…
4.
Where the Commission decides, in accordance with the procedure referred to in Article 31(2),
that certain standard contractual clauses offer sufficient safeguards as required by paragraph 2, Member
States shall take the necessary measures to comply with the Commission’s decision.’
6
Pursuant to Article 28(3) of that directive:
‘Each authority shall in particular be endowed with:
–
investigative powers, such as powers of access to data forming the subject matter of processing
operations and powers to collect all the information necessary for the performance of its
supervisory duties,
–
effective powers of intervention, such as, for example, that of delivering opinions before
processing operations are carried out, in accordance with Article 20, and ensuring appropriate
publication of such opinions, of ordering the blocking, erasure or destruction of data, of imposing
a temporary or definitive ban on processing, of warning or admonishing the controller, or that of
referring the matter to national parliaments or other political institutions,
–
the power to engage in legal proceedings where the national provisions adopted pursuant to this
Directive have been infringed or to bring those infringements to the attention of the judicial
authorities.
…’
The GDPR
7
Directive 95/46 was repealed and replaced by Regulation (EU) 2016/679 of the European Parliament
and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing
of personal data and on the free movement of such data, and repealing Directive 95/46 (General Data
Protection Regulation) (OJ 2016 L 119, p. 1; ‘the GDPR’).
8
Recitals 6, 10, 101, 103, 104, 107 to 109, 114, 116 and 141 of the GDPR state:
‘(6)
Rapid technological developments and globalisation have brought new challenges for the
protection of personal data. The scale of the collection and sharing of personal data has increased
significantly. Technology allows both private companies and public authorities to make use of
personal data on an unprecedented scale in order to pursue their activities. Natural persons
increasingly make personal information available publicly and globally. Technology has
transformed both the economy and social life, and should further facilitate the free flow of
personal data within the Union and the transfer to third countries and international organisations,
while ensuring a high level of the protection of personal data.
…
(10)
In order to ensure a consistent and high level of protection of natural persons and to remove the
obstacles to flows of personal data within the Union, the level of protection of the rights and
freedoms of natural persons with regard to the processing of such data should be equivalent in all
Member States. Consistent and homogenous application of the rules for the protection of the
fundamental rights and freedoms of natural persons with regard to the processing of personal
data should be ensured throughout the Union. Regarding the processing of personal data for
compliance with a legal obligation, for the performance of a task carried out in the public interest
or in the exercise of official authority vested in the controller, Member States should be allowed
to maintain or introduce national provisions to further specify the application of the rules of this
Regulation. In conjunction with the general and horizontal law on data protection implementing
Directive 95/46/EC, Member States have several sector-specific laws in areas that need more
specific provisions. This Regulation also provides a margin of manoeuvre for Member States to
specify its rules, including for the processing of special categories of personal data (“sensitive