I(Legislativeacts)REGULATIONSREGULATION(EU)2016/679OFTHEEUROPEANPARLIAMENTANDOFTHECOUNCILof27April2016ontheprotectionofnaturalpersonswithregardtotheprocessingofpersonaldataandonthefreemovementofsuchdata,andrepealingDirective95/46/EC(GeneralDataProtectionRegulation)(TextwithEEArelevance)THEEUROPEANPARLIAMENTANDTHECOUNCILOFTHEEUROPEANUNION,HavingregardtotheTreatyontheFunctioningoftheEuropeanUnion,andinparticularArticle16thereof,HavingregardtotheproposalfromtheEuropeanCommission,Aftertransmissionofthedraftlegislativeacttothenationalparliaments,HavingregardtotheopinionoftheEuropeanEconomicandSocialCommittee(1),HavingregardtotheopinionoftheCommitteeoftheRegions(2),Actinginaccordancewiththeordinarylegislativeprocedure(3),Whereas:(1)Theprotectionofnaturalpersonsinrelationtotheprocessingofpersonaldataisafundamentalright.Article8(1)oftheCharterofFundamentalRightsoftheEuropeanUnion(the鈥楥harter鈥�andArticle16(1)oftheTreatyontheFunctioningoftheEuropeanUnion(TFEU)providethateveryonehastherighttotheprotectionofpersonaldataconcerninghimorher.(2)Theprinciplesof,andrulesontheprotectionofnaturalpersonswithregardtotheprocessingoftheirpersonaldatashould,whatevertheirnationalityorresidence,respecttheirfundamentalrightsandfreedoms,inparticulartheirrighttotheprotectionofpersonaldata.ThisRegulationisintendedtocontributetotheaccomplishmentofanareaoffreedom,securityandjusticeandofaneconomicunion,toeconomicandsocialprogress,tothestrengtheningandtheconvergenceoftheeconomieswithintheinternalmarket,andtothewell-beingofnaturalpersons.(3)Directive95/46/ECoftheEuropeanParliamentandoftheCouncil(4)seekstoharmonisetheprotectionoffundamentalrightsandfreedomsofnaturalpersonsinrespectofprocessingactivitiesandtoensurethefreeflowofpersonaldatabetweenMemberStates.4.5.2016L119/1OfficialJournaloftheEuropeanUnionEN(1)OJC229,31.7.2012,p.90.(2)OJC391,18.12.2012,p.127.(3)PositionoftheEuropeanParliamentof12March2014(notyetpublishedintheOfficialJournal)andpositionoftheCouncilatfirstreadingof8April2016(notyetpublishedintheOfficialJournal).PositionoftheEuropeanParliamentof14April2016.(4)Directive95/46/ECoftheEuropeanParliamentandoftheCouncilof24October1995ontheprotectionofindividualswithregardtotheprocessingofpersonaldataandonthefreemovementofsuchdata(OJL281,23.11.1995,p.31).(4)Theprocessingofpersonaldatashouldbedesignedtoservemankind.Therighttotheprotectionofpersonaldataisnotanabsoluteright;itmustbeconsideredinrelationtoitsfunctioninsocietyandbebalancedagainstotherfundamentalrights,inaccordancewiththeprincipleofproportionality.ThisRegulationrespectsallfundamentalrightsandobservesthefreedomsandprinciplesrecognisedintheCharterasenshrinedintheTreaties,inparticulartherespectforprivateandfamilylife,homeandcommunications,theprotectionofpersonaldata,freedomofthought,conscienceandreligion,freedomofexpressionandinformation,freedomtoconductabusiness,therighttoaneffectiveremedyandtoafairtrial,andcultural,religiousandlinguisticdiversity.(5)Theeconomicandsocialintegrationresultingfromthefunctioningoftheinternalmarkethasledtoasubstantialincreaseincross-borderflowsofpersonaldata.Theexchangeofpersonaldatabetweenpublicandprivateactors,includingnaturalpersons,associationsandundertakingsacrosstheUnionhasincreased.NationalauthoritiesintheMemberStatesarebeingcalleduponbyUnionlawtocooperateandexchangepersonaldatasoastobeabletoperformtheirdutiesorcarryouttasksonbehalfofanauthorityinanotherMemberState.