CHAPTER V CHAPTER IV CHAPTER III CHAPTER II CHAPTER I Table of Contents

13

GDPR - Pocket Edition

this Regulation should, when used for those purposes, be governed by

a more specific Union legal act, namely Directive (EU) 2016/680 of the

European Parliament and of the Council (7). Member States may entrust

competent authorities within the meaning of Directive (EU) 2016/680

with tasks which are not necessarily carried out for the purposes of the

prevention, investigation, detection or prosecution of criminal offences

or the execution of criminal penalties, including the safeguarding

against and prevention of threats to public security, so that the

processing of personal data for those other purposes, in so far as it is

within the scope of Union law, falls within the scope of this Regulation.

With regard to the processing of personal data by those competent

authorities for purposes falling within scope of this Regulation,

Member States should be able to maintain or introduce more specific

provisions to adapt the application of the rules of this Regulation. Such

provisions may determine more precisely specific requirements for the

processing of personal data by those competent authorities for those

other purposes, taking into account the constitutional, organisational

and administrative structure of the respective Member State. When the

processing of personal data by private bodies falls within the scope

of this Regulation, this Regulation should provide for the possibility

for Member States under specific conditions to restrict by law certain

obligations and rights when such a restriction constitutes a necessary

andproportionatemeasure inademocratic society to safeguard specific

important interests including public security and the prevention,

investigation, detection or prosecution of criminal offences or the

execution of criminal penalties, including the safeguarding against and

the prevention of threats to public security. This is relevant for instance

in the framework of anti-money laundering or the activities of forensic

laboratories.

(20) While this Regulation applies, inter alia, to the activities of courts and

other judicial authorities, Union or Member State law could specify the

processing operations and processing procedures in relation to the

processing of personal data by courts and other judicial authorities.

The competence of the supervisory authorities should not cover the

processing of personal data when courts are acting in their judicial

capacity, in order to safeguard the independence of the judiciary in

the performance of its judicial tasks, including decision-making. It

should be possible to entrust supervision of such data processing

operations to specific bodies within the judicial system of the Member

State, which should, in particular ensure compliance with the rules of

this Regulation, enhance awareness among members of the judiciary

of their obligations under this Regulation and handle complaints in

relation to such data processing operations.

(21) This Regulation is without prejudice to the application of Directive

2000/31/EC of the European Parliament and of the Council (8), in

particular of the liability rules of intermediary service providers in

Articles 12 to 15 of that Directive. That Directive seeks to contribute

to the proper functioning of the internal market by ensuring the free

movement of information society services between Member States.

(22) Any processing of personal data in the context of the activities of an

establishment of a controller or a processor in the Union should be