38
15039/15
VH/np
32
ANNEX
DGD 2C
LIMITE
EN
(58) The data subject should have the right not to be subject to a decision, which may include a
measure, evaluating personal aspects relating to him or her which is based solely on
automated processing, which produces legal effects concerning him or her or similarly
significantly affects him or her, like automatic refusal of an on-line credit application or e-
recruiting practices without any human intervention. Such processing includes also 'profiling'
consisting in any form of automated processing of personal data evaluating personal aspects
relating to a natural person, in particular to analyse or predict aspects concerning performance
at work, economic situation, health, personal preferences or interests, reliability or behaviour,
location or movements as long as it produces legal effects concerning him or her or similarly
significantly affects him or her. However, decision making based on such processing,
including profiling, should be allowed when expressly authorised by Union or Member State
law, to which the controller is subject, including for fraud and tax evasion monitoring and
prevention purposes conducted in accordance with the regulations, standards and
recommendations of EU institutions or national oversight bodies and to ensure the security
and reliability of a service provided by the controller, or necessary for the entering or
performance of a contract between the data subject and a controller, or when the data subject
has given his or her explicit consent. In any case, such processing should be subject to
suitable safeguards, including specific information of the data subject and the right to obtain
human intervention and that such measure should not concern a child, to express his or her
point of view, to get an explanation of the decision reached after such assessment and the
right to contest the decision. In order to ensure fair and transparent processing in respect of
the data subject, having regard to the specific circumstances and context in which the personal
data are processed, the controller should use adequate mathematical or statistical procedures
for the profiling, implement technical and organisational measures appropriate to ensure in
particular that factors which result in data inaccuracies are corrected and the risk of errors is
minimized, secure personal data in a way which takes account of the potential risks involved
for the interests and rights of the data subject and which prevents inter alia discriminatory
effects against individuals on the basis of race or ethnic origin, political opinions, religion or
beliefs, trade union membership, genetic or health status, sexual orientation or that result in
measures having such effect. Automated decision making and profiling based on special
categories of personal data should only be allowed under specific conditions.
(58a) Profiling as such is subject to the rules of this Regulation governing processing of personal
data, such as legal grounds of processing or data protection principles. The European Data
Protection Board should have the possibility to issue guidance in this context.
(59) Restrictions on specific principles and on the rights of information, access, rectification and
erasure or on the right to data portability, the right to object, decisions based on profiling, as
well as on the communication of a personal data breach to a data subject and on certain
related obligations of the controllers may be imposed by Union or Member State law, as far as
necessary and proportionate in a democratic society to safeguard public security, including the
protection of human life especially in response to natural or man-made disasters, the
prevention, investigation and prosecution of criminal offences or the execution of criminal
penalties, including the safeguarding against and the prevention of threats to public security,
or of breaches of ethics for regulated professions, other public interests of the Union or of a
Member State, in particular an important economic or financial interest of the Union or of a
Member State, the keeping of public registers kept for reasons of general public interest,
further processing of archived personal data to provide specific information related to the
political behaviour under former totalitarian state regimes or the protection of the data subject
or the rights and freedoms of others, including social protection, public health and
humanitarian purposes. Those restrictions should be in compliance with requirements set out
by the Charter of Fundamental Rights of the European Union and by the European
Convention for the Protection of Human Rights and Fundamental Freedoms.
(60) The responsibility and liability of the controller for any processing of personal data carried
out by the controller or on the controller's behalf should be established. In particular, the
controller should be obliged to implement appropriate and effective measures and be able to
demonstrate the compliance of processing activities with this Regulation, including the
effectiveness of the measures. These measures should take into account the nature, scope,
context and purposes of the processing and the risk for the rights and freedoms of individuals.
(60a) Such risks, of varying likelihood and severity, may result from data processing which could
lead to physical, material or moral damage, in particular where the processing may give rise to
discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of
confidentiality of data protected by professional secrecy, unauthorized reversal of
pseudonymisation, or any other significant economic or social disadvantage; or where data
subjects might be deprived of their rights and freedoms or from exercising control over their
personal data; where personal data are processed which reveal racial or ethnic origin, political
opinions, religion or philosophical beliefs, trade-union membership, and the processing of
genetic data or data concerning health or sex life or criminal convictions and offences or
related security measures; where personal aspects are evaluated, in particular analysing or
prediction of aspects concerning performance at work, economic situation, health, personal
preferences or interests, reliability or behaviour, location or movements, in order to create or
use personal profiles; where personal data of vulnerable individuals, in particular of children,
are processed; where processing involves a large amount of personal data and affects a large
number of data subjects.
