Term Definition
Recital 89: Elimination of the General Reporting Requirement

¹ Directive 95/46/EC provided for a general obligation to notify the processing of personal data to the supervisory authorities. ² While that obligation produces administrative and financial burdens, it did not in all cases contribute to improving the protection of personal data. ³ Such indiscriminate general notification obligations should therefore be abolished, and replaced by effective procedures and mechanisms which focus instead on those types of processing operations which are likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purposes. ⁴ Such types of processing operations may be those which in, particular, involve using new technologies, or are of a new kind and where no data protection impact assessment has been carried out before by the controller, or where they become necessary in the light of the time that has elapsed since the initial processing.

Synonyms - Recital 89
Recital 9: Different Standards of Protection by the Directive 95/46/EC

¹ The objectives and principles of Directive 95/46/EC remain sound, but it has not prevented fragmentation in the implementation of data protection across the Union, legal uncertainty or a widespread public perception that there are significant risks to the protection of natural persons, in particular with regard to online activity. ² Differences in the level of protection of the rights and freedoms of natural persons, in particular the right to the protection of personal data, with regard to the processing of personal data in the Member States may prevent the free flow of personal data throughout the Union. ³ Those differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law. ⁴ Such a difference in levels of protection is due to the existence of differences in the implementation and application of Directive 95/46/EC.

Synonyms - Recital 9
Recital 90: Data Protection Impact Assessment

¹ In such cases, a data protection impact assessment should be carried out by the controller prior to the processing in order to assess the particular likelihood and severity of the high risk, taking into account the nature, scope, context and purposes of the processing and the sources of the risk. ² That impact assessment should include, in particular, the measures, safeguards and mechanisms envisaged for mitigating that risk, ensuring the protection of personal data and demonstrating compliance with this Regulation.

Synonyms - Recital 90
Recital 91: Necessity of a Data Protection Impact Assessment

¹ This should in particular apply to large-scale processing operations which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk, for example, on account of their sensitivity, where in accordance with the achieved state of technological knowledge a new technology is used on a large scale as well as to other processing operations which result in a high risk to the rights and freedoms of data subjects, in particular where those operations render it more difficult for data subjects to exercise their rights. ² A data protection impact assessment should also be made where personal data are processed for taking decisions regarding specific natural persons following any systematic and extensive evaluation of personal aspects relating to natural persons based on profiling those data or following the processing of special categories of personal data, biometric data, or data on criminal convictions and offences or related security measures. ³ A data protection impact assessment is equally required for monitoring publicly accessible areas on a large scale, especially when using optic-electronic devices or for any other operations where the competent supervisory authority considers that the processing is likely to result in a high risk to the rights and freedoms of data subjects, in particular because they prevent data subjects from exercising a right or using a service or a contract, or because they are carried out systematically on a large scale. ⁴ The processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer. ⁵ In such cases, a data protection impact assessment should not be mandatory.

Synonyms - Recital 91
Recital 92: Broader Data Protection Impact Assessment

There are circumstances under which it may be reasonable and economical for the subject of a data protection impact assessment to be broader than a single project, for example where public authorities or bodies intend to establish a common application or processing platform or where several controllers plan to introduce a common application or processing environment across an industry sector or segment or for a widely used horizontal activity.

Synonyms - Recital 92
Recital 93: Data Protection Impact Assessment at Authorities

In the context of the adoption of the Member State law on which the performance of the tasks of the public authority or public body is based and which regulates the specific processing operation or set of operations in question, Member States may deem it necessary to carry out such assessment prior to the processing activities.

Synonyms - Recital 93
Recital 94: Consultation of the Supervisory Authority

¹ Where a data protection impact assessment indicates that the processing would, in the absence of safeguards, security measures and mechanisms to mitigate the risk, result in a high risk to the rights and freedoms of natural persons and the controller is of the opinion that the risk cannot be mitigated by reasonable means in terms of available technologies and costs of implementation, the supervisory authority should be consulted prior to the start of processing activities. ² Such high risk is likely to result from certain types of processing and the extent and frequency of processing, which may result also in a realisation of damage or interference with the rights and freedoms of the natural person. ³ The supervisory authority should respond to the request for consultation within a specified period. ⁴ However, the absence of a reaction of the supervisory authority within that period should be without prejudice to any intervention of the supervisory authority in accordance with its tasks and powers laid down in this Regulation, including the power to prohibit processing operations. ⁵ As part of that consultation process, the outcome of a data protection impact assessment carried out with regard to the processing at issue may be submitted to the supervisory authority, in particular the measures envisaged to mitigate the risk to the rights and freedoms of natural persons.

