Section 2

Article 13

Information to be provided where personal data are collected from the data subject

1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information: (a) the identity and the contact details of the controller and, where applicable, of the controller’s representative; (b) »

Article 14

Information to be provided where personal data have not been obtained from the data subject

1. Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information: (a) the identity and the contact details of the controller and, where applicable, of the controller’s representative; (b) the contact details of the data protection officer, where applicable; »

Article 15

Right of access by the data subject

1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: (a) the purposes of the processing; (b) the categories of personal data concerned; (c) »

Article 32

Security of processing

1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: »

Article 33

Notification of a personal data breach to the supervisory authority

1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. »

Article 34

Communication of a personal data breach to the data subject

1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3). »

Article 55

Competence

1. Each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State.

2. Where processing is carried out by public authorities or private bodies acting on the basis of point (c) or (e) of Article 6(1), the supervisory authority of the Member State concerned shall be competent. »

Article 56

Competence of the lead supervisory authority

1. Without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60.

2. By derogation from paragraph 1, each supervisory authority shall be competent to handle a complaint lodged with it or a possible infringement of this Regulation, if the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State. »

Article 57

Tasks

1. Without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory: (a) monitor and enforce the application of this Regulation; (b) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children shall receive specific attention; (c) advise, in accordance with Member State law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons’ rights and freedoms with regard to processing; »

Article 58

Powers

1. Each supervisory authority shall have all of the following investigative powers: (a) to order the controller and the processor, and, where applicable, the controller’s or the processor’s representative to provide any information it requires for the performance of its tasks; (b) to carry out investigations in the form of data protection audits; (c) to carry out a review on certifications issued pursuant to Article 42(7); »