(1)

The internal market is one of the Union’s most tangible achievements. By allowing people, goods, services and capital to move freely it offers new opportunities for citizens and businesses. This Regulation is a key element of the Single Market Strategy established by the communication of the Commission of 28 October 2015 entitled ‘Upgrading the Single Market: more opportunities for people and business’. That strategy has the objective of unlocking the full potential of the internal market by making it easier for citizens and businesses to move within the Union and to trade, establish themselves and expand their businesses across borders.

(2)

The communication of the Commission of 6 May 2015 entitled ‘A Digital Single Market Strategy for Europe’ recognised the role of the internet and digital technologies in transforming our lives, changing the way in which citizens and businesses access information, acquire knowledge, buy goods and services, participate in the market and work, thereby facilitating opportunities for innovation, growth and jobs. That communication, along with several resolutions adopted by the European Parliament, acknowledged that the needs of citizens and businesses in their own country and across borders could be better met by extending and integrating existing European-level portals, websites, networks, services and systems and by linking them with different national solutions, thereby creating a single digital gateway serving as a European single entry point (‘the gateway’). The communication of the Commission of 19 April 2016 entitled ‘EU eGovernment Action Plan 2016-2020 — Accelerating the digital transformation of government’ listed the gateway amongst one of its actions for 2017. The Commission’s report of 24 January 2017, entitled ‘Strengthening Citizens’ Rights in a Union of Democratic Change — EU Citizenship Report 2017’ considered the gateway to be a priority for the rights of the Union’s citizens.

(3)

The European Parliament and the Council have repeatedly called for a more comprehensive and more user-friendly package of information and assistance to help citizens and businesses navigate the internal market and to strengthen and streamline internal market tools in order to better meet the needs of citizens and businesses in their cross-border activities.

(4)

This Regulation responds to those calls by offering citizens and businesses easy access to the information, the procedures, and the assistance and problem-solving services that they need in order to exercise their rights in the internal market. The gateway could contribute to the greater transparency of rules and regulations relating to different business and life events, in areas such as travel, retirement, education, employment, healthcare, consumer rights and family rights. Furthermore, it could help improve consumers’ confidence, address the lack of knowledge about consumer protection and internal market rules and reduce compliance costs for businesses. This Regulation establishes a user-friendly, interactive gateway which, based on users’ needs, should guide them to the most appropriate services. In that context, the Commission and Member States should play an important role in achieving those objectives.

(5)

The gateway should facilitate interactions between citizens and businesses, on the one hand, and competent authorities, on the other hand, by providing access to online solutions, facilitating the day-to-day activities of citizens and businesses and minimising the obstacles encountered in the internal market. The existence of a single digital gateway providing online access to accurate and up-to-date information, to procedures and to assistance and problem-solving services could help raise the users’ awareness of the different existing online services and could save them time and expense.

(6)

This Regulation has three objectives, namely to reduce any additional administrative burden on citizens and businesses that exercise or want to exercise their internal market rights, including the free movement of citizens, in full compliance with national rules and procedures, to eliminate discrimination and to ensure the functioning of the internal market with regard to the provision of information, of procedures and of assistance and problem-solving services. Since it covers free movement of citizens, which cannot be considered to be merely incidental, this Regulation should be based on Article 21(2) and Article 114(1) of the Treaty on the Functioning of the European Union (TFEU).

(7)

In order for Union citizens and businesses to enjoy their right to free movement within the internal market, the Union should adopt specific, non-discriminatory measures allowing citizens and businesses to have easy access to sufficiently comprehensive and reliable information about their rights under Union law and to information about the applicable national rules and procedures which they need to comply with when they move to, live or study, or when they establish or carry on a business, in a Member State other than their own. Information should be considered to be sufficiently comprehensive if it includes all the information that is necessary for the users to understand what their rights and obligations are and identifies the rules that apply to them in relation to the activities they want to undertake as cross-border users. The information should be stated in a clear, concise and understandable way and be operational and well adapted to the target user group. Information on procedures should cover all foreseeable procedural steps that are relevant for the user. It is important for citizens and businesses facing complex regulatory environments, such as those active in e-commerce and the collaborative economy, that they can easily find the applicable rules and how they apply to their activities. Easy and user-friendly access to information means enabling the users to easily find the information, to easily identify which parts of the information are relevant for their particular situation and to easily understand the relevant information. The information to be provided at national level should not only concern national rules implementing Union law, but also any other national rules that apply both to non-crossborder and cross-border users.

(8)

Rules on the provision of information in this Regulation should not apply to national judicial systems, since information in that area relevant for cross-border users is already included in the e-Justice portal. In some situations covered by this Regulation, courts should be considered to be competent authorities, for instance where courts are managing business registers. In addition, the non-discrimination principle should also apply to online procedures that give access to court proceedings.

(9)

It is clear that citizens and businesses from other Member States can be at a disadvantage due to their lack of familiarity with the national rules and administrative systems, the different languages used and their lack of geographic proximity to the competent authorities in a Member State other than their own. The most efficient way to reduce the ensuing obstacles to the internal market is to enable cross-border and non-crossborder users to access information online in a language they are able to understand in order to enable them to complete procedures for compliance with national rules fully online and to offer them assistance where rules and procedures are not clear enough or where they encounter obstacles to the exercise of their rights.

(10)

A number of Union acts have aimed to provide solutions by creating sectorial one-stop shops, including points of single contact established by Directive 2006/123/EC of the European Parliament and of the Council (3) which offer online information, assistance services and access to procedures relevant for the provision of services; Product Contact Points, established by Regulation (EC) No 764/2008 of the European Parliament and of the Council (4), and Product Contact Points for Construction, established by Regulation (EU) No 305/2011 of the European Parliament and of the Council (5), which provide access to product-specific technical rules; and national assistance centres for professional qualifications, established by Directive 2005/36/EC of the European Parliament and of the Council (6), which assist professionals moving cross-border. In addition, networks have been established, such as European Consumer Centres, in order to promote the understanding of Union consumers’ rights and to assist in resolving complaints about purchases made in other Member States within the network, when travelling or shopping online. Furthermore, SOLVIT as referred to in Commission Recommendation 2013/461/EU (7) seeks to deliver fast, effective and informal solutions to individuals and businesses when their internal market rights are denied by public authorities. Finally, several information portals, such as Your Europe, in respect of the internal market, and the e-Justice portal, in relation to the area of justice, were established to inform users about Union and national rules.

(11)

As a result of the sectorial nature of those Union acts, the current provision of online information and of assistance and problem-solving services together with online procedures for citizens and businesses remains very fragmented. There are discrepancies in the availability of online information and procedures, there is a lack of quality in relation to the services and a lack of awareness regarding that information and those assistance and problem-solving services. Cross-border users also experience problems finding and accessing those services.

(12)

This Regulation should establish a single digital gateway to act as the single entry point through which citizens and businesses are able to access information about the rules and requirements that they have to comply with, by virtue of Union or national law. The gateway should simplify citizens’ and businesses’ contact with the assistance and problem-solving services established at Union or national level and make that contact more effective. The gateway should also facilitate access to and completion of online procedures. This Regulation should not affect in any way the existing rights and obligations under Union or national law within those policy areas. For the procedures listed in Annex II to this Regulation and the procedures provided for in Directives 2005/36/EC and 2006/123/EC, and in Directives 2014/24/EU (8) and 2014/25/EU (9) of the European Parliament and of the Council, this Regulation should support the use of the ‘once-only’ principle and should fully respect the fundamental right to the protection of personal data, for the purpose of the exchange of evidence between competent authorities in different Member States.

(13)

The gateway and its content should be user-centric and user-friendly. The gateway should aim to avoid overlaps and should provide links to existing services. It should allow citizens and businesses to interact with public bodies at national and Union level by providing them with the opportunity to give feedback in relation to both the services offered through the gateway and the functioning of the internal market as they experience it. The feedback tool should enable the user to point out, in a way that makes it possible for the user to remain anonymous, perceived problems, deficiencies and needs in order to encourage the continuous improvement of the quality of the services.

(14)

The success of the gateway will depend on the joint effort of the Commission and the Member States. The gateway should include a common user interface integrated into the existing Your Europe portal, to be managed by the Commission. The common user interface should provide links to information, to procedures and to assistance or problem-solving services available on portals managed by competent authorities in Member States and by the Commission. In order to facilitate the use of the gateway, the common user interface should be available in all official languages of the institutions of the Union (‘official languages of the Union’). The existing Your Europe portal and its main access webpage, adapted to the requirements of the gateway, should preserve this multilingual approach to the information provided. The functioning of the gateway should be supported by technical tools developed by the Commission in close cooperation with the Member States.

(15)

In the Charter for the electronic Points of Single Contact under Directive 2006/123/EC, which was endorsed by the Council in 2013, Member States made a voluntary commitment to take a user-centric approach in the provision of information through the points of single contact, in order to cover areas of particular importance for businesses including VAT, income taxes, social security or labour law requirements. Based on the Charter and in the light of experience with the Your Europe portal, that information should also include a description of the assistance and problem-solving services. Citizens and businesses should be able to refer to such services when they have problems understanding the information, applying that information to their situation or completing a procedure.

(16)

This Regulation should list the information areas which are relevant for citizens and businesses exercising their rights and complying with their obligations within the internal market. For those areas, sufficiently comprehensive information should be provided at national level, including at regional and local levels, and at Union level, explaining the applicable rules and obligations and the procedures to be completed by citizens and businesses in order to comply with those rules and obligations. In order to ensure the quality of the services offered, the information provided through the gateway should be clear, accurate and up-to-date, the use of complex terminology should be minimised and the use of acronyms should be limited to those which provide simplified and easily understandable terms that do not require a pre-existing knowledge of the issue or area of law. That information should be provided in such a way that users can easily understand the basic rules and requirements applicable to their situation in such areas. Users should also be informed about the absence, in certain Member States, of national rules in the information areas listed in Annex I, especially where those areas are subject to national rules in other Member States. Such information about the absence of national rules could be included in the Your Europe portal.

