data of data subjects residing in the Union by a controller not established in the Union should be subject to this Regulation where the processing activities are related to the offering of goods or services, irrespective of whether connected to a payment or not, to such data subjects, or to the monitoring of such data subjects. In order to determine whether such a controller is offering goods or services to such data subjects in the Union, it should be ascertained whether it is apparent that the controller is envisaging the offering of services to data subjects residing in one or more Member States in the Union.

processing of personal data of data subjects residing in the Union by a controller not established in the Union should be subject to this Regulation where the processing activities are related to the offering of goods or services to such data subjects or to the monitoring of the behaviour of such data subjects irrespective of whether connected to a payment or not, which takes place in the Union. In order to determine whether such a controller is offering goods or services to such data subjects in the Union, it should be ascertained whether it is apparent that the controller is envisaging doing business with data subjects residing in one or more Member States in the Union. Whereas the mere accessibility of the controller’s or an intermediary’s website in the Union or of an email address and of other contact details or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, and/or the mentioning of customers or users residing in the Union, may make it apparent that the controller envisages offering goods or services to such data subjects in the Union.]
Whereas (21)
Text adopted by Parliament
Consolidated text of the Commission and Council
In order to determine whether a processing activity can be considered to ‘monitor’ data subjects, it should be ascertained whether individuals are tracked, regardless of the origins of the data, or if other data about them is collected, including from public registers and announcements in the Union that are accessible from outside of the Union, including with the intention to use, or potential of subsequent use of data processing techniques which consist of applying a ‘profile’, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.
[Where processing is carried out in compliance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority, the processing should have a legal basis in Union law or in the national law of a Member State law which meets the requirements of the Charter of Fundamental Rights of the European Union for any limitation of the rights and freedoms. It is should be also for Union or national law to determine the purpose of the processing. Furthermore, this basis could, specify the general conditions of the Regulation governing the lawfulness of data processing determine specifications for determining the controller, the type of data which are subject to the processing, the data subjects concerned, the entities to which the data may be disclosed, the purpose limitations, the storage period and other measures to ensure lawful and fair processing. It is should also be for Union or national law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public authority or another natural or legal person governed by public law, or by private law such as a professional association, where grounds of public interest so justify including for health purposes, such as public health and social protection and the management of health care services.]
The processing of personal data of data subjects residing in the Union by a controller not established in the Union should also be subject to this Regulation when it is related to the monitoring of their behaviour taking place within the European Union. In order to determine whether a processing activity can be considered to ‘monitor the behaviour’ of data subjects, it should be ascertained whether individuals are tracked on the internet with data processing techniques which consist of applying a ‘profile’ to profiling an individual, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.]
Whereas (22)
Text adopted by Parliament
Consolidated text of the Commission and Council
[not amended]
Where the national law of a Member State applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State's diplomatic mission or consular post.

[Where the national law of a Member State applies by virtue of public international law, this Regulation should also apply to a controller not established in the Union, such as in a Member State's diplomatic mission or consular post.]
Whereas (23)
Text adopted by Parliament
Consolidated text of the Commission and Council
The principles of data protection should apply to any information concerning an identified or identifiable natural person. To determine whether a person is identifiable, account should be taken of all the means reasonably likely to be used either by the controller or by any other person to identify or single out the individual directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the individual, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration both available technology at the time of the processing and technological development. The principles of data protection should therefore not apply to anonymous data, which is information that does not relate to an identified or identifiable natural person. This Regulation does therefore not concern the processing of such anonymous data, including for statistical and research purposes.