(60b) The likelihood and severity of the risk for the rights and freedoms of the data subject should
be determined in function of the nature, scope, context and purposes of the data processing.
Risk should be evaluated based on an objective assessment, by which it is established whether
data processing operations involve a risk or a high risk.
(60c) Guidance for the implementation of appropriate measures, and for demonstrating the
compliance by the controller or processor, especially as regards the identification of the risk
related to the processing, their assessment in terms of their origin, nature, likelihood and
severity, and the identification of best practices to mitigate the risk, could be provided in
particular by approved codes of conduct, approved certifications, guidelines of the European
Data Protection Board or through the indications provided by a data protection officer. The
European Data Protection Board may also issue guidelines on processing operations that are
considered to be unlikely to result in a high risk for the rights and freedoms of individuals and
indicate what measures may be sufficient in such cases to address such risk.
(61) The protection of the rights and freedoms of individuals with regard to the processing of
personal data requires that appropriate technical and organisational measures are taken to
ensure that the requirements of this Regulation are met. In order to be able to demonstrate
compliance with this Regulation, the controller should adopt internal policies and implement
measures, which meet in particular the principles of data protection by design and data
protection by default. Such measures could consist inter alia of minimising the processing of
personal data, pseudonymising personal data as soon as possible, transparency with regard to
the functions and processing of personal data, enabling the data subject to monitor the data
processing, enabling the controller to create and improve security features. When developing,
designing, selecting and using applications, services and products that are either based on the
processing of personal data or process personal data to fulfil their task, producers of the
products, services and applications should be encouraged to take into account the right to data
protection when developing and designing such products, services and applications and, with
due regard to the state of the art, to make sure that controllers and processors are able to fulfil
their data protection obligations. The principles of data protection by design and by default
should also be taken into consideration in the context of public tenders.
(62) The protection of the rights and freedoms of data subjects as well as the responsibility and
liability of controllers and processors, also in relation to the monitoring by and measures of
supervisory authorities, requires a clear attribution of the responsibilities under this
Regulation, including where a controller determines the purposes, and means of the
processing jointly with other controllers or where a processing operation is carried out on
behalf of a controller.
(63) Where a controller or a processor not established in the Union is processing personal data of
data subjects who are in the Union whose processing activities are related to the offering of
goods or services, irrespective of whether a payment of the data subject is required, to such
data subjects in the Union, or to the monitoring of their behaviour as far as their behaviour
takes place within the Union, the controller or the processor should designate a representative,
unless the processing is occasional, does not include processing, on a large scale, of special
categories of data as referred to in Article 9(1) or processing of data relating to criminal
convictions and offences referred to in Article 9a, and is unlikely to result in a risk for the
rights and freedoms of individuals, taking into account the nature, context, scope and
purposes of the processing or if the controller is a public authority or body. The representative
should act on behalf of the controller or the processor and may be addressed by any
supervisory authority. The representative should be explicitly designated by a written mandate
of the controller or the processor to act on its behalf with regard to the latter's obligations
under this Regulation. The designation of such representative does not affect the
responsibility and liability of the controller or the processor under this Regulation. Such
representative should perform its tasks according to the received mandate from the controller,
including to cooperate with the competent supervisory authorities on any action taken in
ensuring compliance with this Regulation. The designated representative should be subjected
to enforcement actions in case of non-compliance by the controller.
(63a) To ensure compliance with the requirements of this Regulation in respect of the processing to
be carried out by the processor on behalf of the controller, when entrusting a processor with
processing activities, the controller should use only processors providing sufficient
guarantees, in particular in terms of expert knowledge, reliability and resources, to implement
technical and organisational measures which will meet the requirements of this Regulation,
including for the security of processing. Adherence of the processor to an approved code of
conduct or an approved certification mechanism may be used as an element to demonstrate
compliance with the obligations of the controller. The carrying out of processing by a
processor should be governed by a contract or other legal act under Union or Member State
law, binding the processor to the controller, setting out the subject-matter and duration of the
processing, the nature and purposes of the processing, the type of personal data and categories
of data subjects, taking into account the specific tasks and responsibilities of the processor in
the context of the processing to be carried out and the risk for the rights and freedoms of the
data subject. The controller and processor may choose to use an individual contract or
standard contractual clauses which are adopted either directly by the Commission or by a
supervisory authority in accordance with the consistency mechanism and then adopted by the
Commission. After the completion of the processing on behalf of the controller, the processor
should, at the choice of the controller, return or delete the personal data, unless there is a
requirement to store the data under Union or Member State law to which the processor is
subject.
