This document is an excerpt from the EUR-Lex website
Document 02016L0680-20160504
Consolidated text: Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA
02016L0680 — EN — 04.05.2016 — 000.001
This text is meant purely as a documentation tool and has no legal effect. The Union's institutions do not assume any liability for its contents. The authentic versions of the relevant acts, including their preambles, are those published in the Official Journal of the European Union and available in EUR-Lex. Those official texts are directly accessible through the links embedded in this document
DIRECTIVE (EU) 2016/680 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 (OJ L 119 4.5.2016, p. 89)
Corrected by:
DIRECTIVE (EU) 2016/680 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 27 April 2016
on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA
CHAPTER I
General provisions
Article 1
Subject-matter and objectives
In accordance with this Directive, Member States shall:
protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data; and
ensure that the exchange of personal data by competent authorities within the Union, where such exchange is required by Union or Member State law, is neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
Article 2
Scope
This Directive does not apply to the processing of personal data:
in the course of an activity which falls outside the scope of Union law;
by the Union institutions, bodies, offices and agencies.
Article 3
Definitions
For the purposes of this Directive:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;
‘competent authority’ means:
any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; or
any other body or entity entrusted by Member State law to exercise public authority and public powers for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
‘controller’ means the competent authority which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
‘genetic data’ means personal data, relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 41;
‘international organisation’ means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
CHAPTER II
Principles
Article 4
Principles relating to processing of personal data
Member States shall provide for personal data to be:
processed lawfully and fairly;
collected for specified, explicit and legitimate purposes and not processed in a manner that is incompatible with those purposes;
adequate, relevant and not excessive in relation to the purposes for which they are processed;
accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed;
processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Processing by the same or another controller for any of the purposes set out in Article 1(1) other than that for which the personal data are collected shall be permitted in so far as:
the controller is authorised to process such personal data for such a purpose in accordance with Union or Member State law; and
processing is necessary and proportionate to that other purpose in accordance with Union or Member State law.
Article 5
Time-limits for storage and review
Member States shall provide for appropriate time limits to be established for the erasure of personal data or for a periodic review of the need for the storage of personal data. Procedural measures shall ensure that those time limits are observed.
Article 6
Distinction between different categories of data subject
Member States shall provide for the controller, where applicable and as far as possible, to make a clear distinction between personal data of different categories of data subjects, such as:
persons with regard to whom there are serious grounds for believing that they have committed or are about to commit a criminal offence;
persons convicted of a criminal offence;
victims of a criminal offence or persons with regard to whom certain facts give rise to reasons for believing that he or she could be the victim of a criminal offence; and
other parties to a criminal offence, such as persons who might be called on to testify in investigations in connection with criminal offences or subsequent criminal proceedings, persons who can provide information on criminal offences, or contacts or associates of one of the persons referred to in points (a) and (b).
Article 7
Distinction between personal data and verification of quality of personal data
Article 8
Lawfulness of processing
Article 9
Specific processing conditions
Article 10
Processing of special categories of personal data
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be allowed only where strictly necessary, subject to appropriate safeguards for the rights and freedoms of the data subject, and only:
where authorised by Union or Member State law;
to protect the vital interests of the data subject or of another natural person; or
where such processing relates to data which are manifestly made public by the data subject.
Article 11
Automated individual decision-making
CHAPTER III
Rights of the data subject
Article 12
Communication and modalities for exercising the rights of the data subject
Member States shall provide for the information provided under Article 13 and any communication made or action taken pursuant to Articles 11, 14 to 18 and 31 to be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested; or
refuse to act on the request.
The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
Article 13
Information to be made available or given to the data subject
Member States shall provide for the controller to make available to the data subject at least the following information:
the identity and the contact details of the controller;
the contact details of the data protection officer, where applicable;
the purposes of the processing for which the personal data are intended;
the right to lodge a complaint with a supervisory authority and the contact details of the supervisory authority;
the existence of the right to request from the controller access to and rectification or erasure of personal data and restriction of processing of the personal data concerning the data subject.
