergency situation consistent with Article 66(1) may be presumed and the EU Data Protection Board shall make an urgent binding decision in accordance with Article 66(2).

Part 2 Consistency

Article 63 Consistency Mechanism

In order to facilitate the consistent application of this Regulation in the EU, supervisory authorities shall cooperate with each other and, where relevant, with the Commission through the consistency mechanisms set out in this Part.

Article 64 Opinion of the European Data Protection Board

1. The European Data Protection Board shall issue an opinion where a competent supervisory authority intends to adopt any of the measures below. To that end, the competent supervisory authority shall communicate the draft decision to the European Data Protection Board, when it:

(a) aims to adopt a list of the processing operations subject to the requirement for a data protection impact assessment pursuant to Article 35(4);

(b) concerns a matter pursuant to Article 40(7) whether a draft code of conduct or an amendment or extension to a code of conduct complies with this Regulation;

(c) aims to approve the criteria for accreditation of a body pursuant to Article 41(3) or a certification body pursuant to Article 43(3);

(d) aims to determine standard data protection clauses referred to in point (d) of Article 46(2) and in Article 28(8);

(e) aims to authorize contractual clauses referred to in point (a) of Article 46(3); or

(f) aims to approve binding corporate rules within the meaning of Article 47.

2. Any supervisory authority, the Chair of the European Data Protection Board or the European Commission may request that any matter of general application or producing effects in more than one Member State be examined by the European Data Protection Board with a view to obtaining an opinion, in particular where a competent supervisory authority does not comply with the obligations for mutual assistance in accordance with Article 61 or for joint operations in accordance with Article 62.

3. In the cases referred to in paragraphs 1 and 2, the European Data Protection Board shall issue an opinion on the matter submitted to it provided that it has not already issued an opinion on the same matter. That opinion shall be adopted within eight weeks by simple majority of the members of the European Data Protection Board. That period may be extended by a further six weeks, taking into account the complexity of the subject matter. Regarding the draft decision referred to in paragraph 1 circulated to the members of the European Data Protection Board in accordance with paragraph 5, a member which has not objected within a reasonable period indicated by the Chair shall be deemed to be in agreement with the draft decision.

4. Supervisory authorities and the European Data Protection Board shall, without undue delay, communicate by electronic means to the European Data Protection Board, using a standardized format, any relevant information, including as the case may be a summary of the facts, the draft decision, the grounds which make the enactment of such measure necessary, and the views of other supervisory authorities concerned.

5. The Chair of the European Data Protection Board shall, without undue delay, inform by electronic means:

(a) the members of the European Data Protection Board and the European Commission of any relevant information which has been communicated to it, using a standardized format. The secretariat of the European Data Protection Board shall, where necessary, provide translations of relevant information; and

(b) the supervisory authority referred to, as the case may be, in paragraphs 1 and 2, and the European Commission of the opinion, and make it public.

6. The competent supervisory authority shall not adopt its draft decision referred to in paragraph 1 within the period referred to in paragraph 3.

7. The supervisory authority referred to in paragraph 1 shall take utmost account of the opinion of the European Data Protection Board and shall, within two weeks after receiving the opinion, communicate to the Chair of the European Data Protection Board by electronic means whether it will maintain or amend its draft decision and, if any, the amended draft decision.

8. Where the supervisory authority concerned informs the Chair of the European Data Protection Board within the period referred to in paragraph 7 of this Article that it does not intend to follow the opinion of the European Data Protection Board, in whole or in part, providing the relevant grounds, Article 65(1) shall apply.

Article 65 Dispute Resolution before the European Data Protection Board

1. In order to ensure the correct and consistent application of this Regulation in individual cases, the EU Data Protection Board shall make binding decisions in the following situations:

(a) where, in a case referred to in Article 60(4), a supervisory authority concerned has raised a relevant and reasoned objection to a draft decision of the lead supervisory authority and the lead supervisory authority has not followed the objection or has rejected such an objection as being not relevant or reasoned. The binding decision shall concern all the matters which are the subject of the relevant and reasoned objection, in particular whether there is an infringement of this Regulation;

(b) where there are conflicting views on which of the supervisory authorities concerned is competent for the main establishment;

(c) where a competent supervisory authority does not request the opinion of the European Data Protection Board in the cases referred to in Article 64(1), or does not follow the opinion of the European Data Protection Board issued under Article 64. In that case, any supervisory authority concerned or the European Commission may communicate the matter to the European Data Protection Board.

