General Data Protection Regulation

CHAPTER V CHAPTER IV CHAPTER III CHAPTER II CHAPTER I Table of Contents

GDPR - Pocket Edition

persons with regard to the processing of such data should be equivalent

in all Member States. Consistent and homogenous application of

the rules for the protection of the fundamental rights and freedoms

of natural persons with regard to the processing of personal data

should be ensured throughout the Union. Regarding the processing

of personal data for compliance with a legal obligation, for the

performance of a task carried out in the public interest or in the exercise

of official authority vested in the controller, Member States should be

allowed to maintain or introduce national provisions to further specify

the application of the rules of this Regulation. In conjunction with the

general and horizontal law on data protection implementing Directive

95/46/EC, Member States have several sector-specific laws in areas that

need more specific provisions. This Regulation also provides a margin

of manoeuvre for Member States to specify its rules, including for the

processing of special categories of personal data (‘sensitive data’). To

that extent, this Regulation does not exclude Member State law that

sets out the circumstances for specific processing situations, including

determining more precisely the conditions under which the processing

of personal data is lawful.

(11) Effective protection of personal data throughout the Union requires

the strengthening and setting out in detail of the rights of data subjects

and the obligations of thosewho process and determine the processing

of personal data, as well as equivalent powers for monitoring and

ensuring compliance with the rules for the protection of personal data

and equivalent sanctions for infringements in the Member States.

(12) Article 16(2) TFEU mandates the European Parliament and the Council

to lay down the rules relating to the protection of natural persons with

regard to the processing of personal data and the rules relating to the

free movement of personal data.

(13) In order to ensure a consistent level of protection for natural persons

throughout the Union and to prevent divergences hampering the free

movement of personal data within the internal market, a Regulation

is necessary to provide legal certainty and transparency for economic

operators, including micro, small and medium-sized enterprises, and

to provide natural persons in all Member States with the same level

of legally enforceable rights and obligations and responsibilities

for controllers and processors, to ensure consistent monitoring of

the processing of personal data, and equivalent sanctions in all

Member States aswell as effective cooperationbetween the supervisory

authorities of different Member States. The proper functioning of the

internal market requires that the free movement of personal data

within the Union is not restricted or prohibited for reasons connected

with the protection of natural persons with regard to the processing of

personal data. To take account of the specific situation of micro, small

and medium-sized enterprises, this Regulation includes a derogation

for organisations with fewer than 250 employees with regard to

record-keeping. In addition, the Union institutions and bodies, and

Member States and their supervisory authorities, are encouraged to

take account of the specific needs of micro, small and medium-sized

enterprises in the application of this Regulation. The notion of micro,