In addition to the information referred to in paragraph 1, Member States shall provide by law for the controller to give to the data subject, in specific cases, the following further information to enable the exercise of his or her rights:
the legal basis for the processing;
the period for which the personal data will be stored, or, where that is not possible, the criteria used to determine that period;
where applicable, the categories of recipients of the personal data, including in third countries or international organisations;
where necessary, further information, in particular where the personal data are collected without the knowledge of the data subject.
Member States may adopt legislative measures delaying, restricting or omitting the provision of the information to the data subject pursuant to paragraph 2 to the extent that, and for as long as, such a measure constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and the legitimate interests of the natural person concerned, in order to:
avoid obstructing official or legal inquiries, investigations or procedures;
avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
protect public security;
protect national security;
protect the rights and freedoms of others.
Article 14
Right of access by the data subject
Subject to Article 15, Member States shall provide for the right of the data subject to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
the purposes of and legal basis for the processing;
the categories of personal data concerned;
the recipients or categories of recipients to whom the personal data have been disclosed, in particular recipients in third countries or international organisations;
where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject;
the right to lodge a complaint with the supervisory authority and the contact details of the supervisory authority;
communication of the personal data undergoing processing and of any available information as to their origin.
Article 15
Limitations to the right of access
Member States may adopt legislative measures restricting, wholly or partly, the data subject's right of access to the extent that, and for as long as such a partial or complete restriction constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and legitimate interests of the natural person concerned, in order to:
avoid obstructing official or legal inquiries, investigations or procedures;
avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
protect public security;
protect national security;
protect the rights and freedoms of others.
Article 16
Right to rectification or erasure of personal data and restriction of processing
Instead of erasure, the controller shall restrict processing where:
the accuracy of the personal data is contested by the data subject and their accuracy or inaccuracy cannot be ascertained; or
the personal data must be maintained for the purposes of evidence.
Where processing is restricted pursuant to point (a) of the first subparagraph, the controller shall inform the data subject before lifting the restriction of processing.
Member States shall provide for the controller to inform the data subject in writing of any refusal of rectification or erasure of personal data or restriction of processing and of the reasons for the refusal. Member States may adopt legislative measures restricting, wholly or partly, the obligation to provide such information to the extent that such a restriction constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and legitimate interests of the natural person concerned in order to:
avoid obstructing official or legal inquiries, investigations or procedures;
avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
protect public security;
protect national security;
protect the rights and freedoms of others.
Member States shall provide for the controller to inform the data subject of the possibility of lodging a complaint with a supervisory authority or seeking a judicial remedy.
Article 17
Exercise of rights by the data subject and verification by the supervisory authority
Article 18
Rights of the data subject in criminal investigations and proceedings
Member States may provide for the exercise of the rights referred to in Articles 13, 14 and 16 to be carried out in accordance with Member State law where the personal data are contained in a judicial decision or record or case file processed in the course of criminal investigations and proceedings.
CHAPTER IV
Controller and processor
Article 19
Obligations of the controller
Article 20
Data protection by design and by default
Article 21
Joint controllers
Article 22
Processor
Member States shall provide for the processing by a processor to be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:
acts only on instructions from the controller;
ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
assists the controller by any appropriate means to ensure compliance with the provisions on the data subject's rights;
at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of data processing services, and deletes existing copies unless Union or Member State law requires storage of the personal data;
makes available to the controller all information necessary to demonstrate compliance with this Article;
complies with the conditions referred to in paragraphs 2 and 3 for engaging another processor.
Article 23
Processing under the authority of the controller or processor
Member States shall provide for the processor and any person acting under the authority of the controller or of the processor, who has access to personal data, not to process those data except on instructions from the controller, unless required to do so by Union or Member State law.