(17)

Wherever possible, information already collected by the Commission from the Member States under existing Union law or voluntary arrangements — such as information collected for the EURES portal, established by Regulation (EU) 2016/589 of the European Parliament and of the Council (10), the e-Justice portal, established by Council Decision 2001/470/EC (11), or the Regulated professions database, established by Directive 2005/36/EC — should be used to cover part of the information to be made accessible to citizens and businesses at Union and national level in accordance with this Regulation. Member States should not be required to provide on their national websites information which is already available in the relevant databases managed by the Commission. Where Member States already have to provide online information pursuant to other Union acts, such as Directive 2014/67/EU of the European Parliament and of the Council (12), it should be sufficient for Member States to provide links to the existing online information. Where certain policy areas have already been fully harmonised through Union law, for instance consumer rights, information provided at Union level should generally be sufficient for users to be able to understand their relevant rights or obligations. In such cases, Member States should be required only to provide additional information regarding their national administrative procedures and assistance services or any other national administrative rules if it is relevant for users. Information regarding consumer rights, for instance, should not affect contract law, but should rather inform users about their rights under Union and national law in the context of commercial transactions.

(18)

This Regulation should enhance the internal market dimension of online procedures, and thereby contribute to the digitalisation of the internal market, by upholding the general principle of non-discrimination, inter alia, in relation to the access by citizens or businesses to online procedures already established at national level on the basis of Union or national law and to procedures that are to be made available fully online in accordance with this Regulation. Where a user, in a situation exclusively confined to a single Member State, is able to access and complete a procedure online in that Member State in an area covered by this Regulation, a cross-border user should also be able to access and complete that procedure online, either by using the same technical solution or an alternative, technically separate solution leading to the same outcome, without any discriminatory obstacles. Such obstacles might consist of nationally-designed solutions, such as using form fields that require national phone numbers, national prefixes for phone numbers or national postal codes, payment of fees that can only be done through systems which do not provide for cross-border payments, the lack of detailed explanations in a language understood by cross-border users, the lack of possibilities to submit electronic evidence from authorities located in another Member State and the lack of acceptance of electronic means of identification issued in other Member States. Member States should provide solutions for those obstacles.

(19)

When users are completing online procedures across borders, they should be able to receive all the relevant explanations in an official language of the Union that is broadly understood by the largest possible number of cross-border users. This does not mean that Member States are required to translate their administrative forms related to the procedure, or the output of that procedure, into that language. Member States are however encouraged to use technical solutions which would allow users to complete the procedures in as many cases as possible, in that language, while respecting the Member States’ rules on the use of languages.

(20)

The online national procedures that are relevant for cross-border users to enable them to exercise their internal market rights depend on whether they are resident or established in the Member State concerned, or want to access the procedures of that Member State while being resident or established in another Member State. This Regulation should not prevent Member States from requiring that cross-border users who are resident or established on their territory obtain a national identification number in order to get access to the online national procedures, provided this does not entail an unjustifiable additional burden or cost for those users. For cross-border users who are not resident or established in the Member State concerned, online national procedures that are not relevant for the exercise of their internal market rights, for instance enrolment in order to receive local services, such as garbage collection and parking permits, do not need to be made fully accessible online.

(21)

This Regulation should build on Regulation (EU) No 910/2014 of the European Parliament and of the Council (13), which lays down conditions under which Member States recognise certain electronic identification means for natural and legal persons subject to a notified electronic identification scheme of another Member State. Regulation (EU) No 910/2014 lays down the conditions subject to which users are permitted to use their means of electronic identification and authentication to access online public services in cross-border situations. Union institutions, bodies, offices and agencies are encouraged to accept means of electronic identification and authentication for the procedures for which they are responsible.

(22)

A number of sectorial Union acts such as Directives 2005/36/EC, 2006/123/EC, 2014/24/EU and 2014/25/EU require that procedures are made fully available online. This Regulation should require a number of other procedures of key importance to the majority of citizens and businesses exercising their rights and complying with their obligations across borders to be fully made available online.

(23)

In order to allow citizens and businesses to directly enjoy the benefits of the internal market without incurring an unnecessary additional administrative burden, this Regulation should require a full digitalisation of the user interface of certain key procedures for cross-border users, which are listed in Annex II to this Regulation. This Regulation should also lay down the criteria for determining how those procedures qualify as fully online. The obligation to make such a procedure fully available online should only apply where the procedure has been established in the Member State concerned. This Regulation should not cover the initial registration of a business activity, the procedures leading to the constitution of companies or firms as legal entities or any subsequent filing by such companies or firms, since such procedures necessitate a comprehensive approach aimed at facilitating digital solutions throughout a company’s lifecycle. When businesses establish themselves in another Member State, they are required to register with a social security scheme and an insurance scheme in order to register their employees and pay contributions to both schemes. They might need to notify their business activities, obtain permissions or register changes to their business activity. Those procedures are common for businesses operating in many sectors of the economy, and it is therefore appropriate to require that those procedures are made available online.

(24)

This Regulation should clarify what offering a procedure fully online entails. A procedure should be considered to be fully online if the user can take all steps, from access to completion, interacting with the competent authority, the ‘front office’, electronically, at a distance and through an online service. This online service should guide the user through a list of all the requirements to be fulfilled and all supporting evidence to be provided, should enable the user to provide the information and proof of compliance with all such requirements and should provide an automatic acknowledgement of receipt to the user, unless the output of the procedure is delivered immediately. This should not prevent competent authorities from contacting the users directly, where necessary in order to obtain further clarifications needed for the procedure. The output of the procedure, as set out in this Regulation, should also be provided by the competent authorities to the user in an electronic way, where possible under applicable Union and national law.

(25)

This Regulation should not affect the substance of the procedures listed in Annex II which are established at national, regional or local level and does not lay down material or procedural rules within the areas covered by Annex II, including the area of taxation. The purpose of this Regulation is to lay down the technical requirements in order to ensure that such procedures, where they have been established in the Member State concerned, are made available fully online.

(26)

This Regulation should not affect the competences of national authorities in any procedure, including the verification of the accuracy and the validity of information or evidence submitted and the verification of authenticity where evidence is submitted by means other than the technical system based on the ‘once-only’ principle. This Regulation should also not affect the procedural workflows within and between the competent authorities, the ‘back office’, whether digitalised or not. Where necessary, as part of some of the procedures for registering changes of business activities, Member States should continue to be able to require the involvement of notaries or lawyers who might want to use means of verification including videoconference or other online means that provide real-time audiovisual connection. However, such involvement should not prevent the completion of procedures for registering such changes in their entirety online.

(27)

In some cases users might be required to submit evidence to prove facts that cannot be established by online means. Such evidence could include a medical certificate, proof of being alive, proof of roadworthiness of motor vehicles or confirmation of their chassis numbers. Provided that such evidence can be submitted in electronic format, this should not constitute an exception to the principle that a procedure should be offered fully online. In other cases, it might still be necessary for users of a procedure to appear in person before a competent authority as part of an online procedure. Any such exceptions, other than those resulting from Union law, should be limited to situations which are justified by an overriding reason of public interest in the areas of public security, public health or the fight against fraud. In order to ensure transparency, Member States should share with the Commission and the other Member States information about such exceptions and the grounds on which, and circumstances in which, they can be applied. Member States should not be required to report about each individual case in which, exceptionally, physical presence was required, but should rather communicate the national provisions which provide for such cases. Best practices at national level and technical developments allowing further digitalisation in this regard should be discussed regularly in a gateway coordination group.

(28)

In cross-border situations, the procedure to register a change of address might consist of two separate procedures, one in the Member State of origin to request deregistration from the old address, and the other in the Member State of destination to request registration at the new address. Both procedures should be covered by this Regulation.

(29)

Since the digitalisation of requirements, procedures and formalities relating to the recognition of professional qualifications is already covered by Directive 2005/36/EC, this Regulation should only cover the digitalisation of the procedure to request the academic recognition of diplomas, certificates or other proof of courses completed with regard to a person wishing to begin or to continue studying, or to use an academic title outside the formalities relating to the recognition of professional qualifications.

(30)

This Regulation should not affect the social security coordination rules set out in Regulations (EC) No 883/2004 (14) and (EC) No 987/2009 (15) of the European Parliament and of the Council, which define the rights and obligations of insured persons and social security institutions, as well as the procedures applicable in the field of social security coordination.

(31)

Several networks and services have been established at Union and national level to assist citizens and businesses in their cross-border activities. It is important that those services, including existing assistance or problem-solving services established at Union level, such as the European Consumer Centres, Your Europe Advice, SOLVIT, the Intellectual Property Rights helpdesk, Europe Direct and the Enterprise Europe Network, form part of the gateway in order to ensure that all potential users can find them. The services listed in Annex III were established by binding Union acts, whilst other services operate on a voluntary basis. Services established by binding Union acts should be bound by the quality requirements laid down in this Regulation. Services operated on a voluntary basis should comply with those quality requirements if the intention is to make them accessible through the gateway. The scope and nature of those services, their governance arrangements, existing deadlines, and the voluntary, contractual or other basis on which they operate should not be altered by this Regulation. For instance, where the assistance that they provide is of an informal nature, this Regulation should not have the effect of changing such assistance into legal advice of a binding nature.