(6)Rapidtechnologicaldevelopmentsandglobalisationhavebroughtnewchallengesfortheprotectionofpersonaldata.Thescaleofthecollectionandsharingofpersonaldatahasincreasedsignificantly.Technologyallowsbothprivatecompaniesandpublicauthoritiestomakeuseofpersonaldataonanunprecedentedscaleinordertopursuetheiractivities.Naturalpersonsincreasinglymakepersonalinformationavailablepubliclyandglobally.Technologyhastransformedboththeeconomyandsociallife,andshouldfurtherfacilitatethefreeflowofpersonaldatawithintheUnionandthetransfertothirdcountriesandinternationalorganisations,whileensuringahighleveloftheprotectionofpersonaldata.(7)ThosedevelopmentsrequireastrongandmorecoherentdataprotectionframeworkintheUnion,backedbystrongenforcement,giventheimportanceofcreatingthetrustthatwillallowthedigitaleconomytodevelopacrosstheinternalmarket.Naturalpersonsshouldhavecontroloftheirownpersonaldata.Legalandpracticalcertaintyfornaturalpersons,economicoperatorsandpublicauthoritiesshouldbeenhanced.(8)WherethisRegulationprovidesforspecificationsorrestrictionsofitsrulesbyMemberStatelaw,MemberStatesmay,asfarasnecessaryforcoherenceandformakingthenationalprovisionscomprehensibletothepersonstowhomtheyapply,incorporateelementsofthisRegulationintotheirnationallaw.(9)TheobjectivesandprinciplesofDirective95/46/ECremainsound,butithasnotpreventedfragmentationintheimplementationofdataprotectionacrosstheUnion,legaluncertaintyorawidespreadpublicperceptionthattherearesignificantriskstotheprotectionofnaturalpersons,inparticularwithregardtoonlineactivity.Differencesinthelevelofprotectionoftherightsandfreedomsofnaturalpersons,inparticulartherighttotheprotectionofpersonaldata,withregardtotheprocessingofpersonaldataintheMemberStatesmaypreventthefreeflowofpersonaldatathroughouttheUnion.ThosedifferencesmaythereforeconstituteanobstacletothepursuitofeconomicactivitiesattheleveloftheUnion,distortcompetitionandimpedeauthoritiesinthedischargeoftheirresponsibilitiesunderUnionlaw.SuchadifferenceinlevelsofprotectionisduetotheexistenceofdifferencesintheimplementationandapplicationofDirective95/46/EC.(10)InordertoensureaconsistentandhighlevelofprotectionofnaturalpersonsandtoremovetheobstaclestoflowsofpersonaldatawithintheUnion,thelevelofprotectionoftherightsandfreedomsofnaturalpersonswithregardtotheprocessingofsuchdatashouldbeequivalentinallMemberStates.ConsistentandhomogenousapplicationoftherulesfortheprotectionofthefundamentalrightsandfreedomsofnaturalpersonswithregardtotheprocessingofpersonaldatashouldbeensuredthroughouttheUnion.Regardingtheprocessingofpersonaldataforcompliancewithalegalobligation,fortheperformanceofataskcarriedoutinthepublicinterestorintheexerciseofofficialauthorityvestedinthecontroller,MemberStatesshouldbeallowedtomaintainorintroducenationalprovisionstofurtherspecifytheapplicationoftherulesofthisRegulation.InconjunctionwiththegeneralandhorizontallawondataprotectionimplementingDirective95/46/EC,MemberStateshaveseveralsector-specificlawsinareasthatneedmorespecificprovisions.ThisRegulationalsoprovidesamarginofmanoeuvreforMemberStatestospecifyitsrules,includingfortheprocessingofspecialcategoriesofpersonaldata(鈥榮ensitivedata鈥�.Tothatextent,thisRegulationdoesnotexcludeMemberStatelawthatsetsoutthecircumstancesforspecificprocessingsituations,includingdeterminingmorepreciselytheconditionsunderwhichtheprocessingofpersonaldataislawful.4.5.2016L119/2OfficialJournaloftheEuropeanUnionEN(11)EffectiveprotectionofpersonaldatathroughouttheUnionrequiresthestrengtheningandsettingoutindetailoftherightsofdatasubjectsandtheobligationsofthosewhoprocessanddeterminetheprocessingofpersonaldata,aswellasequivalentpowersformonitoringandensuringcompliancewiththerulesfortheprotectionofpersonaldataandequivalentsanctionsforinfringementsintheMemberStates.