2. The decision referred to in paragraph 1 shall be adopted within one month from the referral of the subject matter by a two-thirds majority of the members of the European Data Protection Board. That period may be extended by a further month on account of the complexity of the subject matter. The decision referred to in paragraph 1 shall be reasoned and addressed to the lead supervisory authority and all the supervisory authorities concerned, and shall be binding on them.

3. Where the European Data Protection Board has been unable to adopt a decision within the periods referred to in paragraph 2, it shall adopt its decision within two weeks following the expiration of the second month referred to in paragraph 2 by a simple majority of its members. Where the members of the European Data Protection Board are split, the decision shall be adopted by the vote of its Chair.

4. The supervisory authorities concerned shall not adopt a decision on the subject matter submitted to the European Data Protection Board under paragraph 1 during the periods referred to in paragraphs 2 and 3.

5. The Chair of the European Data Protection Board shall notify, without undue delay, the decision referred to in paragraph 1 to the supervisory authorities concerned. It shall inform the European Commission thereof. The decision shall be published on the website of the European Data Protection Board without delay after the supervisory authority has notified the final decision referred to in paragraph 6.

6. The lead supervisory authority or, as the case may be, the supervisory authority with which the complaint has been lodged shall adopt its final decision on the basis of the decision referred to in paragraph 1 of this Article, without undue delay and at the latest by one month after the European Data Protection Board has notified its decision. The lead supervisory authority or, as the case may be, the supervisory authority with which the complaint has been lodged shall inform the European Data Protection Board of the date when its final decision is notified respectively to the controller or the processor and to the data subject. The final decision of the supervisory authorities concerned shall be adopted under the terms of Article 60(7), (8) and (9). The final decision shall refer to the decision referred to in paragraph 1 of this Article and shall specify that the decision referred to in that paragraph will be published on the website of the European Data Protection Board in accordance with paragraph 5 of this Article. The final decision shall attach the decision referred to in paragraph 1 of this Article.

Article 66 Emergency procedures

1. In exceptional circumstances, where a supervisory authority concerned considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, it may, by way of derogation from the consistency mechanism referred to in Articles 63, 64 and 65 or the procedure referred to in Article 60, immediately adopt provisional measures intended to produce legal effects on its own territory with a specified period of validity which shall not exceed three months. The supervisory authority shall, without delay, communicate those measures and the reasons for adopting them to the other supervisory authorities concerned, the European Data Protection Board and the European Commission.

2. Where a supervisory authority has taken a measure pursuant to paragraph 1 and considers that final measures need urgently to be adopted, it may request an urgent opinion or an urgent binding decision from the European Data Protection Board, giving reasons for requesting such opinion or decision.

3. Any supervisory authority may request an urgent opinion or an urgent binding decision, as the case may be, from the European Data Protection Board where a competent supervisory authority has not taken an appropriate measure in a situation where there is an urgent need to act in order to protect the rights and freedoms of data subjects, giving reasons for requesting such opinion or decision, including for the urgent need to act.

4. By way of derogation from Article 64(3) and Article 65(2), an urgent opinion or an urgent binding decision referred to in paragraphs 2 and 3 of this Article shall be adopted within two weeks by simple majority of the members of the European Data Protection Board.

Article 67 Information exchange

The European Commission may adopt implementing acts of general scope specifying the arrangements for the exchange of information by electronic means between supervisory authorities, and between supervisory authorities and the European Data Protection Board, in particular the standardized format referred to in Article 64.

Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

Part 3 European Data Protection Board

Article 68 European Data Protection Board

1. The European Data Protection Board is hereby established as a body of the European Union and shall have legal personality.

2. The European Data Protection Board shall be represented by its Chair.

3. The European Data Protection Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor, or their respective representatives.

4. Where in a Member State more than one supervisory authority is responsible for monitoring the application of the provisions of this Regulation, a joint representative shall be appointed in accordance with the law of that Member State.

