diff --git "a/README.md" "b/README.md" --- "a/README.md" +++ "b/README.md" 
@@ -13,8 +13,439 @@ tags: - loss:MultipleNegativesRankingLoss base_model: intfloat/multilingual-e5-large widget: -- source_sentence: What does 'personal data breach' entail? +- source_sentence: At what specific time did the transaction of €297.21 occur? sentences: + - This should in particular apply to large-scale processing operations which aim + to process a considerable amount of personal data at regional, national or supranational + level and which could affect a large number of data subjects and which are likely + to result in a high risk, for example, on account of their sensitivity, where + in accordance with the achieved state of technological knowledge a new technology + is used on a large scale as well as to other processing operations which result + in a high risk to the rights and freedoms of data subjects, in particular where + those operations render it more difficult for data subjects to exercise their + rights. A data 4.5.2016 L 119/17 Official Journal of the European Union EN protection + impact assessment should also be made where personal data are processed for taking + decisions regarding specific natural persons following any systematic and extensive + evaluation of personal aspects relating to natural persons based on profiling + those data or following the processing of special categories of personal data, + biometric data, or data on criminal convictions and offences or related security + measures. A data protection impact assessment is equally required for monitoring + publicly accessible areas on a large scale, especially when using optic-electronic + devices or for any other operations where the competent supervisory authority + considers that the processing is likely to result in a high risk to the rights + and freedoms of data subjects, in particular because they prevent data subjects + from exercising a right or using a service or a contract, or because they are + carried out systematically on a large scale. 
The processing of personal data should + not be considered to be on a large scale if the processing concerns personal data + from patients or clients by an individual physician, other health care professional + or lawyer. In such cases, a data protection impact assessment should not be mandatory. + - '**Court (Civil/Criminal): Civil** + + + **Provisions:** + + + **Time of commission of the act:** + + + **Outcome (not guilty, guilty):** + + + **Rationale:** + + + **Facts:** + + The plaintiff holds credit card number ............ with the defendant banking + corporation. Based on the application for alternative networks dated 19/7/2015 + with number ......... submitted at a branch of the defendant, he was granted access + to the electronic banking service (e-banking) to conduct banking transactions + (debit, credit, updates, payments) remotely. On 30/11/2020, the plaintiff fell + victim to electronic fraud through the "phishing" method, whereby an unknown perpetrator + managed to withdraw a total amount of €3,121.75 from the aforementioned credit + card. Specifically, the plaintiff received an email at 1:35 PM on 29/11/2020 from + sender ...... with address ........, informing him that due to an impending system + change, he needed to verify the mobile phone number linked to the credit card, + urging him to complete the verification process within the next 24 hours by following + a link titled ........; otherwise, his account would be locked for security reasons. + The plaintiff read this email on the afternoon of 30 November 2020 and, believing + it was from the defendant, followed the instructions and proceeded via the provided + link to a website that was identical (a clone) to that of the defendant. On this + page, he was asked to enter the six-digit security code (.........) that had just + been sent to his mobile phone by the defendant at 3:41 PM, with the note that + it was an activation code for his ........ card at ........., which he entered. 
+ + + Subsequently, the plaintiff received, according to his statements, a new email + (not submitted), which requested him to enter the details of the aforementioned + credit card, specifically the name of the cardholder and the card number, not + the PIN, which he also entered, convinced that he was within the online environment + of the defendant. Then, at 3:47 PM, he received a message on his mobile phone + from the defendant containing the exact same content as the one he received at + 3:41 PM, while at 3:50 PM he received a message stating that the activation of + his ......... card at ....... had been completed. Once the plaintiff read this, + he became concerned that something was not right, and immediately called (at 4:41 + PM) the defendant''s call center to inform them. There, the employees, with whom + he finally connected at 5:04 PM due to high call center volume, advised him to + delete the relevant emails, cancel his credit card, change his access passwords + for the service, and submit a dispute request regarding the conducted transactions. + The plaintiff electronically sent this request to the defendant, disputing the + detailed transactions amounting to €3,121.75, which were conducted on 30/11/2020 + during the time frame of 16:37:45-16:43:34 PM, arguing that he had neither performed + them himself nor authorized anyone else to do so. The plaintiff specifically disputed + the following transactions, as evidenced by the account activity of the disputed + credit card during the aforementioned timeframe: a) transaction number ......... + amounting to €150.62 conducted on 30/11/2020 at 4:43:34 PM, b) transaction number + ........ amounting to €293.20 conducted on 30/11/2020 at 4:42:40 PM, c) transaction + number ............ amounting to €295.21 conducted on 30/11/2020 at 4:42:10 PM, + d) transaction number .......... amounting to €299.22 conducted on 30/11/2020 + at 4:41:31 PM, e) transaction number ........ 
amounting to €297.21 conducted on + 30/11/2020 at 4:41:01 PM, f) transaction number ........ amounting to €299.22 + conducted on 30/11/2020 at 4:40:27 PM, g) transaction number ....... amounting + to €299.22 conducted on 30/11/2020 at 4:39:55 PM, h) transaction number ...... + amounting to €299.22 conducted on 30/11/2020 at 4:39:22 PM, i) transaction number + ......... amounting to €297.22 conducted on 30/11/2020 at 4:38:52 PM, j) transaction + number ......... amounting to €295.21 conducted on 30/11/2020 at 4:38:17 PM, and + k) transaction number ......... amounting to €296.21 conducted on 30/11/2020 at + 4:37:45 PM. In its response letter dated 21/12/2020, the defendant denied responsibility + for the costs of the aforementioned transactions, placing the entire blame on + the plaintiff for the leak of his card details and security code to the fraudulent + page. The plaintiff, completely denying any fault for the conducted transactions, + repeatedly contacted the defendant, both by phone and via email (see emails dated + 15/1/2021 and 11/2/2021), while on 2/3/2021, he electronically sent a report dated + 1/03/2021 to the Consumer Advocate’s email address, recounting the events and + requesting that the aforementioned Independent Authority intervene to have the + disputed debt canceled. In its letter with reference number ...../27.04.2021, + the aforementioned Independent Authority informed the plaintiff that the case + was outside its mediating role and was therefore archived. Subsequently, the plaintiff + sent the defendant on 5/3/2021 his extrajudicial statement dated 4/3/2021, calling + upon it to fully cancel the debt of €3,121.75 that had been unjustly incurred + against him within two days and to immediately instruct the representatives of + the collection agency working with it to cease contacting him regarding the disputed + case. 
The defendant sent the plaintiff a message on his mobile phone on 20/04/2021 + informing him that his case was still being processed due to lengthy operational + requirements, while on 23/04/2021, via email, it informed him that considering + their good cooperation and his efforts to keep them updated, it had reviewed his + case and decided to refund him the amounts of the transactions that were conducted + after his contact with their representatives on 30/11/2020 at 4:41 PM, totaling + €1,038.25, specifically the following: a) transaction of €150.62 conducted on + 30/11/2020 at 4:43 PM, b) transaction of €295.21 conducted on 30/11/2020 at 4:42 + PM, c) transaction of €293.20 conducted on 30/11/2020 at 4:42 PM, and d) transaction + of €299.22 conducted on 30/11/2020 at 4:41 PM. Beyond this, the defendant refused + to refund the plaintiff the amount of the remaining transactions conducted on + 30/11/2020, totaling €2,376.08 (and not €2,376.48 as incorrectly stated by the + plaintiff in his lawsuit), which the plaintiff ultimately fully paid, transferring + €2,342.77 to the defendant on 7/06/2021 and €33.31 on 15/06/2021 (see related + deposit receipts).' + - Processing should be lawful where it is necessary in the context of a contract + or the intention to enter into a contract. +- source_sentence: Where does this Regulation apply to the processing of personal + data? 
+ sentences: + - 'Any person who, in contravention of the provisions of this law or of the provisions + of lawfully ratified multilateral international conventions on the protection + of copyright, unlawfully makes a fixation of a work or of copies, reproduces them + directly or indirectly, temporarily or permanently in any form, in whole or in + part, translates, adapts, alters or transforms them, or distributes them to the + public by sale or other means, or possesses with the intent of distributing them, + rents, performs in public, broadcasts by radio or television or any other means, + communicates to the public works or copies by any means, imports copies of a work + illegally produced abroad without the consent of the author and, in general, exploits + works, reproductions or copies being the object of copyright or acts against the + moral right of the author to decide freely on the publication and the presentation + of his work to the public without additions or deletions, shall be liable to imprisonment + of no less than a year and to a fine from 2.900-15.000 Euro. + + Without the permission of the performers: fixes their performance; directly or + indirectly, temporarily or permanently reproduces by any means and form, in whole + or in part, the fixation of their performance; distributes to the public the fixation + of their performance or possesses them with the purpose of distribution; rents + the fixation of their performance; broadcasts by radio and television by any means, + the live performance, unless such broadcasting is rebroadcasting of a legitimate + broadcasting; communicates to the public the live performance made by any means, + except radio and television broadcasting; makes available to the public, by wire + or wireless means, in such a way that members of the public may access them from + a place and at a time individually chosen by them, the fixation of their performance. 
