Art. 1
Subject-matter and objectives
Rules for:
protection of natural persons with regard to the processing of PD
free movement of PD
Protects
fundamental rights and freedoms of natural persons
right to the protection of PD.
Art. 2
Material scope
GDPR applies to
processing of PD wholly or partly by automated means
processing of PD other than by automated means, where the PD form part of a filing system
GDPR does not apply to
activities outside the scope of Union Law
activities of Member States regarding security in the Union
purely personal or household activities
activities relating to the prevention, investigation, detection, or prosecution of criminal offenses or the execution of criminal penalties
Art. 3
Territorial Scope
processing of PD by a controller or a processor established in the Union
processing of PD of data subjects who are in the Union, where the processing activities are related to:
offering of goods or services
monitoring of their behaviour if their behaviour takes place within the Union
processing of PD by a controller not established in the Union, but in a place where Member State law applies
Art. 4
Personal Data (PD)
Processing
Restriction of processing
Profiling
Pseudonymization
filing system
controller
processor
recipient
third party
consent
personal data breach
genetic data
biometric data
data concerning health
….
Art. 5 (1)
PD shall be:
a. lawfulness, fairness and transparency: processed lawfully, fairly and in a transparent manner
b. purpose limitation: collected for specified, explicit, and legitimate purposes
c. data minimisation: adequate, relevant, and limited to what is necessary
d. accuracy: accurate and, where necessary, kept up to date
e. storage limitation: PD kept for no longer than is necessary
f. integrity and confidentiality: appropriate security of the PD while processing
Art. 5 (2)
Accountability:
The controller shall be responsible for, and be able to demonstrate compliance with, Art. 5(1)
Art. 6
Lawfulness of processing
1) at least one of the following applies:
consent for one or more specific purposes
performance of a contract
compliance with a legal obligation
protect vital interests of the data subject or another
performance of a task carried out in the public interest or in the exercise of official authority
legitimate interests of the controller
2) Member States may maintain or introduce more specific provisions to adapt the application of the rules
Art. 7
Conditions for consent
controller shall be able to demonstrate that the data subject has consented to processing of PD
If the consent is given in the context of a written declaration that also concerns other matters, the request for consent shall be presented clearly distinguishable from the other matters
data subject shall have the right to withdraw consent at any time
When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Art. 8
Child's consent
processing of PD of a child shall be lawful where the child is at least 16 years old
below the age of 16 years, consent is needed from the holder of parental responsibility
controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology
Art. 9 (1)
Special categories of personal data
racial or ethnic origin
political opinions
religious or philosophical beliefs
trade union membership
health
sex life or sexual orientation
Art. 9 (2)
The processing of special category personal data is allowed if one of the following applies:
explicit consent
exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection
necessary to protect the vital interests of the data subject or of another
legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim
personal data made public by the data subject
necessary for the establishment, exercise or defence of legal claims
substantial public interest
necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment
public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care
necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
Art. 10
Processing of personal data relating to criminal convictions and offences
Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.
Art. 11
Processing which does not require identification
the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Regulation
where the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible
Art. 12
Transparent information, communication and modalities
The controller shall…
provide any information and any communication relating to processing in a concise, transparent, intelligible, and easily accessible form, using clear and plain language
facilitate the exercise of data subject rights
not refuse to act on the request of the data subject for exercising his or her rights unless the controller demonstrates that it is not in a position to identify the data subject
provide information on action taken on a request to the data subject without undue delay and in any event within one month of receipt of the request
where the one-month period is extended, inform the data subject of the extension within one month of receipt of the request, together with the reasons for the delay
inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action
information shall be provided free of charge
Art. 13 (1)
Information to be provided where personal data are collected from the data subject:
a. identity and contact details of the controller
b. contact details of the data protection officer, where applicable
c. purposes of the processing for which the personal data are intended as well as the legal basis for the processing
d. where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller
e. recipients or categories of recipients of the personal data
f. where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation
Art. 13 (2)
Additional information to be provided when personal data are obtained from the data subject (ensuring fair and transparent processing):
period for which the personal data will be stored
existence of the right of access, right to rectification, right to erasure, right to restriction, the right to object and the right to data portability
existence of the right to withdraw consent at any time (if processing is based on consent under Art. 6(1) or 9(2))
right to lodge a complaint with a supervisory authority
whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract
existence of automated decision-making, including profiling
Art. 14 (1)
Information to be provided where personal data have not been obtained from the data subject:
d. the categories of personal data concerned
Art. 14(2)
Additional information to be provided when personal data have not been obtained from the data subject (ensuring fair and transparent processing):
legitimate interests pursued by controller or third party
existence of the right of access, right to rectification, right to erasure, right to restriction and the right to object and the right to data portability
from which source the personal data originate, and if applicable, whether it came from publicly accessible sources
Art. 15
Right of access
The data subject shall have the right to obtain access to the personal data and the following information:
purposes of the processing
categories of personal data concerned
recipients or categories of recipients to whom the personal data will be disclosed
envisaged period for which the personal data will be stored
existence of the right to request rectification or erasure, the right to restriction of processing and the right to object
where the personal data are not collected from the data subject, any available information as to their source
Art. 16
Right to rectification
right to obtain the rectification of inaccurate personal data concerning the data subject
without undue delay
right to complete incomplete personal data, including by providing a supplementary statement
Art. 17 (1)
Right to erasure (‘right to be forgotten’)
right to obtain the erasure of PD concerning the data subject without undue delay
controller shall have the obligation to erase PD without undue delay where one of the following grounds applies:
PD are no longer necessary in relation to the purposes for which they were collected
the data subject withdraws consent on which the processing is based
the data subject objects to the processing, and there are no overriding legitimate grounds for the processing
PD have been unlawfully processed
PD have to be erased for compliance with a legal obligation
PD have been collected in relation to the offer of information society services referred to in Article 8(1).
Art. 17(3)
The right to erasure (right to be forgotten) does not apply to the extent that processing is necessary:
exercising the right of freedom of expression and information
compliance with a legal obligation which requires processing by Union or Member State law
reasons of public interest in the area of public health
archiving purposes in the public interest, scientific or historical research purposes
establishment, exercise or defence of legal claims
Art. 18
Right to restriction of processing
The data subject shall have the right to restriction of processing where one of the following applies:
accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data
the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead
the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims
the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject
Art. 19
Notification obligation regarding rectification or erasure of personal data or restriction of processing
The controller shall
communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed
inform the data subject about those recipients if the data subject requests it.
Art. 20
Right to data portability
The data subject shall have
the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format
the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
the processing is based on consent or on a contract
the processing is carried out by automated means
Art. 21
Right to object
The data subject shall have the right to object at any time to processing of PD which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions.
The controller shall no longer process the PD unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where PD are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of PD concerning him or her for such marketing, including profiling to the extent that it is related to such direct marketing
Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes
Art. 22
Automated individual decision-making, including profiling
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling
Paragraph 1 shall not apply if the decision:
is necessary for entering into, or performance of, a contract
is authorised by Union or Member State law
is based on the data subject’s explicit consent.
The data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests
Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.
Art. 23
Restrictions
Union or Member State law to which the controller or processor is subject may restrict by way of a legislative measure the scope of data subjects' rights, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
national security
defence
public security
the prevention, investigation, detection or prosecution of criminal offences or execution of criminal penalties
other important objectives of general public interest of the Union or of a Member State
protection of judicial independence and judicial proceedings
prevention, investigation, detection and prosecution of breaches of ethics for regulated professions
a monitoring, inspection or regulatory function connected
the protection of the data subject or the rights and freedoms of others
the enforcement of civil law claims
Last changed 2 years ago