JUS. Legal Tech Hub
Type: EU_REGULATION
In force: 25 May 2018
Authority: Danish Data Protection Agency (Datatilsynet)
Summary
The European Union General Data Protection Regulation (GDPR) is a comprehensive piece of legislation that took effect on 25 May 2018 and governs the protection of personal data across the EU. Its core provisions are:
- Principles for the processing of personal data (lawfulness, transparency, purpose limitation, data minimisation)
- The requirement of a legal basis for processing
- Protection of special categories of data
- Data subject rights (access, rectification, erasure, portability, objection)
- Obligations of controllers and processors
- Mandatory designation of a Data Protection Officer (DPO)
- Data breach notification (72 hours)
- Rules on cross-border data transfers
- Administrative fines of up to EUR 20 million or 4% of global annual turnover
Full Text
# GENERAL DATA PROTECTION REGULATION (GDPR)
## REGULATION (EU) 2016/679
**Official Journal:** L 119, 4.5.2016, p. 1–88
**Entry into Force:** 24 May 2016
**Application Date:** 25 May 2018
---
## CHAPTER I - GENERAL PROVISIONS
### Article 1 - Subject-matter and objectives
1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
### Article 2 - Material scope
1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
2. This Regulation does not apply to the processing of personal data:
(a) in the course of an activity which falls outside the scope of Union law;
(b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
(c) by a natural person in the course of a purely personal or household activity;
(d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences.
### Article 3 - Territorial scope
1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
### Article 4 - Definitions
For the purposes of this Regulation:
(1) **'personal data'** means any information relating to an identified or identifiable natural person ('data subject');
(2) **'processing'** means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
(3) **'restriction of processing'** means the marking of stored personal data with the aim of limiting their processing in the future;
(4) **'profiling'** means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person;
(5) **'pseudonymisation'** means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information;
(6) **'filing system'** means any structured set of personal data which are accessible according to specific criteria;
(7) **'controller'** means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
(8) **'processor'** means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
(9) **'recipient'** means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed;
(10) **'third party'** means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who are authorised to process personal data;
(11) **'consent'** of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes;
(12) **'personal data breach'** means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data;
(13) **'genetic data'** means personal data relating to the inherited or acquired genetic characteristics of a natural person;
(14) **'biometric data'** means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person;
(15) **'data concerning health'** means personal data related to the physical or mental health of a natural person;
(16) **'main establishment'** means the place of central administration in the Union or the place where decisions on purposes and means of processing are taken;
(17) **'representative'** means a natural or legal person established in the Union designated by the controller or processor;
(18) **'enterprise'** means a natural or legal person engaged in an economic activity;
(19) **'group of undertakings'** means a controlling undertaking and its controlled undertakings;
(20) **'binding corporate rules'** means personal data protection policies adhered to by a controller or processor for transfers within a group of undertakings;
(21) **'supervisory authority'** means an independent public authority established by a Member State;
(22) **'cross-border processing'** means processing in more than one Member State or substantially affecting data subjects in more than one Member State;
(23) **'relevant and reasoned objection'** means an objection as to whether there is an infringement of this Regulation;
(24) **'information society service'** means a service normally provided for remuneration, at a distance, by electronic means;
(25) **'international organisation'** means an organisation and its subordinate bodies governed by public international law;
(26) **'supervisory authority concerned'** means a supervisory authority affected by the processing of personal data.
---
## CHAPTER II - PRINCIPLES
### Article 5 - Principles relating to processing of personal data
1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (**'lawfulness, fairness and transparency'**);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (**'purpose limitation'**);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (**'data minimisation'**);
(d) accurate and, where necessary, kept up to date (**'accuracy'**);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (**'storage limitation'**);
(f) processed in a manner that ensures appropriate security of the personal data (**'integrity and confidentiality'**).
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (**'accountability'**).