(12)Article16(2)TFEUmandatestheEuropeanParliamentandtheCounciltolaydowntherulesrelatingtotheprotectionofnaturalpersonswithregardtotheprocessingofpersonaldataandtherulesrelatingtothefreemovementofpersonaldata.(13)InordertoensureaconsistentlevelofprotectionfornaturalpersonsthroughouttheUnionandtopreventdivergenceshamperingthefreemovementofpersonaldatawithintheinternalmarket,aRegulationisnecessarytoprovidelegalcertaintyandtransparencyforeconomicoperators,includingmicro,smallandmedium-sizedenterprises,andtoprovidenaturalpersonsinallMemberStateswiththesameleveloflegallyenforceablerightsandobligationsandresponsibilitiesforcontrollersandprocessors,toensureconsistentmonitoringoftheprocessingofpersonaldata,andequivalentsanctionsinallMemberStatesaswellaseffectivecooperationbetweenthesupervisoryauthoritiesofdifferentMemberStates.TheproperfunctioningoftheinternalmarketrequiresthatthefreemovementofpersonaldatawithintheUnionisnotrestrictedorprohibitedforreasonsconnectedwiththeprotectionofnaturalpersonswithregardtotheprocessingofpersonaldata.Totakeaccountofthespecificsituationofmicro,smallandmedium-sizedenterprises,thisRegulationincludesaderogationfororganisationswithfewerthan250employeeswithregardtorecord-keeping.Inaddition,theUnioninstitutionsandbodies,andMemberStatesandtheirsupervisoryauthorities,areencouragedtotakeaccountofthespecificneedsofmicro,smallandmedium-sizedenterprisesintheapplicationofthisRegulation.Thenotionofmicro,smallandmedium-sizedenterprisesshoulddrawfromArticle2oftheAnnextoCommissionRecommendation2003/361/EC(1).(14)TheprotectionaffordedbythisRegulationshouldapplytonaturalpersons,whatevertheirnationalityorplaceofresidence,inrelationtotheprocessingoftheirpersonaldata.ThisRegulationdoesnotcovertheprocessingofpersonaldatawhichconcernslegalpersonsandinparticularundertakingsestablishedaslegalpersons,includingthenameandtheformofthelegalpersonandthecontactdetailsofthelegalperson.(15)Inordertopreventcreatingaseriousriskofcircumvention,theprotectionofnaturalpersonsshouldbetechnolo颅gicallyneutralandshouldnotdependonthetechniquesused.Theprotectionofnaturalpersonsshouldapplytotheprocessingofpersonaldatabyautomatedmeans,aswellastomanualprocessing,ifthepersonaldataarecontainedorareintendedtobecontainedinafilingsystem.Filesorsetsoffiles,aswellastheircoverpages,whicharenotstructuredaccordingtospecificcriteriashouldnotfallwithinthescopeofthisRegulation.(16)ThisRegulationdoesnotapplytoissuesofprotectionoffundamentalrightsandfreedomsorthefreeflowofpersonaldatarelatedtoactivitieswhichfalloutsidethescopeofUnionlaw,suchasactivitiesconcerningnationalsecurity.ThisRegulationdoesnotapplytotheprocessingofpersonaldatabytheMemberStateswhencarryingoutactivitiesinrelationtothecommonforeignandsecuritypolicyoftheUnion.(17)Regulation(EC)No45/2001oftheEuropeanParliamentandoftheCouncil(2)appliestotheprocessingofpersonaldatabytheUnioninstitutions,bodies,officesandagencies.Regulation(EC)No45/2001andotherUnionlegalactsapplicabletosuchprocessingofpersonaldatashouldbeadaptedtotheprinciplesandrulesestablishedinthisRegulationandappliedinthelightofthisRegulation.InordertoprovideastrongandcoherentdataprotectionframeworkintheUnion,thenecessaryadaptationsofRegulation(EC)No45/2001shouldfollowaftertheadoptionofthisRegulation,inordertoallowapplicationatthesametimeasthisRegulation.