+ + Without the permission of phonogram producers (producers of sound recordings): + directly or indirectly, temporarily or permanently reproduces by any means and + form, in whole or in part, their phonograms; distributes to the public the above + recordings, or possesses them with the purpose of distribution; rents the said + recordings; makes available to the public, by wire or wireless means, in such + a way that members of the public may access them from a place and at a time individually + chosen by them, their phonograms; imports the said recordings produced abroad + without their consent. + + Without the permission of producers of audiovisual works (producers of visual + or sound and visual recordings): directly or indirectly, temporarily or permanently + reproduces by any means and form, in whole or in part, the original and the copies + of their films; distributes to the public the above recordings, including the + copies thereof, or possesses them with the purpose of distribution; rents the + said recordings; makes available to the public, by wire or wireless means, in + such a way that members of the public may access them from a place and at a time + individually chosen by them, the original and the copies of their films; imports + the said recordings produced abroad without their consent; broadcasts by radio + or television by any means including satellite transmission and cable retransmission, + as well as the communication to the public. 
+ + Without the permission of radio and television organizations: rebroadcasts their + broadcasts by any means; presents their broadcasts to the public in places accessible + to the public against payment of an entrance fee; fixes their broadcasts on sound + or sound and visual recordings, regardless of whether the broadcasts are transmitted + by wire or by the air, including by cable or satellite; directly or indirectly, + temporarily or permanently reproduces by any means and form, in whole or in part, + the fixation of their broadcasts; distributes to the public the recordings containing + the fixation or their broadcasts; rents the recordings containing the fixation + of their broadcasts; makes available to the public, by wire or wireless means, + in such a way that members of the public may access them from a place and at a + time individually chosen by them, the fixation of their broadcasts. + + If the financial gain sought or the damage caused by the perpetration of an act + listed in paragraphs (1) and (2), above, is particularly great, the sanction shall + be not less than two years imprisonment and a fine of from 2 to 10 million drachmas. + If the guilty party has perpetrated any of the aforementioned acts by profession + or at a commercial scale or if the circumstances in connection with the perpetration + of the act indicate that the guilty party poses a serious threat to the protection + of copyright or related rights, the sanction shall be imprisonment of up to ten + (10) years and a fine of from 5 to 10 million drachmas, together with the withdrawal + of the trading license of the undertaking which has served as the vehicle for + the act. 
The act shall be likewise deemed to have been perpetrated by way of standard + practice if the guilty party has on a previous occasion been convicted of a contravention + pursuant to the provisions of the Article or for a violation of the preceding + copyright legislation and sentenced to a non-redeemable period of imprisonment. + Any infringement of copyright and related rights in the form of felony is tried + by the competent Three-member Court of Appeal for Felonies. + + Any person who did not pay the remuneration provided for by Article 18, paragraph + (3) hereof to a collecting society is punished with the sanction of paragraph + (1), (2) and (3). The same sentence is imposed on the debtor who, after the issuance + of the decision of the one-member first instance court, does not submit the declaration + under the provisions of article 18, par. 6, of this law. + + The sanctions specified in paragraph (1), above, shall be applicable likewise + to any person who: uses or distributes, or possesses with the intent to distribute, + any system or means whose sole purpose is to facilitate the unpermitted removal + or neutralization of a technical system used to protect a computer program; manufactures + or imports or distributes, or possesses with intent to distribute, equipment and + other materials utilizable for the reproduction of a work which do not conform + to the specifications determined pursuant to Article 59 of this Law; manufactures + or imports or distributes, or possesses with intent to distribute, objects which + can thwart the efficacy of the above-mentioned specifications, or engages in an + act which can have that result; reproduces or uses a work without utilizing the + equipment or without applying the systems specified pursuant to Article 60 of + this Law; distributes, or possesses with intent to distribute, a phonogram or + film without the special mark or control label specified pursuant to Article 61 + of this Law. 
+ + Where a sentence of imprisonment is imposed with the option of redeemability, + the sum payable for the redemption shall be 10 times the sum specified as per + the case in the Penal Code. + + Where mitigating circumstances exist, the fine imposed shall not be less than + half of the minimum fine imposable as per the case under this Law. + + Any person who proceeds to authorized temporary or permanent reproduction of the + database, translation, adaptation, arrangement and any other alteration of the + database, distribution to the public of the database or of copies thereof, communication, + display or performance of the database to the public, is punished by imprisonment + of at least one (1) year and a fine of one (1) to five (5) million drachmas. + + Any person who proceeds to extraction and/or re-utilization of the whole or of + a substantial part of the contents of the database without the authorization of + the author thereof, is punished by imprisonment of at least one (1) year and a + fine of one (1) to five (5) million drachmas (article 12 of Directive 96/9). + + When the object of the infringement refers to computer software, the culpable + character of the action, as described in paragraph 1 of article 65A and under + the prerequisites provided there, is raised under the condition that the infringer + proceeds in the unreserved payment of the administrative fee and the infringement + concerns a quantity of up to 50 programs. + + When the object of infringement concerns recordings of sound in which a work protected + by copyright law has been recorded, the unreserved payment of an administrative + fee according to the stipulation of par.2 of article 65A and under the prerequisites + provided there, the culpable character of the action is raised under the condition + that the infringement concerns a quantity of up to five hundred (500) illegal + sound recording carriers. 
+ + The payment of the administrative fee and the raising of the culpable character + of the action, do not relieve the infringers from the duty of buying off the copyright + and related rights or from the duty of compensating and paying the rest expenses + to the holders of these rights, according to the provisions of the relevant laws. + + In case of recidivism during the same financial year the administrative fee provided + for by article 65A doubles. + + ' + - "**Court (Civil/Criminal): Criminal** \n**Provisions:** \n**Time of commission\ + \ of the act:** \n**Result (not guilty, guilty):** Guilty \n**Rationale:** Declares\ + \ the defendant guilty of the following: In Athens, between the period from July\ + \ 25, 2005, to July 26, 2005, for profit and with the intent to conceal the true\ + \ origin and provide assistance to a person involved in criminal activity, he\ + \ intentionally concealed any assets and became, in any case, the beneficiary\ + \ of those assets, which originated from the aforementioned activity, namely fraud\ + \ through the manipulation of computer data, from which the damage caused is particularly\ + \ significant, the perpetrator committing professional fraud, and the circumstances\ + \ under which this act was carried out indicating that he is particularly dangerous.\ + \ He engages in activities related to money laundering from criminal activity\ + \ as a profession and is particularly dangerous. Specifically: An individual whose\ + \ identity is unknown had violated the communication codes of .... and ... with\ + \ Bank ..... (password, passport details via the Internet) within the framework\ + \ of electronic banking transactions provided by the aforementioned bank and on\ + \ June 20, 2005, July 12, 2005, and July 25, 2005, knowingly falsely presented\ + \ himself to employees of Bank ..... over the phone as the ..... beneficiary of\ + \ the ..... account at this bank, knowing the password and account number. 
Thus,\ + \ on June 20, 2005, he succeeded, through the appropriate employees, in changing\ + \ the phone number at the Bank to his own .... On July 12, 2005, he verified the\ + \ change of the phone number, and on July 25, 2005, he read a transfer request\ + \ to Greece for the amount of $427,620 with account number .... to a bank employee,\ + \ and by changing the password for online banking transactions and knowing the\ + \ user identity ....., he managed to convince the relevant employee to disclose\ + \ the account balance of ..... which was $629,473.04. In this way, he convinced\ + \ the relevant employee of Bank ..... to proceed with the transfer of the amount\ + \ of $427,620 from the account of ..... to Bank ...... in Greece, specifically\ + \ to the ...... account, with the transfer request made via email from the online\ + \ banking system. \n**Actual incidents:**" + - "1.This Regulation applies to the processing of personal data in the context of\ + \ the activities of an establishment of a controller or a processor in the Union,\ + \ regardless of whether the processing takes place in the Union or not. 4.5.2016\ + \ L 119/32 \n2.This Regulation applies to the processing of personal data of\ + \ data subjects who are in the Union by a controller or processor not established\ + \ in the Union, where the processing activities are related to: (a) the offering\ + \ of goods or services, irrespective of whether a payment of the data subject\ + \ is required, to such data subjects in the Union; or (b) the monitoring of their\ + \ behaviour as far as their behaviour takes place within the Union.\n3.This Regulation\ + \ applies to the processing of personal data by a controller not established in\ + \ the Union, but in a place where Member State law applies by virtue of public\ + \ international law." +- source_sentence: What is required for the effective protection of personal data + throughout the Union? 