5. The European Commission shall have the right to participate in the activities and meetings of the European Data Protection Board, without voting rights. The European Commission shall designate a representative. The Chair of the European Data Protection Board shall inform the European Commission of the Board's activities.

6. In the cases referred to in Article 65, the European Data Protection Supervisor shall have voting rights only on decisions concerning principles and rules applicable to the Union institutions, bodies, offices and agencies which correspond in substance to those of this Regulation.

Article 69 Independence

1. The European Data Protection Board shall act independently when performing its tasks or exercising its powers pursuant to Articles 70 and 71.

2. Without prejudice to requests by the European Commission referred to in Article 70(1)(b) and Article 70(2), the European Data Protection Board shall, in the performance of its tasks or the exercise of its powers, neither seek nor take instructions from anybody.

Article 70 Tasks of the European Data Protection Board

1. The European Data Protection Board shall ensure the consistent application of this Regulation. To that end, the Board shall, on its own initiative or, where relevant, at the request of the European Commission, in particular:

(a) monitor and ensure the correct application of this Regulation in the cases provided for in Articles 64 and 65, without prejudice to the tasks of the national supervisory authorities;

(b) advise the European Commission on any issue related to the protection of personal data in the Union, including on any proposed amendment of this Regulation;

(c) advise the European Commission on the format and procedures for the exchange of information between controllers, processors and supervisory authorities for binding corporate rules;

(d) issue guidelines, recommendations and best practices on procedures for erasing links, copies or replications of personal data from publicly available communication services, as referred to in Article 17(2);

(e) examine, on its own initiative, at the request of one of its members or at the request of the European Commission, any question covering the application of this Regulation, and issue guidelines, recommendations and best practices in order to encourage the consistent application of this Regulation;

(f) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for further specifying the criteria and conditions for decisions based on profiling pursuant to Article 22(2);

(g) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing personal data breaches and determining the undue delay referred to in Article 33(1) and (2), and for the particular circumstances in which a controller or a processor is required to notify the personal data breach;

(h) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph as to the circumstances in which a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, as referred to in Article 34(1);

(i) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for further specifying the criteria and requirements for personal data transfers based on binding corporate rules adhered to by controllers and binding corporate rules adhered to by processors, and the further requirements necessary to ensure the protection of the personal data of the data subjects concerned, as referred to in Article 47;

(j) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for further specifying the criteria and requirements for transfers of personal data on the basis of Article 49(1);

(k) draw up guidelines for supervisory authorities concerning the application of the measures referred to in Article 58(1), (2) and (3) and the setting of administrative fines pursuant to Article 83;

(l) review the practical application of the guidelines, recommendations and best practices referred to in points (e) and (f) of this paragraph;

(m) issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for establishing common procedures for the reporting by natural persons of infringements of this Regulation pursuant to Article 54(2);

(n) encourage the drawing-up of codes of conduct and the establishment of data protection certification mechanisms and data protection seals and marks pursuant to Articles 40 and 42;

(o) carry out the accreditation of certification bodies and its periodic review pursuant to Article 43, and maintain a public register of accredited bodies pursuant to Article 43(6) and of accredited controllers or processors established in third countries pursuant to Article 42(7);

(p) specify the requirements referred to in Article 43(3) with a view to the accreditation of certification bodies under Article 42;

(q) provide the European Commission with an opinion on the certification requirements referred to in Article 43(8);

(r) provide the European Commission with an opinion on the icons referred to in Article 12(7);

(s) provide the European Commission with an opinion for the assessment of the adequacy of the level of protection in a third country or international organization, including for the assessment of whether a third country, a territory or one or more specified sectors within that third country, or an international organization, no longer ensures an adequate level of protection. To that end, the European Commission shall provide the European Data Protection Board with all necessary documentation, including correspondence with the government of the third country, with regard to that third country, territory or specified sector, or with the international organization;

(t) issue opinions on draft decisions of supervisory authorities pursuant to the consistency mechanism referred to in Article 64(1) and on matters submitted pursuant to Article 64(2), and issue binding decisions pursuant to Article 65, including in the cases referred to in Article 66;

(u) promote cooperation and the effective bilateral and multilateral exchange of information and best practices between supervisory authorities;

(v) promote common training programmes and facilitate personnel exchanges between supervisory authorities and, where appropriate, with the supervisory authorities of third countries or with international organizations;

(w) promote the exchange of knowledge and documentation on data protection legislation and practice with data protection supervisory authorities worldwide;

(x) issue opinions on codes of conduct drawn up at Union level pursuant to Article 40(9); and

(y) maintain a publicly accessible electronic register of decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.

