13
GDPR - Pocket Edition
this Regulation should, when used for those purposes, be governed by
a more specific Union legal act, namely Directive (EU) 2016/680 of the
European Parliament and of the Council (7). Member States may entrust
competent authorities within the meaning of Directive (EU) 2016/680
with tasks which are not necessarily carried out for the purposes of the
prevention, investigation, detection or prosecution of criminal offences
or the execution of criminal penalties, including the safeguarding
against and prevention of threats to public security, so that the
processing of personal data for those other purposes, in so far as it is
within the scope of Union law, falls within the scope of this Regulation.
With regard to the processing of personal data by those competent
authorities for purposes falling within scope of this Regulation,
Member States should be able to maintain or introduce more specific
provisions to adapt the application of the rules of this Regulation. Such
provisions may determine more precisely specific requirements for the
processing of personal data by those competent authorities for those
other purposes, taking into account the constitutional, organisational
and administrative structure of the respective Member State. When the
processing of personal data by private bodies falls within the scope
of this Regulation, this Regulation should provide for the possibility
for Member States under specific conditions to restrict by law certain
obligations and rights when such a restriction constitutes a necessary
andproportionatemeasure inademocratic society to safeguard specific
important interests including public security and the prevention,
investigation, detection or prosecution of criminal offences or the
execution of criminal penalties, including the safeguarding against and
the prevention of threats to public security. This is relevant for instance
in the framework of anti-money laundering or the activities of forensic
laboratories.
(20) While this Regulation applies, inter alia, to the activities of courts and
other judicial authorities, Union or Member State law could specify the
processing operations and processing procedures in relation to the
processing of personal data by courts and other judicial authorities.
The competence of the supervisory authorities should not cover the
processing of personal data when courts are acting in their judicial
capacity, in order to safeguard the independence of the judiciary in
the performance of its judicial tasks, including decision-making. It
should be possible to entrust supervision of such data processing
operations to specific bodies within the judicial system of the Member
State, which should, in particular ensure compliance with the rules of
this Regulation, enhance awareness among members of the judiciary
of their obligations under this Regulation and handle complaints in
relation to such data processing operations.
(21) This Regulation is without prejudice to the application of Directive
2000/31/EC of the European Parliament and of the Council (8), in
particular of the liability rules of intermediary service providers in
Articles 12 to 15 of that Directive. That Directive seeks to contribute
to the proper functioning of the internal market by ensuring the free
movement of information society services between Member States.
(22) Any processing of personal data in the context of the activities of an
establishment of a controller or a processor in the Union should be