+ sentences: + - Effective protection of personal data throughout the Union requires the strengthening + and setting out in detail of the rights of data subjects and the obligations of + those who process and determine the processing of personal data, as well as equivalent + powers for monitoring and ensuring compliance with the rules for the protection + of personal data and equivalent sanctions for infringements in the Member States. + - The protection of natural persons with regard to the processing of personal data + by competent authorities for the purposes of the prevention, investigation, detection + or prosecution of criminal offences or the execution of criminal penalties, including + the safeguarding against and the prevention of threats to public security and + the free movement of such data, is the subject of a specific Union legal act. + This Regulation should not, therefore, apply to processing activities for those + purposes. However, personal data processed by public authorities under this Regulation + should, when used for those purposes, be governed by a more specific Union legal + act, namely Directive (EU) 2016/680 of the European Parliament and of the Council + (1). Member States may entrust competent authorities within the meaning of Directive + (EU) 2016/680 with tasks which are not necessarily carried out for the purposes + of the prevention, investigation, detection or prosecution of criminal offences + or the execution of criminal penalties, including the safeguarding against and + prevention of threats to public security, so that the processing of personal data + for those other purposes, in so far as it is within the scope of Union law, falls + within the scope of this Regulation. 
With regard to the processing of personal + data by those competent authorities for purposes falling within scope of this + Regulation, Member States should be able to maintain or introduce more specific + provisions to adapt the application of the rules of this Regulation. Such provisions + may determine more precisely specific requirements for the processing of personal + data by those competent authorities for those other purposes, taking into account + the constitutional, organisational and administrative structure of the respective + Member State. When the processing of personal data by private bodies falls within + the scope of this Regulation, this Regulation should provide for the possibility + for Member States under specific conditions to restrict by law certain obligations + and rights when such a restriction constitutes a necessary and proportionate measure + in a democratic society to safeguard specific important interests including public + security and the prevention, investigation, detection or prosecution of criminal + offences or the execution of criminal penalties, including the safeguarding against + and the prevention of threats to public security. This is relevant for instance + in the framework of anti-money laundering or the activities of forensic laboratories. + - In order to ensure consistent monitoring and enforcement of this Regulation throughout + the Union, the supervisory authorities should have in each Member State the same + tasks and effective powers, including powers of investigation, corrective powers + and sanctions, and authorisation and advisory powers, in particular in cases of + complaints from natural persons, and without prejudice to the powers of prosecutorial + authorities under Member State law, to bring infringements of this Regulation + to the attention of the judicial authorities and engage in legal proceedings. 
+ Such powers should also include the power to impose a temporary or definitive + limitation, including a ban, on processing. Member States may specify other tasks + related to the protection of personal data under this Regulation. The powers of + supervisory authorities should be exercised in accordance with appropriate procedural + safeguards set out in Union and Member State law, impartially, fairly and within + a reasonable time. In particular each measure should be appropriate, necessary + and proportionate in view of ensuring compliance with this Regulation, taking + into account the circumstances of each individual case, respect the right of every + person to be heard before any individual measure which would affect him or her + adversely is taken and avoid superfluous costs and excessive inconveniences for + the persons concerned. Investigatory powers as regards access to premises should + be exercised in accordance with specific requirements in Member State procedural + law, such as the requirement to obtain a prior judicial authorisation. Each legally + binding measure of the supervisory authority should be in writing, be clear and + unambiguous, indicate the supervisory authority which has issued the measure, + the date of issue of the measure, bear the signature of the head, or a member + of the supervisory authority authorised by him or her, give the reasons for the + measure, and refer to the right of an effective remedy. This should not preclude + additional requirements pursuant to Member State procedural law. The adoption + of a legally binding decision implies that it may give rise to judicial review + in the Member State of the supervisory authority that adopted the decision. +- source_sentence: How long can the period for providing information be extended for? 
+ sentences: + - "1.The controller shall take appropriate measures to provide any information referred\ + \ to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34\ + \ relating to processing to the data subject in a concise, transparent, intelligible\ + \ and easily accessible form, using clear and plain language, in particular for\ + \ any information addressed specifically to a child. The information shall be\ + \ provided in writing, or by other means, including, where appropriate, by electronic\ + \ means. When requested by the data subject, the information may be provided orally,\ + \ provided that the identity of the data subject is proven by other means. 4.5.2016\ + \ L 119/39 \n2.The controller shall facilitate the exercise of data subject rights\ + \ under Articles 15 to 22. In the cases referred to in Article 11(2), the controller\ + \ shall not refuse to act on the request of the data subject for exercising his\ + \ or her rights under Articles 15 to 22, unless the controller demonstrates that\ + \ it is not in a position to identify the data subject.\n3.The controller shall\ + \ provide information on action taken on a request under Articles 15 to 22 to\ + \ the data subject without undue delay and in any event within one month of receipt\ + \ of the request. That period may be extended by two further months where necessary,\ + \ taking into account the complexity and number of the requests. The controller\ + \ shall inform the data subject of any such extension within one month of receipt\ + \ of the request, together with the reasons for the delay. 
Where the data subject\ + \ makes the request by electronic form means, the information shall be provided\ + \ by electronic means where possible, unless otherwise requested by the data subject.\n\ + 4.If the controller does not take action on the request of the data subject, the\ + \ controller shall inform the data subject without delay and at the latest within\ + \ one month of receipt of the request of the reasons for not taking action and\ + \ on the possibility of lodging a complaint with a supervisory authority and seeking\ + \ a judicial remedy.\n5.Information provided under Articles 13 and 14 and any\ + \ communication and any actions taken under Articles 15 to 22 and 34 shall be\ + \ provided free of charge. Where requests from a data subject are manifestly unfounded\ + \ or excessive, in particular because of their repetitive character, the controller\ + \ may either: (a) charge a reasonable fee taking into account the administrative\ + \ costs of providing the information or communication or taking the action requested;\ + \ or (b) refuse to act on the request. The controller shall bear the burden of\ + \ demonstrating the manifestly unfounded or excessive character of the request.\n\ + 6.Without prejudice to Article 11, where the controller has reasonable doubts\ + \ concerning the identity of the natural person making the request referred to\ + \ in Articles 15 to 21, the controller may request the provision of additional\ + \ information necessary to confirm the identity of the data subject.\n7.The information\ + \ to be provided to data subjects pursuant to Articles 13 and 14 may be provided\ + \ in combination with standardised icons in order to give in an easily visible,\ + \ intelligible and clearly legible manner a meaningful overview of the intended\ + \ processing. 
