Each Member State shall provide, on its territory, for each supervisory authority to: monitor and enforce the application of the provisions adopted pursuant to this Directive and its implementing measures; promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing; advise, in accordance with Member State law, the national parliament, the government and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to processing; promote the awareness of controllers and processors of their obligations under this Directive; upon request, provide information to any data subject concerning the exercise of their rights under this Directive and, if appropriate, cooperate with the supervisory authorities in other Member States to that end; deal with complaints lodged by a data subject, or by a body, organisation or association in accordance with Article55, and investigate, to the extent appropriate, the subject-matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary; check the lawfulness of processing pursuant to Article 17, and inform the data subject within a reasonable period of the outcome of the check pursuant to paragraph 3 of that Article or of the reasons why the check has not been carried out; cooperate with, including by sharing information, and provide mutual assistance to other supervisory authorities, with a view to ensuring the consistency of application and enforcement of this Directive; conduct investigations on the application of this Directive, including on the basis of information received from another supervisory authority or other public authority; monitor relevant developments insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies; provide advice on the processing operations referred to in Article 28; and. 4. La Cour de justice de l'Union europenne considre dans un arrt du 5 juin 2019 que le service de Skype SkypeOut est un service de communications lectroniques. The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from data processing which could lead to physical, material or non-material damage, in particular: where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy, unauthorised reversal of pseudonymisation or any other significant economic or social disadvantage; where data subjects might be deprived of their rights and freedoms or from exercising control over their personal data; where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs or trade union membership; where genetic data or biometric data are processed in order to uniquely identify a person or where data concerning health or data concerning sex life and sexual orientation or criminal convictions and offences or related security measures are processed; where personal aspects are evaluated, in particular analysing and predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles; where personal data of vulnerable natural persons, in particular children, are processed; or where processing involves a large amount of personal data and affects a large number of data subjects. Certaines obligations prvues par la directive sont identiques celles prvues par le RGPD: Dautres obligations sont spcifiques la directive Police-Justice: En raison de la spcificit du champ dapplication de la directive Police-Justice, des droits prsents dans le RGPD ne se retrouvent pas dans la directive (cest le cas, par exemple, du droit la portabilit) ou peuvent tre assortis de limitations. 3. The processor shall notify the controller without undue delay after becoming aware of a personal data breach. (16). La directive Police-Justice compose, avec le RGPD, le paquet europen relatif la protection des donnes personnelles. However, where such processing complies with the Union law applicable prior to the date of entry into force of this Directive, the requirements of this Directive concerning the prior consultation of the supervisory authority should not apply to the processing operations already under way on that date given that those requirements, by their very nature, are to be met prior to the processing. During their term of office, that duty of professional secrecy shall in particular apply to reporting by natural persons of infringements of this Directive. En savoir plus sur la gestion de vos donnes et vos droits, Commission Nationale de l'Informatique et des Liberts. 4. Those rules should apply in addition to the other rules of this Directive, in particular those on the lawfulness of processing and Chapter V. Where personal data move across borders it may put at increased risk the ability of natural persons to exercise data protection rights to protect themselves from the unlawful use or disclosure of those data. Member States shall provide for the transmitting competent authority not to apply conditions pursuant to paragraph 3 to recipients in other Member States or to agencies, offices and bodies established pursuant to Chapters 4 and 5 of Title V of the TFEU other than those applicable to similar transmissions of data within the Member State of the transmitting competent authority. Member States shall, where two or more controllers jointly determine the purposes and means of processing, provide for them to be joint controllers. Personal data shall not be transferred if the transferring competent authority determines that fundamental rights and freedoms of the data subject concerned override the public interest in the transfer set out in points (d) and (e) of paragraph 1. Such personal data should not be processed, unless processing is subject to appropriate safeguards for the rights and freedoms of the data subject laid down by law and is allowed in cases authorised by law; where not already authorised by such a law, the processing is necessary to protect the vital interests of the data subject or of another person; or the processing relates to data which are manifestly made public by the data subject. Nous l'expliquions dans cet article, avec le RGPD et la directive Police-Justice, la surveillance biomtrique est pour l'heure strictement illgale. Le 21 octobre 2022, la CNIL accueille les autorits administratives et publiques . They shall be made available to the public, the Commission and the Board. Rules on the establishment of the supervisory authority. For the processing of personal data by a recipient that is not a competent authority or that is not acting as such within the meaning of this Directive and to which personal data are lawfully disclosed by a competent authority, Regulation (EU) 2016/679 should apply. Application Date. 1. A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned. Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Policies. In addition to the information referred to in paragraph 1, Member States shall provide by law for the controller to give to the data subject, in specific cases, the following further information to enable the exercise of his or her rights: the period for which the personal data will be stored, or, where that is not possible, the criteria used to determine that period; where applicable, the categories of recipients of the personal data, including in third countries or international organisations; where necessary, further information, in particular where the personal data are collected without the knowledge of the data subject. The Commission should monitor the functioning of decisions on the level of protection in a third country, a territory or a specified sector within a third country, or an international organisation. Member States shall provide for the controller to ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data. La directive Police-Justice a ainsi largement vocation sappliquer en matire pnale et, en particulier, aux activits menes par la police par exemple dans le cadre de la prvention et de la constatation de certaines infractions loccasion des dplacements des passagers (traitement API-PNR France) ou encore aux traitements permettant la gestion des mesures dapplication des peines prononces par lautorit judiciaire. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be allowed only where strictly necessary, subject to appropriate safeguards for the rights and freedoms of the data subject, and only: where authorised by Union or Member State law; to protect the vital interests of the data subject or of another natural person; or. 2. The notification referred to in paragraph 1 shall at least: describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; communicate the name and contact details of the data protection officer or other contact point where more information can be obtained; describe the likely consequences of the personal data breach; describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects. 1. When taking police action and if practical, safe, and tactically feasible, members shall: 1.1.1. An international agreement referred to in paragraph 1 shall be any bilateral or multilateral international agreement in force between Member States and third countries in the field of judicial cooperation in criminal matters and police cooperation. 5. In accordance with the principle of proportionality as set out in that Article, this Directive does not go beyond what is necessary in order to achieve those objectives.