(32)

Furthermore, the Member States and the Commission should be able to add to the gateway other national assistance or problem-solving services provided by competent authorities or by private or semi-private entities, or public bodies, such as chambers of commerce or non-governmental assistance services for citizens, under the conditions laid down in this Regulation. In principle, competent authorities should be responsible for assisting citizens and businesses with any queries they have in relation to applicable rules and procedures that cannot be fully addressed by online services. However, in very specialised areas and where the service provided by private or semi-private bodies meets the users’ needs, Member States can propose to the Commission that it includes such services in the gateway, provided that those services meet all conditions laid down in this Regulation and do not duplicate the assistance or problem-solving services already included.

(33)

In order to assist users to identify the appropriate service, this Regulation should provide an assistance service finder that automatically guides users to the right service.

(34)

Compliance with a minimum list of quality requirements is essential for the success of the gateway in order to ensure that the provision of information or services is reliable, since, otherwise, the credibility of the gateway as a whole would be seriously undermined. The overarching objective of compliance is to ensure that the information or service is presented in a clear and user-friendly way. It is the responsibility of the Member States to determine how information is presented over the course of the user journey in order to meet this objective. For instance, while it is helpful for users to be informed, before launching a procedure, about the generally available means of redress when a procedure results in a negative outcome, it is much more user-friendly to provide any specific information about the possible steps to take in such a case at the end of the procedure.

(35)

The accessibility of information for cross-border users can be substantially improved where that information is made available in an official language of the Union broadly understood by the largest possible number of cross-border users. This language should in most cases be the foreign language most widely studied by users across the Union, but in some specific cases, more particularly in the case of information to be provided at local level by small municipalities close to the border of a Member State, the most suitable language may be the one used as a first language by the cross-border users in the neighbouring Member State. The translation from the official language or languages of the Member State in question into this other official language of the Union should accurately reflect the content of the information provided in the original language or languages. Translation may be limited to the information that users need in order to understand the basic rules and requirements that apply to their situation. While Member States should be encouraged to translate as much information as possible into an official language of the Union that is broadly understood by the largest possible number of cross-border users, the volume of information to be translated under this Regulation will depend on the financial resources available for this purpose, in particular those from the Union budget. The Commission should make the appropriate arrangements to ensure the efficient delivery of translations to the Member States at their request. The gateway coordination group should discuss and provide guidance on the official language or languages of the Union into which such information should be translated.

(36)

In accordance with Directive (EU) 2016/2102 of the European Parliament and of the Council (16), Member States are required to ensure that the websites of their public bodies are accessible in accordance with the principles of perceivability, operability, understandability and robustness and that they comply with the requirements laid down in that Directive. The Commission and the Member States should ensure compliance with the United Nations Convention on the Rights of Persons with Disabilities, in particular Articles 9 and 21 thereof, and, in order to foster access to information for persons with intellectual disabilities, alternatives in easy-to-read language should be provided to the greatest possible extent in accordance with the principle of proportionality. The Member States, by ratifying, and the Union, by concluding (17), that Convention, have committed themselves to taking appropriate measures to ensure access for persons with disabilities, on an equal basis with others, to new information and communication technologies and systems, including the internet, by facilitating access to information for persons with intellectual disabilities, providing alternatives in easy-to-read language to the greatest possible extent and proportionately.

(37)

Directive (EU) 2016/2102 does not apply to websites and mobile applications of Union institutions, bodies, offices and agencies, but the Commission should ensure that the common user interface and the webpages under its responsibility that are to be included in the gateway are accessible to persons with disabilities, meaning that they are perceivable, operable, understandable and robust. Perceivability means that information and the common user interface components must be presentable to users in ways they can perceive; operability means that the common user interface components and navigation must be operable; understandability means that information and the operation of the common user interface must be understandable; and robustness means that content must be robust enough to be interpreted reliably by a wide variety of user agents, including assistive technologies. In respect of the terms perceivable, operable, understandable and robust, the Commission is encouraged to comply with the relevant harmonised standards.

(38)

In order to facilitate the payment of fees required as part of online procedures or for the provision of assistance or problem-solving services, cross-border users should be able to use credit transfers or direct debits as specified in Regulation (EU) No 260/2012 of the European Parliament and of the Council (18) or other generally used cross-border payment means including debit or credit cards.

(39)

It is useful for users to be informed about the expected time a procedure may take. Accordingly, users should be informed about applicable deadlines or tacit approval or administrative silence arrangements or, if these are not applicable, at least of the average, estimated or indicative time that the procedure in question usually requires. Such estimates or indications should only help the users in planning their activities or any subsequent administrative steps and should have no legal effect.

(40)

This Regulation should also allow for the verification of the evidence provided in electronic format by the users, where that evidence is submitted without electronic seal or certification from the issuing competent authority, or where the technical tool established by this Regulation or another system enabling the direct exchange or verification of evidence between competent authorities of different Member States is not available. For such cases, this Regulation should provide for an effective mechanism for administrative cooperation among the competent authorities of the Member States, based on the Internal Market Information System (‘IMI’) established by Regulation (EU) No 1024/2012 of the European Parliament and of the Council (19). In such cases, the decision of a competent authority to use IMI should be voluntary, but once that authority has submitted a request for information or cooperation through IMI, the requested competent authority should be bound to cooperate and to provide a response. The request can be sent through IMI either to the competent authority issuing the evidence or to the central authority to be designated by Member States in accordance with their own administrative rules. To avoid unnecessary duplication and as Regulation (EU) 2016/1191 of the European Parliament and of the Council (20) covers part of the evidence relevant for the procedures covered by this Regulation, the cooperation arrangements for IMI laid down in Regulation (EU) 2016/1191 can also be used for the purpose of other evidence required in procedures covered by this Regulation. In order to allow Union bodies, offices or agencies to become actors within IMI, Regulation (EU) No 1024/2012 should be amended.

(41)

Online services provided by competent authorities are crucial for increasing the quality and security of the services provided to citizens and businesses. Public administrations within Member States are increasingly working towards the reuse of data, dispensing with the requirement that citizens and businesses supply the same information several times. The reuse of data should be facilitated for cross-border users in order to reduce additional burden.

(42)

In order to enable the lawful cross-border exchange of evidence and information by means of the Union-wide application of the ‘once-only’ principle, the application of this Regulation and of the ‘once-only’ principle should comply with all applicable data protection rules, including the principle of data minimisation, accuracy, storage limitation, integrity and confidentiality, necessity, proportionality and purpose limitation. Its implementation should also comply fully with the principles of security by design and of privacy by design, and should also respect the fundamental rights of individuals, including those related to fairness and transparency.

(43)

Member States should ensure that users of procedures are provided with clear information on how personal data relating to them will be processed in accordance with Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council (21) and Articles 15 and 16 of Regulation (EU) 2018/1725 (22).

(44)

In order to further facilitate the use of online procedures, this Regulation should, in line with the ‘once-only’ principle, provide the basis for the creation and use of a fully operational, safe and secure technical system for the automated cross-border exchange of evidence between the actors involved in the procedure, where this is explicitly requested by citizens and businesses. Where the exchange of evidence includes personal data, the request should be considered to be explicit if it contains a freely given, specific, informed and unambiguous indication of the individual’s wish to have the relevant personal data exchanged, either by statement or by affirmative action. If the user is not the person concerned by the data, the online procedure should not affect his or her rights under Regulation (EU) 2016/679. The cross-border application of the ‘once-only’ principle should result in citizens and businesses not having to supply the same data to public authorities more than once, and that it should also be possible to use those data at the request of the user for the purposes of completing cross-border online procedures involving cross-border users. For the issuing competent authority, the obligation to use the technical system for the automated exchange of evidence between different Member States should apply only where authorities lawfully issue, in their own Member State, evidence in an electronic format that makes such an automated exchange possible.

(45)

Any cross-border exchange of evidence should have an appropriate legal basis such as Directive 2005/36/EC, 2006/123/EC, 2014/24/EU or 2014/25/EU or, for the procedures listed in Annex II, other applicable Union or national law.

(46)

It is appropriate that this Regulation lays down, as a general rule, that the cross-border automated exchange of evidence takes place at the explicit request of the user. However, this requirement should not apply where the relevant Union or national law allows for automated cross-border data exchange without an explicit user request.

(47)

The use of the technical system established by this Regulation should remain voluntary and the user should remain free to submit evidence by other means outside the technical system. The user should have the possibility to preview the evidence and the right to choose not to proceed with the exchange of evidence in cases where the user, after previewing the evidence to be exchanged, discovers that the information is inaccurate, out-of-date, or goes beyond what is necessary for the procedure in question. The data included in the preview should not be stored longer than is technically necessary.

(48)

The secure technical system that should be set up to enable the exchange of evidence under this Regulation should also give requesting competent authorities certainty that the evidence has been provided by the right issuing authority. Before accepting information provided by a user in the context of a procedure, the competent authority should be able to verify the information where it gives rise to doubts, and to conclude that it is accurate.

(49)

A number of building blocks offering basic capabilities exist that can be used to set up the technical system, such as the Connecting Europe Facility, established by Regulation (EU) No 1316/2013 of the European Parliament and of the Council (23), and the eDelivery and eID building blocks that form a part of that facility. Those building blocks consist of technical specifications, sample software and supporting services, and aim to ensure interoperability between the existing information and communication technology (ICT) systems in different Member States so that citizens, businesses and administrations, wherever they are in the Union, can benefit from seamless digital public services.

(50)

The technical system established by this Regulation should be available in addition to other systems providing mechanisms for cooperation between authorities, such as IMI, and should not affect other systems, including the system provided for in Regulation (EC) No 987/2009, the European Single Procurement Document, under Directive 2014/24/EU, the Electronic Exchange of Social Security Information, under Regulation (EC) No 987/2009, the European Professional Card, under Directive 2005/36/EC, the interconnection of national registers and the interconnection of central, commercial and company registers, under Directive (EU) 2017/1132 of the European Parliament and of the Council (24), and the interconnection of insolvency registers, under Regulation (EU) 2015/848 of the European Parliament and of the Council (25).