The principles of data protection should apply to any information concerning an identified or identifiable natural person. Data including pseudonymised data, which could be attributed to a natural person by the use of additional information, should be considered as information on an identifiable natural person. To determine whether a person is identifiable, account should be taken of all the means reasonably likely to be used either by the controller or by any other person to identify the individual directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the individual, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration both available technology at the time of the processing and technological development. The principles of data protection should therefore not apply to anonymous information, that is information which does not relate to an identified or identifiable natural person or to data rendered anonymous in such a way that the data subject is not or no longer identifiable. This Regulation does therefore not concern the processing of such anonymous information, including for statistical and research purposes. The principles of data protection should not apply to deceased persons, unless information on deceased persons is related to an identified or identifiable natural person.
Whereas (23a)
Text adopted by Parliament
Consolidated text of the Commission and Council
The application of pseudonymisation to data can reduce the risks for the data subjects concerned and help controllers and processors meet their data protection obligations. The explicit introduction of ‘pseudonymisation’ through the articles of this Regulation is thus not intended to preclude any other measures of data protection.
Comment: Proposal GER
Whereas (23b)
Text adopted by Parliament
Consolidated text of the Commission and Council
The general definition of pseudonymisation in Article 4 (3b) shall apply to all sectors that fall under the material scope of this Regulation. Numerous articles of this Regulation provide for a margin of manoeuvre for Member State law to define the circumstances of specific processing situations, including determining more precisely the conditions under which processing of personal data is lawful. National law may also provide for specific and suitable technical implementation measures for pseudonymisation and additional requirements for encryption.
Comment: Proposal GER
Whereas (23c)
Text adopted by Parliament
Consolidated text of the Commission and Council
As a general rule personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. However, where further processing takes place by using measures of pseudonymisation, it should not be considered as incompatible with the purpose for which the data have been initially collected as long as the data subject is not identified or identifiable (Art. 6 (3a) (f)).
Comment: Proposal GER
Whereas (23d)
Text adopted by Parliament
Consolidated text of the Commission and Council
(Re-)identification is the act of revealing individual data subjects in pseudonymised data sets. Individuals can be (re-)identified by cross-referencing pseudonymised data sets with a related set of data that includes identifiers or pseudonymisation keys or other data sources, using inference, deduction and/or correlation to identify individuals. The additional information for (re-)identification should be kept separately and should be subject to technical and organisational measures to ensure non-attribution. Under specific circumstances (re-)identification of the data subject should be allowed if the controller demonstrates compelling legitimate grounds which override the interests or fundamental rights and freedoms of the data subject. The controller shall consider all the determinants of risk and assess whether a threat to the data subject exists. In addition to stronger pseudonymisation techniques, controllers shall put in place stringent administrative and legal safeguards to minimize the risk of (re-)identification. Any unlawful (re-)identification constitutes an infringement or violation and should be subject to appropriate, proportionate and effective sanctions including compensation for damages suffered as a result of an infringement of data protection rules.
Comment: Proposal GER
Whereas (23e)
Text adopted by Parliament
Consolidated text of the Commission and Council
This Regulation shall not prescribe particular safeguards, but shall provide for a broad range of measures to consider in a privacy impact assessment as appropriate for a particular data analysis. The broad approach to safeguards shall include the use of encryption, trusted third-party arrangements, use of pseudonymisation keys and arrangement for separation and security of decryption keys within the organisation of a controller or among several controllers, contractual restrictions on the disclosure of data, training of staff with access to the data, professional secrecy or other confidentiality obligations, personal background checks for those granted access to the data.
Comment: Proposal GER
Whereas (23f)
Text adopted by Parliament
Consolidated text of the Commission and Council
In order to create incentives for pseudonymisation, measures of pseudonymisation whilst allowing general analysis shall be possible within the same controller when the controller has taken technical and organisational measures necessary to ensure that the provisions of this Regulation are implemented. The concrete requirements for those measures shall depend on the respective data processing so that the personal data remain pseudonymised. The controller who processes the data within the meaning of Art. 4 (3b) shall also refer to authorised persons within the same controller. In this case however the controller shall make sure that the individual(s) performing the pseudonymisation are not referenced in the meta-data.
Comment: Proposal GER
Whereas (24)
Text adopted by Parliament
Consolidated text of the Commission and Council
This Regulation should be applicable to processing involving identifiers provided by devices, applications, tools and protocols, such as Internet Protocol addresses, cookie identifiers and Radio Frequency Identification tags, unless those identifiers do not relate to an identified or identifiable natural person.