### Article 6 - Lawfulness of processing
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given **consent** to the processing;
(b) processing is necessary for the performance of a **contract**;
(c) processing is necessary for compliance with a **legal obligation**;
(d) processing is necessary to protect the **vital interests** of the data subject or another natural person;
(e) processing is necessary for the performance of a task carried out in the **public interest**;
(f) processing is necessary for the purposes of the **legitimate interests** pursued by the controller or by a third party.
### Article 7 - Conditions for consent
1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented.
2. If consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable.
3. The data subject shall have the right to withdraw consent at any time.
4. When assessing whether consent is freely given, utmost account shall be taken of whether the performance of a contract is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
### Article 8 - Conditions applicable to child's consent
1. Where Article 6(1)(a) applies, in relation to the offer of information society services directly to a child, the processing shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if consent is given or authorised by the holder of parental responsibility.
2. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
### Article 9 - Processing of special categories of personal data
1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be **prohibited**.
2. Paragraph 1 shall not apply if one of the following applies:
(a) the data subject has given explicit consent;
(b) processing is necessary for employment, social security and social protection law;
(c) processing is necessary to protect vital interests;
(d) processing by a not-for-profit body with a political, philosophical, religious or trade union aim;
(e) processing relates to personal data manifestly made public by the data subject;
(f) processing is necessary for legal claims or judicial acts;
(g) processing is necessary for reasons of substantial public interest;
(h) processing is necessary for preventive or occupational medicine;
(i) processing is necessary for reasons of public interest in the area of public health;
(j) processing is necessary for archiving, scientific, historical research or statistical purposes.
### Article 10 - Processing of personal data relating to criminal convictions and offences
Processing of personal data relating to criminal convictions and offences shall be carried out only under the control of official authority or when authorised by Union or Member State law.
### Article 11 - Processing which does not require identification
1. If the purposes for which a controller processes personal data do not or do no longer require the identification of a data subject, the controller shall not be obliged to maintain, acquire or process additional information.
---
## CHAPTER III - RIGHTS OF THE DATA SUBJECT
### Section 1 - Transparency and modalities
### Article 12 - Transparent information, communication and modalities
1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
2. The controller shall facilitate the exercise of data subject rights.
3. Information shall be provided without undue delay and in any event **within one month** of receipt of the request. That period may be extended by two further months where necessary.
4. If the controller does not take action on the request, the controller shall inform the data subject without delay and at the latest within one month of the reasons for not taking action.
### Section 2 - Information and access to personal data
### Article 13 - Information to be provided where personal data are collected from the data subject
When personal data are collected from the data subject, the controller shall provide the data subject with the following information:
(a) the identity and contact details of the controller;
(b) the contact details of the data protection officer;
(c) the purposes of the processing and the legal basis;
(d) the legitimate interests pursued by the controller;
(e) the recipients or categories of recipients;
(f) where applicable, that the controller intends to transfer personal data to a third country.
### Article 14 - Information to be provided where personal data have not been obtained from the data subject
Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the information referred to in Article 13 within a reasonable period, but at the latest within one month.
### Article 15 - Right of access by the data subject
1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient;
(d) the envisaged period for which the personal data will be stored;
(e) the existence of the right to request rectification or erasure;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source;
(h) the existence of automated decision-making, including profiling.
### Section 3 - Rectification and erasure
### Article 16 - Right to rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.
### Article 17 - Right to erasure ('right to be forgotten')
1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes;
(b) the data subject withdraws consent;
(c) the data subject objects to the processing;
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation;
(f) the personal data have been collected in relation to the offer of information society services to a child.
2. Where the controller has made the personal data public, the controller shall take reasonable steps to inform other controllers processing the data that the data subject has requested the erasure.
3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation;
(c) for reasons of public interest in the area of public health;
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
(e) for the establishment, exercise or defence of legal claims.