(51)

In order to ensure uniform conditions for the implementation of a technical system allowing for the automated exchange of evidence, implementing powers should be conferred on the Commission to lay down, in particular the technical and operational specifications of a system for the processing of a user’s request for evidence to be exchanged and for the transfer of such evidence, as well as to lay down the rules necessary to ensure the integrity and confidentiality of the transfer. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council (26).

(52)

With a view to ensuring that the technical system provides a high level of security for the cross-border application of the ‘once-only’ principle, the Commission should, when adopting implementing acts setting out the specifications for such a technical system, take due account of the standards and technical specifications drawn up by European and international standardisation organisations and bodies, in particular the European Committee for Standardisation (CEN), the European Telecommunications Standards Institute (ETSI), the International Organisation for Standardisation (ISO) and the International Telecommunication Union (ITU), as well as of the security standards referred to in Article 32 of Regulation (EU) 2016/679 and Article 22 of Regulation (EU) 2018/1725.

(53)

Where necessary in order to ensure the development, availability, maintenance, supervision, monitoring and security management of the parts of the technical system for which the Commission is responsible, the Commission should request the advice of the European Data Protection Supervisor.

(54)

The competent authorities and the Commission should ensure that the information, procedures and services for which they are responsible comply with the quality criteria. The national coordinators appointed under this Regulation and the Commission should, at regular intervals, supervise compliance with the quality and security criteria at national and Union level respectively, and address any problems that arise. The national coordinators should in addition assist the Commission in monitoring the functioning of the technical system enabling the cross-border exchange of evidence. This Regulation should afford the Commission a range of means to address any deterioration in the quality of services offered through the gateway, depending on the seriousness and persistence of such deterioration, involving, where necessary, the gateway coordination group. This should not prejudge the overall responsibility of the Commission regarding the monitoring of the compliance with this Regulation.

(55)

This Regulation should specify the main functionalities of the technical tools supporting the functioning of the gateway, in particular the common user interface, the repository for links, and the common assistance service finder. The common user interface should ensure that users can easily find information, procedures and assistance and problem-solving services on national and Union level websites. Member States and the Commission should aim to provide links to a single source of the information required for the gateway in order to avoid confusion among the users as a result of different or fully or partly duplicative sources of the same information. This should not exclude the possibility of providing links to the same information offered by local or regional competent authorities regarding different geographical areas. It should also not prevent some duplication of information where this is unavoidable or desirable, for instance where some Union rights, obligations and rules are repeated or described on national webpages to improve user-friendliness. To minimise human intervention in the updating of the links to be used by the common user interface, a direct connection between the relevant technical systems of the Member States and the repository for links should, where technically possible, be established. The common ICT support tools might use the Core Public Services Vocabulary (CPSV) to facilitate interoperability with national service catalogues and semantics. Member States should be encouraged to use the CPSV, but are free to decide to use national solutions. The information included in the repository for links should be made publicly available in open, commonly used and machine-readable format, for example by application programming interfaces (APIs), in order to enable its reuse.

(56)

The search facility of the common user interface should lead users to the information they need wherever it is on Union or national level webpages. In addition, as an alternative way to guide users to useful information, it will continue to be helpful to create links between existing and complementary websites or webpages, streamlining and grouping them together as much as possible, and to create links between webpages and websites at Union and national level providing access to online services and information.

(57)

This Regulation should also specify quality requirements for the common user interface. The Commission should ensure that the common user interface complies with those requirements, and the interface should in particular be available and accessible online through various channels, as well as being easy to use.

(58)

In order to ensure uniform conditions for the implementation of the technical solutions supporting the gateway, implementing powers should be conferred on the Commission to lay down, where necessary, the applicable standards and interoperability requirements in order to make it easier to find the information on rules and obligations, on procedures and on assistance and problem-solving services for which the Member States and Commission are responsible. Those powers should be exercised in accordance with Regulation (EU) No 182/2011.

(59)

This Regulation should also clearly allocate the responsibility regarding the development, availability, maintenance and security of the ICT applications supporting the gateway between the Commission and Member States. As part of their maintenance tasks, the Commission and the Member States should regularly monitor the proper functioning of those ICT applications.

(60)

In order to develop the full potential of the different areas of information, the procedures and the assistance and problem-solving services that should be included in the gateway, target audiences’ awareness of their existence and operation needs to be improved significantly. Their inclusion in the gateway should make it much easier for users to find the information, the procedures and the assistance and problem-solving services that they need, even when they are not familiar with any of them. In addition, coordinated promotional activities will be needed to ensure that citizens and businesses across the Union become aware of the existence of the gateway and of the advantages it offers. Such promotional activities should include search engine optimisation and other online awareness raising actions, since they are the most cost-effective and have the potential to reach the largest possible target audience. For maximum efficiency, those promotional activities should be coordinated within the framework of the gateway coordination group and Member States should adjust their promotional efforts so that there is a common brand reference in all relevant contexts, with a possibility of co-branding the gateway with national initiatives.

(61)

All Union institutions, bodies and agencies should be encouraged to promote the gateway by including its logo and links to it on all relevant webpages for which they are responsible.

(62)

The name by which the gateway is to be known and promoted to the general public should be ‘Your Europe’. The common user interface should be prominent and easy to find, particularly on relevant Union and national webpages. The logo of the gateway should be visible on relevant Union and national websites.

(63)

In order to obtain adequate information for measuring and improving the performance of the gateway, this Regulation should require the competent authorities and the Commission to collect and analyse the data related to the use of the different information areas, procedures and services offered through the gateway. The collection of user statistics, such as data relating to the number of visits to specific webpages, the number of users within a Member State compared to the number of users from other Member States, the search terms used, the most visited webpages, the referral webpages, or the number, origin and subject matter of requests for assistance should improve the functioning of the gateway by helping to identify the audience, to develop promotional activities and to improve the quality of the services offered. The collection of such data should take into account the annual eGovernment Benchmarking done by the Commission in order to avoid any duplication.

(64)

In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission to lay down uniform rules on the method of collecting and exchanging user statistics. Those powers should be exercised in accordance with Regulation (EU) No 182/2011.

(65)

The quality of the gateway depends on the quality of Union and national services provided through the gateway. Therefore, the quality of the information, procedures, assistance and problem-solving services available through the gateway should also be regularly monitored through a user feedback tool that asks users to assess and give feedback on the coverage and quality of the information, procedure or assistance and problem-solving service which they have used. This feedback should be collected in a common tool to which the Commission, the competent authorities and the national coordinators should have access. In order to ensure uniform conditions for implementation of this Regulation in relation to the common functionalities of user feedback tools and the detailed arrangements for the collection and sharing of the user feedback, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011. The Commission should publish, in anonymised form, online summary overviews of the problems emerging from the information, the main user statistics and the main user feedback collected in accordance with this Regulation.

(66)

In addition, the gateway should include a feedback tool that enables users to signal, voluntarily and anonymously, any problems and difficulties that they encountered while exercising their internal market rights. This tool should be considered only to be complementary to the complaint handling mechanisms, since it cannot offer a personalised response to users. The received input should be combined with aggregated information from assistance and problem-solving services about the cases that they have handled in order to produce an overview of the internal market as perceived by its users and to identify problem areas for possible future action in order to improve the functioning of the internal market. That overview should be linked to existing reporting tools, such as the Single Market Scoreboard.

(67)

The right of Member States to decide who should carry out the role of the national coordinator should be unaffected by this Regulation. Member States should be able to adapt the functions and responsibilities of their national coordinators in relation to the gateway to their internal administrative structures. Member States should be able to appoint additional national coordinators to carry out the tasks under this Regulation alone or jointly with others, with responsibility for a division of the administration or a geographic region, or in accordance with other criteria. Member States should inform the Commission of the identity of the single national coordinator that they have appointed for contacts with the Commission.

(68)

The gateway coordination group composed of the national coordinators and chaired by the Commission should be set up with a view to facilitating the application of this Regulation, in particular by exchanging best practices and working together to improve the consistency of the presentation of information as required by this Regulation. The work of the gateway coordination group should take into account the objectives set out in the annual work programme, which the Commission should submit to it for consideration. The annual work programme should take the form of guidelines or recommendations, which are not binding for Member States. The Commission, upon the request of the European Parliament, can decide to invite Parliament to send experts to attend meetings of the gateway coordination group.

(69)

This Regulation should clarify which parts of the gateway are to be financed through the Union budget and which parts are to be the responsibility of the Member States. The Commission should assist the Member States in identifying reusable ICT building blocks and financing available through various Union level funds and programmes that can contribute to covering the costs for ICT adaptations and developments needed at national level to comply with this Regulation. The budget required for the implementation of this Regulation should be compatible with the applicable Multiannual Financial Framework.

(70)

Member States are encouraged to coordinate, exchange and collaborate more with one another in order to increase their strategic, operational, research and development capacities in the area of cybersecurity, in particular through the implementation of the network and information security, as referred to in Directive (EU) 2016/1148 of the European Parliament and of the Council (27), to strengthen the security and resilience of their public administration and services. Member States are encouraged to increase the security of transactions and to ensure a sufficient level of confidence in electronic means by using the eIDAS framework laid down by Regulation (EU) No 910/2014 and in particular adequate assurance levels. Member States can take measures in accordance with Union law to safeguard cybersecurity and to prevent identity fraud or other forms of fraud.

(71)

Where the application of this Regulation entails the processing of personal data, it should be carried out in accordance with Union law on the protection of personal data, in particular Regulation (EU) 2016/679 and Regulation (EU) 2018/1725. Directive (EU) 2016/680 of the European Parliament and of the Council (28) should also apply in the context of this Regulation. As provided for in Regulation (EU) 2016/679, Member States can maintain or introduce further conditions, including limitations, with regard to the processing of data concerning health, and they can also provide for more specific rules on the processing of employees’ personal data in the context of employment.

