Recital 112 Data transfers due to important reasons of public interest Those derogations should in particular apply to data transfers required and necessary for important reasons of public interest,…
Recital 113 Transfers qualified as not repetitive and that only concern a limited number of data subjects Transfers which can be qualified as not repetitive and that only concern…
Recital 115 Rules in third countries contrary to the Regulation Some third countries adopt laws, regulations and other legal acts which purport to directly regulate the processing activities of…
Recital 116 Cooperation among supervisory authorities When personal data moves across borders outside the Union it may put at increased risk the ability of natural persons to exercise data…
Recital 94 Consultation of the supervisory authority Where a data protection impact assessment indicates that the processing would, in the absence of safeguards, security measures and mechanisms to mitigate…
Recital 97 Data protection officer Where the processing is carried out by a public authority, except for courts or independent judicial authorities when acting in their judicial capacity, where,…
Recital 98 Preparation of codes of conduct by organisations and associations Associations or other bodies representing categories of controllers or processors should be encouraged to draw up codes of…
Recital 101 General principles for international data transfers Flows of personal data to and from countries outside the Union and international organisations are necessary for the expansion of international…
Recital 82 Record of processing activities In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller…
Recital 83 Security of processing In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in…
Recital 84 Risk evaluation and impact assessment In order to enhance compliance with this Regulation where processing operations are likely to result in a high risk to the rights…
Recital 85 Notification obligation of breaches to the supervisory authority A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or…
Recital 86 Notification of data subjects in case of data breaches The controller should communicate to the data subject a personal data breach, without undue delay, where that personal…
Recital 87 Promptness of reporting / notification It should be ascertained whether all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data…
Recital 88 Format and procedures of the notification In setting detailed rules concerning the format and procedures applicable to the notification of personal data breaches, due consideration should be…
Recital 89 Elimination of the general reporting requirement Directive 95/46/EC provided for a general obligation to notify the processing of personal data to the supervisory authorities. While that obligation…
Recital 90 Data protection impact assessement In such cases, a data protection impact assessment should be carried out by the controller prior to the processing in order to assess…
Recital 91 Necessity of a data protection impact assessment This should in particular apply to large-scale processing operations which aim to process a considerable amount of personal data at…
Recital 74 Responsibility and liability of the controller The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the…
Recital 76 Risk assessment The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope,…
Recital 77 Risk assessment guidelines Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the processor, especially as regards the identification…
Recital 78 Appropriate technical and organisational measures The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical…
Recital 62 Exceptions to the obligation to provide information However, it is not necessary to impose the obligation to provide information where the data subject already possesses the information,…
Recital 80 Designation of a representative Where a controller or a processor not established in the Union is processing personal data of data subjects who are in the Union…
Recital 63 Right of access A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that…