2. Where the European Commission requests advice from the European Data Protection Board, it may indicate a time limit, taking into account the urgency of the matter.

3. The European Data Protection Board shall forward its opinions, guidelines, recommendations and best practices to the European Commission and to the committee referred to in Article 93, and shall make them public.

4. The European Data Protection Board shall, where appropriate, consult interested parties and give them the opportunity to comment within a reasonable period. Without prejudice to Article 76, the Board shall make the results of the consultation procedure publicly available.

Article 71 Reporting

1. The European Data Protection Board shall draw up an annual report regarding the protection of natural persons with regard to processing in the Union and, where relevant, in third countries and international organizations. The report shall be made public and transmitted to the European Parliament, the Council of the European Union and the European Commission.

2. The annual report shall include a review of the practical application of the guidelines, recommendations and best practices referred to in Article 70(1)(l), as well as of the binding decisions referred to in Article 65.

Article 72 Procedure

1. The European Data Protection Board shall take decisions by a simple majority of its members, unless otherwise provided for in this Regulation.

2. The European Data Protection Board shall adopt its own rules of procedure by a two-thirds majority of its members and shall organize its own operational arrangements.

Article 73 Chair

1. The European Data Protection Board shall elect a Chair and two deputy chairs from amongst its members by simple majority.

2. The term of office of the Chair and of the deputy chairs shall be five years and shall be renewable once.

Article 74 Duties of the Chairman

1. The Chair shall have the following tasks:

(a) to convene the meetings of the European Data Protection Board and prepare its agenda;

(b) to notify decisions adopted by the European Data Protection Board pursuant to Article 65 to the lead supervisory authority and the supervisory authorities concerned;

(c) to ensure the timely performance of the tasks of the European Data Protection Board, in particular in relation to the consistency mechanism referred to in Article 63.

2. The European Data Protection Board shall lay down the allocation of tasks between the Chair and the deputy chairs in its rules of procedure.

Article 75 Secretariat

1. The European Data Protection Board shall have a secretariat, which shall be provided by the European Data Protection Supervisor.

2. The secretariat shall perform its tasks exclusively under the instructions of the Chair of the European Data Protection Board.

3. The staff of the European Data Protection Supervisor involved in carrying out the tasks conferred on the European Data Protection Board by this Regulation shall be subject to separate reporting lines from the staff involved in carrying out the tasks conferred on the European Data Protection Supervisor.

4. Where appropriate, the European Data Protection Board and the European Data Protection Supervisor shall establish and publish a Memorandum of Understanding implementing this Article, determining the terms of their cooperation and applicable to the staff of the European Data Protection Supervisor involved in carrying out the tasks conferred on the Board by this Regulation.

5. The secretariat shall provide analytical, administrative and logistical support to the European Data Protection Board.

6. The secretariat shall be responsible in particular for:

(a) the day-to-day business of the European Data Protection Board;

(b) communication between the members of the European Data Protection Board, its Chair and the European Commission;

(c) communication with other institutions and the public;

(d) the use of electronic means for internal and external communication;

(e) the translation of relevant information;

(f) the preparation and follow-up of the meetings of the European Data Protection Board;

(g) the preparation, drafting and publication of opinions, decisions on the settlement of disputes between supervisory authorities and other texts adopted by the European Data Protection Board.

Article 76 Confidentiality

1. The discussions of the European Data Protection Board shall be confidential where the Board deems it necessary, as provided for in its rules of procedure.

2. Access to documents submitted to members of the European Data Protection Board, experts and representatives of third parties shall be governed by Regulation (EC) No 1049/2001 of the European Parliament and of the Council [1].

Chapter 8 Remedies, Liability and Penalties

Article 77 Right to lodge a complaint with the supervisory authority

1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

2. The supervisory authority with which the complaint has been lodged shall inform the complainant of the progress and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Article 78.

