(75) The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures; where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular of children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects.
(76) The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.
(77) Guidance on the implementation of appropriate measures and on the demonstration of compliance by the controller or the processor, especially as regards the identification of the risk related to the processing, their assessment in terms of origin, nature, likelihood and severity, and the identification of best practices to mitigate the risk, could be provided in particular by means of approved codes of conduct, approved certifications, guidelines provided by the Board or indications provided by a data protection officer. The Board may also issue guidelines on processing operations that are considered to be unlikely to result in a high risk to the rights and freedoms of natural persons and indicate what measures may be sufficient in such cases to address such risk.
(78) The protection of the rights and freedoms of natural persons with regard to the processing of personal data requires that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features. When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into consideration in the context of public tenders.
(79) The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processors, also in relation to the monitoring by and measures of supervisory authorities, requires a clear allocation of the responsibilities under this Regulation, including where a controller determines the purposes and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller.
(80) Where a controller or a processor not established in the Union is processing personal data of data subjects who are in the Union whose processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union, or to the monitoring of their behaviour as far as their behaviour takes place within the Union, the controller or the processor should designate a representative, unless the processing is occasional, does not include processing, on a large scale, of special categories of personal data or the processing of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the
4.5.2016 L 119/15 Official Journal of the European Union
EN