Where the icons are presented electronically they shall be machine-readable.\n\ + 8.The Commission shall be empowered to adopt delegated acts in accordance with\ + \ Article 92 for the purpose of determining the information to be presented by\ + \ the icons and the procedures for providing standardised icons. Section 2 Information\ + \ and access to personal data" + - The processing of personal data to the extent strictly necessary and proportionate + for the purposes of ensuring network and information security, i.e. the ability + of a network or an information system to resist, at a given level of confidence, + accidental events or unlawful or malicious actions that compromise the availability, + authenticity, integrity and confidentiality of stored or transmitted personal + data, and the security of the related services offered by, or accessible via, + those networks and systems, by public authorities, by computer emergency response + teams (CERTs), computer security incident response teams (CSIRTs), by providers + of electronic communications networks and services and by providers of security + technologies and services, constitutes a legitimate interest of the data controller + concerned. This could, for example, include preventing unauthorised access to + electronic communications networks and malicious code distribution and stopping + ‘denial of service’ attacks and damage to computer and electronic communication + systems. - '1.Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural 
@@ -74,591 +505,132 @@ widget: 4.Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.' - - '1) ''personal data'' means any information relating to an identified or identifiable - natural person (''data subject''); an identifiable natural person is one who can - be identified, directly or indirectly, in particular by reference to an identifier - such as a name, an identification number, location data, an online identifier - or to one or more factors specific to the physical, physiological, genetic, mental, - economic, cultural or social identity of that natural person; - - (2) ‘processing’ means any operation or set of operations which is performed on - personal data or on sets of personal data, whether or not by automated means, - such as collection, recording, organisation, structuring, storage, adaptation - or alteration, retrieval, consultation, use, disclosure by transmission, dissemination - or otherwise making available, alignment or combination, restriction, erasure - or destruction; - - (3) ‘restriction of processing’ means the marking of stored personal data with - the aim of limiting their processing in the future; - - (4) ‘profiling’ means any form of automated processing of personal data consisting - of the use of personal data to evaluate certain personal aspects relating to a - natural person, in particular to analyse or predict aspects concerning that natural - person''s performance at work, economic situation, health, personal preferences, - interests, reliability, behaviour, location or movements; - - (5) ‘pseudonymisation’ means the processing of personal data in such a manner - that the personal data can no longer be attributed to a specific data subject - without the use of additional information, provided that such additional information - is kept separately and is subject to technical and organisational measures to - ensure 
that the personal data are not attributed to an identified or identifiable - natural person; - - (6) ‘filing system’ means any structured set of personal data which are accessible - according to specific criteria, whether centralised, decentralised or dispersed - on a functional or geographical basis; - - (7) ‘controller’ means the natural or legal person, public authority, agency or - other body which, alone or jointly with others, determines the purposes and means - of the processing of personal data; where the purposes and means of such processing - are determined by Union or Member State law, the controller or the specific criteria - for its nomination may be provided for by Union or Member State law; - - (8) ‘processor’ means a natural or legal person, public authority, agency or other - body which processes personal data on behalf of the controller; - - (9) ‘recipient’ means a natural or legal person, public authority, agency or another - body, to which the personal data are disclosed, whether a third party or not. 
- However, public authorities which may receive personal data in the framework of - a particular inquiry in accordance with Union or Member State law shall not be - regarded as recipients; the processing of those data by those public authorities - shall be in compliance with the applicable data protection rules according to - the purposes of the processing; - - (10) ‘third party’ means a natural or legal person, public authority, agency or - body other than the data subject, controller, processor and persons who, under - the direct authority of the controller or processor, are authorised to process - personal data; - - (11) ‘consent’ of the data subject means any freely given, specific, informed - and unambiguous indication of the data subject''s wishes by which he or she, by - a statement or by a clear affirmative action, signifies agreement to the processing - of personal data relating to him or her; - - (12) ‘personal data breach’ means a breach of security leading to the accidental - or unlawful destruction, loss, alteration, unauthorised disclosure of, or access - to, personal data transmitted, stored or otherwise processed; - - (13) ‘genetic data’ means personal data relating to the inherited or acquired - genetic characteristics of a natural person which give unique information about - the physiology or the health of that natural person and which result, in particular, - from an analysis of a biological sample from the natural person in question; - - (14) ‘biometric data’ means personal data resulting from specific technical processing - relating to the physical, physiological or behavioural characteristics of a natural - person, which allow or confirm the unique identification of that natural person, - such as facial images or dactyloscopic data; - - (15) ‘data concerning health’ means personal data related to the physical or mental - health of a natural person, including the provision of health care services, which - reveal information about his or her 
health status; - - (16) ‘main establishment’ means: (a) as regards a controller with establishments - in more than one Member State, the place of its central administration in the - Union, unless the decisions on the purposes and means of the processing of personal - data are taken in another establishment of the controller in the Union and the - latter establishment has the power to have such decisions implemented, in which - case the establishment having taken such decisions is to be considered to be the - main establishment; (b) as regards a processor with establishments in more than - one Member State, the place of its central administration in the Union, or, if - the processor has no central administration in the Union, the establishment of - the processor in the Union where the main processing activities in the context - of the activities of an establishment of the processor take place to the extent - that the processor is subject to specific obligations under this Regulation; - - (17) ‘representative’ means a natural or legal person established in the Union - who, designated by the controller or processor in writing pursuant to Article - 27, represents the controller or processor with regard to their respective obligations - under this Regulation; - - (18) ‘enterprise’ means a natural or legal person engaged in an economic activity, - irrespective of its legal form, including partnerships or associations regularly - engaged in an economic activity; - - (19) ‘group of undertakings’ means a controlling undertaking and its controlled - undertakings; - - (20) ‘binding corporate rules’ means personal data protection policies which are - adhered to by a controller or processor established on the territory of a Member - State for transfers or a set of transfers of personal data to a controller or - processor in one or more third countries within a group of undertakings, or group - of enterprises engaged in a joint economic activity; - - (21) ‘supervisory authority’ 
means an independent public authority which is established - by a Member State pursuant to Article 51; - - (22) ‘supervisory authority concerned’ means a supervisory authority which is - concerned by the processing of personal data because: (a) the controller or processor - is established on the territory of the Member State of that supervisory authority; - (b) data subjects residing in the Member State of that supervisory authority are - substantially affected or likely to be substantially affected by the processing; - or (c) a complaint has been lodged with that supervisory authority; - - (23) ‘cross-border processing’ means either: (a) processing of personal data which - takes place in the context of the activities of establishments in more than one - Member State of a controller or processor in the Union where the controller or - processor is established in more than one Member State; or (b) processing of personal - data which takes place in the context of the activities of a single establishment - of a controller or processor in the Union but which substantially affects or is - likely to substantially affect data subjects in more than one Member State. 
- - (24) ‘relevant and reasoned objection’ means an objection to a draft decision - as to whether there is an infringement of this Regulation, or whether envisaged - action in relation to the controller or processor complies with this Regulation, - which clearly demonstrates the significance of the risks posed by the draft decision - as regards the fundamental rights and freedoms of data subjects and, where applicable, - the free flow of personal data within the Union; - - (25) ‘information society service’ means a service as defined in point (b) of - Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the - Council (1); - - (26) ‘international organisation’ means an organisation and its subordinate bodies - governed by public international law, or any other body which is set up by, or - on the basis of, an agreement between two or more countries.' - - Any processing of personal data should be lawful and fair. It should be transparent - to natural persons that personal data concerning them are collected, used, consulted - or otherwise processed and to what extent the personal data are or will be processed. - The principle of transparency requires that any information and communication - relating to the processing of those personal data be easily accessible and easy - to understand, and that clear and plain language be used. That principle concerns, - in particular, information to the data subjects on the identity of the controller - and the purposes of the processing and further information to ensure fair and - transparent processing in respect of the natural persons concerned and their right - to obtain confirmation and communication of personal data concerning them which - are being processed. Natural persons should be made aware of risks, rules, safeguards - and rights in relation to the processing of personal data and how to exercise - their rights in relation to such processing. 
In particular, the specific purposes - for which personal data are processed should be explicit and legitimate and determined - at the time of the collection of the personal data. The personal data should be - adequate, relevant and limited to what is necessary for the purposes for which - they are processed. This requires, in particular, ensuring that the period for - which the personal data are stored is limited to a strict minimum. Personal data - should be processed only if the purpose of the processing could not reasonably - be fulfilled by other means. In order to ensure that the personal data are not - kept longer than necessary, time limits should be established by the controller - for erasure or for a periodic review. Every reasonable step should be taken to - ensure that personal data which are inaccurate are rectified or deleted. Personal - data should be processed in a manner that ensures appropriate security and confidentiality - of the personal data, including for preventing unauthorised access to or use of - personal data and the equipment used for the processing. -- source_sentence: In what situations could providing information to the data subject - be considered impossible or involve a disproportionate effort? +- source_sentence: Under what circumstances does the provision of information prove + impossible or involve a disproportionate effort? sentences: - - '1.The controller shall consult the supervisory authority prior to processing - where a data protection impact assessment under Article 35 indicates that the - processing would result in a high risk in the absence of measures taken by the - controller to mitigate the risk. 