Article 78 Right to an effective judicial remedy against a supervisory authority

1. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

2. Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the supervisory authority competent pursuant to Articles 55 and 56 does not handle a complaint or does not inform the data subject within three months of the progress or outcome of the complaint lodged pursuant to Article 77.

3. Proceedings against a supervisory authority shall be brought before the courts of the Member State in which the supervisory authority is established.

4. Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or decision of the European Data Protection Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.

Article 79 Right to an effective judicial remedy against a controller or processor

1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.

2. Proceedings against a controller or processor shall be brought before the courts of the Member State in which the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State in which the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.

Article 80 Representation of data subjects

1. The data subject shall have the right to mandate a not-for-profit body, organization or association to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78 and 79 on his or her behalf and, where provided for by Member State law, to exercise the right to receive compensation referred to in Article 82 on his or her behalf. Such a body, organization or association must have been properly constituted in accordance with the law of a Member State, have statutory objectives which are in the public interest, and be active in the field of the protection of data subjects' rights and freedoms with regard to the protection of their personal data.

2. Member States may provide that any body, organization or association referred to in paragraph 1 of this Article, independently of a data subject's mandate, has the right to lodge, in that Member State, a complaint with the supervisory authority competent pursuant to Article 77 and to exercise the rights referred to in Articles 78 and 79, if it considers that the rights of a data subject under this Regulation have been infringed as a result of the processing.

Article 81 Suspension of legal proceedings

1. Where a competent court of a Member State has information that proceedings concerning the same subject matter as regards processing by the same controller or processor are pending in a court of another Member State, it shall contact that court to confirm the existence of such proceedings.

2. Where proceedings concerning the same subject matter as regards processing by the same controller or processor are pending in a court of another Member State, any competent court other than the court first seized may suspend its proceedings.

3. Where those proceedings are pending at first instance, any court other than the court first seized may also, on the application of one of the parties, decline jurisdiction if the court first seized has jurisdiction over the actions in question and its law permits their consolidation.

Article 82 Right to compensation and liability

1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with the obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to the lawful instructions of the controller.

3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.

4. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and are, under paragraphs 2 and 3, responsible for any damage caused by the processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.

5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of the responsibility for the damage, in accordance with the conditions set out in paragraph 2.

6. Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2).

Article 83 General conditions for administrative fines

1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of the infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.

2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, the measures referred to in points (a) to (h) and point (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on its amount in each individual case, due regard shall be given to the following:

(a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

(b) the intentional or negligent character of the infringement;

(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;

(d) the degree of responsibility of the controller or processor, taking into account the technical and organizational measures implemented by them pursuant to Articles 25 and 32;

(e) any relevant previous infringements by the controller or processor;

(f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects;

(g) the categories of personal data affected by the infringement;

(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures;

(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

3. If a controller or processor intentionally or negligently infringes several provisions of this Regulation in respect of the same or linked processing operations, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.

4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines of up to 10 000 000 EUR or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher:

(a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43;

(b) the obligations of the certification body pursuant to Articles 42 and 43;

(c) the obligations of the monitoring body pursuant to Article 41(4).

5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines of up to 20 000 000 EUR or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher:

(a) the basic principles for processing, including the conditions for consent, pursuant to Articles 5, 6, 7 and 9;

(b) the rights of data subjects pursuant to Articles 12 to 22;

(c) transfers of personal data to a recipient in a third country or an international organization pursuant to Articles 44 to 49;

(d) any obligations pursuant to Member State law adopted under Chapter 9;

(e) non-compliance with an order or a temporary or definitive limitation on processing or a suspension of data flows imposed by the supervisory authority pursuant to Article 58(2), or failure to provide access in violation of Article 58(1).

6. Non-compliance with an order of the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines of up to 20 000 000 EUR or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher.

7. Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.

8. The exercise by the supervisory authority of its powers under this Article shall be subject to appropriate procedural safeguards in accordance with Union and Member State law, including effective judicial remedy and due process.

9. Where the legal system of a Member State does not provide for administrative fines, this Article may be applied in such a manner that the fine is initiated by the competent supervisory authority and imposed by the competent national courts, while ensuring that those legal remedies are effective and have an effect equivalent to administrative fines imposed by supervisory authorities. In any event, the fines imposed shall be effective, proportionate and dissuasive. Those Member States shall notify the Commission of the provisions of their laws adopted pursuant to this paragraph [within two years of the entry into force of this Regulation] and, without delay, of any subsequent amending law or amendment affecting them.