(64) (…)
(65) In order to demonstrate compliance with this Regulation, the controller or processor should
maintain records of processing activities under its responsibility. Each controller and
processor should be obliged to co-operate with the supervisory authority and make these
records, on request, available to it, so that it might serve for monitoring those processing
operations.
(66) In order to maintain security and to prevent processing in breach of this Regulation, the
controller or processor should evaluate the risks inherent to the processing and implement
measures to mitigate those risks, such as encryption. These measures should ensure an
appropriate level of security including confidentiality, taking into account the state of the art
and the costs of implementation in relation to the risks and the nature of the personal data to
be protected. In assessing data security risk, consideration should be given to the risks that are
presented by data processing, such as accidental or unlawful destruction, loss, alteration,
unauthorised disclosure of, or access to personal data transmitted, stored or otherwise
processed, which may in particular lead to physical, material or moral damage.
(66a) In order to enhance compliance with this Regulation in cases where the processing operations
are likely to result in a high risk for the rights and freedoms of individuals, the controller
should be responsible for the carrying out of a data protection impact assessment to evaluate,
in particular, the origin, nature, particularity and severity of this risk. The outcome of the
assessment should be taken into account when determining the appropriate measures to be
taken in order to demonstrate that the processing of personal data is in compliance with this
Regulation. Where a data protection impact assessment indicates that processing operations
involve a high risk which the controller cannot mitigate by appropriate measures in terms of
available technology and costs of implementation, a consultation of the supervisory authority
should take place prior to the processing.
(67) A personal data breach may, if not addressed in an adequate and timely manner, result in
physical, material or moral damage to individuals such as loss of control over their personal
data or limitation of their rights, discrimination, identity theft or fraud, financial loss,
unauthorized reversal of pseudonymisation, damage to the reputation, loss of confidentiality
of data protected by professional secrecy or any other economic or social disadvantage to the
individual concerned. Therefore, as soon as the controller becomes aware that a personal data
breach has occurred, the controller should without undue delay and, where feasible, not later
than 72 hours after having become aware of it, notify the personal data breach to the
competent supervisory authority, unless the controller is able to demonstrate, in accordance
with the accountability principle, that the personal data breach is unlikely to result in a risk for
the rights and freedoms of individuals. Where this cannot be achieved within 72 hours, an
explanation of the reasons for the delay should accompany the notification and information
may be provided in phases without undue further delay.
(67a new) The individuals should be notified without undue delay if the personal data breach is
likely to result in a high risk for the rights and freedoms of individuals, in order to allow
them to take the necessary precautions. The notification should describe the nature of the
personal data breach as well as recommendations for the individual concerned to mitigate
potential adverse effects. Notifications to data subjects should be made as soon as reasonably
feasible, and in close cooperation with the supervisory authority and respecting guidance
provided by it or other relevant authorities (e.g. law enforcement authorities). For example,
the need to mitigate an immediate risk of damage would call for a prompt notification of data
subjects whereas the need to implement appropriate measures against continuing or similar
data breaches may justify a longer delay.
(68) It must be ascertained whether all appropriate technological protection and organisational
measures have been implemented to establish immediately whether a personal data breach has
taken place and to inform promptly the supervisory authority and the data subject. The fact
that the notification was made without undue delay should be established taking into account
in particular the nature and gravity of the personal data breach and its consequences and
adverse effects for the data subject. Such notification may result in an intervention of the
supervisory authority in accordance with its tasks and powers laid down in this Regulation.
(68a) (…)
(69) In setting detailed rules concerning the format and procedures applicable to the notification of
personal data breaches, due consideration should be given to the circumstances of the breach,
including whether or not personal data had been protected by appropriate technical protection
measures, effectively limiting the likelihood of identity fraud or other forms of misuse.
Moreover, such rules and procedures should take into account the legitimate interests of law
enforcement authorities in cases where early disclosure could unnecessarily hamper the
investigation of the circumstances of a breach.
(70) Directive 95/46/EC provided for a general obligation to notify processing of personal data to
the supervisory authorities. While this obligation produces administrative and financial
burdens, it did not in all cases contribute to improving the protection of personal data.
Therefore such indiscriminate general notification obligations should be abolished, and
replaced by effective procedures and mechanisms which focus instead on those types of
processing operations which are likely to result in a high risk to the rights and freedoms of
individuals by virtue of their nature, scope, context and purposes. Such types of processing
operations may be those which in particular, involve using new technologies, or are of a new
kind and where no data protection impact assessment has been carried out before by the
controller, or where they become necessary in the light of the time that has elapsed since the
initial processing.