(72)

This Regulation should promote and facilitate the streamlining of governance arrangements for the services covered by the gateway. For this purpose, the Commission should, in close cooperation with the Member States, review the existing governance arrangements and adapt them where necessary, in order to avoid duplication and inefficiencies.

(73)

The objective of this Regulation is to ensure that users who operate in other Member States have online access to comprehensive, reliable, accessible and understandable Union and national information on rights, rules and obligations, to online procedures that are fully transactional cross-border and to assistance and problem-solving services. As that objective cannot be sufficiently achieved by the Member States, but can rather, by reason of the scale and effects of this Regulation, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve that objective.

(74)

In order for the Member States and the Commission to develop and implement the necessary tools to give effect to this Regulation, certain of its provisions should apply from two years after its entry into force. Municipal authorities should be given until four years after the entry into force of this Regulation to implement the requirement to provide information regarding the rules, procedures and assistance and problem-solving services within their responsibility. The provisions of this Regulation regarding procedures to be offered fully online, the cross-border access to online procedures and the technical system for the cross-border automated exchange of evidence in accordance with the ‘once-only’ principle should be implemented by five years after the entry into force of this Regulation at the latest.

(75)

This Regulation respects the fundamental rights and observes the principles recognised in particular by the Charter of Fundamental Rights of the European Union, and should be implemented in accordance with those rights and principles.

(76)

The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 of the European Parliament and of the Council (29) and delivered an opinion on 1 August 2017 (30),

(1)

The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her. This right is also guaranteed under Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms.

(2)

Regulation (EC) No 45/2001 of the European Parliament and of the Council (3) provides natural persons with legally enforceable rights, specifies the data processing obligations of controllers within the Community institutions and bodies, and creates an independent supervisory authority, the European Data Protection Supervisor, responsible for monitoring the processing of personal data by the Union institutions and bodies. However, it does not apply to the processing of personal data in the course of an activity of Union institutions and bodies which fall outside the scope of Union law.

(3)

Regulation (EU) 2016/679 of the European Parliament and of the Council (4) and Directive (EU) 2016/680 of the European Parliament and of the Council (5) were adopted on 27 April 2016. While the Regulation lays down general rules to protect natural persons with regard to the processing of personal data and to ensure the free movement of personal data within the Union, the Directive lays down the specific rules to protect natural persons with regard to the processing of personal data and to ensure the free movement of personal data within the Union in the fields of judicial cooperation in criminal matters and police cooperation.

(4)

Regulation (EU) 2016/679 provides for the adaptation of Regulation (EC) No 45/2001 in order to ensure a strong and coherent data protection framework in the Union and to allow its application in parallel with Regulation (EU) 2016/679.

(5)

It is in the interest of a coherent approach to personal data protection throughout the Union, and of the free movement of personal data within the Union, to align as far as possible the data protection rules for Union institutions, bodies, offices and agencies with the data protection rules adopted for the public sector in the Member States. Whenever the provisions of this Regulation follow the same principles as the provisions of Regulation (EU) 2016/679, those two sets of provisions should, under the case law of the Court of Justice of the European Union (the ‘Court of Justice’), be interpreted homogeneously, in particular because the scheme of this Regulation should be understood as equivalent to the scheme of Regulation (EU) 2016/679.

(6)

Persons whose personal data are processed by Union institutions and bodies in any context whatsoever, for example, because they are employed by those institutions and bodies, should be protected. This Regulation should not apply to the processing of personal data of deceased persons. This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.

(7)

In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used.

(8)

This Regulation should apply to the processing of personal data by all Union institutions, bodies, offices and agencies. It should apply to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. Files or sets of files, as well as their cover pages, which are not structured according to specific criteria should not fall within the scope of this Regulation.

(9)

In Declaration No 21 on the protection of personal data in the fields of judicial cooperation in criminal matters and police cooperation, annexed to the final act of the intergovernmental conference which adopted the Treaty of Lisbon, the conference acknowledged that specific rules on the protection of personal data and on the free movement of personal data in the fields of judicial cooperation in criminal matters and police cooperation based on Article 16 TFEU could prove necessary because of the specific nature of those fields. A distinct Chapter of this Regulation containing general rules should therefore apply to the processing of operational personal data, such as personal data processed for the purposes of a criminal investigation by Union bodies, offices or agencies when carrying out activities in the fields of judicial cooperation in criminal matters and police cooperation.

(10)

Directive (EU) 2016/680 sets out harmonised rules for the protection and the free movement of personal data processed for the purposes of the prevention, investigation, detection or prosecution of criminal offences or execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. In order to ensure the same level of protection for natural persons through legally enforceable rights throughout the Union and to prevent divergences hampering the exchange of personal data between Union bodies, offices or agencies when carrying out activities which fall within the scope of Chapter 4 or Chapter 5 of Title V of Part Three TFEU and competent authorities, the rules for the protection and the free movement of operational personal data processed by such Union bodies, offices or agencies should be consistent with Directive (EU) 2016/680.

(11)

The general rules of the Chapter of this Regulation on the processing of operational personal data should apply without prejudice to the specific rules applicable to the processing of operational personal data by Union bodies, offices and agencies when carrying out activities falling within the scope of Chapter 4 or Chapter 5 of Title V of Part Three TFEU. Such specific rules should be regarded as lex specialis to the provisions in the Chapter of this Regulation on the processing of operational personal data (lex specialis derogat legi generali). In order to reduce legal fragmentation, specific data protection rules applicable to the processing of operational personal data by Union bodies, offices or agencies when carrying out activities falling within the scope of Chapter 4 or Chapter 5 of Title V of Part Three TFEU should be consistent with the principles underpinning the Chapter of this Regulation on the processing of operational personal data, as well as with the provisions of this Regulation relating to independent supervision, remedies, liability and penalties.

(12)

The Chapter of this Regulation on the processing of operational personal data should apply to Union bodies, offices and agencies when carrying out activities which fall within the scope of Chapter 4 or Chapter 5 of Title V of Part Three TFEU, whether they exercise such activities as their main or ancillary tasks, for the purposes of the prevention, detection, investigation or prosecution of criminal offences. However, it should not apply to Europol or to the European Public Prosecutor’s Office until the legal acts establishing Europol and the European Public Prosecutor’s Office are amended with a view to rendering the Chapter of this Regulation on the processing of operational personal data, as adapted, applicable to them.

(13)

The Commission should conduct a review of this Regulation, in particular the Chapter of this Regulation on the processing of operational personal data. The Commission should also conduct a review of other legal acts adopted on the basis of the Treaties which regulate the processing of operational personal data by Union bodies, offices or agencies when carrying out activities which fall within the scope of Chapter 4 or Chapter 5 of Title V of Part Three TFEU. After such a review, in order to ensure uniform and consistent protection of natural persons with regard to the processing of personal data, the Commission should be able to make any appropriate legislative proposals, including any necessary adaptations of the Chapter of this Regulation on the processing of operational personal data, with a view to applying it to Europol and to the European Public Prosecutor’s Office. The adaptations should take into account provisions relating to independent supervision, remedies, liability and penalties.

(14)

The processing of administrative personal data, such as staff data, by Union bodies, offices or agencies carrying out activities which fall within the scope of Chapter 4 or Chapter 5 of Title V of Part Three TFEU should be covered by this Regulation.

(15)

This Regulation should apply to the processing of personal data by Union institutions, bodies, offices or agencies carrying out activities which fall within the scope of Chapter 2 of Title V of the Treaty on European Union (TEU). This Regulation should not apply to the processing of personal data by missions referred to in Articles 42(1), 43 and 44 TEU, which implement the common security and defence policy. Where appropriate, relevant proposals should be put forward to further regulate the processing of personal data in the field of the common security and defence policy.

(16)

The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person, to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

(17)

The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data protection obligations. The explicit introduction of ‘pseudonymisation’ in this Regulation is not intended to preclude any other measures of data protection.

(18)

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

(19)

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided. At the same time, the data subject should have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data subjects should have an opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.

(20)

Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing and for preventing its unauthorised disclosure when it is transmitted.

(21)

In accordance with the principle of accountability, where Union institutions and bodies transmit personal data within the same Union institution or body and the recipient is not part of the controller, or to other Union institutions or bodies, they should verify whether such personal data are required for the legitimate performance of tasks within the competence of the recipient. In particular, following a recipient’s request for transmission of personal data, the controller should verify the existence of a relevant ground for lawfully processing personal data and the competence of the recipient. The controller should also make a provisional evaluation of the necessity of the transmission of the data. If doubts arise as to this necessity, the controller should seek further information from the recipient. The recipient should ensure that the necessity of the transmission of the data can be subsequently verified.

(22)

In order for processing to be lawful, personal data should be processed on the basis of the necessity for the performance of a task carried out in the public interest by Union institutions and bodies or in the exercise of their official authority, the necessity for compliance with a legal obligation to which the controller is subject or some other legitimate basis under this Regulation, including the consent of the data subject concerned, the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. Processing of personal data for the performance of tasks carried out in the public interest by the Union institutions and bodies includes the processing of personal data necessary for the management and functioning of those institutions and bodies. The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject, as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread, or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.

(23)

The Union law referred to in this Regulation should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the requirements set out in the Charter and the European Convention for the Protection of Human Rights and Fundamental Freedoms.

(24)

The internal rules referred to in this Regulation should be clear and precise acts of general application intended to produce legal effects vis-à-vis data subjects. They should be adopted at the highest level of management of the Union institutions and bodies, within their competencies and in matters relating to their operation. They should be published in the Official Journal of the European Union. The application of those rules should be foreseeable to persons subject to them in accordance with the requirements set out in the Charter and the European Convention for the Protection of Human Rights and Freedoms. Internal rules may take the form of decisions, in particular when adopted by Union institutions.

