In such cases, a data protection impact assessment should be carried out by the controller prior to the processing in order to assess the particular likelihood and severity of the high risk, taking into account the nature, scope, context and purposes of the processing and the sources of the risk. That impact assessment should include, in particular, the measures, safeguards and mechanisms envisaged for mitigating that risk, ensuring the protection of personal data and demonstrating compliance with this Regulation.