- - 2.Where the supervisory authority is of the opinion that the intended processing - referred to in paragraph 1 would infringe this Regulation, in particular where - the controller has insufficiently identified or mitigated the risk, the supervisory - authority shall, within period of up to eight weeks of receipt of the request - for consultation, provide written advice to the controller and, where applicable - to the processor, and may use any of its powers referred to in Article 58. That - period may be extended by six weeks, taking into account the complexity of the - intended processing. The supervisory authority shall inform the controller and, - where applicable, the processor, of any such extension within one month of receipt - of the request for consultation together with the reasons for the delay. Those - periods may be suspended until the supervisory authority has obtained information - it has requested for the purposes of the consultation. - - 3.When consulting the supervisory authority pursuant to paragraph 1, the controller - shall provide the supervisory authority with: (a) where applicable, the respective - responsibilities of the controller, joint controllers and processors involved - in the processing, in particular for processing within a group of undertakings; - (b) the purposes and means of the intended processing; (c) the measures and - safeguards provided to protect the rights and freedoms of data subjects pursuant - to this Regulation; (d) where applicable, the contact details of the data protection - officer; 4.5.2016 L 119/54 (e) the data protection impact assessment provided - for in Article 35; and (f) any other information requested by the supervisory - authority. - - 4.Member States shall consult the supervisory authority during the preparation - of a proposal for a legislative measure to be adopted by a national parliament, - or of a regulatory measure based on such a legislative measure, which relates - to processing. 
- - 5.Notwithstanding paragraph 1, Member State law may require controllers to consult - with, and obtain prior authorisation from, the supervisory authority in relation - to processing by a controller for the performance of a task carried out by the - controller in the public interest, including processing in relation to social - protection and public health' - - "1.The Member States, the supervisory authorities, the Board and the Commission\ - \ shall encourage, in particular at Union level, the establishment of data protection\ - \ certification mechanisms and of data protection seals and marks, for the purpose\ - \ of demonstrating compliance with this Regulation of processing operations by\ - \ controllers and processors. The specific needs of micro, small and medium-sized\ - \ enterprises shall be taken into account. 4.5.2016 L 119/58 \n2.In addition\ - \ to adherence by controllers or processors subject to this Regulation, data protection\ - \ certification mechanisms, seals or marks approved pursuant to paragraph 5 of\ - \ this Article may be established for the purpose of demonstrating the existence\ - \ of appropriate safeguards provided by controllers or processors that are not\ - \ subject to this Regulation pursuant to Article 3 within the framework of personal\ - \ data transfers to third countries or international organisations under the terms\ - \ referred to in point (f) of Article 46(2). 
Such controllers or processors shall\ - \ make binding and enforceable commitments, via contractual or other legally binding\ - \ instruments, to apply those appropriate safeguards, including with regard to\ - \ the rights of data subjects.\n3.The certification shall be voluntary and available\ - \ via a process that is transparent.\n4.A certification pursuant to this Article\ - \ does not reduce the responsibility of the controller or the processor for compliance\ - \ with this Regulation and is without prejudice to the tasks and powers of the\ - \ supervisory authorities which are competent pursuant to Article 55 or 56\n5.A\ - \ certification pursuant to this Article shall be issued by the certification\ - \ bodies referred to in Article 43 or by the competent supervisory authority,\ - \ on the basis of criteria approved by that competent supervisory authority pursuant\ - \ to Article 58(3) or by the Board pursuant to Article 63. Where the criteria\ - \ are approved by the Board, this may result in a common certification, the European\ - \ Data Protection Seal.\n6.The controller or processor which submits its processing\ - \ to the certification mechanism shall provide the certification body referred\ - \ to in Article 43, or where applicable, the competent supervisory authority,\ - \ with all information and access to its processing activities which are necessary\ - \ to conduct the certification procedure.\n7.Certification shall be issued to\ - \ a controller or processor for a maximum period of three years and may be renewed,\ - \ under the same conditions, provided that the relevant requirements continue\ - \ to be met. 
Certification shall be withdrawn, as applicable, by the certification\ - \ bodies referred to in Article 43 or by the competent supervisory authority where\ - \ the requirements for the certification are not or are no longer met.\n8.The\ - \ Board shall collate all certification mechanisms and data protection seals and\ - \ marks in a register and shall make them publicly available by any appropriate\ - \ means." - - However, it is not necessary to impose the obligation to provide information where - the data subject already possesses the information, where the recording or disclosure - of the personal data is expressly laid down by law or where the provision of information - to the data subject proves to be impossible or would involve a disproportionate - effort. The latter could in particular be the case where processing is carried - out for archiving purposes in the public interest, scientific or historical research - purposes or statistical purposes. In that regard, the number of data subjects, - the age of the data and any appropriate safeguards adopted should be taken into - consideration. -- source_sentence: What is the data subject provided with prior to further processing - of personal data? - sentences: - - '1.Where personal data relating to a data subject are collected from the data - subject, the controller shall, at the time when personal data are obtained, provide - the data subject with all of the following information: (a) the identity and - the contact details of the controller and, where applicable, of the controller''s + - The processing of personal data for archiving purposes in the public interest, + scientific or historical research purposes or statistical purposes should be subject + to appropriate safeguards for the rights and freedoms of the data subject pursuant + to this Regulation. 
Those safeguards should ensure that technical and organisational + measures are in place in order to ensure, in particular, the principle of data + minimisation. The further processing of personal data for archiving purposes in + the public interest, scientific or historical research purposes or statistical + purposes is to be carried out when the controller has assessed the feasibility + to fulfil those purposes by processing data which do not permit or no longer permit + the identification of data subjects, provided that appropriate safeguards exist + (such as, for instance, pseudonymisation of the data). Member States should provide + for appropriate safeguards for the processing of personal data for archiving purposes + in the public interest, scientific or historical research purposes or statistical + purposes. Member States should be authorised to provide, under specific conditions + and subject to appropriate safeguards for data subjects, specifications and derogations + with regard to the information requirements and rights to rectification, to erasure, + to be forgotten, to restriction of processing, to data portability, and to object + when processing personal data for archiving purposes in the public interest, scientific + or historical research purposes or statistical purposes. The conditions and safeguards + in question may entail specific procedures for data subjects to exercise those + rights if this is appropriate in the light of the purposes sought by the specific + processing along with technical and organisational measures aimed at minimising + the processing of personal data in pursuance of the proportionality and necessity + principles. The processing of personal data for scientific purposes should also + comply with other relevant legislation such as on clinical trials. 
+ - The data subject should have the right not to be subject to a decision, which + may include a measure, evaluating personal aspects relating to him or her which + is based solely on automated processing and which produces legal effects concerning + him or her or similarly significantly affects him or her, such as automatic refusal + of an online credit application or e-recruiting practices without any human intervention. + Such processing includes ‘profiling’ that consists of any form of automated processing + of personal data evaluating the personal aspects relating to a natural person, + in particular to analyse or predict aspects concerning the data subject's performance + at work, economic situation, health, personal preferences or interests, reliability + or behaviour, location or movements, where it produces legal effects concerning + him or her or similarly significantly affects him or her. However, decision-making + based on such processing, including profiling, should be allowed where expressly + authorised by Union or Member State law to which the controller is subject, including + for fraud and tax-evasion monitoring and prevention purposes conducted in accordance + with the regulations, standards and recommendations of Union institutions or national + oversight bodies and to ensure the security and reliability of a service provided + by the controller, or necessary for the entering or performance of a contract + between the data subject and a controller, or when the data subject has given + his or her explicit consent. In any case, such processing should be subject to + suitable safeguards, which should include specific information to the data subject + and the right to obtain human intervention, to express his or her point of view, + to obtain an explanation of the decision reached after such assessment and to + challenge the decision. Such measure should not concern a child. 
In order to ensure + fair and transparent processing in respect of the data subject, taking into account + the specific circumstances and context in which the personal data are processed, + the controller should use appropriate mathematical or statistical procedures for + the profiling, implement technical and organisational measures appropriate to + ensure, in particular, that factors which result in inaccuracies in personal data + are corrected and the risk of errors is minimised, secure personal data in a manner + that takes account of the potential risks involved for the interests and rights + of the data subject and that prevents, inter alia, discriminatory effects on natural + persons on the basis of racial or ethnic origin, political opinion, religion or + beliefs, trade union membership, genetic or health status or sexual orientation, + or that result in measures having such an effect. Automated decision-making and + profiling based on special categories of personal data should be allowed only + under specific conditions. 
+ - '1.Where personal data have not been obtained from the data subject, the controller + shall provide the data subject with the following information: (a) the identity + and the contact details of the controller and, where applicable, of the controller''s representative; (b) the contact details of the data protection officer, where applicable; (c) the purposes of the processing for which the personal data are - intended as well as the legal basis for the processing; 4.5.2016 L 119/40 (d) where - the processing is based on point (f) of Article 6(1), the legitimate interests - pursued by the controller or by a third party; (e) the recipients or categories - of recipients of the personal data, if any; (f) where applicable, the fact that - the controller intends to transfer personal data to a third country or international + intended as well as the legal basis for the processing; (d) the categories of + personal data concerned; (e) the recipients or categories of recipients of the + personal data, if any; 4.5.2016 L 119/41 (f) where applicable, that the controller + intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the - means by which to obtain a copy of them or where they have been made available. 
