Subject matter and objectives
1. This Regulation lays down rules relating to the protection of individuals against infringements of their right to privacy and rules relating to the free flow of information and the free movement of goods and services.
2. This Regulation protects the fundamental rights and freedoms of natural persons, and in particular their right to privacy and their right to the protection of personal data as a result of the processing of personal information.
3. The free flow of information and the free movement of goods and services within the Union shall neither be restricted nor prohibited for reasons connected with the protection of individuals with regard to the processing of personal information.
1. This Regulation applies to the processing of personal information by private enterprises and private individuals.
2. This Regulation does not apply to the processing of personal information by the public authorities of the European Union and its Member States.
3. This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.
1. This Regulation applies to the processing of personal information in the context of the activities of an establishment of a controller or a processor in the Union.
2. This Regulation applies to the processing of personal information of individuals residing in the Union by a controller not established in the Union, where the processing activities are related to:
(a) the offering of goods or services to such individuals in the Union; or
(b) the collection of information about individuals in the Union.
3. This Regulation applies to the processing of personal information by a controller not established in the Union, but in a place where the national law of a Member State applies by virtue of public international law.
For the purposes of this Regulation:
(1) ‘personal information’ means any information that refers, directly or indirectly, to a natural person;
(2) ‘sensitive’ information means any information that – alone or in conjunction with other information – may reveal the inner thoughts or feelings of an individual and that is not normally shared outside a close relationship;
(3) ‘processing’ means any operation or set of operations which is performed upon personal information, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, transmission, use, dissemination, communication or otherwise making available, alignment or combination, erasure or destruction;
(4) ‘collection’ means the preparation or acquisition of information about an individual;
(5) ‘blocking’ means labelling stored personal information so as to restrict its further processing;
(6) ‘erasure’ means the physical destruction of personal information or any similar method of irreversibly preventing any future processing of personal information;
(7) ‘communication’ means the disclosure to a third party of personal information either
a. through passing the information on to the third party or
b. through the third party inspecting or retrieving information held ready for inspection or retrieval or
c. through dissemination, publication or otherwise making available;
(8) ‘third party’ means any natural or legal person other than the data processor or an enterprise within the same group of undertakings;
(9) ‘controller’ means the natural or legal person which alone or jointly with others determines the purposes, conditions and means of the processing of personal information; where the purposes, conditions and means of processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by Union law or by Member State law;
(10) ‘processor’ means a natural or legal person which processes personal information on behalf of the controller;
(11) ‘recipient’ means a natural or legal person to which the personal information is disclosed;
(12) ‘consent’ means any individual’s indication of his or her wishes by which the individual signifies agreement to personal information being processed;
(13) ‘personal information breach’ means a breach of security leading to the unauthorised disclosure of, or access to, personal information processed;
(14) ‘genetic information’ means all information, of whatever type, concerning the characteristics of an individual
which is inherited or acquired during early prenatal development;
(15) ‘biometric information’ means any information relating to the physical, physiological or behavioural characteristics of an individual which allow their unique identification, such as facial images, or dactyloscopic data;
(16) ‘health information’ means any information which relates to the physical or mental health of an individual, or to the provision of health services to the individual;
(17) ‘geodata’ means all information directly or indirectly related to a particular place or geographical area;
(18) ‘main establishment’ means as regards the controller, the place of its establishment in the Union where the main decisions as to the purposes, conditions and means of the processing of personal information are taken; if no decisions as to the purposes, conditions and means of the processing of personal information are taken in the Union, the main establishment is the place where the main processing activities in the context of the activities of an establishment of a controller in the Union take place. As regards the processor, main establishment means the place of its central administration in the Union;
(19) ‘representative’ means any natural or legal person established in the Union who, explicitly designated by the controller, acts and may be addressed by any supervisory authority and other bodies in the Union instead of the controller, with regard to the obligations of the controller under this Regulation;
(20) ‘enterprise’ means any entity engaged in an economic activity, irrespective of its legal form, thus including, in particular, natural and legal persons, partnerships or associations regularly engaged in an economic activity;
(21) ‘group of undertakings’ means a controlling undertaking and its controlled undertakings;
(22) ‘binding corporate rules’ means personal information protection policies which are adhered to by a controller or processor established on the territory of a Member State of the Union for transfers or a set of transfers of personal information to a controller or processor in one or more third countries within a group of undertakings;
(23) ‘child means any person below the age of 18 years;
(24) ‘supervisory authority’ means a public authority which is established by a Member State in accordance with Article 46.
General principle of information processing
Personal information must be processed fairly and in a manner respectful to the rights to privacy of the individuals concerned.
Processing by enterprises
Enterprises may only process personal information:
(a) for specified purposes and not further processed in a way incompatible with those purposes;
(b) in a transparent manner in accordance with Articles 9 and 10 of this Regulation;
(c) when personal information is accurate and kept up to date; every reasonable step must be taken to ensure that personal information that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay;
(d) when the processing of information does not inflict individuals’ rights pursuant to Articles 11 and 12 of this Regulation.