Article 84 Penalties

1. Member States shall lay down the rules on other penalties applicable to infringements of this Regulation, in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive.

2. Each Member State shall notify the Commission of the provisions of its law adopted pursuant to paragraph 1 [within two years of the entry into force of this Regulation] and, without delay, of any subsequent amendment affecting them.

Chapter 9 Provisions related to specific processing situations

Article 85 Processing, freedom of expression and information

1. Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.

2. For processing carried out for journalistic purposes or the purposes of academic, artistic or literary expression, Member States shall provide for exemptions or derogations from Chapter 2 (principles), Chapter 3 (rights of the data subject), Chapter 4 (controller and processor), Chapter 5 (transfer of personal data to third countries or international organizations), Chapter 6 (independent supervisory authorities), Chapter 7 (cooperation and consistency) and Chapter 9 (specific data processing situations) if they are necessary to reconcile the right to the protection of personal data with the freedom of expression and information.

3. Each Member State shall inform the Commission of the legal provisions it has adopted pursuant to paragraph 2 and shall promptly inform the Commission of any subsequent amending legislation or changes affecting them.

Article 86 Processing and public access to official documents

Personal data in official documents held by a public authority or a public body or a private body for the performance of a task carried out in the public interest may be disclosed by the authority or body in accordance with the Union or Member State law to which the authority or body is subject, in order to reconcile public access to official documents with the right to the protection of personal data pursuant to this Regulation.

Article 87 Processing of the national identification number

Member States may further determine the specific conditions for the processing of a national identification number or any other identifier of general application. In that case, the national identification number or other identifier of general application shall be used only under appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation.

Article 88 Processing in the employment context

1. Member States may, by law or by collective agreements, provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees' personal data in the employment context, in particular for the purposes of recruitment, the performance of the contract of employment, including the discharge of obligations laid down by law or by collective agreements, the management, planning and organization of work, equality and diversity in the workplace, health and safety at work, the protection of the employer's or customers' property, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.

2. Those rules shall include suitable and specific measures to safeguard the data subject's human dignity, legitimate interests and fundamental rights, with particular regard to the transparency of processing, the transfer of personal data within a group of undertakings or a group of enterprises engaged in a joint economic activity, and monitoring systems at the workplace.

3. Each Member State shall notify the Commission of the provisions of its law adopted pursuant to paragraph 1 [within two years of the entry into force of this Regulation] and, without delay, of any subsequent amendment affecting them.

Article 89 Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

1. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organizational measures are in place, in particular in order to ensure respect for the principle of data minimization. Those measures may include pseudonymization, provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner.

2. Where personal data are processed for scientific or historical research purposes or statistical purposes, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18 and 21, subject to the conditions and safeguards referred to in paragraph 1 of this Article, in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.

3. Where personal data are processed for archiving purposes in the public interest, Union or Member State law may provide for derogations from the rights referred to in Articles 15, 16, 18, 19, 20 and 21, subject to the conditions and safeguards referred to in paragraph 1 of this Article, in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.

4. Where processing referred to in paragraphs 2 and 3 serves at the same time another purpose, the derogations shall apply only to processing for the purposes referred to in those paragraphs.

Article 90 Duty of confidentiality

1. Member States may adopt specific rules concerning the supervisory authorities established by national competent authorities, in relation to controllers or processors that are the entities referred to in points (3) and (f) of Article 58(1). Such specific rules may impose a professional duty of confidentiality or other equivalent duties where necessary and proportionate to reconcile the protection of personal data with the maintenance of confidentiality. Such rules shall apply to the controller or processor only insofar as the personal data are received in the course of, or as a result of, the activities to which the duty of confidentiality relates.

2. Each Member State shall inform the Commission [within two years of the entry into force of this Regulation] those legal provisions it has adopted pursuant to paragraph 1 and shall promptly inform the Commission of subsequent amendments affecting the provisions.

Article 91 Existing data protection rules for churches and religious associations

1. Comprehensive rules applicable in a Member State to the protection of natural persons with regard to processing by churches, religious associations or communities shall continue to apply after the entry into force of this Regulation, provided that they are consistent with this Regulation.