- - 2.In addition to the information referred to in paragraph 1, the controller shall, - at the time when personal data are obtained, provide the data subject with the - following further information necessary to ensure fair and transparent processing: - (a) the period for which the personal data will be stored, or if that is not - possible, the criteria used to determine that period; (b) the existence of the - right to request from the controller access to and rectification or erasure of - personal data or restriction of processing concerning the data subject or to object - to processing as well as the right to data portability; (c) where the processing - is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence - of the right to withdraw consent at any time, without affecting the lawfulness - of processing based on consent before its withdrawal; (d) the right to lodge - a complaint with a supervisory authority; (e) whether the provision of personal - data is a statutory or contractual requirement, or a requirement necessary to - enter into a contract, as well as whether the data subject is obliged to provide - the personal data and of the possible consequences of failure to provide such - data; (f) the existence of automated decision-making, including profiling, referred - to in Article 22(1) and (4) and, at least in those cases, meaningful information - about the logic involved, as well as the significance and the envisaged consequences - of such processing for the data subject. - - 3.Where the controller intends to further process the personal data for a purpose - other than that for which the personal data were collected, the controller shall + means to obtain a copy of them or where they have been made available. 
+ + 2.In addition to the information referred to in paragraph 1, the controller shall + provide the data subject with the following information necessary to ensure fair + and transparent processing in respect of the data subject: (a) the period for + which the personal data will be stored, or if that is not possible, the criteria + used to determine that period; (b) where the processing is based on point (f) + of Article 6(1), the legitimate interests pursued by the controller or by a third + party; (c) the existence of the right to request from the controller access to + and rectification or erasure of personal data or restriction of processing concerning + the data subject and to object to processing as well as the right to data portability; + (d) where processing is based on point (a) of Article 6(1) or point (a) of Article + 9(2), the existence of the right to withdraw consent at any time, without affecting + the lawfulness of processing based on consent before its withdrawal; (e) the + right to lodge a complaint with a supervisory authority; (f) from which source + the personal data originate, and if applicable, whether it came from publicly + accessible sources; (g) the existence of automated decision-making, including + profiling, referred to in Article 22(1) and (4) and, at least in those cases, + meaningful information about the logic involved, as well as the significance and + the envisaged consequences of such processing for the data subject. 
+ + 3.The controller shall provide the information referred to in paragraphs 1 and + 2: (a) within a reasonable period after obtaining the personal data, but at the + latest within one month, having regard to the specific circumstances in which + the personal data are processed; (b) if the personal data are to be used for + communication with the data subject, at the latest at the time of the first communication + to that data subject; or (c) if a disclosure to another recipient is envisaged, + at the latest when the personal data are first disclosed. + + 4.Where the controller intends to further process the personal data for a purpose + other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2 - 4.Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject - already has the information.' - - This Regulation respects and does not prejudice the status under existing constitutional - law of churches and religious associations or communities in the Member States, - as recognised in Article 17 TFEU. 
- - '1) ''personal data'' means any information relating to an identified or identifiable - natural person (''data subject''); an identifiable natural person is one who can - be identified, directly or indirectly, in particular by reference to an identifier - such as a name, an identification number, location data, an online identifier - or to one or more factors specific to the physical, physiological, genetic, mental, - economic, cultural or social identity of that natural person; - - (2) ‘processing’ means any operation or set of operations which is performed on - personal data or on sets of personal data, whether or not by automated means, - such as collection, recording, organisation, structuring, storage, adaptation - or alteration, retrieval, consultation, use, disclosure by transmission, dissemination - or otherwise making available, alignment or combination, restriction, erasure - or destruction; - - (3) ‘restriction of processing’ means the marking of stored personal data with - the aim of limiting their processing in the future; - - (4) ‘profiling’ means any form of automated processing of personal data consisting - of the use of personal data to evaluate certain personal aspects relating to a - natural person, in particular to analyse or predict aspects concerning that natural - person''s performance at work, economic situation, health, personal preferences, - interests, reliability, behaviour, location or movements; - - (5) ‘pseudonymisation’ means the processing of personal data in such a manner - that the personal data can no longer be attributed to a specific data subject - without the use of additional information, provided that such additional information - is kept separately and is subject to technical and organisational measures to - ensure that the personal data are not attributed to an identified or identifiable - natural person; - - (6) ‘filing system’ means any structured set of personal data which are accessible - according to specific 
criteria, whether centralised, decentralised or dispersed - on a functional or geographical basis; - - (7) ‘controller’ means the natural or legal person, public authority, agency or - other body which, alone or jointly with others, determines the purposes and means - of the processing of personal data; where the purposes and means of such processing - are determined by Union or Member State law, the controller or the specific criteria - for its nomination may be provided for by Union or Member State law; - - (8) ‘processor’ means a natural or legal person, public authority, agency or other - body which processes personal data on behalf of the controller; - - (9) ‘recipient’ means a natural or legal person, public authority, agency or another - body, to which the personal data are disclosed, whether a third party or not. - However, public authorities which may receive personal data in the framework of - a particular inquiry in accordance with Union or Member State law shall not be - regarded as recipients; the processing of those data by those public authorities - shall be in compliance with the applicable data protection rules according to - the purposes of the processing; - - (10) ‘third party’ means a natural or legal person, public authority, agency or - body other than the data subject, controller, processor and persons who, under - the direct authority of the controller or processor, are authorised to process - personal data; - - (11) ‘consent’ of the data subject means any freely given, specific, informed - and unambiguous indication of the data subject''s wishes by which he or she, by - a statement or by a clear affirmative action, signifies agreement to the processing - of personal data relating to him or her; - - (12) ‘personal data breach’ means a breach of security leading to the accidental - or unlawful destruction, loss, alteration, unauthorised disclosure of, or access - to, personal data transmitted, stored or otherwise processed; - - (13) ‘genetic 
data’ means personal data relating to the inherited or acquired - genetic characteristics of a natural person which give unique information about - the physiology or the health of that natural person and which result, in particular, - from an analysis of a biological sample from the natural person in question; - - (14) ‘biometric data’ means personal data resulting from specific technical processing - relating to the physical, physiological or behavioural characteristics of a natural - person, which allow or confirm the unique identification of that natural person, - such as facial images or dactyloscopic data; - - (15) ‘data concerning health’ means personal data related to the physical or mental - health of a natural person, including the provision of health care services, which - reveal information about his or her health status; - - (16) ‘main establishment’ means: (a) as regards a controller with establishments - in more than one Member State, the place of its central administration in the - Union, unless the decisions on the purposes and means of the processing of personal - data are taken in another establishment of the controller in the Union and the - latter establishment has the power to have such decisions implemented, in which - case the establishment having taken such decisions is to be considered to be the - main establishment; (b) as regards a processor with establishments in more than - one Member State, the place of its central administration in the Union, or, if - the processor has no central administration in the Union, the establishment of - the processor in the Union where the main processing activities in the context - of the activities of an establishment of the processor take place to the extent - that the processor is subject to specific obligations under this Regulation; - - (17) ‘representative’ means a natural or legal person established in the Union - who, designated by the controller or processor in writing pursuant to Article - 27, 
represents the controller or processor with regard to their respective obligations - under this Regulation; - - (18) ‘enterprise’ means a natural or legal person engaged in an economic activity, - irrespective of its legal form, including partnerships or associations regularly - engaged in an economic activity; - - (19) ‘group of undertakings’ means a controlling undertaking and its controlled - undertakings; - - (20) ‘binding corporate rules’ means personal data protection policies which are - adhered to by a controller or processor established on the territory of a Member - State for transfers or a set of transfers of personal data to a controller or - processor in one or more third countries within a group of undertakings, or group - of enterprises engaged in a joint economic activity; - - (21) ‘supervisory authority’ means an independent public authority which is established - by a Member State pursuant to Article 51; - - (22) ‘supervisory authority concerned’ means a supervisory authority which is - concerned by the processing of personal data because: (a) the controller or processor - is established on the territory of the Member State of that supervisory authority; - (b) data subjects residing in the Member State of that supervisory authority are - substantially affected or likely to be substantially affected by the processing; - or (c) a complaint has been lodged with that supervisory authority; - - (23) ‘cross-border processing’ means either: (a) processing of personal data which - takes place in the context of the activities of establishments in more than one - Member State of a controller or processor in the Union where the controller or - processor is established in more than one Member State; or (b) processing of personal - data which takes place in the context of the activities of a single establishment - of a controller or processor in the Union but which substantially affects or is - likely to substantially affect data subjects in more than one 
Member State. - - (24) ‘relevant and reasoned objection’ means an objection to a draft decision - as to whether there is an infringement of this Regulation, or whether envisaged - action in relation to the controller or processor complies with this Regulation, - which clearly demonstrates the significance of the risks posed by the draft decision - as regards the fundamental rights and freedoms of data subjects and, where applicable, - the free flow of personal data within the Union; - - (25) ‘information society service’ means a service as defined in point (b) of - Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the - Council (1); - - (26) ‘international organisation’ means an organisation and its subordinate bodies - governed by public international law, or any other body which is set up by, or - on the basis of, an agreement between two or more countries.' -- source_sentence: What type of data may be processed for purposes related to point - (h) of paragraph 2? - sentences: - - '1.Processing of personal data revealing racial or ethnic origin, political opinions, - religious or philosophical beliefs, or trade union membership, and the processing - of genetic data, biometric data for the purpose of uniquely identifying a natural - person, data concerning health or data concerning a natural person''s sex life - or sexual orientation shall be prohibited. 
