Article 23
Text adopted by Parliament
Consolidated text of the Commission and Council

Data protection by design and by default

1. Having regard to the state of the art, current technical knowledge, international best practices and the risks represented by the data processing, the controller and the processor, if any, shall, both at the time of the determination of the purposes and means for processing and at the time of the processing itself, implement appropriate and proportionate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular with regard to the principles laid out in Article 5. Data protection by design shall have particular regard to the entire lifecycle management of personal data from collection to processing to deletion, systematically focusing on comprehensive procedural safeguards regarding the accuracy, confidentiality, integrity, physical security and deletion of personal data. Where the controller has carried out a data protection impact assessment pursuant to Article 33, the results shall be taken into account when developing those measures and procedures.

1a. In order to foster its widespread implementation in different economic sectors, data protection by design shall be a prerequisite for public procurement tenders according to Directive 2004/18/EC of the European Parliament and of the Council [1] as well as according to Directive 2004/17/EC of the European Parliament and of the Council [2] (Utilities Directive).

2. The controller shall ensure that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected, retained or disseminated beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals and that data subjects are able to control the distribution of their personal data.

[1] Directive 2004/18/EC of the European Parliament and of the Council of 31 March 2004 on the coordination of procedures for the award of public works contracts, public supply contracts and public service contracts (OJ L 134, 30.4.2004, p. 114).
Data protection by design and by default [8]

(The consolidated column is a tracked-changes text: where the Commission wording and the Council's amendment appear one after the other, the marking of which words are deleted and which are inserted, strikethrough and underline in the original, is not reproduced here.)

1. Having regard to the state of art available technology and the cost of implementation and taking account of the nature, scope, context and purposes of the processing as well as the likelihood and severity of the risk for rights and freedoms of individuals posed by the processing, the controller shall both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures appropriate to the processing activity being carried on and its objectives, (including minimisation and pseudonymisation) [9], in such a way that the processing will meet the requirements of this Regulation and ensure the protection of protect the rights of the data subjects. [10]

2. The controller shall implement mechanisms appropriate measures for ensuring that, by default, only those personal data are processed which are necessary [11] for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage are processed; this applies to the amount of data collected, the extent of their processing, the period of their storage and their accessibility. In particular, Where the purpose of the processing is not intended to provide the public with information, those mechanisms shall ensure that by default personal data are not made accessible without human intervention to an indefinite number of individuals.

2a. An approved certification mechanism pursuant to Article 39 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2.

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of specifying any further criteria and requirements for appropriate measures and mechanisms referred to in paragraph 1 and 2, in particular for data protection by design requirements applicable across sectors, products and services.

4. The Commission may lay down technical standards for the requirements laid down in paragraph 1 and 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2). ] [12]

[2] Directive 2004/17/EC of the European Parliament and of the Council of 31 March 2004 coordinating the procurement procedures of entities operating in the water, energy, transport and postal services sector (OJ L 134, 30.4.2004, p. 1).
Article 24
Text adopted by Parliament
Consolidated text of the Commission and Council

Joint controllers

Where several controllers jointly determine the purposes and means of the processing of personal data, the joint controllers shall determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the procedures and mechanisms for exercising the rights of the data subject, by means of an arrangement between them. The arrangement shall duly reflect the joint controllers' respective effective roles and relationships vis-à-vis data subjects, and the essence of the arrangement shall be made available for the data subject. In case of unclarity of the responsibility, the controllers shall be jointly and severally liable.

Joint controllers [13]

1. Where a controller determines the purposes, conditions and means of the processing of personal data jointly with others, the two or more controllers determine the purposes and means of the processing of personal data, they are joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the procedures and mechanisms for exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 14 and 14a, by means of an arrangement between them [14] unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement shall designate which of the joint controllers shall act as single point of contact for data subjects to exercise their rights.

2. Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.

3. The arrangement shall duly reflect the joint controllers' respective effective roles and relationships vis-à-vis data subjects, and the essence of the arrangement shall be made available for the data subject. Paragraph 2 does not apply where the data subject has been informed in a transparent and unequivocal manner which of the joint controllers is responsible, unless such arrangement other than one determined by Union or Member State law is unfair with regard to his or her rights. ] [15]
Article 25
Text adopted by Parliament
Consolidated text of the Commission and Council

Representatives of controllers not established in the Union

1. In the situation referred to in Article 3(2), the controller shall designate a representative in the Union.

2. This obligation shall not apply to:

(a) a controller established in a third country where the Commission has decided that the third country ensures an adequate level of protection in accordance with Article 41; or

(b) a controller processing personal data which relates to less than 5000 data subjects during any consecutive 12-month period and not processing special categories of personal data as referred to in Article 9(1), location data or data on children or employees in large-scale filing systems; or

(c) a public authority or body; or

(d) a controller only occasionally offering goods or services to data subjects in the Union, unless the processing of personal data concerns special categories of personal data as referred to in Article 9(1), location data or data on children or employees in large-scale filing systems.

3. The representative shall be established in one of those Member States where the offering of goods or services to the data subjects, or the monitoring of them, take place.

4. The designation of a representative by the controller shall be without prejudice to legal actions which could be initiated against the controller itself.