1. Processing of sensitive information shall be lawful for an enterprise only if and to the extent that at least one of the following applies:
(a) the individual has given explicit and specific consent to the processing of their sensitive information for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the individual is party or in order to take steps at the request of the individual prior to entering into a contract;
(c) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law in so far as it is authorised by Union law or Member State law providing for adequate safeguards;
(d) processing is necessary for compliance with a legal obligation to which the controller is subject;
(e) processing is necessary to protect the vital interests of the individual or another person where the individual is physically or legally incapable of giving consent;
(f) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other non-profitseeking body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the information is not disclosed outside that body without the consent of the individual;
(g) processing relates to information which is manifestly made public by the individual;
(h) processing is necessary for the establishment, exercise or defence of legal claims;
(i) processing of health information is necessary for health purposes and subject to the conditions and safeguards referred to in Article 81.
2. Processing of sensitive information which is necessary for the purposes of historical, statistical or scientific research shall be lawful subject to the conditions and safeguards referred to in Article 83.
3. The basis of the processing referred to in point (d) of paragraph 1 must be provided for in:
(a) Union law, or
(b) the law of the Member State to which the controller is subject.
The law of the Member State must meet an objective of public interest or must be necessary to protect the rights and freedoms of others, respect the essence of the right to the protection of personal information and be proportionate to the legitimate aim pursued.
4. Where the purpose of further processing is not compatible with the one for which the personal information has been collected, the processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract.
Conditions for consent
1. The controller shall bear the burden of proof for the individual’s consent to the processing of their sensitive information for specified purposes.
2. If the individual’s consent is to be given in the context of a written declaration which also concerns another matter, the requirement to give consent must be presented distinguishable in its appearance from this other matter.
3. The individual shall have the right to withdraw his or her consent at any time with good cause. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
1. If an entrepreneur processes personal information for the purposes of creating, developing or amending a contractual relationship or through the operation of an information society service, the entrepreneur shall draw up and adhere to explicit and transparent privacy policies.
2. The entrepreneur shall provide privacy policies in an intelligible form, using clear and plain language, adapted to the clients or users.
3. In a contractual relationship, the entrepreneur shall provide privacy policies when the contract is entered into. The policies may be provided in form of a hard copy or electronically.
4. When operating an information society service, the entrepreneur shall provide easily accessible versions of current privacy policies. Users of the service must be enabled to download the privacy policies at all times.
5. Where the entrepreneur expects that his clients or users will often be children, he shall word privacy policies in a way that can be easily understood by children. Union and Member State law on the protection of minors remains unaffected.
1. Privacy policies must inform clients or users about:
(a) the identity and the contact details of the controller and, if any, of the controller’s representative and of the data protection officer;
(b) the kind of personal information that is processed;
(c) the purpose of the processing of personal information as well as the reason why this information is required for this purpose;
(d) the transmission of personal information to third parties;(e) the rights reserved by the entrepreneur to process and use personal information after the termination of a contract or after the termination of use of the information
(f) the setting-up and processing of movement profiles obtained through geodata;
(g) the technical and organisational measures takenby the entrepreneur in order to protect personal information against unauthorised access or damage by third parties including the process used to encrypt and anonymise the information (data security);
(h) the means by which individuals can obtain information regarding the personal information that is processed, transmitted in order to ensure that errors are corrected, including the means by which individuals can obtain access to the information and correct it themselves;
(i) the rights of the individual to object to the processing of personal information in part or in whole;
(j) the codes of practice and other rules of conduct by which the entrepreneur is bound;
(k) the rights reserved by the entrepreneur to change the circumstances and conditions of the processing, of personal information as defined under letters (a) to (j) above.
2. Where the processing of personal information is carried out in connection with a contractual relationship, the entrepreneur shall inform the client of all major changes and revisions to the applicable privacy policies. The entrepreneur is entitled to revisions (revision right)
(a) when legitimate interests are pursued; and
(b) when the revision does not create a new right to transmit personal information to a third party.
3. If the entrepreneur makes use of a revision right, he shall inform clients of all significant changes to the
privacy policies. A client is entitled to reject changes insofar as his legitimate interests outweigh those of the entrepreneur. The entrepreneur shall inform clients of their right of recourse when informing them about changes.
4. When an entrepreneur processes personal information for a specific purpose stated in his privacy policies, he shall only change the purpose
(a) insofar as this is permitted by his privacy policies; and
(b) when the entrepreneur acts in accordance with paragraphs 1 to 3.
5. An entrepreneur shall not transmit personal information to a third party unless
(a) this is permitted by his privacy policies in accordance with paragraphs 1 to 3; or
(b) the person concerned has given his consent thereto.
6. The Commission may lay down standard forms for the privacy policies referred to in Article 9 of this Regulation, taking into account the specific characteristics and needs of various sectors and processing situations where necessary. In doing so, the Commission shall take the appropriate measures for micro, small and medium-sized enterprises. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
Right to rectification
1. The individual shall have the right to obtain from the controller the rectification of personal information
relating to them which are inaccurate. The individual shall have the right to obtain completion of incomplete personal information, including by way of supplementing a corrective statement.