- - 2.Paragraph 1 shall not apply if one of the following applies: (a) the data subject - has given explicit consent to the processing of those personal data for one or - more specified purposes, except where Union or Member State law provide that the - prohibition referred to in paragraph 1 may not be lifted by the data subject; - (b) processing is necessary for the purposes of carrying out the obligations - and exercising specific rights of the controller or of the data subject in the - field of employment and social security and social protection law in so far as - it is authorised by Union or Member State law or a collective agreement pursuant - to Member State law providing for appropriate safeguards for the fundamental rights - and the interests of the data subject; (c) processing is necessary to protect - the vital interests of the data subject or of another natural person where the - data subject is physically or legally incapable of giving consent; (d) processing - is carried out in the course of its legitimate activities with appropriate safeguards - by a foundation, association or any other not-for-profit body with a political, - philosophical, religious or trade union aim and on condition that the processing - relates solely to the members or to former members of the body or to persons who - have regular contact with it in connection with its purposes and that the personal - data are not disclosed outside that body without the consent of the data subjects; - (e) processing relates to personal data which are manifestly made public by the - data subject; (f) processing is necessary for the establishment, exercise or - defence of legal claims or whenever courts are acting in their judicial capacity; - (g) processing is necessary for reasons of substantial public interest, on the - basis of Union or Member State law which shall be proportionate to the aim pursued, - respect the essence of the right to data protection and provide for suitable and - specific 
measures to safeguard the fundamental rights and the interests of the - data subject; (h) processing is necessary for the purposes of preventive or occupational - medicine, for the assessment of the working capacity of the employee, medical - diagnosis, the provision of health or social care or treatment or the management - of health or social care systems and services on the basis of Union or Member - State law or pursuant to contract with a health professional and subject to the - conditions and safeguards referred to in paragraph 3; (i) processing is necessary - for reasons of public interest in the area of public health, such as protecting - against serious cross-border threats to health or ensuring high standards of quality - and safety of health care and of medicinal products or medical devices, on the - basis of Union or Member State law which provides for suitable and specific measures - to safeguard the rights and freedoms of the data subject, in particular professional - secrecy; 4.5.2016 L 119/38 (j) processing is necessary for archiving purposes - in the public interest, scientific or historical research purposes or statistical - purposes in accordance with Article 89(1) based on Union or Member State law which - shall be proportionate to the aim pursued, respect the essence of the right to - data protection and provide for suitable and specific measures to safeguard the - fundamental rights and the interests of the data subject. - - 3.Personal data referred to in paragraph 1 may be processed for the purposes referred - to in point (h) of paragraph 2 when those data are processed by or under the responsibility - of a professional subject to the obligation of professional secrecy under Union - or Member State law or rules established by national competent bodies or by another - person also subject to an obligation of secrecy under Union or Member State law - or rules established by national competent bodies. 
- - 4.Member States may maintain or introduce further conditions, including limitations, - with regard to the processing of genetic data, biometric data or data concerning - health.' - - '1.The data protection officer shall have at least the following tasks: (a) to - inform and advise the controller or the processor and the employees who carry - out processing of their obligations pursuant to this Regulation and to other Union - or Member State data protection provisions; (b) to monitor compliance with this - Regulation, with other Union or Member State data protection provisions and with - the policies of the controller or processor in relation to the protection of personal - data, including the assignment of responsibilities, awareness-raising and training - of staff involved in processing operations, and the related audits; (c) to provide - advice where requested as regards the data protection impact assessment and monitor - its performance pursuant to Article 35; (d) to cooperate with the supervisory - authority; (e) to act as the contact point for the supervisory authority on issues - relating to processing, including the prior consultation referred to in Article - 36, and to consult, where appropriate, with regard to any other matter. - - 2.The data protection officer shall in the performance of his or her tasks have - due regard to the risk associated with processing operations, taking into account - the nature, scope, context and purposes of processing. Section 5 Codes of conduct - and certification' - - Processing should be lawful where it is necessary in the context of a contract - or the intention to enter into a contract. -- source_sentence: What may impede authorities in the discharge of their responsibilities - under Union law? 
- sentences: - - '1.The controller and the processor shall designate a data protection officer - in any case where: (a) the processing is carried out by a public authority or - body, except for courts acting in their judicial capacity; (b) the core activities - of the controller or the processor consist of processing operations which, by - virtue of their nature, their scope and/or their purposes, require regular and - systematic monitoring of data subjects on a large scale; or (c) the core activities - of the controller or the processor consist of processing on a large scale of special - categories of data pursuant to Article 9 and personal data relating to criminal - convictions and offences referred to in Article 10 - - 2.A group of undertakings may appoint a single data protection officer provided - that a data protection officer is easily accessible from each establishment. - - 3.Where the controller or the processor is a public authority or body, a single - data protection officer may be designated for several such authorities or bodies, - taking account of their organisational structure and size. - - 4.In cases other than those referred to in paragraph 1, the controller or processor - or associations and other bodies representing categories of controllers or processors - may or, where required by Union or Member State law shall, designate a data protection - officer. The data protection officer may act for such associations and other bodies - representing controllers or processors. - - 5.The data protection officer shall be designated on the basis of professional - qualities and, in particular, expert knowledge of data protection law and practices - and the ability to fulfil the tasks referred to in Article 39 - - 6.The data protection officer may be a staff member of the controller or processor, - or fulfil the tasks on the basis of a service contract. 
- - 7.The controller or the processor shall publish the contact details of the data - protection officer and communicate them to the supervisory authority.' - - This Regulation is without prejudice to international agreements concluded between - the Union and third countries regulating the transfer of personal data including - appropriate safeguards for the data subjects. Member States may conclude international - agreements which involve the transfer of personal data to third countries or international - organisations, as far as such agreements do not affect this Regulation or any - other provisions of Union law and include an appropriate level of protection for - the fundamental rights of the data subjects. - - The objectives and principles of Directive 95/46/EC remain sound, but it has not - prevented fragmentation in the implementation of data protection across the Union, - legal uncertainty or a widespread public perception that there are significant - risks to the protection of natural persons, in particular with regard to online - activity. Differences in the level of protection of the rights and freedoms of - natural persons, in particular the right to the protection of personal data, with - regard to the processing of personal data in the Member States may prevent the - free flow of personal data throughout the Union. Those differences may therefore - constitute an obstacle to the pursuit of economic activities at the level of the - Union, distort competition and impede authorities in the discharge of their responsibilities - under Union law. Such a difference in levels of protection is due to the existence - of differences in the implementation and application of Directive 95/46/EC. 