Art. 7a gives data subjects the right to use aliases in information society services and serves two purposes: the effective exercise and enforcement of their right to freedom of expression within the framework of this Regulation and the ascertainment of the principles stipulated in Article 5 of this Regulation, namely data economy and use of pseudonymised data where applicable. The freedom to use blogs, forums and social networks and hold opinions is an expression of the rights conferred in Art. 11 of the Charter of Fundamental Rights of the European Union. The exercise of this right however shall not preclude necessary measures of criminal proceedings, especially measures to combat cyber-crime.]
Comment: Proposal GER (with the same number as next point)

Whereas (24)
Text adopted by Parliament
Consolidated text of the Commission and Council
When using online services, individuals may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses or cookie identifiers. This may leave traces which, when combined with unique identifiers and other information received by the servers, may be used to create profiles of the individuals and identify them. It follows that identification numbers, location data, online identifiers or other specific factors as such need not necessarily be considered as personal data in all circumstances. Identification numbers, location data, online identifiers or other specific factors as such should not be considered as personal data if they do not identify an individual or make an individual identifiable.
Whereas (25)
Text adopted by Parliament
Consolidated text of the Commission and Council
Consent should be given explicitly by any appropriate method enabling a freely given specific and informed indication of the data subject's wishes, either by a statement or by a clear affirmative action that is the result of choice by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data. Clear affirmative action could include ticking a box when visiting an Internet website or any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data. Silence, mere use of a service or inactivity should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject's consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

Consent should be given explicitly unambiguously by any appropriate method enabling a freely given, specific and informed indication of the data subject's wishes, either by a written, oral or other statement or by a clear affirmative action by the data subject ensuring that individuals are aware that they give their consent to the processing of personal data, including by signifying his or her agreement to personal data relating to him or her being processed. This could include ticking a box when visiting an Internet website or any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data. Silence or inactivity should therefore not constitute consent. Where it is technically feasible and effective, the data subject's consent to processing may be given by using the appropriate settings of a browser or other application. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, unambiguous consent should be granted for all of the processing purposes. If the data subject's consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
Whereas (25a)
Text adopted by Parliament
Consolidated text of the Commission and Council
Genetic data should be defined as personal data relating to the genetic characteristics of an individual which have been inherited or acquired as they result from an analysis of a biological sample from the individual in question, in particular by chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis or analysis of any other element enabling equivalent information to be obtained.
Whereas (26)
Text adopted by Parliament
Consolidated text of the Commission and Council
[not amended]
Personal data relating to health should include in particular all data pertaining to the health status of a data subject; information about the registration of the individual for the provision of health services; information about payments or eligibility for healthcare with respect to the individual; a number, symbol or particular assigned to an individual to uniquely identify the individual for health purposes; any information about the individual collected in the course of the provision of health services to the individual; information derived from the testing or examination of a body part or bodily substance, including biological samples; identification of a person as provider of healthcare to the individual; or any information on e.g. a disease, disability, disease risk, medical history, clinical treatment, or the actual physiological or biomedical state of the data subject independent of its source, such as e.g. from a physician or other health professional, a hospital, a medical device, or an in vitro diagnostic test.

Personal data relating concerning health should include in particular all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health of the data subject; including information about the registration of the individual for the provision of health; services information about payments or eligibility for healthcare with respect to the individual; a number, symbol or particular assigned to an individual to uniquely identify the individual for health purposes; any information about the individual collected in the course of the provision of health services to the individual; information derived from the testing or examination of a body part or bodily substance, including genetic data and biological samples; identification of a person as provider of healthcare to the individual; or any information on for example a disease, disability, disease risk, medical history, clinical treatment, or the actual physiological or biomedical state of the data subject independent of its source, such as for example from a physician or other health professional, a hospital, a medical device, or an in vitro diagnostic test.
Whereas (27)
Text adopted by Parliament
Consolidated text of the Commission and Council
[not amended]
The main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes, conditions and means of processing through stable arrangements. This criterion should not depend whether the processing of personal data is actually carried out at that location; the presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute such main establishment and are therefore no determining criteria for a main establishment. The main establishment of the processor should be the place of its central administration in the Union.

The main establishment of a controller in the Union should be the place of its central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union. In this case the latter should be considered as the main establishment. The main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes conditions and means of processing through stable arrangements. This criterion should not depend on whether the processing of personal data is actually carried out at that location; the presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute such main establishment and are therefore not determining criteria for a main establishment. The main establishment of the processor should be the place of its central administration in the Union and, if it has no central administration in the Union, the place where the main processing activities take place in the Union. Where the processing is carried out by a group of undertakings, the main establishment of the controlling undertaking should be considered as the main establishment of the group of undertakings, except where the purposes and means of processing are determined by another undertaking.
Whereas (28)
Text adopted by Parliament
Consolidated text of the Commission and Council
[not amended]
A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exercise a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation

A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exercise a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented.