- 1fundamental rights, Charter of Fundamental Rights, Article 16(1) (TFEU)
- 2fundamental rights, fundamental freedoms, single market, national economy
- 3harmonisation, fundamental rights, fundamental freedoms, free movement of data
- 4harmonisation, principle of proportionality, Charter of Fundamental Rights, right to appeal and a fair trial
- 5single market, free movement of data, cooperation, member states
- 6globalisation, exchange of data, technology, level of data protection
- 7legal framework, foundation of trust, single market, control of data
- 8clarification of rules, limitation of provisions, domestic law, coherence
- 9legal uncertainty, risks, level of protection, member states
- 10level of protection, public authority, fundamental rights and freedoms, special categories of personal data
- 11data subject rights, member states, sanctions, monitoring
- 12Article 16(2) TFEU, free movement of data, European Parliament, council
- 13single market, transparency, supervisory authorities, legal certainty
- 14nationality, place of residence, legal person
- 15technological neutrality, filesystem, processing, files
- 16exception, beyond the scope of EU law, common foreign policy, common security policy
- 17Regulation (EC) No 45/2001, union institutions, bodies, offices and agencies, adaptations of Regulation (EC) No 45/2001
- 18exception, exclusively personal activities, exclusively household activities
- 19domestic law, criminal prosecution, execution of sentence, protection against threats to public safety
- 20separate supervision for the judiciary, courts, judicial authorities, independence of the judiciary
- 21application of Directive 2000/31/EC, intermediary service providers, single market, free movement of services
- 22principle of an establishment, application of the GDPR, irrelevance of processing location
- 23lex loci solutionis, offer to EU citizens, irrelevance of processing location, irrelevance of establishment
- 24irrelevance of processing location, EU data subjects, monitoring of the behaviour, profiling
- 25application of the GDPR outside of the EU, diplomatic mission, consular office
- 26pseudonymous data, personal data, technical development, anonymous data
- 27exception, data of deceased persons, domestic law
- 28pseudonymisation, risk, data protection obligations, controller and processor
- 29pseudonymisation, controller, segregated storage, identifiability
- 30profiling, online identifiers, combination of unique identifiers, identifiability
- 31exception, tax authorities, customs authorities, independent administrative authorities
- 32consent, clear affirmative action, voluntariness, formal requirements
- 33constent, research purposes, ethical standards
- 34genetic data, genetic characteristics, analysis
- 35health data, health care services, Directive 2011/24/EU
- 36main establishment, controller, central administration, objective criteria
- 37enterprise group, control of the processing, controlling enterprise, controlled enterprise
- 38children, risks, guarantees, special protection
- 39data protection principles, data processing
- 40lawfulness, data processing, steps prior to entering into a contract
- 41legal basis, legislative measures, Court of Justice of the European Union, European Court of Human Rights
- 42proof of consent, Directive 93/13/EEC, content of the consent, voluntariness
- 43freely given consent, clear imbalance, examples of invalid consent
- 44legal basis, performance of a contract, contract formation
- 45processing operations based on a legal obligation, processing for the performance of public intrests or excercise of public authority, conditions governing the lawfulness of processing
- 46processing for vital interests of the data subject, rationale of public interest , existential interests of the data subject
- 47legitimate interest of the controller, the interests and fundamental rights of the data subject, reasonable expectations of the data subject, direct advertising
- 48enterprise group, legitimate interest, transfer
- 49legitimate interest, network and information security
- 50change of purpose, compatibility of the purposes, further processing
- 51processing of special categories of personal data, photos, exceptions
- 52exceptions, archiving purposes, employment law, maintenance of health and health risk monitoring
- 53special categories of personal data, processing for health-related purposes, management of health and social care services and systems
- 54special categories of personal data, public health (EC) No 1338/2008, processing without consent
- 55processing of personal data, processing of personal data by public authorities for constitutional purposes or purposes of international law, religious associations, public interest
- 56operation of the democratic system, collection of data on political affiliation by political parties, elections, purposes of public interest
- 57identification of a natural person, digital identification
- 58principle of transparency, information provided in electronic form, worthiness of protection of children
- 59modalities, exercise of the rights of the data subject, electronic applications
- 60the data subject be informed, notification of profiling activities, consequences of withholding data, pictograms in electronic form
- 61time of collection, collection from a third party, notice on further processing
- 62furstration of the duty for provide information
- 63right to information, information requirements
- 64identity verification of the data subject, retain data for the sole purpose potential requests
- 65right of rectification, right to be forgotten, revocation of consent, lawful retention of the personal data
- 66right to be forgotten, consideration of the technology available, appropriate measures
- 67restriction of processing, methods
- 68right to receive the data, data portability, data transmitted directly from one controller to another
- 69right to object, demonstration of a compelling legitimate interest
- 70direct advertising, profiling, right to object, explicit notification
- 71automated processing, profiling, explicit consent, profiling based on special categories of personal data
- 72profiling, policy guideline of the European Data Protection Board
- 73restrictions of certain rights and principles, Charter and European Convention for the Protection of Human Rights and Fundamental Freedoms
- 74responsibility, liability, evidence
- 75risks, rights and freedoms, likelihood and severity the damage
- 76likelihood and severity the damage, risk, objective assessment
- 77guidance on the implementation of appropriate measures, identification of the risk, guidelines of the board
- 78technical and organisational measures, data protection by design, data protection by default, state of the art
- 79protection of the rights and freedoms, responsibility and liability, monitoring and other measures of the supervisory authorities, clear allocation of the responsibilities
- 80establishment in the union, representative
- 81commissioned data processing, processing activities, security of the processing, technical and organisational measures, DPA
- 82record of processing activities, cooperation with the supervisory authority, demonstrability, audits
- 83security of the processing, technical and organisational measures, risk assessment, encryption
- 84risk evaluation, data protection impact assessment, rights and freedoms of natural persons, high risk
- 85data protection violation, discrimination, identity theft, reporting obligation
- 86notification, data subject, high risk, rights and freedoms of natural persons
- 87notification, high risk, severity of the violation
- 88notification, data subject, detailed, identity fraud
- 89notification, reporting obligation, elimination, rights and freedoms of natural persons
- 90data protection impact assessement, measures
- 91data protection impact assessement, physician, patients
- 92data protection impact assessement, authorities, processing platform, economical aspects
- 93data protection impact assessement, authorities, public bodies, processing operation
- 94consultation of the supervisory authority, safeguards, risk mitigation, high risk
- 95commissioned data processing, obligation to support of the processor, data protection impact assessement, consultation of the supervisory authority
- 96consultation of the supervisory authority, legislation, legislative preparations, regulatory measures
- 97data protection officer, expert knowledge, independence, core activities
- 98associations, organisations, micro-enterprises, codes of conduct
- 99consultation, stakeholders, statement, data subject
- 100certification, certification procedure, data protection certification, transparency
- 101international data transfers, international organisation, cooperation
- 102international agreement, level of protection
- 103appropriate level of protection, uniform application of law, international organisation
- 104adequacy decision, constitutionality, human rights, national defence
- 105international commitments, International agreements, international organisation
- 106level of protection, adequacy decisions, periodic review
- 107appropriate level of data protection, Commission, international organisation
- 108appropriate safeguards, adequacy decision, binding corporate rules
- 109standard data protection clauses, fundamental rights, fundamental freedoms
- 110binding corporate rules, BCR, international data transfer
- 111international data transfer, explicit consent, enforcement of legal claims, legitimate interest
- 112international data transfer, exception, public interest
- 113compelling legitimate interests, transfer, country of final destination
- 114Commission decision, adequacy, third country, current level of data protection
- 115third countries, administrative authorities, agreement
- 116supervisory authorities, preventative powers, remedial powers, cross-border cooperation
- 117supervisory authorities, member states, powers
- 118supervision, supervisory authorities, control mechanisms
- 119supervisory authorities, member state
- 120supervisory authorities
- 121independence of the supervisory authorities, members of the supervisory authorities act with integrity
- 122tasks and powers of the supervisory authorities
- 123monitoring of the application of the GDPR by the supervisory authorities, cooperation of Commission and supervisory authorities
- 124processing in several member states
- 125leading supervisory authority
- 126joint decisions of the supervisory authorities
- 127information to the lead supervisory authorities, procedure concerning national data processing
- 128responsibility regarding processing in the public interest
- 129identical authority of supervisory authorities in all member states, tasks of the supervisory authorities
- 130cooperation of the authorities when a complaint has been lodged
- 131amicable settlement with the controller
- 132public relation activities by supervisory authorities, specific measures for awareness-raising
- 133mutual assistance of the supervisory authorities , mutual assistance between authorities
- 134joint operations of the supervisory authorities, participation
- 135coherency mechanism, mutual assistance of the supervisory authorities
- 136opinions of the Data Protection Board, disputes between supervisory authorities
- 137provisional measures, urgent need to act, protection of the rights and freedoms of data subjects
- 138mutual assistance of the supervisory authorities, application of the coherency mechanism
- 139European Data Protection Board, entity
- 140assistance for the European Data Protection Board, Secretariat of the Protection Supervisor
- 141submission of complaints, lodge a judicial remedy
- 142support of a data subject with the submission of a complaint, class action lawsuits, Representative of the data subject
- 143judicial remedies, annulment of decisions of the boar
- 144dependent and related court proceedings, prevention of contradictory court rulings
- 145plaintiff, choice of court
- 146damages, relief from liability, recourse proceedings
- 147specific rules on jurisdiction, judicial remedy
- 148appropriate measures and penalties, reprimand and disproportionate burden, fines
- 149infringements of national rules, criminal sanctions
- 150criteria for establishing administrative fines, harmonisation of administrative penalties, administrative fines imposed on persons
- 151adaptation of administrative fines, Denmark and Estonia
- 152serious infringements, sanctions, harmonisation
- 153rules governing freedom of expression and information, journalistic, academic, artistic or literary purposes
- 154general public and public interest, principle of public access to official documents
- 155specific provisions for data processing in context of an employment relationship, collective agreements, works council agreement
- 156processing for purposes in the public interest, appropriate safeguards, rights and freedoms of the data subjec
- 157register, correlation of information, research results
- 158archiving purposes, deceased persons, public interest
- 159scientific research purposes, technological development and studies, public interest
- 160historical research purposes, deceased persons, genealogy
- 161clinical studies, research purposes, Science, Regulation (EU) No 536/2014
- 162statistical purposes, aggregation, rights and freedoms, confidentiality
- 163statistical purposes, union authorities, member states, Article 338(2) TFEU, Regulation (EG) Nr. 223/2009
- 164supervisory authorities, powers, national provisions, obligation to confidentiality
- 165Article 17 TFEU, status of churches and religious associations or communities
- 166Article 290 TFEU, delegated legislative acts, Commission
- 167Commission, implementing powers, Regulation (EU) No 182/2011
- 168standard contractual clauses, inspection procedure, third country, implementing acts
- 169implementing acts, adequate level of protection
- 170proportionality, principle of subsidiarity, equivalent level of protection
- 171repeal of Directive 95/46/EC, transitional provisions
- 172European Data Protection Supervisor: consultation and opinion
- 173coherence with Directive 2002/58/EC, adaptation of Directive 2002/58/EC
GDPR Recital 47
1The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. 2Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. 3At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. 4The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. 5Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. 6The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. 7The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.
