11
GDPR - Pocket Edition
persons with regard to the processing of such data should be equivalent
in all Member States. Consistent and homogenous application of
the rules for the protection of the fundamental rights and freedoms
of natural persons with regard to the processing of personal data
should be ensured throughout the Union. Regarding the processing
of personal data for compliance with a legal obligation, for the
performance of a task carried out in the public interest or in the exercise
of official authority vested in the controller, Member States should be
allowed to maintain or introduce national provisions to further specify
the application of the rules of this Regulation. In conjunction with the
general and horizontal law on data protection implementing Directive
95/46/EC, Member States have several sector-specific laws in areas that
need more specific provisions. This Regulation also provides a margin
of manoeuvre for Member States to specify its rules, including for the
processing of special categories of personal data (‘sensitive data’). To
that extent, this Regulation does not exclude Member State law that
sets out the circumstances for specific processing situations, including
determining more precisely the conditions under which the processing
of personal data is lawful.
(11) Effective protection of personal data throughout the Union requires
the strengthening and setting out in detail of the rights of data subjects
and the obligations of thosewho process and determine the processing
of personal data, as well as equivalent powers for monitoring and
ensuring compliance with the rules for the protection of personal data
and equivalent sanctions for infringements in the Member States.
(12) Article 16(2) TFEU mandates the European Parliament and the Council
to lay down the rules relating to the protection of natural persons with
regard to the processing of personal data and the rules relating to the
free movement of personal data.
(13) In order to ensure a consistent level of protection for natural persons
throughout the Union and to prevent divergences hampering the free
movement of personal data within the internal market, a Regulation
is necessary to provide legal certainty and transparency for economic
operators, including micro, small and medium-sized enterprises, and
to provide natural persons in all Member States with the same level
of legally enforceable rights and obligations and responsibilities
for controllers and processors, to ensure consistent monitoring of
the processing of personal data, and equivalent sanctions in all
Member States aswell as effective cooperationbetween the supervisory
authorities of different Member States. The proper functioning of the
internal market requires that the free movement of personal data
within the Union is not restricted or prohibited for reasons connected
with the protection of natural persons with regard to the processing of
personal data. To take account of the specific situation of micro, small
and medium-sized enterprises, this Regulation includes a derogation
for organisations with fewer than 250 employees with regard to
record-keeping. In addition, the Union institutions and bodies, and
Member States and their supervisory authorities, are encouraged to
take account of the specific needs of micro, small and medium-sized
enterprises in the application of this Regulation. The notion of micro,