Recital 119 Organisation of several supervisory authorities of a Member State Where a Member State establishes several supervisory authorities, it should establish by law mechanisms for ensuring the effective…
Recital 120 Features of supervisory authorities Each supervisory authority should be provided with the financial and human resources, premises and infrastructure necessary for the effective performance of their tasks,…
Recital 121 Independence of the supervisory authorities The general conditions for the member or members of the supervisory authority should be laid down by law in each Member State…
Recital 102 International agreements for an appropriate level of data protection This Regulation is without prejudice to international agreements concluded between the Union and third countries regulating the transfer…
Recital 103 Appropriate level of data protection based on an adequacy decision The Commission may decide with effect for the entire Union that a third country, a territory or…
Recital 104 Criteria for an adequacy decision In line with the fundamental values on which the Union is founded, in particular the protection of human rights, the Commission should,…
Recital 105 Consideration of international agreements for an adequacy decision Apart from the international commitments the third country or international organisation has entered into, the Commission should take account…
Recital 106 Monitoring and periodic review of the level of data protection The Commission should monitor the functioning of decisions on the level of protection in a third country,…
Recital 107 Amendment, revocation and suspension of adequacy decisions The Commission may recognise that a third country, a territory or a specified sector within a third country, or an…
Recital 108 Appropriate safeguards In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third…
Recital 109Standard data protection clauses The possibility for the controller or processor to use standard data-protection clauses adopted by the Commission or by a supervisory authority should prevent controllers…
Recital 110Binding corporate rules A group of undertakings, or a group of enterprises engaged in a joint economic activity, should be able to make use of approved binding corporate…
Recital 111 Exceptions for certain cases of international transfers Provisions should be made for the possibility for transfers in certain circumstances where the data subject has given his or…
Recital 112 Data transfers due to important reasons of public interest Those derogations should in particular apply to data transfers required and necessary for important reasons of public interest,…
Recital 113 Transfers qualified as not repetitive and that only concern a limited number of data subjects Transfers which can be qualified as not repetitive and that only concern…
Recital 114Safeguarding of enforceability of rights and obligations in the absence of an adequacy decision In any case, where the Commission has taken no decision on the adequate level…
Recital 115 Rules in third countries contrary to the Regulation Some third countries adopt laws, regulations and other legal acts which purport to directly regulate the processing activities of…
Recital 116 Cooperation among supervisory authorities When personal data moves across borders outside the Union it may put at increased risk the ability of natural persons to exercise data…
Recital 85 Notification obligation of breaches to the supervisory authority A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or…
Recital 86 Notification of data subjects in case of data breaches The controller should communicate to the data subject a personal data breach, without undue delay, where that personal…
Recital 87 Promptness of reporting / notification It should be ascertained whether all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data…
Recital 88 Format and procedures of the notification In setting detailed rules concerning the format and procedures applicable to the notification of personal data breaches, due consideration should be…
Recital 89 Elimination of the general reporting requirement Directive 95/46/EC provided for a general obligation to notify the processing of personal data to the supervisory authorities. While that obligation…
Recital 90 Data protection impact assessement In such cases, a data protection impact assessment should be carried out by the controller prior to the processing in order to assess…
Recital 91 Necessity of a data protection impact assessment This should in particular apply to large-scale processing operations which aim to process a considerable amount of personal data at…