(25)

The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required. If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union law may determine and specify the tasks and purposes for which the further processing should be regarded as compatible and lawful. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered to be compatible lawful processing operations. The legal basis provided by Union law for the processing of personal data may also provide a legal basis for further processing. In order to ascertain whether a purpose of further processing is compatible with the purpose for which the personal data are initially collected, the controller, after having met all the requirements for the lawfulness of the original processing, should take into account, inter alia: any link between those purposes and the purposes of the intended further processing; the context in which the personal data have been collected, in particular the reasonable expectations of data subjects based on their relationship with the controller as to their further use; the nature of the personal data; the consequences of the intended further processing for data subjects; and the existence of appropriate safeguards in both the original and intended further processing operations.

(26)

Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC (6), a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

(27)

Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to creating personality profiles and to the collection of personal data with regard to children when services are offered directly to a child on websites of Union institutions and bodies, such as interpersonal communication services or online selling of tickets, and the processing of personal data is based on consent.

(28)

When recipients established in the Union other than Union institutions and bodies would like to have personal data transmitted to them by Union institutions and bodies, those recipients should demonstrate that it is necessary to have the data transmitted to these recipients either for the performance of their task carried out in the public interest or in the exercise of official authority vested in them. Alternatively, those recipients should demonstrate that the transmission is necessary for a specific purpose in the public interest and the controller should establish whether there is any reason to assume that the data subject’s legitimate interests might be prejudiced. In such cases, the controller should demonstrably weigh the various competing interests in order to assess the proportionality of the requested transmission of personal data. The specific purpose in the public interest could relate to the transparency of Union institutions and bodies. Furthermore, Union institutions and bodies should demonstrate such necessity when they themselves initiate a transmission, in compliance with the principle of transparency and good administration. The requirements laid down in this Regulation for transmissions to recipients established in the Union other than Union institutions and bodies should be understood as supplementary to the conditions for lawful processing.

(29)

Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection, as the context of their processing could create significant risks to the fundamental rights and freedoms. Such personal data should not be processed unless the specific conditions set out in this Regulation are met. Those personal data should include personal data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races. The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person. In addition to the specific requirements for processing of sensitive data, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs, in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.

(30)

Special categories of personal data which merit higher protection should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social care services and systems. Therefore, this Regulation should provide for harmonised conditions for the processing of special categories of personal data concerning health, in respect of specific needs, in particular where the processing of such data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy. Union law should provide for specific and suitable measures so as to protect fundamental rights and the personal data of natural persons.

(31)

The processing of special categories of personal data may be necessary for reasons of public interest in the areas of public health without consent of the data subject. Such processing should be subject to suitable and specific measures so as to protect the rights and freedoms of natural persons. In that context, ‘public health’ should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council (7), namely all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, healthcare needs, resources allocated to healthcare, the provision of, and universal access to, healthcare as well as healthcare expenditure and financing, and the causes of mortality. Such processing of data concerning health for reasons of public interest should not result in personal data being processed for other purposes.

(32)

If the personal data processed by a controller do not permit the controller to identify a natural person, the data controller should not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. However, the controller should not refuse to take additional information provided by the data subject in order to support the exercise of his or her rights. Identification should include the digital identification of a data subject, for example through an authentication mechanism such as the same credentials, used by the data subject to log in to the online service offered by the data controller.

(33)

The processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be subject to appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation. Those safeguards should ensure that technical and organisational measures are in place in order to ensure, in particular, the principle of data minimisation. The further processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is to be carried out when the controller has assessed the feasibility to fulfil those purposes by processing data which do not permit or no longer permit the identification of data subjects, provided that appropriate safeguards exist (such as, for instance, pseudonymisation of the data). Union institutions and bodies should provide for appropriate safeguards for the processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in Union law, which may include internal rules adopted by Union institutions and bodies in matters relating to their operation.

(34)

Modalities should be provided for facilitating the exercise of the data subject’s rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests.

(35)

The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data. That information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.

(36)

The information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject, or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case. Where personal data can be legitimately disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to the recipient. Where the controller intends to process the personal data for a purpose other than that for which they were collected, the controller should provide the data subject prior to that further processing with information on that other purpose and other necessary information. Where the origin of the personal data cannot be provided to the data subject because various sources have been used, general information should be provided.

(37)

A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided. Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing. That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject. Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.

(38)

A data subject should have the right to have personal data concerning him or her rectified and a ‘right to be forgotten’ where the retention of such data infringes this Regulation or Union law to which the controller is subject. A data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation. That right is relevant in particular where the data subject has given his or her consent as a child and is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet. The data subject should be able to exercise that right notwithstanding the fact that he or she is no longer a child. However, the further retention of the personal data should be lawful where it is necessary, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.

(39)

To strengthen the right to be forgotten in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform the controllers which are processing such personal data to erase any links to, or copies or replications of those personal data. In doing so, that controller should take reasonable steps, taking into account available technology and the means available to the controller, including technical measures, to inform the controllers which are processing the personal data of the data subject’s request.

(40)

Methods by which to restrict the processing of personal data could include, inter alia, temporarily moving the selected data to another processing system, making the selected personal data unavailable to users, or temporarily removing published data from a website. In automated filing systems, the restriction of processing should in principle be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed. The fact that the processing of personal data is restricted should be clearly indicated in the system.

(41)

To further strengthen the control over his or her own data, where the processing of personal data is carried out by automated means, the data subject should also be allowed to receive personal data concerning him or her which he or she has provided to a controller in a structured, commonly used, machine-readable and interoperable format, and to transmit it to another controller. Data controllers should be encouraged to develop interoperable formats that enable data portability. That right should apply where the data subject provided the personal data on the basis of his or her consent or the processing is necessary for the performance of a contract. It should therefore not apply where the processing of the personal data is necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller. The data subject’s right to transmit or receive personal data concerning him or her should not create an obligation for the controllers to adopt or maintain processing systems which are technically compatible. Where, in a certain set of personal data, more than one data subject is concerned, the right to receive the personal data should be without prejudice to the rights and freedoms of other data subjects in accordance with this Regulation. Furthermore, that right should not prejudice the right of the data subject to obtain the erasure of personal data and the limitations of that right as set out in this Regulation and should, in particular, not imply the erasure of personal data concerning the data subject which have been provided by him or her for the performance of a contract to the extent that and for as long as the personal data are necessary for the performance of that contract. Where technically feasible, the data subject should have the right to have the personal data transmitted directly from one controller to another.

(42)

Where personal data might lawfully be processed because processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, a data subject should, nevertheless, be entitled to object to the processing of any personal data relating to his or her particular situation. It should be for the controller to demonstrate that its compelling legitimate interest overrides the interests or the fundamental rights and freedoms of the data subject.

(43)

The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as e-recruiting practices without any human intervention. Such processing includes ‘profiling’ that consists of any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject’s performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her.

However, decision-making based on such processing, including profiling, should be allowed where expressly authorised by Union law. In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision. Such measure should not concern a child. In order to ensure fair and transparent processing in respect of the data subject, taking into account the specific circumstances and context in which the personal data are processed, the controller should use appropriate mathematical or statistical procedures for the profiling, implement technical and organisational measures appropriate to ensure, in particular, that factors which result in inaccuracies in personal data are corrected and the risk of errors is minimised, secure personal data in a manner that takes account of the potential risks involved for the interests and rights of the data subject. and prevent, inter alia, discriminatory effects on natural persons on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status or sexual orientation, or processing that results in measures having such an effect. Automated decision-making and profiling based on special categories of personal data should be allowed only under specific conditions.

(44)

Legal acts adopted on the basis of the Treaties or internal rules adopted by Union institutions and bodies in matters relating to their operation may impose restrictions concerning specific principles and the rights of information, access to and rectification or erasure of personal data, the right to data portability, confidentiality of electronic communications data as well as the communication of a personal data breach to a data subject and certain related obligations of the controllers, as far as necessary and proportionate in a democratic society to safeguard public security and for the prevention, investigation and prosecution of criminal offences or the execution of criminal penalties. This includes safeguarding against and the prevention of threats to public security, protection of human life especially in response to natural or manmade disasters, internal security of Union institutions and bodies, other important objectives of general public interest of the Union or of a Member State, in particular the objectives of the Common Foreign and Security Policy of the Union or an important economic or financial interest of the Union or of a Member State, and keeping of public registers for reasons of general public interest or the protection of the data subject or the rights and freedoms of others, including social protection, public health and humanitarian purposes.

(45)

The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller’s behalf should be established. In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.

(46)

The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.

(47)

The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.

(48)

The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features. The principles of data protection by design and by default should also be taken into consideration in the context of public tenders.

(49)

Regulation (EU) 2016/679 provides for controllers to demonstrate compliance by adherence to approved certification mechanisms. Likewise, Union institutions and bodies should be able to demonstrate compliance with this Regulation by obtaining certification in accordance with Article 42 of Regulation (EU) 2016/679.

(50)

The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processors requires a clear allocation of the responsibilities under this Regulation, including where a controller determines the purposes and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller.

(51)

To ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which meet the requirements of this Regulation, including for the security of processing. The adherence of processors other than Union institutions and bodies to an approved code of conduct or an approved certification mechanism can be used as an element to demonstrate compliance with the obligations of the controller. The carrying-out of processing by a processor other than a Union institution or body should be governed by a contract, or, in case of Union institutions and bodies acting as processors, by a contract or other legal act under Union law, binding the processor to the controller, setting out the subject matter and duration of the processing, the nature and purposes of the processing, the type of personal data and categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk to the rights and freedoms of the data subject. The controller and processor should be able to choose to use an individual contract or standard contractual clauses which are adopted either directly by the Commission or by the European Data Protection Supervisor and then adopted by the Commission. After the completion of the processing on behalf of the controller, the processor should, at the choice of the controller, return or delete the personal data, unless there is a requirement to store that personal data under Union or Member State law to which the processor is subject.