(18)ThisRegulationdoesnotapplytotheprocessingofpersonaldatabyanaturalpersoninthecourseofapurelypersonalorhouseholdactivityandthuswithnoconnectiontoaprofessionalorcommercialactivity.Personalor4.5.2016L119/3OfficialJournaloftheEuropeanUnionEN(1)CommissionRecommendationof6May2003concerningthedefinitionofmicro,smallandmedium鈥憇izedenterprises(C(2003)1422)(OJL124,20.5.2003,p.36).(2)Regulation(EC)No45/2001oftheEuropeanParliamentandoftheCouncilof18December2000ontheprotectionofindividualswithregardtotheprocessingofpersonaldatabytheCommunityinstitutionsandbodiesandonthefreemovementofsuchdata(OJL8,12.1.2001,p.1).householdactivitiescouldincludecorrespondenceandtheholdingofaddresses,orsocialnetworkingandonlineactivityundertakenwithinthecontextofsuchactivities.However,thisRegulationappliestocontrollersorprocessorswhichprovidethemeansforprocessingpersonaldataforsuchpersonalorhouseholdactivities.(19)Theprotectionofnaturalpersonswithregardtotheprocessingofpersonaldatabycompetentauthoritiesforthepurposesoftheprevention,investigation,detectionorprosecutionofcriminaloffencesortheexecutionofcriminalpenalties,includingthesafeguardingagainstandthepreventionofthreatstopublicsecurityandthefreemovementofsuchdata,isthesubjectofaspecificUnionlegalact.ThisRegulationshouldnot,therefore,applytoprocessingactivitiesforthosepurposes.However,personaldataprocessedbypublicauthoritiesunderthisRegulationshould,whenusedforthosepurposes,begovernedbyamorespecificUnionlegalact,namelyDirective(EU)2016/680oftheEuropeanParliamentandoftheCouncil(1).MemberStatesmayentrustcompetentauthoritieswithinthemeaningofDirective(EU)2016/680withtaskswhicharenotnecessarilycarriedoutforthepurposesoftheprevention,investigation,detectionorprosecutionofcriminaloffencesortheexecutionofcriminalpenalties,includingthesafeguardingagainstandpreventionofthreatstopublicsecurity,sothattheprocessingofpersonaldataforthoseotherpurposes,insofarasitiswithinthescopeofUnionlaw,fallswithinthescopeofthisRegulation.WithregardtotheprocessingofpersonaldatabythosecompetentauthoritiesforpurposesfallingwithinscopeofthisRegulation,MemberStatesshouldbeabletomaintainorintroducemorespecificprovisionstoadapttheapplicationoftherulesofthisRegulation.Suchprovisionsmaydeterminemorepreciselyspecificrequirementsfortheprocessingofpersonaldatabythosecompetentauthoritiesforthoseotherpurposes,takingintoaccounttheconstitutional,organisationalandadministrativestructureoftherespectiveMemberState.WhentheprocessingofpersonaldatabyprivatebodiesfallswithinthescopeofthisRegulation,thisRegulationshouldprovideforthepossibilityforMemberStatesunderspecificconditionstorestrictbylawcertainobligationsandrightswhensucharestrictionconstitutesanecessaryandproportionatemeasureinademocraticsocietytosafeguardspecificimportantinterestsincludingpublicsecurityandtheprevention,investigation,detectionorprosecutionofcriminaloffencesortheexecutionofcriminalpenalties,includingthesafeguardingagainstandthepreventionofthreatstopublicsecurity.Thisisrelevantforinstanceintheframeworkofanti-moneylaunderingortheactivitiesofforensiclaboratories.