Article 24
Records of processing activities
Member States shall provide for controllers to maintain a record of all categories of processing activities under their responsibility. That record shall contain all of the following information:
the name and contact details of the controller and, where applicable, the joint controller and the data protection officer;
the purposes of the processing;
the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
a description of the categories of data subject and of the categories of personal data;
where applicable, the use of profiling;
where applicable, the categories of transfers of personal data to a third country or an international organisation;
an indication of the legal basis for the processing operation, including transfers, for which the personal data are intended;
where possible, the envisaged time limits for erasure of the different categories of personal data;
where possible, a general description of the technical and organisational security measures referred to in Article 29(1).
Member States shall provide for each processor to maintain a record of all categories of processing activities carried out on behalf of a controller, containing:
the name and contact details of the processor or processors, of each controller on behalf of which the processor is acting and, where applicable, the data protection officer;
the categories of processing carried out on behalf of each controller;
where applicable, transfers of personal data to a third country or an international organisation where explicitly instructed to do so by the controller, including the identification of that third country or international organisation;
where possible, a general description of the technical and organisational security measures referred to in Article 29(1).
The controller and the processor shall make those records available to the supervisory authority on request.
Article 25
Logging
Article 26
Cooperation with the supervisory authority
Member States shall provide for the controller and the processor to cooperate, on request, with the supervisory authority in the performance of its tasks on request.
Article 27
Data protection impact assessment
Article 28
Prior consultation of the supervisory authority
Member States shall provide for the controller or processor to consult the supervisory authority prior to processing which will form part of a new filing system to be created, where:
a data protection impact assessment as provided for in Article 27 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk; or
the type of processing, in particular, where using new technologies, mechanisms or procedures, involves a high risk to the rights and freedoms of data subjects.
Article 29
Security of processing
In respect of automated processing, each Member State shall provide for the controller or processor, following an evaluation of the risks, to implement measures designed to:
deny unauthorised persons access to processing equipment used for processing (‘equipment access control’);
prevent the unauthorised reading, copying, modification or removal of data media (‘data media control’);
prevent the unauthorised input of personal data and the unauthorised inspection, modification or deletion of stored personal data (‘storage control’);
prevent the use of automated processing systems by unauthorised persons using data communication equipment (‘user control’);
ensure that persons authorised to use an automated processing system have access only to the personal data covered by their access authorisation (‘data access control’);
ensure that it is possible to verify and establish the bodies to which personal data have been or may be transmitted or made available using data communication equipment (‘communication control’);
ensure that it is subsequently possible to verify and establish which personal data have been input into automated processing systems and when and by whom the personal data were input (‘input control’);
prevent the unauthorised reading, copying, modification or deletion of personal data during transfers of personal data or during transportation of data media (‘transport control’);
ensure that installed systems may, in the case of interruption, be restored (‘recovery’);
ensure that the functions of the system perform, that the appearance of faults in the functions is reported (‘reliability’) and that stored personal data cannot be corrupted by means of a malfunctioning of the system (‘integrity’).
Article 30
Notification of a personal data breach to the supervisory authority
The notification referred to in paragraph 1 shall at least:
describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
describe the likely consequences of the personal data breach;
describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Article 31
Communication of a personal data breach to the data subject
The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:
the controller has implemented appropriate technological and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise;
it would involve a disproportionate effort. In such a case, there shall instead be a public communication or a similar measure whereby the data subjects are informed in an equally effective manner.
Article 32
Designation of the data protection officer
Article 33
Position of the data protection officer
Article 34
Tasks of the data protection officer
Member States shall provide for the controller to entrust the data protection officer at least with the following tasks:
to inform and advise the controller and the employees who carry out processing of their obligations pursuant to this Directive and to other Union or Member State data protection provisions;
to monitor compliance with this Directive, with other Union or Member State data protection provisions and with the policies of the controller in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 27;
to cooperate with the supervisory authority;
to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 28, and to consult, where appropriate, with regard to any other matter.