(52)

In order to demonstrate compliance with this Regulation, controllers should maintain records of processing activities under their responsibility and processors should maintain records of categories of processing activities under their responsibility. Union institutions and bodies should be obliged to cooperate with the European Data Protection Supervisor and make their records available to it on request, so that they might serve for monitoring those processing operations. Unless it is not appropriate taking into account the size of a Union institution or body, Union institutions and bodies should be able to establish a central register of records of their processing activities. For reasons of transparency, they should also be able to make such a register public.

(53)

In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.

(54)

Union institutions and bodies should ensure the confidentiality of electronic communications provided for by Article 7 of the Charter. In particular, Union institutions and bodies should ensure the security of their electronic communications networks. They should protect the information related to the terminal equipment of users accessing their publicly available websites and mobile applications, in accordance with the Directive 2002/58/EC of the European Parliament and of the Council (8). They should also protect the personal data stored in directories of users.

(55)

A personal data breach could, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons. Therefore, as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify that personal data breach to the European Data Protection Supervisor without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where such notification cannot be achieved within 72 hours, it should be accompanied by the reasons for the delay and information can be provided in phases without further undue delay. Where such delay is justified, less sensitive or less specific information on the breach should be released as early as possible, rather than fully resolving the underlying incident before notifying.

(56)

The controller should communicate to the data subject a personal data breach, without undue delay, where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person in order to allow him or her to take the necessary precautions. The communication should describe the nature of the personal data breach as well as recommendations for the natural person concerned to mitigate potential adverse effects. Such communications to data subjects should be made as soon as reasonably feasible and in close cooperation with the European Data Protection Supervisor, respecting guidance provided by it or by other relevant authorities such as law-enforcement authorities.

(57)

Regulation (EC) No 45/2001 provides for a general obligation on a controller to notify the processing of personal data to the data protection officer. Unless it is not appropriate taking into account the size of the Union institution or body, the data protection officer is to keep a register of notified processing operations. Besides this general obligation, effective procedures and mechanisms should be put in place to monitor processing operations that are likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purposes. Such procedures should, in particular, also be in place where types of processing operations involve using new technologies, or are of a new kind in relation to which no data protection impact assessment has been carried out before by the controller, or where they become necessary in the light of the time that has elapsed since the initial processing. In such cases, a data protection impact assessment should be carried out by the controller prior to the processing in order to assess the particular likelihood and severity of the high risk, taking into account the nature, scope, context and purposes of the processing and the sources of the risk. That impact assessment should include, in particular, the measures, safeguards and mechanisms envisaged for mitigating that risk, ensuring the protection of personal data and demonstrating compliance with this Regulation.

(58)

Where a data protection impact assessment indicates that the processing would, in the absence of safeguards, security measures and mechanisms to mitigate the risk, result in a high risk to the rights and freedoms of natural persons and the controller is of the opinion that the risk cannot be mitigated by reasonable means in terms of available technologies and costs of implementation, the European Data Protection Supervisor should be consulted prior to the start of processing activities. Such high risk is likely to result from certain types of processing and the extent and frequency of processing, which could result also in a realisation of damage or interference with the rights and freedoms of the natural person. The European Data Protection Supervisor should respond to the request for consultation within a specified period. However, the absence of a reaction of the European Data Protection Supervisor within that period should be without prejudice to any intervention of the European Data Protection Supervisor in accordance with his or her tasks and powers laid down in this Regulation, including the power to prohibit processing operations. As part of that consultation process, it should be possible to submit the outcome of a data protection impact assessment carried out with regard to the processing at issue to the European Data Protection Supervisor, in particular the measures envisaged to mitigate the risk to the rights and freedoms of natural persons.

(59)

The European Data Protection Supervisor should be informed of administrative measures and consulted on internal rules adopted by Union institutions and bodies in matters relating to their operation when they provide for the processing of personal data, lay down conditions for restricting the rights of data subjects or provide appropriate safeguards for data subject rights, in order to ensure that the intended processing complies with this Regulation, in particular as regards mitigating the risks involved for the data subject.

(60)

Regulation (EU) 2016/679 established the European Data Protection Board as an independent body of the Union with legal personality. The Board should contribute to the consistent application of Regulation (EU) 2016/679 and Directive (EU) 2016/680 throughout the Union, including by advising the Commission. At the same time, the European Data Protection Supervisor should continue to exercise his or her supervisory and advisory functions in respect of all Union institutions and bodies, on his or her own initiative or upon request. In order to ensure consistency of data protection rules throughout the Union, when preparing proposals or recommendations, the Commission should endeavour to consult the European Data Protection Supervisor. A consultation by the Commission should be obligatory following the adoption of legislative acts or during the preparation of delegated acts and implementing acts as defined in Article 289, 290 and 291 TFEU and following the adoption of recommendations and proposals relating to agreements with third countries and international organisations as provided for in Article 218 TFEU which have an impact on the right to protection of personal data. In such cases, the Commission should be obliged to consult the European Data Protection Supervisor, except where the Regulation (EU) 2016/679 provides for mandatory consultation of the European Data Protection Board, for example on adequacy decisions or delegated acts on standardised icons and requirements for certification mechanisms. Where the act in question is of particular importance for the protection of rights and freedoms of natural persons with regard to the processing of personal data, the Commission should be able, in addition, to consult the European Data Protection Board. In those cases, the European Data Protection Supervisor should, as a member of the European Data Protection Board, coordinate his or her work with the latter with a view to issuing a joint opinion. The European Data Protection Supervisor, and where applicable, the European Data Protection Board should provide their written advice within eight weeks. That time-frame should be shorter in urgent cases or where otherwise appropriate, for example when the Commission is preparing delegated and implementing acts.

(61)

In accordance with Article 75 of Regulation (EU) 2016/679, the European Data Protection Supervisor should provide the secretariat of the European Data Protection Board.

(62)

In all Union institutions and bodies a data protection officer should ensure that the provisions of this Regulation are applied and should advise controllers and processors on fulfilling their obligations. That officer should be a person with expert knowledge of data protection law and practices, which should be determined in particular according to the data processing operations carried out by the controller or the processor and the protection required for the personal data involved. Such data protection officers should be in a position to perform their duties and tasks in an independent manner.

(63)

When personal data are transferred from the Union institutions and bodies to controllers, processors or other recipients in third countries or to international organisations, the level of protection of natural persons ensured in the Union by this Regulation should be guaranteed. The same guarantees should apply in cases of onward transfers of personal data from the third country or international organisation to controllers, processors in the same or another third country or international organisation. In any event, transfers to third countries and international organisations may only be carried out in full compliance with this Regulation and respecting the fundamental rights and freedoms enshrined in the Charter. A transfer could take place only if, subject to the other provisions of this Regulation, the conditions laid down in the provisions of this Regulation relating to the transfer of personal data to third countries or international organisations are complied with by the controller or processor.

(64)

The Commission can decide, under Article 45 of Regulation (EU) 2016/679 or under Article 36 of Directive (EU) 2016/680, that a third country, a territory or specified sector within a third country or an international organisation offers an adequate level of data protection. In such cases, transfers of personal data to that third country or international organisation by a Union institution or body can take place without the need to obtain any further authorisation.

(65)

In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards can consist of making use of standard data protection clauses adopted by the Commission, standard data protection clauses adopted by the European Data Protection Supervisor or contractual clauses authorised by the European Data Protection Supervisor. Where the processor is not a Union institution or body those appropriate safeguards can also consist of binding corporate rules, codes of conduct and certification mechanisms used for international transfers under Regulation (EU) 2016/679. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country. They should relate in particular to compliance with the general principles relating to personal data processing, the principles of data protection by design and by default. Transfers may also be carried out by Union institutions and bodies to public authorities or bodies in third countries or to international organisations with corresponding duties or functions, including on the basis of provisions to be inserted into administrative arrangements, such as a memorandum of understanding, providing for enforceable and effective rights for data subjects. Authorisation by the European Data Protection Supervisor should be obtained when the safeguards are provided for in administrative arrangements that are not legally binding.

(66)

The possibility for the controller or processor to use standard data-protection clauses adopted by the Commission or by the European Data Protection Supervisor should prevent controllers or processors neither from including the standard data-protection clauses in a wider contract, such as a contract between the processor and another processor, nor from adding other clauses or additional safeguards provided that they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by the European Data Protection Supervisor or prejudice the fundamental rights or freedoms of the data subjects. Controllers and processors should be encouraged to provide additional safeguards via contractual commitments that supplement standard data-protection clauses.

(67)

Some third countries adopt laws, regulations and other legal acts which purport to directly regulate the processing activities of Union institutions and bodies. This may include judgments of courts or tribunals or decisions of administrative authorities in third countries requiring a controller or processor to transfer or disclose personal data, and which are not based on an international agreement in force between the requesting third country and the Union. The extraterritorial application of those laws, regulations and other legal acts may be in breach of international law and may impede the attainment of the protection of natural persons ensured in the Union by this Regulation. Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may be the case, inter alia, where disclosure is necessary for an important ground of public interest recognised in Union law.

(68)

Provision should be made in specific situations for the possibility for transfers in certain circumstances where the data subject has given his or her explicit consent, where the transfer is occasional and necessary in relation to a contract or a legal claim, regardless of whether in a judicial procedure or whether in an administrative or any out-of-court procedure, including procedures before regulatory bodies. Provision should also be made for the possibility for transfers where important grounds of public interest laid down by Union law so require or where the transfer is made from a register established by law and intended for consultation by the public or persons having a legitimate interest. In the latter case, such a transfer should not involve the entirety of the personal data or entire categories of the data contained in the register, unless authorised by Union law, and, when the register is intended for consultation by persons having a legitimate interest, the transfer should be made only at the request of those persons or, if they are to be the recipients, taking into full account the interests and fundamental rights of the data subject.