### Article 18 - Right to restriction of processing
1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
(a) the accuracy of the personal data is contested by the data subject;
(b) the processing is unlawful and the data subject opposes the erasure;
(c) the controller no longer needs the personal data for the purposes of the processing;
(d) the data subject has objected to processing pending verification.
### Article 19 - Notification obligation regarding rectification or erasure of personal data or restriction of processing
The controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
### Article 20 - Right to data portability
1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance.
2. In exercising the right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
### Section 4 - Right to object and automated individual decision-making
### Article 21 - Right to object
1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her.
2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing.
### Article 22 - Automated individual decision-making, including profiling
1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
2. Paragraph 1 shall not apply if the decision:
(a) is necessary for entering into, or performance of, a contract;
(b) is authorised by Union or Member State law;
(c) is based on the data subject's explicit consent.
---
## CHAPTER IV - CONTROLLER AND PROCESSOR
### Section 1 - General obligations
### Article 24 - Responsibility of the controller
1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.
### Article 25 - Data protection by design and by default
1. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
### Article 26 - Joint controllers
1. Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation.
### Article 27 - Representatives of controllers or processors not established in the Union
1. Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union.
### Article 28 - Processor
1. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures.
2. Processing by a processor shall be governed by a contract or other legal act that is binding on the processor with regard to the controller.
### Article 29 - Processing under the authority of the controller or processor
The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller.
### Article 30 - Records of processing activities
1. Each controller shall maintain a record of processing activities under its responsibility. That record shall contain:
(a) the name and contact details of the controller;
(b) the purposes of the processing;
(c) a description of the categories of data subjects and of the categories of personal data;
(d) the categories of recipients;
(e) transfers to third countries or international organisations;
(f) time limits for erasure;
(g) a general description of the technical and organisational security measures.
### Article 31 - Cooperation with the supervisory authority
The controller and the processor and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority.
### Section 2 - Security of personal data
### Article 32 - Security of processing
1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
### Article 33 - Notification of a personal data breach to the supervisory authority
1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, **not later than 72 hours** after having become aware of it, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
### Article 34 - Communication of a personal data breach to the data subject
1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
### Section 3 - Data protection impact assessment and prior consultation
### Article 35 - Data protection impact assessment
1. Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
### Article 36 - Prior consultation
1. The controller shall consult the supervisory authority prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.
### Section 4 - Data protection officer
### Article 37 - Designation of the data protection officer
1. The controller and the processor shall designate a data protection officer in any case where:
(a) the processing is carried out by a public authority or body;
(b) the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data.
### Article 38 - Position of the data protection officer
1. The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
2. The controller and processor shall support the data protection officer in performing the tasks by providing resources necessary to carry out those tasks.
3. The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. The data protection officer shall not be dismissed or penalised by the controller or the processor for performing his tasks.
### Article 39 - Tasks of the data protection officer
1. The data protection officer shall have at least the following tasks:
(a) to inform and advise the controller or the processor and the employees;
(b) to monitor compliance with this Regulation;
(c) to provide advice where requested as regards the data protection impact assessment;
(d) to cooperate with the supervisory authority;
(e) to act as the contact point for the supervisory authority.
---
## CHAPTER V - TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS
### Article 44 - General principle for transfers
Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if the conditions laid down in this Chapter are complied with.
### Article 45 - Transfers on the basis of an adequacy decision
1. A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection.
### Article 46 - Transfers subject to appropriate safeguards
1. In the absence of an adequacy decision, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards.
2. The appropriate safeguards may be provided by:
(a) a legally binding and enforceable instrument between public authorities;
(b) binding corporate rules;
(c) standard data protection clauses adopted by the Commission;
(d) standard data protection clauses adopted by a supervisory authority;
(e) an approved code of conduct;
(f) an approved certification mechanism.
### Article 47 - Binding corporate rules
1. Binding corporate rules shall be legally binding and apply to and be enforced by every member within the group of undertakings.