Synonyms - Recital 94
Recital 95: Support by the Processor

The processor should assist the controller, where necessary and upon request, in ensuring compliance with the obligations deriving from the carrying out of data protection impact assessments and from prior consultation of the supervisory authority.

Synonyms - Recital 95
Recital 96: Consultation of the Supervisory Authority in the Course of a Legislative Process

A consultation of the supervisory authority should also take place in the course of the preparation of a legislative or regulatory measure which provides for the processing of personal data, in order to ensure compliance of the intended processing with this Regulation and in particular to mitigate the risk involved for the data subject.

Synonyms - Recital 96
Recital 97: Data Protection Officer

¹ Where the processing is carried out by a public authority, except for courts or independent judicial authorities when acting in their judicial capacity, where, in the private sector, processing is carried out by a controller whose core activities consist of processing operations that require regular and systematic monitoring of the data subjects on a large scale, or where the core activities of the controller or the processor consist of processing on a large scale of special categories of personal data and data relating to criminal convictions and offences, a person with expert knowledge of data protection law and practices should assist the controller or processor to monitor internal compliance with this Regulation. ² In the private sector, the core activities of a controller relate to its primary activities and do not relate to the processing of personal data as ancillary activities. ³ The necessary level of expert knowledge should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor. ⁴ Such data protection officers, whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner.

Synonyms - Recital 97
Recital 98: Preparation of Codes of Conduct by Organisations and Associations

¹ Associations or other bodies representing categories of controllers or processors should be encouraged to draw up codes of conduct, within the limits of this Regulation, so as to facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors and the specific needs of micro, small and medium enterprises. ² In particular, such codes of conduct could calibrate the obligations of controllers and processors, taking into account the risk likely to result from the processing for the rights and freedoms of natural persons.

Synonyms - Recital 98
Recital 99: Consultation of Stakeholders and Data Subjects in the Development of Codes of Conduct

When drawing up a code of conduct, or when amending or extending such a code, associations and other bodies representing categories of controllers or processors should consult relevant stakeholders, including data subjects where feasible, and have regard to submissions received and views expressed in response to such consultations.

Synonyms - Recital 99
Rectification
The right of rectification is the right to obtain from the controller the rectification without delay of inaccurate or incomplete personal data. To exercise the right of rectification, the data subject usually has to write to the controller of the processing operation. By way of illustration, if you need to change your personal address or if you find that information about you is inaccurate, you should exercise your right of rectification by contacting the controller who holds these data.
Retention
Data retention refers to all obligations on the part of controllers to retain personal data for certain purposes. To limit how long you keep personal data is part of data minimisation. The rule of thumb is "as long as necessary, as short as possible", although sometimes legal rules may impose fixed periods. Data that are no longer retained cannot fall into the wrong hands, nor be abused, meaning that defining and enforcing limited conservation periods helps to protect the people whose data are processed.
Right of Access
The right of an individual to inspect all personal data relating to them held by a data controller in an intelligible and, as far as is practicable, permanent format.
Right to be Forgotten
An individual
Right to Object
The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Right to Restriction
Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future. This right can only be exercised where:
- their accuracy is contested by the data subject, enabling though the controller to verify the accuracy, including the completeness of the data;
- or the processing is unlawful and the data subject opposes their erasure and demands their restriction of processing instead;
- or the controller no longer needs them for the accomplishment of its tasks but they have to be maintained for purposes of proof;
- or the data subject has objected to processing to Article 23(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
Personal data restricted can only be processed with the data subject's consent, for purposes of proof, or for the protection of the rights of a third party, or for reasons of important public interest of the Union or of a Member State.
Security Patch

A security patch is software that corrects errors in computer software code. Security patches are issued by software companies to address vulnerabilities discovered in the company’s product. Vulnerabilities can also be found in the aftermath of a cyberattacker exploiting a vulnerability of an operating system – a vulnerability the software manufacturer was not previously aware of. Applying security patches that respond to the latest threats enhances device security.

Sensitive Personal Data

Personal data containing information relating to an individual’s racial and ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life, or criminal history.

 