(69)

Those derogations should in particular apply to data transfers required and necessary for important reasons of public interest, for example in cases of international data exchange between Union institutions and bodies and competition authorities, tax or customs administrations, financial supervisory authorities and services competent for social security matters or for public health, for example in the case of contact tracing for contagious diseases or in order to reduce and/or eliminate doping in sport. A transfer of personal data should also be regarded as lawful where it is necessary to protect an interest which is essential for the data subject’s or another person’s vital interests, including physical integrity or life, if the data subject is incapable of giving consent. In the absence of an adequacy decision, Union law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of data to a third country or an international organisation. Any transfer to an international humanitarian organisation of personal data of a data subject who is physically or legally incapable of giving consent, with a view to accomplishing a task incumbent under the Geneva Conventions or to complying with international humanitarian law applicable in armed conflicts, could be considered to be necessary for an important reason of public interest or because it is in the vital interest of the data subject.

(70)

In any case, where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with enforceable and effective rights as regards the processing of their data in the Union once those data have been transferred so that that they will continue to benefit from fundamental rights and safeguards.

(71)

When personal data moves across borders outside the Union it may put at increased risk the ability of natural persons to exercise data protection rights, in particular to protect themselves from the unlawful use or disclosure of that information. At the same time, national supervisory authorities and the European Data Protection Supervisor can be unable to pursue complaints or conduct investigations relating to the activities outside their jurisdiction. Their efforts to work together in the cross-border context can also be hampered by insufficient preventive or remedial powers, inconsistent legal regimes, and practical obstacles like resource constraints. Therefore, closer cooperation between the European Data Protection Supervisor and national supervisory authorities should be promoted to help the exchange of information with their international counterparts.

(72)

The establishment in Regulation (EC) No 45/2001 of the European Data Protection Supervisor, who is empowered to perform his or her tasks and exercise his or her powers with complete independence, is an essential component of the protection of natural persons with regard to the processing of their personal data. This Regulation should further strengthen and clarify his or her role and independence. The European Data Protection Supervisor should be a person whose independence is beyond doubt and who is acknowledged as having the experience and skills required to perform the duties of European Data Protection Supervisor, for example because he or she has belonged to one of the supervisory authorities established under Article 51 of Regulation (EU) 2016/679.

(73)

In order to ensure consistent monitoring and enforcement of data protection rules throughout the Union, the European Data Protection Supervisor should have the same tasks and effective powers as the national supervisory authorities, including powers of investigation, corrective powers and sanctions, and authorisation and advisory powers, in particular in cases of complaints from natural persons, powers to bring infringements of this Regulation to the attention of the Court of Justice and powers to engage in legal proceedings in accordance with the primary law. Such powers should also include the power to impose a temporary or definitive limitation, including a ban, on processing. In order to avoid superfluous costs and excessive inconveniencies for the persons concerned who might be adversely affected, each measure of the European Data Protection Supervisor should be appropriate, necessary and proportionate in view of ensuring compliance with this Regulation, should take into account the circumstances of each individual case and respect the right of every person to be heard before any individual measure concerned is taken. Each legally binding measure of the European Data Protection Supervisor should be in writing, be clear and unambiguous, indicate the date of issue of the measure, bear the signature of the European Data Protection Supervisor, give the reasons for the measure, and refer to the right to an effective remedy.

(74)

The supervisory competence of the European Data Protection Supervisor should not cover the processing of personal data by the Court of Justice when acting in its judicial capacity, in order to safeguard the independence of the Court in the performance of its judicial tasks, including decision-making. For such processing operations, the Court should establish independent supervision, in accordance with Article 8(3) of the Charter, for example through an internal mechanism.

(75)

The decisions of the European Data Protection Supervisor regarding exemptions, guarantees, authorisations and conditions relating to data processing operations, as defined in this Regulation, should be published in the activities report. Independently of the publication of an annual activities report, the European Data Protection Supervisor can publish reports on specific subjects.

(76)

The European Data Protection Supervisor should comply with Regulation (EC) No 1049/2001 of the European Parliament and of the Council (9).

(77)

The national supervisory authorities monitor the application of Regulation (EU) 2016/679 and contribute to its consistent application throughout the Union, in order to protect natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the internal market. In order to increase consistency in the application of data protection rules applicable in Member States and of data protection rules applicable to Union institutions and bodies, the European Data Protection Supervisor should cooperate effectively with the national supervisory authorities.

(78)

In certain instances, Union law provides for a model of coordinated supervision, shared between the European Data Protection Supervisor and the national supervisory authorities. The European Data Protection Supervisor is also the supervisory authority of Europol and for these purposes, a specific model of cooperation with the national supervisory authorities has been established through a cooperation board with an advisory function. In order to improve the effective supervision and enforcement of substantive data protection rules, a single, coherent model of coordinated supervision should be introduced in the Union. The Commission should therefore make legislative proposals where appropriate with a view to amending Union legal acts providing for a model of coordinated supervision, in order to align them with the coordinated supervision model of this Regulation. The European Data Protection Board should serve as a single forum for ensuring effective coordinated supervision in all areas.

(79)

Every data subject should have the right to lodge a complaint with the European Data Protection Supervisor, and the right to an effective judicial remedy before the Court of Justice in accordance with the Treaties, if the data subject considers that his or her rights under this Regulation are infringed or where the European Data Protection Supervisor does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject. The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. The European Data Protection Supervisor should inform the data subject of the progress and the outcome of the complaint within a reasonable period. If the case requires further coordination with a national supervisory authority, intermediate information should be given to the data subject. In order to facilitate the submission of complaints, the European Data Protection Supervisor should take measures such as providing a complaint submission form which can also be completed electronically, without excluding other means of communication.

(80)

Any person who has suffered material or non-material damage as a result of an infringement of this Regulation should have the right to receive compensation from the controller or processor for the damage suffered, subject to the conditions provided for in the Treaties.

(81)

In order to strengthen the supervisory role of the European Data Protection Supervisor and the effective enforcement of this Regulation, the European Data Protection Supervisor should, as a sanction of last resort, have the power to impose administrative fines. The fines should aim at sanctioning the Union institution or body — rather than individuals — for non-compliance with this Regulation, to deter future violations of this Regulation and to foster a culture of personal data protection within the Union institutions and bodies. This Regulation should indicate the infringements subject to administrative fines and the upper limits and criteria for setting the associated fines. The European Data Protection Supervisor should determine the amount of the fine in each individual case, by taking into account all relevant circumstances of the specific situation, with due regard to the nature, gravity and duration of the infringement, its consequences and the measures taken to ensure compliance with the obligations under this Regulation and to prevent or mitigate the consequences of the infringement. When imposing an administrative fine on a Union institution or body, the European Data Protection Supervisor should consider the proportionality of amount of the fine. The administrative procedure for the imposition of fines on Union institutions and bodies should respect the general principles of Union law as interpreted by the Court of Justice.

(82)

Where a data subject considers that his or her rights under this Regulation are infringed, he or she should have the right to mandate a not-for-profit body, organisation or association which is constituted in accordance with Union law or the law of a Member State, has statutory objectives which are in the public interest and is active in the field of the protection of personal data to lodge a complaint on his or her behalf with the European Data Protection Supervisor. Such a body, organisation or association should also be able to exercise the right to a judicial remedy on behalf of data subjects or exercise the right to receive compensation on behalf of data subjects.

(83)

An official or other servant of the Union who fails to comply with the obligations in this Regulation should be liable to disciplinary or other action, in accordance with the rules and procedures laid down in the Staff Regulations of Officials of the European Union and the Conditions of Employment of Other Servants of the Union, laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68 (10) (‘Staff Regulations’).

(84)

In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and the Council (11). The examination procedure should be used for the adoption of standard contractual clauses between controllers and processors and between processors, for the adoption of a list of processing operations requiring prior consultation of the European Data Protection Supervisor by controllers processing personal data for the performance of a task carried out in the public interest, and for the adoption of standard contractual clauses providing appropriate safeguards for international transfers.

(85)

The confidential information which the Union and national statistical authorities collect for the production of official European and official national statistics should be protected. European statistics should be developed, produced and disseminated in accordance with the statistical principles set out in Article 338(2) TFEU. Regulation (EC) No 223/2009 of the European Parliament and of the Council (12) provides further specifications on statistical confidentiality for European statistics.

(86)

Regulation (EC) No 45/2001 and Decision No 1247/2002/EC of the European Parliament, of the Council and of the Commission (13) should be repealed. The references to the repealed Regulation and Decision should be construed as references to this Regulation.

(87)

In order to safeguard the full independence of the members of the independent supervisory authority, the terms of office of the current European Data Protection Supervisor and the current Assistant Supervisor should not be affected by this Regulation. The current Assistant Supervisor should remain in place until the end of his term of office, unless one of the conditions for the premature end of term of the European Data Protection Supervisor laid down in this Regulation is met. The relevant provisions of this Regulation should apply to the Assistant Supervisor until the end of his term of office.

(88)

In accordance with the principle of proportionality, it is necessary and appropriate for the achievement of the basic objective of ensuring an equivalent level of protection of natural persons with regard to the processing of personal data and the free flow of personal data throughout the Union to lay down rules on processing of personal data in Union institutions and bodies. This Regulation does not go beyond what is necessary in order to achieve the objectives pursued in accordance with Article 5(4) of the TEU.

(89)

The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 and delivered an opinion on 15 March 2017 (14),