### Article 49 - Derogations for specific situations
1. In the absence of an adequacy decision or of appropriate safeguards, a transfer may take place only if one of the following conditions is met:
(a) the data subject has explicitly consented to the proposed transfer;
(b) the transfer is necessary for the performance of a contract;
(c) the transfer is necessary for important reasons of public interest;
(d) the transfer is necessary for the establishment, exercise or defence of legal claims;
(e) the transfer is necessary in order to protect the vital interests of the data subject;
(f) the transfer is made from a register intended to provide information to the public.
---
## CHAPTER VI - INDEPENDENT SUPERVISORY AUTHORITIES
### Article 51 - Supervisory authority
1. Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation.
### Article 52 - Independence
1. Each supervisory authority shall act with complete independence in performing its tasks and exercising its powers.
### Article 57 - Tasks
1. Each supervisory authority shall on its territory:
(a) monitor and enforce the application of this Regulation;
(b) promote public awareness and understanding;
(c) advise the national parliament, the government, and other institutions and bodies;
(d) promote the awareness of controllers and processors of their obligations;
(e) provide information to data subjects concerning the exercise of their rights;
(f) handle complaints lodged by a data subject.
### Article 58 - Powers
1. Each supervisory authority shall have all of the following investigative powers:
(a) to order the controller and the processor to provide any information;
(b) to carry out investigations in the form of data protection audits;
(c) to carry out a review on certifications;
(d) to notify the controller or the processor of an alleged infringement;
(e) to obtain access to any premises of the controller and the processor.
2. Each supervisory authority shall have all of the following corrective powers:
(a) to issue warnings to a controller or processor;
(b) to issue reprimands to a controller or processor;
(c) to order the controller or processor to comply with the data subject's requests;
(d) to order the controller or processor to bring processing operations into compliance;
(e) to order the controller to communicate a personal data breach to the data subject;
(f) to impose a temporary or definitive limitation including a ban on processing;
(g) to order the rectification or erasure of personal data;
(h) to withdraw a certification;
(i) to impose an administrative fine;
(j) to order the suspension of data flows to a recipient in a third country.
---
## CHAPTER VIII - REMEDIES, LIABILITY AND PENALTIES
### Article 77 - Right to lodge a complaint with a supervisory authority
1. Every data subject shall have the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
### Article 78 - Right to an effective judicial remedy against a supervisory authority
1. Each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.
### Article 79 - Right to an effective judicial remedy against a controller or processor
1. Each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed.
### Article 82 - Right to compensation and liability
1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
### Article 83 - General conditions for imposing administrative fines
1. Each supervisory authority shall ensure that the imposition of administrative fines shall in each individual case be effective, proportionate and dissuasive.
4. Infringements of the following provisions shall be subject to administrative fines up to **10,000,000 EUR**, or in the case of an undertaking, up to **2% of the total worldwide annual turnover** of the preceding financial year:
(a) the obligations of the controller and the processor;
(b) the obligations of the certification body;
(c) the obligations of the monitoring body.
5. Infringements of the following provisions shall be subject to administrative fines up to **20,000,000 EUR**, or in the case of an undertaking, up to **4% of the total worldwide annual turnover** of the preceding financial year:
(a) the basic principles for processing, including conditions for consent;
(b) the data subjects' rights;
(c) the transfers of personal data to a recipient in a third country;
(d) any obligations pursuant to Member State law;
(e) non-compliance with an order by the supervisory authority.
### Article 84 - Penalties
1. Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 83.
---
## CHAPTER XI - FINAL PROVISIONS
### Article 94 - Repeal of Directive 95/46/EC
1. Directive 95/46/EC is repealed with effect from 25 May 2018.
### Article 99 - Entry into force and application
1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
2. It shall apply from **25 May 2018**.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
---
**Source:** Official Journal of the European Union, L 119, 4.5.2016
**EUR-Lex:** https://eur-lex.europa.eu/eli/reg/2016/679/oj