CHAPTER V
Transfers of personal data to third countries or international organisations
Article 35
General principles for transfers of personal data
Member States shall provide for any transfer by competent authorities of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation including for onward transfers to another third country or international organisation to take place, subject to compliance with the national provisions adopted pursuant to other provisions of this Directive, only where the conditions laid down in this Chapter are met, namely:
the transfer is necessary for the purposes set out in Article 1(1);
the personal data are transferred to a controller in a third country or international organisation that is an authority competent for the purposes referred to in Article 1(1);
where personal data are transmitted or made available from another Member State, that Member State has given its prior authorisation to the transfer in accordance with its national law;
the Commission has adopted an adequacy decision pursuant to Article 36, or, in the absence of such a decision, appropriate safeguards have been provided or exist pursuant to Article 37, or, in the absence of an adequacy decision pursuant to Article 36 and of appropriate safeguards in accordance with Article 37, derogations for specific situations apply pursuant to Article 38; and
in the case of an onward transfer to another third country or international organisation, the competent authority that carried out the original transfer or another competent authority of the same Member State authorises the onward transfer, after taking into due account all relevant factors, including the seriousness of the criminal offence, the purpose for which the personal data was originally transferred and the level of personal data protection in the third country or an international organisation to which personal data are onward transferred.
Article 36
Transfers on the basis of an adequacy decision
When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:
the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation, which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are transferred;
the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with data protection rules, including adequate enforcement powers, for assisting and advising data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States; and
the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.
On duly justified imperative grounds of urgency, the Commission shall adopt immediately applicable implementing acts in accordance with the procedure referred to in Article 58(3).
Article 37
Transfers subject to appropriate safeguards
In the absence of a decision pursuant to Article 36(3), Member States shall provide that a transfer of personal data to a third country or an international organisation may take place where:
appropriate safeguards with regard to the protection of personal data are provided for in a legally binding instrument; or
the controller has assessed all the circumstances surrounding the transfer of personal data and concludes that appropriate safeguards exist with regard to the protection of personal data.
Article 38
Derogations for specific situations
In the absence of an adequacy decision pursuant to Article 36, or of appropriate safeguards pursuant to Article 37, Member States shall provide that a transfer or a category of transfers of personal data to a third country or an international organisation may take place only on the condition that the transfer is necessary:
in order to protect the vital interests of the data subject or another person;
to safeguard legitimate interests of the data subject, where the law of the Member State transferring the personal data so provides;
for the prevention of an immediate and serious threat to public security of a Member State or a third country;
in individual cases for the purposes set out in Article 1(1); or
in an individual case for the establishment, exercise or defence of legal claims relating to the purposes set out in Article 1(1).
Article 39
Transfers of personal data to recipients established in third countries
By way of derogation from point (b) of Article 35(1) and without prejudice to any international agreement referred to in paragraph 2 of this Article, Union or Member State law may provide for the competent authorities referred to in point (7)(a) of Article 3, in individual and specific cases, to transfer personal data directly to recipients established in third countries only if the other provisions of this Directive are complied with and all of the following conditions are fulfilled:
the transfer is strictly necessary for the performance of a task of the transferring competent authority as provided for by Union or Member State law for the purposes set out in Article 1(1);
the transferring competent authority determines that no fundamental rights and freedoms of the data subject concerned override the public interest necessitating the transfer in the case at hand;
the transferring competent authority considers that the transfer to an authority that is competent for the purposes referred to in Article 1(1) in the third country is ineffective or inappropriate, in particular because the transfer cannot be achieved in good time;
the authority that is competent for the purposes referred to in Article 1(1) in the third country is informed without undue delay, unless this is ineffective or inappropriate;
the transferring competent authority informs the recipient of the specified purpose or purposes for which the personal data are only to be processed by the latter provided that such processing is necessary.