(20)WhilethisRegulationapplies,interalia,totheactivitiesofcourtsandotherjudicialauthorities,UnionorMemberStatelawcouldspecifytheprocessingoperationsandprocessingproceduresinrelationtotheprocessingofpersonaldatabycourtsandotherjudicialauthorities.Thecompetenceofthesupervisoryauthoritiesshouldnotcovertheprocessingofpersonaldatawhencourtsareactingintheirjudicialcapacity,inordertosafeguardtheindependenceofthejudiciaryintheperformanceofitsjudicialtasks,includingdecision-making.ItshouldbepossibletoentrustsupervisionofsuchdataprocessingoperationstospecificbodieswithinthejudicialsystemoftheMemberState,whichshould,inparticularensurecompliancewiththerulesofthisRegulation,enhanceawarenessamongmembersofthejudiciaryoftheirobligationsunderthisRegulationandhandlecomplaintsinrelationtosuchdataprocessingoperations.(21)ThisRegulationiswithoutprejudicetotheapplicationofDirective2000/31/ECoftheEuropeanParliamentandoftheCouncil(2),inparticularoftheliabilityrulesofintermediaryserviceprovidersinArticles12to15ofthatDirective.ThatDirectiveseekstocontributetotheproperfunctioningoftheinternalmarketbyensuringthefreemovementofinformationsocietyservicesbetweenMemberStates.(22)AnyprocessingofpersonaldatainthecontextoftheactivitiesofanestablishmentofacontrolleroraprocessorintheUnionshouldbecarriedoutinaccordancewiththisRegulation,regardlessofwhethertheprocessingitselftakesplacewithintheUnion.Establishmentimpliestheeffectiveandrealexerciseofactivitythroughstablearrangements.Thelegalformofsucharrangements,whetherthroughabranchorasubsidiarywithalegalpersonality,isnotthedeterminingfactorinthatrespect.4.5.2016L119/4OfficialJournaloftheEuropeanUnionEN(1)Directive(EU)2016/680oftheEuropeanParliamentandoftheCouncilof27April2016ontheprotectionofnaturalpersonswithregardtotheprocessingofpersonaldatabycompetentauthoritiesforthepurposesofprevention,investigation,detectionorprosecutionofcriminaloffencesortheexecutionofcriminalpenalties,andthefreemovementofsuchdataandrepealingCouncilFrameworkDecision2008/977/JHA(seepage89ofthisOfficialJournal).(2)Directive2000/31/ECoftheEuropeanParliamentandoftheCouncilof8June2000oncertainlegalaspectsofinformationsocietyservices,inparticularelectroniccommerce,intheInternalMarket(鈥楧irectiveonelectroniccommerce鈥�(OJL178,17.7.2000,p.1).(23)InordertoensurethatnaturalpersonsarenotdeprivedoftheprotectiontowhichtheyareentitledunderthisRegulation,theprocessingofpersonaldataofdatasubjectswhoareintheUnionbyacontrolleroraprocessornotestablishedintheUnionshouldbesubjecttothisRegulationwheretheprocessingactivitiesarerelatedtoofferinggoodsorservicestosuchdatasubjectsirrespectiveofwhetherconnectedtoapayment.InordertodeterminewhethersuchacontrollerorprocessorisofferinggoodsorservicestodatasubjectswhoareintheUnion,itshouldbeascertainedwhetheritisapparentthatthecontrollerorprocessorenvisagesofferingservicestodatasubjectsinoneormoreMemberStatesintheUnion.Whereasthemereaccessibilityofthecontroller's,processor'soranintermediary'swebsiteintheUnion,ofanemailaddressorofothercontactdetails,ortheuseofalanguagegenerallyusedinthethirdcountrywherethecontrollerisestablished,isinsufficienttoascertainsuchintention,factorssuchastheuseofalanguageoracurrencygenerallyusedinoneormoreMemberStateswiththepossibilityoforderinggoodsandservicesinthatotherlanguage,orthementioningofcustomersoruserswhoareintheUnion,maymakeitapparentthatthecontrollerenvisagesofferinggoodsorservicestodatasubjectsintheUnion.