General Data Protection Regulation
Table of Contents
Principles relating to processing of personal data
Lawfulness of processing
Conditions for consent
Conditions applicable to child's consent in relation to information society services
Processing of special categories of personal data
Processing of personal data relating to criminal convictions and offences
Processing which does not require identification
Rights of the data subject
Transparency and modalities
Information and access to personal data
Rectification and erasure
Right to object and automated individual decision-making
Controller and processor
Responsibility of the controller
Data protection by design and by default
Representatives of controllers or processors not established in the Union
Processing under the authority of the controller or processor
Records of processing activities
Cooperation with the supervisory authority
Security of personal data
Data protection impact assessment and prior consultation
Data protection officer
Codes of conduct and certification
Transfers of personal data to third countries or international organisations
General principle for transfers
Transfers on the basis of an adequacy decision
Transfers subject to appropriate safeguards
Binding corporate rules
Transfers or disclosures not authorised by Union law
Derogations for specific situations
International cooperation for the protection of personal data
Independent supervisory authorities
Competence, tasks and powers
Cooperation and consistency
European data protection board
Remedies, liability and penalties
Right to lodge a complaint with a supervisory authority
Right to an effective judicial remedy against a supervisory authority
Right to an effective judicial remedy against a controller or processor
Representation of data subjects
Suspension of proceedings
Right to compensation and liability
General conditions for imposing administrative fines
Provisions relating to specific processing situations
Processing and freedom of expression and information
Processing and public access to official documents
Processing of the national identification number
Processing in the context of employment
Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
Obligations of secrecy
Existing data protection rules of churches and religious associations
Delegated acts and implementing acts
Official GDPR Summary
Without prejudice to the tasks and powers of the competent supervisory authority under Articles 57 and 58, certification bodies which have an appropriate level of expertise in relation to data protection shall, after informing the supervisory authority in order to allow it to exercise its powers pursuant to point (h) of Article 58(2) where necessary, issue and renew certification. Member States shall ensure that those certification bodies are accredited by one or both of the following:
the national accreditation body named in accordance with Regulation (EC) No 765/2008 of the European Parliament and of the Council (20) in accordance with EN-ISO/IEC 17065/2012 and with the additional requirements established by the supervisory authority which is competent pursuant to Article 55 or 56.
Certification bodies referred to in paragraph 1 shall be accredited in accordance with that paragraph only where they have:
demonstrated their independence and expertise in relation to the subject-matter of the certification to the satisfaction of the competent supervisory authority;
established procedures for the issuing, periodic review and withdrawal of data protection certification, seals and marks;
established procedures and structures to handle complaints about infringements of the certification or the manner in which the certification has been, or is being, implemented by the controller or processor, and to make those procedures and structures transparent to data subjects and the public; and
demonstrated, to the satisfaction of the competent supervisory authority, that their tasks and duties do not result in a conflict of interests.
The accreditation of certification bodies as referred to in paragraphs 1 and 2 of this Article shall take place on the basis of requirements approved by the supervisory authority which is competent pursuant to Article 55 or 56 or by the Board pursuant to Article 63. In the case of accreditation pursuant to point (b) of paragraph 1 of this Article, those requirements shall complement those envisaged in Regulation (EC) No 765/2008 and the technical rules that describe the methods and procedures of the certification bodies.
The certification bodies referred to in paragraph 1 shall be responsible for the proper assessment leading to the certification or the withdrawal of such certification without prejudice to the responsibility of the controller or processor for compliance with this Regulation. The accreditation shall be issued for a maximum period of five years and may be renewed on the same conditions provided that the certification body meets the requirements set out in this Article.
The certification bodies referred to in paragraph 1 shall provide the competent supervisory authorities with the reasons for granting or withdrawing the requested certification.
The requirements referred to in paragraph 3 of this Article and the criteria referred to in Article 42(5) shall be made public by the supervisory authority in an easily accessible form. The supervisory authorities shall also transmit those requirements and criteria to the Board.
Without prejudice to Chapter VIII, the competent supervisory authority or the national accreditation body shall revoke an accreditation of a certification body pursuant to paragraph 1 of this Article where the conditions for the accreditation are not, or are no longer, met or where actions taken by a certification body infringe this Regulation.
The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of specifying the requirements to be taken into account for the data protection certification mechanisms referred to in Article 42(1).
The Commission may adopt implementing acts laying down technical standards for certification mechanisms and data protection seals and marks, and mechanisms to promote and recognise those certification mechanisms, seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).