Article 40
International cooperation for the protection of personal data
In relation to third countries and international organisations, the Commission and Member States shall take appropriate steps to:
develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data;
provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms;
engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal data;
promote the exchange and documentation of personal data protection legislation and practice, including on jurisdictional conflicts with third countries.
CHAPTER VI
Independent supervisory authorities
Article 41
Supervisory authority
Article 42
Independence
Article 43
General conditions for the members of the supervisory authority
Member States shall provide for each member of their supervisory authorities to be appointed by means of a transparent procedure by:
Article 44
Rules on the establishment of the supervisory authority
Each Member State shall provide by law for all of the following:
the establishment of each supervisory authority;
the qualifications and eligibility conditions required to be appointed as a member of each supervisory authority;
the rules and procedures for the appointment of the member or members of each supervisory authority;
the duration of the term of the member or members of each supervisory authority of not less than four years, except for the first appointment after 6 May 2016, part of which may take place for a shorter period where that is necessary to protect the independence of the supervisory authority by means of a staggered appointment procedure;
whether and, if so, for how many terms the member or members of each supervisory authority is eligible for reappointment;
the conditions governing the obligations of the member or members and staff of each supervisory authority, prohibitions on actions, occupations and benefits incompatible therewith during and after the term of office and rules governing the cessation of employment.
Article 45
Competence
Article 46
Tasks
Each Member State shall provide, on its territory, for each supervisory authority to:
monitor and enforce the application of the provisions adopted pursuant to this Directive and its implementing measures;
promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing;
advise, in accordance with Member State law, the national parliament, the government and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to processing;
promote the awareness of controllers and processors of their obligations under this Directive;
upon request, provide information to any data subject concerning the exercise of their rights under this Directive and, if appropriate, cooperate with the supervisory authorities in other Member States to that end;
deal with complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 55, and investigate, to the extent appropriate, the subject-matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;
check the lawfulness of processing pursuant to Article 17, and inform the data subject within a reasonable period of the outcome of the check pursuant to paragraph 3 of that Article or of the reasons why the check has not been carried out;
cooperate with, including by sharing information, and provide mutual assistance to other supervisory authorities, with a view to ensuring the consistency of application and enforcement of this Directive;
conduct investigations on the application of this Directive, including on the basis of information received from another supervisory authority or other public authority;
monitor relevant developments insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies;
provide advice on the processing operations referred to in Article 28; and
contribute to the activities of the Board.
Article 47
Powers
Each Member State shall provide by law for each supervisory authority to have effective corrective powers such as, for example:
to issue warnings to a controller or processor that intended processing operations are likely to infringe the provisions adopted pursuant to this Directive;
to order the controller or processor to bring processing operations into compliance with the provisions adopted pursuant to this Directive, where appropriate, in a specified manner and within a specified period, in particular by ordering the rectification or erasure of personal data or restriction of processing pursuant to Article 16;
to impose a temporary or definitive limitation, including a ban, on processing.
Article 48
Reporting of infringements
Member States shall provide for competent authorities to put in place effective mechanisms to encourage confidential reporting of infringements of this Directive.
Article 49
Activity reports
Each supervisory authority shall draw up an annual report on its activities, which may include a list of types of infringement notified and types of penalties imposed. Those reports shall be transmitted to the national parliament, the government and other authorities as designated by Member State law. They shall be made available to the public, the Commission and the Board.
CHAPTER VII
Cooperation
Article 50
Mutual assistance
The requested supervisory authority shall not refuse to comply with the request unless:
it is not competent for the subject-matter of the request or for the measures it is requested to execute; or
compliance with the request would infringe this Directive or Union or Member State law to which the supervisory authority receiving the request is subject.
