Chapter One

General provisions

Article 1

Subject matter and objectives

1. This Law lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free flow of personal data.

2. This Law protects the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data.

3. The free flow of personal data within the EU shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.

Article 2

Material scope

1. This Law applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

2. This Law does not apply to the processing of personal data:

(a) in the course of an activity which falls outside the scope of EU law;
(b) by Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the Treaty on European Union;
(c) by a natural person in the course of a purely personal or household activity;
(d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

3. Regulation No 45/2001 applies to the processing of personal data by the EU institutions, bodies, offices and agencies.

In accordance with Article 98 of this Law, Regulation No 45/2001 and other EU legal acts applicable to such processing of personal data shall be adapted to the principles and rules of this Law.

4. This Law shall be without prejudice to the application of Directive 2000/31/EC, in particular the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.

Article 3

Territorial scope

1. This Law applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not.

2. This Law applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to:
(a) the offering of goods or services to such data subjects in the EU, irrespective of whether a payment by the data subject is required; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the EU.

3. This Law applies to the processing of personal data by a controller not established in the EU, but in a place where Member State law applies by virtue of public international law.

Article 4

Definitions

For the purposes of this Law:

(1) “Personal data” means any information relating to an identified or identifiable natural person (the “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

(2) “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

(3) “Restriction of processing” means the marking of stored personal data with the aim of limiting their processing in the future;

(4) “Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

(5) “Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

(6) “Filing system” means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

(7) “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU or Member State law, the controller or the specific criteria for its nomination may be provided for by EU or Member State law.

(8) “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

(9) “Recipient” means a natural or legal person, public authority, agency or other body to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with EU or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

(10) “Third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

(11) “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

(12) “Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

(13) “Genetic data” means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which typically result from the analysis of a biological sample from that natural person.

(14) “Biometric data” means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or fingerprint data.

(15) “Health-related data” means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.

(16) “Main establishment” means:

(a) as regards a controller with establishments in more than one Member State, the place of its central administration in the EU, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the EU and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is considered to be the main establishment;
(b) as regards a processor with establishments in more than one Member State, the place of its central administration in the EU, or, if the processor has no central administration in the EU, the establishment of the processor in the EU where the main processing activities in the context of the activities of an establishment of the processor take place, to the extent that the processor is subject to specific obligations under this Law.

(17) “Representative” means a natural or legal person established in the EU who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Law.

(18) “Enterprise” means a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.

(19) “Enterprise group” means a controlling enterprise and the enterprises under its control.

(20) “Binding enterprise rules” means personal data protection policies which are adhered to by a controller or processor established in the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within an enterprise group, or a group of enterprises engaged in a joint economic activity.

(21) “Supervisory authority” means an independent public authority which is established by a Member State pursuant to Article 51.

(22) “Supervisory authority concerned” means a supervisory authority which is concerned by the processing of personal data because:

(a) the controller or processor is established on the territory of the Member State of that supervisory authority;

(b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the processing; or

(c) a complaint has been lodged with that supervisory authority.

(23) “Cross-border processing” means either:

(a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the EU, where the controller or processor is established in more than one Member State; or

(b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the EU, but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

(24) “Relevant and reasoned objection” means an objection to a draft decision as to whether there is an infringement of this Law, or whether envisaged action in relation to the controller or processor complies with this Law, which clearly demonstrates the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects and, where applicable, the free flow of personal data within the EU.

(25) “Information society service” means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council.

(26) “International organisation” means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

Chapter Two

Principles

Article 5

Principles relating to the processing of personal data

1. Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (“purpose limitation”);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as they will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to the implementation of the appropriate technical and organisational measures required by this Law in order to safeguard the rights and freedoms of the data subject (“storage limitation”);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).

2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (“accountability”).

Article 6

Lawfulness of processing

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Law with regard to processing for compliance with points (c) and (e) of paragraph 1, by determining more precisely specific requirements for the processing and other measures to ensure lawful and fair processing, including for other specific processing situations as provided for in Chapter IX.

3. The basis for the processing referred to in points (c) and (e) of paragraph 1 shall be laid down by:

(a) EU law; or
(b) Member State law to which the controller is subject.

The purpose of the processing shall be determined in that legal basis or, as regards the processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. That legal basis may contain specific provisions to adapt the application of the rules of this Law, inter alia: the general conditions governing the lawfulness of processing by the controller; the types of data which are subject to the processing; the data subjects concerned; the entities to which, and the purposes for which, the personal data may be disclosed; the purpose limitation; storage periods; and processing operations and processing procedures, including measures to ensure lawful and fair processing such as those for other specific processing situations as provided for in Chapter IX. EU or Member State law shall meet an objective of public interest and be proportionate to the legitimate aim pursued.

4. Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent or on EU or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data were initially collected, take into account, inter alia:

(a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;

(b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;

(c) the nature of the personal data, in particular whether special categories of personal data are processed pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed pursuant to Article 10;

(d) the possible consequences of the intended further processing for data subjects;

(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.

Article 7

Conditions for consent

1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data.

2. If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Law shall not be binding.

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. The data subject shall be informed of this right prior to giving consent. It shall be as easy to withdraw consent as to give it.

4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Article 8

Conditions applicable to a child’s consent in relation to information society services

1. Where Article 6(1)(a) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.

Member States may provide by law for a lower age for those purposes, provided that such lower age is not below 13 years.

2. The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.

3. Paragraph 1 shall not affect the general contract law of Member States, such as the rules on the validity, formation or effect of a contract in relation to a child.

Article 9

Processing of special categories of personal data

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

2. Paragraph 1 shall not apply if one of the following applies:

(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where EU or Member State law provides that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, in so far as it is authorised by EU or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim, on condition that the processing relates solely to the members or former members of the body or to persons who have regular contact with it in connection with its purposes, and that the personal data are not disclosed outside that body without the consent of the data subjects;
(e) processing relates to personal data which are manifestly made public by the data subject;
(f) processing is necessary for the establishment, exercise or defence of legal claims, or whenever courts are acting in their judicial capacity;
(g) processing is necessary for reasons of substantial public interest, on the basis of EU or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services, on the basis of EU or Member State law or pursuant to a contract with a health professional, and subject to the conditions and safeguards referred to in paragraph 3;
(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of EU or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), based on EU or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by, or under the responsibility of, a professional subject to the obligation of professional secrecy under EU or Member State law or rules established by national competent bodies, or by another person also subject to an obligation of secrecy under EU or Member State law or rules established by national competent bodies.

4. Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.

Article 10

Processing of personal data relating to criminal convictions and offences

Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by EU or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.

Article 11

Processing which does not require identification

1. If the purposes for which a controller processes personal data do not or no longer require the identification of a data subject by the controller, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Law.

2. Where, in the cases referred to in paragraph 1 of this Article, the controller is able to demonstrate that it is not in a position to identify the data subject, the controller shall inform the data subject accordingly, if possible. In such cases, Articles 15 to 20 shall not apply except where the data subject, for the purpose of exercising his or her rights under those Articles, provides additional information enabling his or her identification.

Chapter Three

Rights of the data subject

Section 1

Transparency and modalities

Article 12

Transparent information, communication and modalities for the exercise of the rights of the data subject

1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14, and any communication under Articles 15 to 22 and 34 relating to processing, to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

2. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.

3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

5. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

(a) charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested; or
(b) refuse to act on the request.

The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

6. Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making a request referred to in Articles 15 to 22, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

7. The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give, in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they shall be machine-readable.

8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented by the icons and the procedures for providing standardised icons.

Section 2

Information and access to personal data

Article 13

Information to be provided where personal data are collected from the data subject

1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when the personal data are obtained, provide the data subject with all of the following information:

(a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended, as well as the legal basis for the processing;
(d) where the processing is based on Article 6(1)(f), the legitimate interests pursued by the controller or by a third party;
(e) the recipients or categories of recipients of the personal data, if any;
(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or, in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

2. In addition to the information referred to in paragraph 1, the controller shall, at the time when the personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:

(a) the period for which the personal data will be stored, or, if that is not possible, the criteria used to determine that period;
(b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject, or to object to processing, as well as the right to data portability;
(c) where the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
(d) the right to lodge a complaint with a supervisory authority;
(e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data;
(f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

3. Where the controller intends to further process the personal data for a purpose other than that for which they were collected, the controller shall provide the data subject, prior to that further processing, with information on that other purpose and with any relevant further information as referred to in paragraph 2.

4. Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.

Article 14

Information to be provided where personal data have not been obtained from the data subject

1. Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:

(a) The identity and the contact details of the controller and, where applicable, of the controller's representative;
(b) The contact details of the data protection officer, where applicable;
(c) The purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
(d) The categories of personal data concerned;
(e) The recipients or categories of recipients of the personal data, if any;
(f) Where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or, in the case of transfers referred to in Article 46 or 47 or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:

(a) The period for which the personal data will be stored, or, if that is not possible, the criteria used to determine that period;
(b) Where the processing is based on Article 6(1)(f), the legitimate interests pursued by the controller or by a third party;
(c) The existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing, as well as the right to data portability;
(d) Where the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
(e) The right to lodge a complaint with a supervisory authority;
(f) The source from which the personal data originate and, if applicable, whether they came from publicly accessible sources;
(g) The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

3. The controller shall provide the information referred to in paragraphs 1 and 2:

(a) Within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
(b) If the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
(c) If a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.

4. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject, prior to that further processing, with information on that other purpose and with any relevant further information as referred to in paragraph 2.

5. Paragraphs 1 to 4 shall not apply where and insofar as:

(a) The data subject already has the information;
(b) The provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1), or insofar as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available;
(c) Obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests; or
(d) The personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.

Article 15

Right of access by the data subject

1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

(a) The purposes of the processing;
(b) The categories of personal data concerned;
(c) The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) The right to lodge a complaint with a supervisory authority;
(g) Where the personal data are not collected from the data subject, any available information as to their source;
(h) The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

Article 16

Right to rectification

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Article 17

Right to erasure ('right to be forgotten')

1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(a) The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) The data subject withdraws the consent on which the processing is based according to Article 6(1)(a) or Article 9(2)(a), and there is no other legal ground for the processing;
(c) The data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
(d) The personal data have been unlawfully processed;
(e) The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(f) The personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

(a) For exercising the right of freedom of expression and information;
(b) For compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(c) For reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
(d) For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), insofar as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(e) For the establishment, exercise or defence of legal claims.

Article 18

Right to restriction of processing

1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

(a) The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
(b) The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
(c) The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
(d) The data subject has objected to processing pursuant to Article 21(1), pending the verification whether the legitimate grounds of the controller override those of the data subject.

2. Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject's consent, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.

3. A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

Article 19

Notification obligation regarding rectification or erasure of personal data or restriction of processing

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.

The controller shall inform the data subject about those recipients if the data subject requests it.

Section 4

Right to object and automated individual decision-making

Article 21

Right to object

1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Article 22

Automated individual decision-making, including profiling

1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

2. Paragraph 1 shall not apply if the decision:

(a) Is necessary for entering into, or performance of, a contract between the data subject and a data controller;
(b) Is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
(c) Is based on the data subject's explicit consent.

3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.

Section 5

Restrictions

Article 23

Restrictions

1. Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 insofar as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:

(a) National security;
(b) Defence;
(c) Public security;
(d) The prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
(e) Other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;
(f) The protection of judicial independence and judicial proceedings;
(g) The prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
(h) A monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);
(i) The protection of the data subject or the rights and freedoms of others;
(j) The enforcement of civil law claims.

2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:

(a) The purposes of the processing or categories of processing;
(b) The categories of personal data;
(c) The scope of the restrictions introduced;
(d) The safeguards to prevent abuse or unlawful access or transfer;
(e) The specification of the controller or categories of controllers;
(f) The storage periods and the applicable safeguards, taking into account the nature, scope and purposes of the processing or categories of processing;
(g) The risks to the rights and freedoms of data subjects; and
(h) The right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.

Chapter four

Controllers and processors

Section 1

General obligations

Article 24

Responsibility of the controller

1. Taking into account the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.

3. Adherence to approved codes of conduct as referred to in Article 40 or approved certification mechanisms as referred to in Article 42 may be used as an element by which to demonstrate compliance with the obligations of the controller.

Article 25

Data protection by design and by default

1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible, without the individual's intervention, to an indefinite number of natural persons.

3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.

Article 26

Joint controllers

1. Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them, unless and insofar as the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject. The arrangement may designate a contact point for data subjects.

2. The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject.

3. Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers.

Article 27

Representatives of controllers or processors not established in the Union

1. Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.

2. The obligation laid down in paragraph 1 of this Article shall not apply to:

(a) Processing which is occasional, does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; or
(b) A public authority or body.

3. The representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are.

4. The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.

5. The designation of a representative by the controller or processor shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves.

Article 28

Processor

1. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

2. The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

3. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:

(a) Processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
(b) Ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) Takes all measures required pursuant to Article 32;
(d) Respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;
(e) Taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter 3;
(f) Assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36, taking into account the nature of processing and the information available to the processor;
(g) At the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
(h) Makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.

4. Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.

5. Adherence of a processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article.

6. Without prejudice to an individual contract between the controller and the processor, the contract or the other legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on standard contractual clauses referred to in paragraphs 7 and 8 of this Article, including when they are part of a certification granted to the controller or processor pursuant to Articles 42 and 43.

7. The Commission may lay down standard contractual clauses for the matters referred to in paragraphs 3 and 4 of this Article, in accordance with the examination procedure referred to in Article 93(2).

8. A supervisory authority may adopt standard contractual clauses for the matters referred to in paragraphs 3 and 4 of this Article, in accordance with the consistency mechanism referred to in Article 63.

9. The contract or the other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form.

10. Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.

Article 29

Processing under the authority of the controller or processor

The processor and any person acting under the authority of the controller or of the processor who has access to personal data shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law.

Article 30

Records of processing activities

1. Each controller and, where applicable, the controller's representative shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:

(a) The name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
(b) The purposes of the processing;
(c) A description of the categories of data subjects and of the categories of personal data;
(d) The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
(e) Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
(f) Where possible, the envisaged time limits for erasure of the different categories of data;
(g) Where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

Article 31

Cooperation with the supervisory authority

The controller and the processor and, where applicable, their representatives shall cooperate, on request, with the supervisory authority in the performance of its tasks.

Article 32

Security of processing

1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia, as appropriate:

(a) The pseudonymisation and encryption of personal data;
(b) The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.

4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.
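Two of the measures the Regulation names, pseudonymisation (Article 25(1), Article 32(1)(a)) and processing by default only the personal data needed for a specific purpose (Article 25(2)), can be shown concretely. The following Python example is added here for illustration; it is not part of the Regulation or of any official guidance. The sample records, the purpose names, the per-purpose field allow-lists and the `IDENTIFIER_FIELDS` set are all constructed for the example, and the key that links pseudonyms back to identifiers stands in for the "additional information" that must be kept separately from the pseudonymised data.

```python
import hashlib
import hmac
import secrets
from typing import Any, Dict, List

# Constructed sample records; the people and values are invented for this example.
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"customer_id": "C-1001", "email": "alice@example.com", "postcode": "1017",
     "basket_total": 42.50, "last_login": "2024-01-03"},
    {"customer_id": "C-1002", "email": "bob@example.com", "postcode": "1017",
     "basket_total": 13.00, "last_login": "2024-01-04"},
    {"customer_id": "C-1001", "email": "alice@example.com", "postcode": "1017",
     "basket_total": 7.25, "last_login": "2024-01-09"},
]

# Hypothetical purpose-bound allow-lists: each processing purpose names the
# fields it needs, and every other field is dropped by default.
PURPOSE_FIELDS: Dict[str, List[str]] = {
    "sales_statistics": ["postcode", "basket_total"],
    "fraud_review": ["customer_id", "basket_total", "last_login"],
}

# Fields treated as direct identifiers (assumed for the example). They are
# never copied through; a purpose that needs them gets a keyed pseudonym.
IDENTIFIER_FIELDS = {"customer_id", "email"}


def generate_pseudonym_key() -> bytes:
    """Create the secret that links pseudonyms back to identifiers.

    This key is the separately kept additional information: whoever holds
    it can re-identify, whoever does not cannot."""
    return secrets.token_bytes(32)


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed pseudonym using HMAC-SHA256.

    A plain hash would let anyone re-compute the pseudonym from a guessed
    identifier (customer IDs have little entropy); keying with HMAC closes
    that. The same identifier under the same key yields the same pseudonym,
    so the key holder keeps linkability across records."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise(record: Dict[str, Any], purpose: str, key: bytes) -> Dict[str, Any]:
    """Return only the fields the stated purpose needs, pseudonymising identifiers.

    An undeclared purpose raises KeyError on purpose: a purpose with no
    allow-list receives no data rather than all of it."""
    allowed = PURPOSE_FIELDS[purpose]
    out: Dict[str, Any] = {}
    for field in allowed:
        if field in IDENTIFIER_FIELDS:
            out[field + "_pseudonym"] = pseudonymise(record[field], key)
        else:
            out[field] = record[field]
    return out


def export_for_purpose(records: List[Dict[str, Any]], purpose: str,
                       key: bytes) -> List[Dict[str, Any]]:
    """Minimise every record for one purpose."""
    return [minimise(r, purpose, key) for r in records]


def is_linked(pseudonym: str, identifier: str, key: bytes) -> bool:
    """Key holder's check that a pseudonym belongs to an identifier."""
    return hmac.compare_digest(pseudonym, pseudonymise(identifier, key))


if __name__ == "__main__":
    key = generate_pseudonym_key()
    for purpose in PURPOSE_FIELDS:
        print(purpose, export_for_purpose(SAMPLE_RECORDS, purpose, key))
```

The statistics export never sees an identifier at all, while the fraud-review export sees a pseudonym that stays stable for the same customer but cannot be turned back into the customer ID without the key; rotating the key breaks linkage with earlier exports, which is a property to plan for before relying on it.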

Article 33

Notification of a personal data breach to the supervisory authority

1. In the case of a personal data breach, the controller shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.

3. The notification referred to in paragraph 1 shall at least:

(a) Describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(b) Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
(c) Describe the likely consequences of the personal data breach;
(d) Describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

4. Where, and insofar as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

5. The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.

Article 34

Communication of a personal data breach to the data subject

1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

2. The communication to the data subject referred to in paragraph 1 of this Article shall describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).

3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:

(a) The controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
(b) The controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
(c) It would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

4. If the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likelihood of the personal data breach resulting in a high risk, may require it to do so or may decide that any of the conditions referred to in paragraph 3 are met.

Section 3

Data protection impact assessment and prior consultation

Article 35

Data protection impact assessment

1. Where a type of processing, in particular one using new technologies, is likely, taking into account the nature, scope, context and purposes of the processing, to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

2. The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment.

3. A data protection impact assessment referred to in paragraph 1 shall in particular be required in the case of:

(a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based;
(b) processing on a large scale of the special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
(c) systematic monitoring of a publicly accessible area on a large scale.

4. The regulatory authority shall establish and make public a list of the kinds of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1. The regulatory authority shall communicate that list to the Board referred to in Article 68.

5. The regulatory authority may also establish and make public a list of the kinds of processing operations for which no data protection impact assessment is required. The regulatory authority shall communicate that list to the Board.

6. Prior to the adoption of the lists referred to in paragraphs 4 and 5, the regulatory authority shall apply the consistency mechanism referred to in Article 63 where those lists involve processing activities related to the offering of goods or services to data subjects or to the monitoring of their behaviour in several Member States, or which may substantially affect the free movement of personal data within the Union.

7. The assessment shall contain at least:

(a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
(b) an assessment of the necessity of the processing operations in relation to the purposes;
(c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
(d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.

8. Compliance with approved codes of conduct referred to in Article 40 by the relevant controllers or processors shall be taken into due account in assessing the impact of the processing operations, in particular for the purposes of a data protection impact assessment.

9. Where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or personal interests or the security of processing operations.

10. Where processing pursuant to point (c) or (e) of Article 6(1) has a legal basis in Union law or in the law of the Member State to which the controller is subject, where that law regulates the specific processing operation or set of operations in question, and where a data protection impact assessment has already been carried out as part of a general impact assessment, paragraphs 1 to 7 shall not apply unless Member States deem it necessary to carry out such an assessment prior to the processing activities.

11. Where necessary, the controller shall carry out a review to assess whether the processing is performed in accordance with the data protection impact assessment.

Article 36

Prior consultation

1. The controller shall consult the regulatory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.

2. Where the regulatory authority is of the opinion that the intended processing referred to in paragraph 1 would infringe this Regulation, in particular where the controller has insufficiently identified or mitigated the risk, the regulatory authority shall, within a period of up to eight weeks, provide written advice to the controller and, where applicable, to the processor, and may use any of its powers referred to in Article 58. That period may be extended by six weeks, taking into account the complexity of the intended processing. The regulatory authority shall inform the controller and, where applicable, the processor of any such extension, together with the reasons for the delay. Those periods may be suspended until the regulatory authority has obtained the information it has requested for the purposes of the consultation.

3. When consulting the regulatory authority pursuant to paragraph 1, the controller shall provide the regulatory authority with:

(a) where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;
(b) the purposes and means of the intended processing;
(c) the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to this Regulation;
(d) where applicable, the contact details of the data protection officer;
(e) the data protection impact assessment provided for in Article 35; and
(f) any other information.

4. Member States shall consult the regulatory authority during the preparation of a proposal for a legislative measure to be adopted by a national parliament, or of a regulatory measure based on such a legislative measure, which relates to processing.

5. Notwithstanding paragraph 1, Member State law may require controllers to consult with, and obtain prior authorisation from, the regulatory authority in relation to processing for the performance of a task carried out in the public interest, including processing in relation to social protection and public health.

Section 4

Data protection officer

Article 37

Designation of the data protection officer

1. The controller and the processor shall designate a data protection officer in any case where:

(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large scale of the special categories of data pursuant to Article 9 or of personal data relating to criminal convictions and offences referred to in Article 10.

2. A group of undertakings may appoint a single data protection officer, provided that the data protection officer is accessible to each undertaking of the group.

3. Where the controller or the processor is a public authority or body, a single data protection officer may be designated for several such authorities or bodies, taking account of their organisational structure and size.

4. In cases other than those referred to in paragraph 1, the controller or processor, or associations and other bodies representing categories of controllers or processors, may, or where required by Union or Member State law shall, designate a data protection officer. The data protection officer may act for such associations and other bodies representing controllers or processors.

5. The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practice and the ability to fulfil the tasks referred to in Article 39.

6. The data protection officer may be a staff member of the controller or processor, or may fulfil the tasks on the basis of a service contract.

7. The controller or the processor shall publish the contact details of the data protection officer and communicate them to the regulatory authority.

Article 38

Position of the data protection officer

1. The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.

2. The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing the resources necessary to carry out those tasks, access to personal data and processing operations, and the means to maintain his or her expert knowledge.

3. The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing those tasks. The data protection officer shall report directly to the highest management level of the controller or the processor.

4. Data subjects may contact the data protection officer with regard to all issues related to the processing of their personal data and to the exercise of their rights under this Regulation.

5. The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.

6. The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.

Article 39

Tasks of the data protection officer

1. The data protection officer shall have at least the following tasks:

(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
(c) to provide advice where requested as regards the data protection impact assessment and to monitor its performance pursuant to Article 35;
(d) to cooperate with the regulatory authority;
(e) to act as the contact point for the regulatory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, on any other matter.

2. The data protection officer shall, in the performance of his or her tasks, have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of the processing.

Section 5

Codes of conduct and certification

Article 40

Codes of conduct

1. The Member States, the regulatory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.

2. Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to:

(a) fair and transparent processing;
(b) the legitimate interests pursued by controllers in specific contexts;
(c) the collection of personal data;
(d) the pseudonymisation of personal data;
(e) the information provided to the public and to data subjects;
(f) the exercise of the rights of data subjects;
(g) the information provided to, and the protection of, children, and the manner in which the consent of the holders of parental responsibility is to be obtained;
(h) the measures and procedures referred to in Articles 24 and 25 and the measures to ensure the security of processing referred to in Article 32;
(i) the notification of personal data breaches to regulatory authorities and the communication of such breaches to data subjects;
(j) the transfer of personal data to third countries or international organisations; or
(k) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing, without prejudice to the rights of data subjects pursuant to Articles 77 and 79.

3. Controllers and processors adhering to a code of conduct shall make binding and enforceable commitments, which may serve as appropriate safeguards, including with regard to the rights of data subjects.

4. A code of conduct referred to in paragraph 2 shall contain mechanisms which enable the body referred to in Article 41(1) to carry out the mandatory monitoring of compliance with its provisions by the controllers or processors which undertake to apply it, without prejudice to the tasks and powers of the regulatory authorities competent pursuant to Article 55 or 56.

5. Associations and other bodies referred to in paragraph 2 which intend to prepare a code of conduct or to amend or extend an existing code shall submit the draft code, amendment or extension to the regulatory authority which is competent pursuant to Article 55. The regulatory authority shall provide an opinion on whether the draft code, amendment or extension complies with this Regulation and shall approve it if it finds that it provides sufficient appropriate safeguards.

6. Where the draft code, amendment or extension is approved in accordance with paragraph 5, and where the code of conduct concerned does not relate to processing activities in several Member States, the regulatory authority shall register and publish the code.

7. Where a draft code of conduct relates to processing activities in several Member States, the regulatory authority competent pursuant to Article 55 shall, before approving the draft code, amendment or extension, submit it in accordance with the procedure referred to in Article 63 to the Board, together with its opinion on whether the draft code, amendment or extension complies with this Regulation or, in the situation referred to in paragraph 3, provides appropriate safeguards.

8. Where the opinion referred to in paragraph 7 confirms that appropriate safeguards are provided, the Board shall submit its opinion to the Commission.

9. The Commission may, by way of implementing acts, decide that the approved code of conduct, amendment or extension submitted to it pursuant to paragraph 8 has general validity within the Union. Those implementing acts shall be adopted in accordance with the procedure referred to in Article 93(2).

10. The Commission shall ensure appropriate publicity for the approved codes which have been decided as having general validity in accordance with paragraph 9.

11. The Board shall collate all approved codes of conduct, amendments and extensions in a register and shall make them publicly available by appropriate means.

Article 41

Monitoring of approved codes of conduct

1. Without prejudice to the tasks and powers of the competent regulatory authority under Articles 57 and 58, the monitoring of compliance with a code of conduct pursuant to Article 40 may be carried out by a body accredited for that purpose by the competent regulatory authority.

2. A body as referred to in paragraph 1 may be accredited to monitor compliance with a code of conduct where that body has:

(a) demonstrated its independence and expertise in relation to the subject-matter of the code to the satisfaction of the competent regulatory authority;
(b) established procedures which allow it to assess the eligibility of controllers and processors to apply the code, to periodically review their compliance with its provisions and to review the operation of the code itself;
(c) established procedures and structures to handle complaints about infringements of the code or about the manner in which the code has been, or is being, implemented by a controller or processor, and to make those procedures and structures transparent to data subjects and the public;
(d) demonstrated to the satisfaction of the competent regulatory authority that its tasks and duties do not result in a conflict of interests.

3. The competent regulatory authority shall submit the draft criteria for accreditation of a body as referred to in paragraph 1 to the Board pursuant to the consistency mechanism referred to in Article 63.

4. A body as referred to in paragraph 1 shall, subject to appropriate safeguards, take appropriate action in cases of infringement of the code by a controller or processor, including suspension or exclusion of the controller or processor concerned from the code. It shall inform the competent regulatory authority of such actions and of the reasons for taking them.

5. The competent regulatory authority shall revoke the accreditation of a body as referred to in paragraph 1 if the conditions for accreditation are not, or are no longer, met, or where actions taken by the body infringe this Regulation.

6. This Article shall not apply to processing carried out by public authorities and bodies.

Article 42

Certification

1. The Member States, the regulatory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating that processing operations by controllers and processors comply with this Regulation. The specific needs of micro, small and medium-sized enterprises shall be taken into account.

2. Data protection certification mechanisms, seals or marks approved pursuant to paragraph 5 may be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors. Such controllers or processors shall make binding and enforceable commitments to apply those safeguards, including with regard to the rights of data subjects.

3. The certification shall be voluntary and available through a transparent process.

4. A certification pursuant to this Article does not reduce the responsibility of the controller or the processor for compliance with this Regulation, and is without prejudice to the tasks and powers of the regulatory authorities which are competent pursuant to Article 55 or 56.

5. A certification pursuant to this Article shall be issued by the certification bodies referred to in Article 43, on the basis of criteria approved by the competent regulatory authority pursuant to Article 58(3) or by the Board pursuant to Article 63. Where the criteria are approved by the Board, this may result in a common certification, the European Data Protection Seal.

6. The controller or processor which submits its processing to the certification mechanism shall provide the certification body referred to in Article 43 or, where applicable, the competent regulatory authority with all information and access to its processing activities which are necessary to conduct the certification procedure.

7. Certification shall be issued to a controller or processor for a maximum period of three years and may be renewed, under the same conditions, provided that the relevant requirements continue to be met. Certification shall be withdrawn by the certification bodies referred to in Article 43 or by the competent regulatory authority where the requirements for the certification are not, or are no longer, met.

8. The Board shall collate all certification mechanisms and data protection seals and marks in a register and shall make them publicly available by any appropriate means.

Article 43

Certification bodies

1. Certification bodies which have an appropriate level of expertise in relation to data protection shall, after informing the regulatory authority in order to allow it to exercise its powers pursuant to Article 58 where necessary, issue and renew certification. Member States shall ensure that those certification bodies are accredited by one or both of the following:

(a) the regulatory authority which is competent pursuant to Article 55 or 56;
(b) the national accreditation body named in accordance with Regulation (EC) No 765/2008 of the European Parliament and of the Council, in accordance with EN-ISO/IEC 17065/2012 and with the additional requirements established by the regulatory authority which is competent pursuant to Article 55 or 56.

2. Certification bodies referred to in paragraph 1 shall be accredited in accordance with that paragraph only where they have:

(a) demonstrated their independence and expertise in relation to the subject-matter of the certification to the satisfaction of the competent regulatory authority;
(b) undertaken to respect the criteria referred to in Article 42(5) and approved by the regulatory authority which is competent pursuant to Article 55 or 56 or by the Board pursuant to Article 63;
(c) established procedures for the issuing, periodic review and withdrawal of data protection certification, seals and marks;
(d) established procedures and structures to handle complaints about infringements of the certification or about the manner in which the certification has been, or is being, implemented by the controller or processor, and to make those procedures and structures transparent to data subjects and the public; and
(e) demonstrated, to the satisfaction of the competent regulatory authority, that their tasks and duties do not result in a conflict of interests.

3. The accreditation of certification bodies as referred to in paragraphs 1 and 2 shall take place on the basis of criteria approved by the regulatory authority which is competent pursuant to Article 55 or 56 or by the Board pursuant to Article 63. In the case of accreditation pursuant to point (b) of paragraph 1, those requirements shall complement those envisaged in Regulation (EC) No 765/2008 of the European Parliament and of the Council and the technical rules that describe the methods and procedures of the certification bodies.

4. The certification bodies referred to in paragraph 1 shall be responsible for the proper assessment leading to the certification or the withdrawal of such certification. The accreditation shall be issued for a maximum period of five years and may be renewed on the same conditions provided that the certification body meets the requirements set out in this Article.

5. The certification bodies referred to in paragraph 1 shall provide the competent regulatory authority with the reasons for granting or withdrawing the requested certification.

6. The requirements referred to in paragraph 3 and the criteria referred to in Article 42(5) shall be made public by the regulatory authority in an easily accessible form. The regulatory authorities shall also transmit those requirements and criteria to the Board. The Board shall collate all certification mechanisms and data protection seals and marks in a register and shall make them publicly available by any appropriate means.

7. Without prejudice to Chapter 8, the competent regulatory authority or the national accreditation body shall revoke the accreditation of a certification body pursuant to paragraph 1 where the conditions for the accreditation are not, or are no longer, met, or where actions taken by the certification body infringe this Regulation.

8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of specifying the requirements to be taken into account for the data protection certification mechanisms referred to in Article 42(1).

9. The Commission may adopt implementing acts laying down technical standards for certification mechanisms and data protection seals and marks. Those implementing acts shall be adopted in accordance with the procedure referred to in Article 93(2).

Chapter 5

Transfers of personal data to third countries or international organisations

Article 44

General principle for transfers

Article 45

Transfers on the basis of an adequacy decision

Article 46

Transfers subject to appropriate safeguards

Article 47

Binding corporate rules

Article 48

Transfers or disclosures not authorised by Union law

Article 49

Derogations for specific situations

Article 50

International cooperation for the protection of personal data

Chapter 6

Independent regulatory authorities

Section 1

Independent status

Article 51

Regulatory authority

Article 52

Independence

Article 53

General conditions for the members of the regulatory authority

Article 54

Rules on the establishment of the regulatory authority

Section 2

Competence, tasks and powers

Article 55

Competence

Article 56

Competence of the lead regulatory authority

Article 57

Tasks

Article 58

Powers

Article 59

Activity reports

Chapter 7

Cooperation and consistency

Section 1

Cooperation

Article 60

Cooperation between the lead regulatory authority and the other regulatory authorities concerned

Article 61

Mutual assistance

Article 62

Joint operations of regulatory authorities

Section 2

Consistency

Article 63

Consistency mechanism

Article 64

Opinion of the Board

Article 65

Dispute resolution by the Board

Article 66

Urgency procedure

Section 3

European Data Protection Board

Article 68

European Data Protection Board

Article 69

Independence

Article 70

Tasks of the Board

Article 71

Reports

Article 72

Procedure

Article 73

Chair

Article 74

Tasks of the Chair

Article 75

Secretariat

Article 76

Confidentiality

Chapter 8

Remedies, liability and penalties

Article 77

Right to lodge a complaint with a regulatory authority

Article 78

Right to an effective judicial remedy against a regulatory authority

Article 79

Right to an effective judicial remedy against a controller or processor

Article 80

Representation of data subjects

Article 81

Suspension of proceedings

Article 82

Right to compensation and liability

Article 83

General conditions for imposing administrative fines

Article 84

Penalties

Chapter 9

Provisions relating to specific processing situations

Article 85

Processing and freedom of expression and information

Article 86

Processing and public access to official documents

Article 87

Processing of the national identification number

Article 88

Processing in the context of employment

Article 89

Safeguards and limitations relating to processing for purposes in the public interest, scientific or historical research purposes or statistical purposes

Article 90

Obligations of secrecy

Article 91

Existing data protection rules of churches and religious associations

Chapter 10

Delegated acts and implementing acts

Article 92

Exercise of the delegation

Article 93

Committee procedure

Chapter 11

Final provisions

Article 94

Repeal of Directive 95/46/EC

Article 95

Relationship with Directive 2002/58/EC

Article 96

Relationship with previously concluded agreements

Article 97

Commission reports

Article 98

Review of other Union legal acts on data protection

Article 99

Entry into force and application