2. Instead of rectification, the controller shall block personal information where its accuracy is contested by the individual, for a period enabling the controller to verify the accuracy of the information.
Right to erasure
1. The individual shall have the right to obtain from the controller the erasure of personal information and the abstention from further dissemination of such information, especially in relation to personal information which was made available by the individual while he or she was a child, where one of the following grounds applies:
(a) the information is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
(b) the individual objects to the processing of personal information pursuant to Article 13;
(c) the processing of the information does not comply with this Regulation for other reasons.
2. The controller shall carry out the erasure without delay, except to the extent that the retention of the personal information is necessary:
(a) for exercising the right of freedom of communication if such right outweighs the individual’s right to privacy;
(b) for reasons of public interest in the area of public health in accordance with Article 81;
(c) for historical, statistical and scientific research purposes in accordance with Article 83;
(d) for compliance with a legal obligation to retain the personal information by Union or Member State law to which the controller is subject; Member State laws shall meet an objective of public interest, respect the essence of the right to the protection of personal information and be proportionate to the legitimate aim pursued;
(e) in the cases referred to in paragraph 3.
3. Instead of erasure, the controller shall block personal information where:
(a) the controller no longer needs the personal information for the accomplishment of its task but they have to be maintained for purposes of proof;
(b) the processing is unlawful and the individual opposes its erasure and requests the restriction of its use instead.
4. Personal information referred to in paragraph 3 may, with the exception of storage, only be processed for purposes of proof, or with the individual’s consent, or for the protection of the rights of another natural or legal person or for an objective of public interest.
5. Where processing of personal information is restricted pursuant to paragraph 4, the controller shall inform the individual before lifting the restriction on processing.
6. Where the erasure is carried out, the controller shall not otherwise process such personal information.
1. Where personal information is processed for direct marketing purposes, the individual shall have the right to object free of charge to the processing of their personal information for such marketing. This right shall be explicitly offered to the individual in an intelligible manner and shall be clearly distinguishable from other information.
2. Where an objection is upheld, the controller shall no longer use or otherwise process the personal information concerned.
Measures based on profiling
1. Every natural person shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person’s performance at work, economic situation, location, health, personal preferences, reliability or behaviour.
2. Subject to the other provisions of this Regulation, a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing:
(a) is carried out in the course of the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the individual, has been satisfied or where suitable measures to safeguard the individual’s legitimate interests have been adduced, such as the right to obtain human intervention; or
(b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the individual’s legitimate interests; or
(c) is based on the individual’s consent, subject to the conditions laid down in Article 8.
3. Automated processing of personal information to evaluate certain personal aspects relating to a natural person shall not be based solely on sensitive information.
4. In the cases referred to in paragraph 2, the information to be provided by the controller under Article 10 shall include information as to the existence of processing for a measure of the kind referred to in paragraph 1 and the envisaged effects of such processing on the individual.
1. When an entrepreneur operates an information society service, it may collect and process information on an individual’s use of the service (behavioural tracking) for the purposes of
(a) maintenance and data security; or
(b) analysis of the use of an online service; or
(c) marketing services, including targeted advertising; or
(d) similar purposes.
2. Behavioural tracking is only legitimate when privacy policies provided pursuant to Article 9 contain highlighted provisions on behavioural tracking.3. An entrepreneur shall provide individuals with efficient means to prevent behavioural tracking when using an information society service unless the entrepreneur’s legitimate interests outweigh those of the individuals. 24. For the purpose of behavioural tracking, sensitive information shall only be processed with the individual’s consent pursuant to Article 8.
Privacy by design
1. The entrepreneur must ensure at each stage of the development, design, amendment and expansion of procedures used or intended to be used, that the following guidelines are adhered to insofar as this is
(a) possible and reasonable;
(b) without imposing a burden on the entrepreneur that cannot be justified by individuals’ legitimate rights to privacy.
2. Procedures are to be so designed that personal information is deleted automatically as soon as it is no longer required for the original purpose and as long as there is no legal requirement for this information to be stored. Archiving and use exclusively for the purpose of proof is permitted.
3. Security measures are to be of the highest technical standard. In particular, personal information must be protected against unlawful access by third parties as far as current technology allows.
4. Sensitive information must be afforded a higher degree of protection. This must be a particular consideration in the context of the design of administrator and viewing rights.
5. Privacy policies (Article 9) and declarations of consent (Article 8) must be worded and designed in line with generally prevailing standards and in a form familiar to users.
6. Personal information that is processed should be traceable. This also applies to all versions of privacy policies (Article 10).
7. When movement profiles (Art. 10 paragraph 1 e) are created and processed and when behavioural tracking is performed (Art. 15), individuals should be provided with the technical means to prevent the creation of such profiles, either permanently or temporarily.
8. The individual should be provided with appropriate technical means with which to detect and correct incorrect personal data.