(24)TheprocessingofpersonaldataofdatasubjectswhoareintheUnionbyacontrollerorprocessornotestablishedintheUnionshouldalsobesubjecttothisRegulationwhenitisrelatedtothemonitoringofthebehaviourofsuchdatasubjectsinsofarastheirbehaviourtakesplacewithintheUnion.Inordertodeterminewhetheraprocessingactivitycanbeconsideredtomonitorthebehaviourofdatasubjects,itshouldbeascertainedwhethernaturalpersonsaretrackedontheinternetincludingpotentialsubsequentuseofpersonaldataprocessingtechniqueswhichconsistofprofilinganaturalperson,particularlyinordertotakedecisionsconcerningherorhimorforanalysingorpredictingherorhispersonalpreferences,behavioursandattitudes.(25)WhereMemberStatelawappliesbyvirtueofpublicinternationallaw,thisRegulationshouldalsoapplytoacontrollernotestablishedintheUnion,suchasinaMemberState'sdiplomaticmissionorconsularpost.(26)Theprinciplesofdataprotectionshouldapplytoanyinformationconcerninganidentifiedoridentifiablenaturalperson.Personaldatawhichhaveundergonepseudonymisation,whichcouldbeattributedtoanaturalpersonbytheuseofadditionalinformationshouldbeconsideredtobeinformationonanidentifiablenaturalperson.Todeterminewhetheranaturalpersonisidentifiable,accountshouldbetakenofallthemeansreasonablylikelytobeused,suchassinglingout,eitherbythecontrollerorbyanotherpersontoidentifythenaturalpersondirectlyorindirectly.Toascertainwhethermeansarereasonablylikelytobeusedtoidentifythenaturalperson,accountshouldbetakenofallobjectivefactors,suchasthecostsofandtheamountoftimerequiredforidentification,takingintoconsiderationtheavailabletechnologyatthetimeoftheprocessingandtechnologicaldevelopments.Theprinciplesofdataprotectionshouldthereforenotapplytoanonymousinformation,namelyinformationwhichdoesnotrelatetoanidentifiedoridentifiablenaturalpersonortopersonaldatarenderedanonymousinsuchamannerthatthedatasubjectisnotornolongeridentifiable.ThisRegulationdoesnotthereforeconcerntheprocessingofsuchanonymousinformation,includingforstatisticalorresearchpurposes.(27)ThisRegulationdoesnotapplytothepersonaldataofdeceasedpersons.MemberStatesmayprovideforrulesregardingtheprocessingofpersonaldataofdeceasedpersons.(28)Theapplicationofpseudonymisationtopersonaldatacanreducetheriskstothedatasubjectsconcernedandhelpcontrollersandprocessorstomeettheirdata-protectionobligations.Theexplicitintroductionof鈥榩seudony颅misation鈥�inthisRegulationisnotintendedtoprecludeanyothermeasuresofdataprotection.(29)Inordertocreateincentivestoapplypseudonymisationwhenprocessingpersonaldata,measuresofpseudonymi颅sationshould,whilstallowinggeneralanalysis,bepossiblewithinthesamecontrollerwhenthatcontrollerhastakentechnicalandorganisationalmeasuresnecessarytoensure,fortheprocessingconcerned,thatthisRegulationisimplemented,andthatadditionalinformationforattributingthepersonaldatatoaspecificdatasubjectiskeptseparately.Thecontrollerprocessingthepersonaldatashouldindicatetheauthorisedpersonswithinthesamecontroller.4.5.2016L119/5OfficialJournaloftheEuropeanUnionEN(30)Naturalpersonsmaybeassociatedwithonlineidentifiersprovidedbytheirdevices,applications,toolsandprotocols,suchasinternetprotocoladdresses,
本文档为【gdpr一般数据保护法案】,请使用软件OFFICE或WPS软件打开。作品中的文字与图均可以修改和编辑,
图片更改请在作品中右键图片并更换,文字修改请直接点击文字进行修改,也可以新增和删除文档中的内容。
该文档来自用户分享,如有侵权行为请发邮件ishare@vip.sina.com联系网站客服,我们会及时删除。
[版权声明] 本站所有资料为用户分享产生,若发现您的权利被侵害,请联系客服邮件isharekefu@iask.cn,我们尽快处理。
本作品所展示的图片、画像、字体、音乐的版权可能需版权方额外授权,请谨慎使用。
网站提供的党政主题相关内容(国旗、国徽、党徽..)目的在于配合国家政策宣传,仅限个人学习分享使用,禁止用于任何广告和商用目的。
浙公网安备 33021202002483