Representatives of controllers not established in the Union [16]

1. In the situation referred to in Where Article 3(2) applies, the controller shall designate in writing a representative in the Union [17].

2. This obligation shall not apply to:

(a) a controller established in a third country where the Commission has decided that the third country ensures an adequate level of protection in accordance with Article 41 [18]; or

(b) an enterprise employing fewer than 250 persons processing which is occasional [19] and unlikely to result in a risk for the rights and freedoms of individuals, taking into account the nature, context, scope and purposes of the processing; or

(c) a public authority or body [20]; or

(d) a controller offering only occasionally goods or services to data subjects residing in the Union. [21]

3. The representative shall be established in one of those Member States where the data subjects whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, reside.

3a. The representative shall be mandated by the controller to be addressed in addition to or instead of the controller by, in particular, supervisory authorities and data subjects, on all issues related to the processing of personal data, for the purposes of ensuring compliance with this Regulation.

4. The designation of a representative by the controller shall be without prejudice to legal actions which could be initiated against the controller itself. ] [22]
Article 26
Text adopted by Parliament
Consolidated text of the Commission and Council

Processor

1. Where processing is to be carried out on behalf of a controller, the controller shall choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organizational measures governing the processing to be carried out and shall ensure compliance with those measures.

2. The carrying out of processing by a processor shall be governed by a contract or other legal act binding the processor to the controller. The controller and the processor shall be free to determine respective roles and tasks with respect to the requirements of this Regulation, and shall provide that the processor shall:

(a) process personal data only on instructions from the controller, unless otherwise required by Union law or Member State law;

(b) employ only staff who have committed themselves to confidentiality or are under a statutory obligation of confidentiality;

(c) take all required measures pursuant to Article 30;

(d) determine the conditions for enlisting another processor only with the prior permission of the controller, unless otherwise determined;

(e) insofar as this is possible given the nature of the processing, create in agreement with the controller the appropriate and relevant technical and organisational requirements for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;

(f) assist the controller in ensuring compliance with the obligations pursuant to Articles 30 to 34, taking into account the nature of processing and the information available to the processor;

(g) return all results to the controller after the end of the processing, not process the personal data otherwise and delete existing copies unless Union or Member State law requires storage of the data;

(h) make available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow on-site inspections;

3. The controller and the processor shall document in writing the controller's instructions and the processor's obligations referred to in paragraph 2.

3a. The sufficient guarantees referred to in paragraph 1 may be demonstrated by adherence to codes of conduct or certification mechanisms pursuant to Articles 38 or 39 of this Regulation.

4. If a processor processes personal data other than as instructed by the controller or becomes the determining party in relation to the purposes and means of data processing, the processor shall be considered to be a controller in respect of that processing and shall be subject to the rules on joint controllers laid down in Article 24.

Processor [23]

1. Where a processing operation is to be carried out on behalf of a controller, [24] The controller shall choose a use only processors providing sufficient guarantees [25] to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organizational measures governing the processing to be carried out and shall ensure compliance with those measures [26].

1a. The processor shall not enlist another processor without the prior specific or general written consent of the controller. In the latter case, the processor should always inform the controller on any intended changes concerning the addition or replacement of other processors, thereby giving the opportunity to the controller to object to such changes. [27]

2. The carrying out of processing by a processor shall be governed by a contract or other a legal act [28] under Union or Member State law binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, the rights of controller and stipulating, in particular that the processor shall:

(a) act process the personal data only on instructions from the controller, in particular, where the transfer of the personal data used is prohibited unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement, before processing the data, unless that law prohibits such information on important grounds of public interest;

(b) employ only staff who have committed themselves to confidentiality or are under a statutory obligation of confidentiality;

(c) take all required measures required pursuant to Article 30;

(d) respect the conditions for enlisting another processor only with the such as a requirement of specific prior permission of the controller;

(e) insofar as this is possible given, taking into account the nature of the processing, create in agreement with the controller the necessary technical and organisational requirements for the fulfilment of the controller's obligation to assist the controller in responding to requests for exercising the data subject's rights laid down in Chapter III;

(f) assist the controller in ensuring compliance with the obligations pursuant to Articles 30 to 34;

(g) hand over all results to the controller after the end of the processing and not process the personal data otherwise; return or delete, at the choice of the controller, the personal data upon the termination of the provision of data processing services specified in the contract or other legal act, unless there is a requirement to store the data under Union or Member State law to which the processor is subject;

(h) make available to the controller and the supervisory authority all information necessary to control demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits conducted by the controller.

The processor shall immediately inform the controller if, in his opinion, an instruction breaches this Regulation or Union or Member State data protection provisions.

2a. Where a processor enlists another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 2 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law [29], in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a way that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.

2aa. Adherence of the processor to an approved code of conduct pursuant to Article 38 or an approved certification mechanism pursuant to Article 39 [30] may be used as an element to demonstrate sufficient guarantees referred to in paragraphs 1 and 2a.

2ab. Without prejudice to an individual contract between the controller and the processor, the contract or the other legal act referred to in paragraphs 2 and 2a may be based, in whole or in part, on standard contractual clauses referred to in paragraphs 2b