Article 51
Tasks of the Board
The Board established by Regulation (EU) 2016/679 shall perform all of the following tasks in relation to processing within the scope of this Directive:
(a) advise the Commission on any issue related to the protection of personal data in the Union, including on any proposed amendment of this Directive;
(b) examine, on its own initiative, on request of one of its members or on request of the Commission, any question covering the application of this Directive and issue guidelines, recommendations and best practices in order to encourage consistent application of this Directive;
(c) draw up guidelines for supervisory authorities concerning the application of measures referred to in Article 47(1) and (3);
(d) issue guidelines, recommendations and best practices in accordance with point (b) of this subparagraph for establishing personal data breaches and determining the undue delay referred to in Article 30(1) and (2) and for the particular circumstances in which a controller or a processor is required to notify the personal data breach;
(e) issue guidelines, recommendations and best practices in accordance with point (b) of this subparagraph as to the circumstances in which a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons as referred to in Article 31(1);
(f) review the practical application of the guidelines, recommendations and best practices;
(g) provide the Commission with an opinion for the assessment of the adequacy of the level of protection in a third country, a territory or one or more specified sectors within a third country, or an international organisation, including for the assessment whether such a third country, territory, specified sector, or international organisation no longer ensures an adequate level of protection;
(h) promote the cooperation and the effective bilateral and multilateral exchange of information and best practices between the supervisory authorities;
(i) promote common training programmes and facilitate personnel exchanges between the supervisory authorities and, where appropriate, with the supervisory authorities of third countries or with international organisations;
(j) promote the exchange of knowledge and documentation on data protection law and practice with data protection supervisory authorities worldwide.
With regard to point (g) of the first subparagraph, the Commission shall provide the Board with all necessary documentation, including correspondence with the government of the third country, with the territory or specified sector within that third country, or with the international organisation.
CHAPTER VIII
Remedies, liability and penalties
Article 52
Right to lodge a complaint with a supervisory authority
Article 53
Right to an effective judicial remedy against a supervisory authority
Article 54
Right to an effective judicial remedy against a controller or processor
Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 52, Member States shall provide for the right of a data subject to an effective judicial remedy where he or she considers that his or her rights laid down in provisions adopted pursuant to this Directive have been infringed as a result of the processing of his or her personal data in non-compliance with those provisions.
Article 55
Representation of data subjects
Member States shall, in accordance with Member State procedural law, provide for the data subject to have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with Member State law, has statutory objectives which are in the public interest and is active in the field of protection of data subject's rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf and to exercise the rights referred to in Articles 52, 53 and 54 on his or her behalf.
Article 56
Right to compensation
Member States shall provide for any person who has suffered material or non-material damage as a result of an unlawful processing operation or of any act infringing national provisions adopted pursuant to this Directive to have the right to receive compensation for the damage suffered from the controller or any other authority competent under Member State law.
Article 57
Penalties
Member States shall lay down the rules on penalties applicable to infringements of the provisions adopted pursuant to this Directive and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive.
CHAPTER IX
Implementing acts
Article 58
Committee procedure
CHAPTER X
Final provisions
Article 59
Repeal of Framework Decision 2008/977/JHA
Article 60
Union legal acts already in force
The specific provisions for the protection of personal data in Union legal acts that entered into force on or before 6 May 2016 in the field of judicial cooperation in criminal matters and police cooperation, which regulate processing between Member States and the access of designated authorities of Member States to information systems established pursuant to the Treaties within the scope of this Directive, shall remain unaffected.
Article 61
Relationship with previously concluded international agreements in the field of judicial cooperation in criminal matters and police cooperation
International agreements involving the transfer of personal data to third countries or international organisations which were concluded by Member States prior to 6 May 2016 and which comply with Union law as applicable prior to that date shall remain in force until amended, replaced or revoked.
Article 62
Commission reports
Article 63
Transposition
When Member States adopt those provisions, they shall contain a reference to this Directive or shall be accompanied by such a reference on the occasion of their official publication. Member States shall determine how such reference is to be made.
Article 64
Entry into force
This Directive shall enter into force on the day following that of its publication in the Official Journal of the European Union.
Article 65
Addressees
This Directive is addressed to the Member States.