2. Churches and religious associations that apply comprehensive rules in accordance with paragraph 1 shall be subject to the supervision of an independent supervisory authority, which may be specifically designated provided that it fulfils the conditions set out in Chapter 6 of this Regulation.

Chapter 10 Delegated Acts and Implementing Acts

Article 92 Exercise of the delegation

1. The European Commission has the power to enact delegated acts, subject to the conditions set out in this Article.

2. The power to adopt delegated acts provided for in Articles 12(8) and 43(8) shall be conferred on the Commission for an indeterminate period of time from [the entry into force of this Regulation].

3. The delegation of power provided for in Articles 12(8) and 43(8) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the powers specified in that decision. It shall take effect on the day following the publication of the decision in the Official Journal of the European Union, or on a date specifically indicated in the decision. The decision to revoke shall not affect any delegated act that is already in force.

4. As soon as it adopts a delegated act, the European Commission shall notify it simultaneously to the European Parliament and to the Council of the European Union.

5. A delegated act adopted under Articles 12(8) and 43(8) shall enter into force only if neither the European Parliament nor the Council of the European Union has expressed an objection within three months of receiving notification of that act, or if, within those three months, both the European Parliament and the Council of the European Union have informed the European Commission that they will not object. This period may be extended by a further three months at the initiative of the European Parliament or the Council.

Article 93 Committee Procedure

1. The European Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

2. Where reference is made to this paragraph, Article 5 of Directive (EU) No 182/2011 shall apply.

3. Where reference is made to this paragraph, Article 8 of Directive (EU) No 182/2011 shall apply in conjunction with Article 5 of Directive (EU) No 182/2011.

Chapter 11 Final Provisions

Article 94 Repeal of Directive 95/46/EC

1. Directive 95/46/EC will be repealed [two years after this Regulation comes into force].

2. References to the repealed Directive shall be construed as references to this Regulation. References to the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Article 29 of Directive 95/46/EC shall be construed as references to the European Data Protection Board established by this Regulation.

Article 95 Relationship with Directive 2002/58/EC

This Regulation shall not impose additional obligations on natural or legal persons in relation to the provision of publicly available electronic communications services on public communications networks in the European Union, in respect of matters for which Directive 2002/58/EC already imposes specific obligations.

Article 96 Relationship with previously concluded agreements

International agreements between Member States concerning the transfer of personal data to third countries or international organizations that were concluded in compliance with the law applicable before [the entry into force of this Regulation] shall remain in force until amended, replaced or revoked.

Article 97 Report of the Committee

1. After [four years after the entry into force of this Regulation], and every four years thereafter, the Commission shall submit a report on the evaluation and review of this Regulation to the European Parliament and the Council. The report shall be made public.

2. In the context of the evaluation and review specified in paragraph 1, the Commission shall examine in particular the application and functioning of:

(a) Transfers of personal data to third countries or international organizations provided for in Chapter 5, in particular decisions taken pursuant to Article 45(3) of this Regulation and decisions taken pursuant to Article 25(6) of Directive 95/46/EC;

(b) Cooperation and consistency under Chapter 7.

3. In order to achieve the purposes of paragraph 1, the Commission may request relevant information from Member States and supervisory authorities.

4. For the purpose of carrying out the evaluation and review specified in paragraphs 1 and 2, the Council of the European Union shall take into account the positions and findings of the European Parliament, the Council of the European Union and other relevant bodies and stakeholders.

5. Where necessary, the Commission shall submit appropriate proposals to amend this Regulation, in particular taking into account developments in information technology and the state of progress of the information society.

Article 98 Review of other EU data protection legislation

If appropriate, the European Commission shall submit legislative proposals to amend other EU acts on the protection of personal data, in order to ensure uniform and consistent protection of natural persons with regard to processing. This concerns in particular the rules relating to the protection of natural persons with regard to processing by EU agencies, entities, offices and regulatory bodies, and the free movement of such data.

Article 99 Effectiveness and application

1. This Regulation shall enter into force twenty days after its publication in the Official Journal of the European Union.

2. It shall apply from [two years after the entry into force of this Regulation].

This Regulation shall be binding in its entirety and directly applicable in all Member States.