+ 5.Paragraphs 1 to 4 shall not apply where and insofar as: (a) the data subject + already has the information; (b) the provision of such information proves impossible + or would involve a disproportionate effort, in particular for processing for archiving + purposes in the public interest, scientific or historical research purposes or + statistical purposes, subject to the conditions and safeguards referred to in + Article 89(1) or in so far as the obligation referred to in paragraph 1 of this + Article is likely to render impossible or seriously impair the achievement of + the objectives of that processing. In such cases the controller shall take appropriate + measures to protect the data subject''s rights and freedoms and legitimate interests, + including making the information publicly available; (c) obtaining or disclosure + is expressly laid down by Union or Member State law to which the controller is + subject and which provides appropriate measures to protect the data subject''s + legitimate interests; or (d) where the personal data must remain confidential + subject to an obligation of professional secrecy regulated by Union or Member + State law, including a statutory obligation of secrecy. 4.5.2016 L 119/42' pipeline_tag: sentence-similarity library_name: sentence-transformers metrics: 
@@ -688,49 +660,49 @@ model-index: type: dim_1024 metrics: - type: cosine_accuracy@1 - value: 0.30985915492957744 + value: 0.3354673495518566 name: Cosine Accuracy@1 - type: cosine_accuracy@3 - value: 0.31498079385403327 + value: 0.3405889884763124 name: Cosine Accuracy@3 - type: cosine_accuracy@5 - value: 0.34699103713188223 + value: 0.3725992317541613 name: Cosine Accuracy@5 - type: cosine_accuracy@10 - value: 0.37836107554417414 + value: 0.41357234314980795 name: Cosine Accuracy@10 - type: cosine_precision@1 - value: 0.30985915492957744 + value: 0.3354673495518566 name: Cosine Precision@1 - type: cosine_precision@3 - value: 0.30900554844216815 + value: 0.33418693982074266 name: Cosine Precision@3 - type: cosine_precision@5 - value: 0.30115236875800255 + value: 0.3261203585147247 name: Cosine Precision@5 - type: cosine_precision@10 - value: 0.2694622279129321 + value: 0.2996798975672215 name: Cosine Precision@10 - type: cosine_recall@1 - value: 0.03936027574360421 + value: 0.0398374526951408 name: Cosine Recall@1 - type: cosine_recall@3 - value: 0.11544349976954149 + value: 0.11613369449549121 name: Cosine Recall@3 - type: cosine_recall@5 - value: 0.17456487753074904 + value: 0.1745427554610417 name: Cosine Recall@5 - type: cosine_recall@10 - value: 0.2548212686119806 + value: 0.26082122731297214 name: Cosine Recall@10 - type: cosine_ndcg@10 - value: 0.33364818903542787 + value: 0.3620561774122382 name: Cosine Ndcg@10 - type: cosine_mrr@10 - value: 0.32174181452350414 + value: 0.34860069507956787 name: Cosine Mrr@10 - type: cosine_map@100 - value: 0.3968421394024028 + value: 0.4292335776181432 name: Cosine Map@100 - task: type: information-retrieval 
@@ -740,49 +712,49 @@ model-index: type: dim_768 metrics: - type: cosine_accuracy@1 - value: 0.3072983354673495 + value: 0.32842509603072984 name: Cosine Accuracy@1 - type: cosine_accuracy@3 - value: 0.31049935979513443 + value: 0.3361075544174136 name: Cosine Accuracy@3 - type: cosine_accuracy@5 - value: 0.3444302176696543 + value: 0.36299615877080665 name: Cosine Accuracy@5 - type: cosine_accuracy@10 - value: 0.37451984635083224 + value: 0.4039692701664533 name: Cosine Accuracy@10 - type: cosine_precision@1 - value: 0.3072983354673495 + value: 0.32842509603072984 name: Cosine Precision@1 - type: cosine_precision@3 - value: 0.3060179257362356 + value: 0.32863849765258213 name: Cosine Precision@3 - type: cosine_precision@5 - value: 0.29795134443021765 + value: 0.3199743918053777 name: Cosine Precision@5 - type: cosine_precision@10 - value: 0.26677336747759284 + value: 0.2928297055057618 name: Cosine Precision@10 - type: cosine_recall@1 - value: 0.03940235994624546 + value: 0.03923116896195945 name: Cosine Recall@1 - type: cosine_recall@3 - value: 0.11527075559959522 + value: 0.1147561273639918 name: Cosine Recall@3 - type: cosine_recall@5 - value: 0.17393586357387436 + value: 0.17206648000872884 name: Cosine Recall@5 - type: cosine_recall@10 - value: 0.2544826642178083 + value: 0.25514859248143046 name: Cosine Recall@10 - type: cosine_ndcg@10 - value: 0.3310954692046881 + value: 0.35462738075585315 name: Cosine Ndcg@10 - type: cosine_mrr@10 - value: 0.3188075422230347 + value: 0.3415119504908234 name: Cosine Mrr@10 - type: cosine_map@100 - value: 0.3944113472988561 + value: 0.4227568005919578 name: Cosine Map@100 - task: type: information-retrieval 
@@ -792,49 +764,49 @@ model-index: type: dim_512 metrics: - type: cosine_accuracy@1 - value: 0.3047375160051216 + value: 0.33162612035851474 name: Cosine Accuracy@1 - type: cosine_accuracy@3 - value: 0.31049935979513443 + value: 0.3405889884763124 name: Cosine Accuracy@3 - type: cosine_accuracy@5 - value: 0.34507042253521125 + value: 0.3681177976952625 name: Cosine Accuracy@5 - type: cosine_accuracy@10 - value: 0.3719590268886043 + value: 0.4039692701664533 name: Cosine Accuracy@10 - type: cosine_precision@1 - value: 0.3047375160051216 + value: 0.33162612035851474 name: Cosine Precision@1 - type: cosine_precision@3 - value: 0.30431071276141697 + value: 0.3322663252240717 name: Cosine Precision@3 - type: cosine_precision@5 - value: 0.29756722151088344 + value: 0.3250960307298335 name: Cosine Precision@5 - type: cosine_precision@10 - value: 0.2661331626120359 + value: 0.29769526248399486 name: Cosine Precision@10 - type: cosine_recall@1 - value: 0.03902184942619328 + value: 0.038588929588341196 name: Cosine Recall@1 - type: cosine_recall@3 - value: 0.11440062517351587 + value: 0.11297571247042615 name: Cosine Recall@3 - type: cosine_recall@5 - value: 0.17317031567103489 + value: 0.17031603260342357 name: Cosine Recall@5 - type: cosine_recall@10 - value: 0.2526764166009778 + value: 0.2554519940509474 name: Cosine Recall@10 - type: cosine_ndcg@10 - value: 0.3300149893720946 + value: 0.3580070743078956 name: Cosine Ndcg@10 - type: cosine_mrr@10 - value: 0.31690623539215046 + value: 0.3444845842733163 name: Cosine Mrr@10 - type: cosine_map@100 - value: 0.39281877553256617 + value: 0.42093121870079336 name: Cosine Map@100 - task: type: information-retrieval 
@@ -844,49 +816,49 @@ model-index: type: dim_256 metrics: - type: cosine_accuracy@1 - value: 0.29577464788732394 + value: 0.3213828425096031 name: Cosine Accuracy@1 - type: cosine_accuracy@3 - value: 0.3047375160051216 + value: 0.32842509603072984 name: Cosine Accuracy@3 - type: cosine_accuracy@5 - value: 0.33098591549295775 + value: 0.3559539052496799 name: Cosine Accuracy@5 - type: cosine_accuracy@10 - value: 0.3585147247119078 + value: 0.38988476312419973 name: Cosine Accuracy@10 - type: cosine_precision@1 - value: 0.29577464788732394 + value: 0.3213828425096031 name: Cosine Precision@1 - type: cosine_precision@3 - value: 0.2968416559965856 + value: 0.32159624413145543 name: Cosine Precision@3 - type: cosine_precision@5 - value: 0.2898847631241997 + value: 0.31459667093469906 name: Cosine Precision@5 - type: cosine_precision@10 - value: 0.25845070422535216 + value: 0.28732394366197184 name: Cosine Precision@10 - type: cosine_recall@1 - value: 0.03692836080135826 + value: 0.03683491421575636 name: Cosine Recall@1 - type: cosine_recall@3 - value: 0.1089192018057998 + value: 0.10829890857523781 name: Cosine Recall@3 - type: cosine_recall@5 - value: 0.16530160845995479 + value: 0.16421046118001698 name: Cosine Recall@5 - type: cosine_recall@10 - value: 0.24162273030445708 + value: 0.2447394908113676 name: Cosine Recall@10 - type: cosine_ndcg@10 - value: 0.31951819898251643 + value: 0.34585160474489407 name: Cosine Ndcg@10 - type: cosine_mrr@10 - value: 0.3073963985935813 + value: 0.3334143751397268 name: Cosine Mrr@10 - type: cosine_map@100 - value: 0.377358622211706 + value: 0.40656810490109624 name: Cosine Map@100 - task: type: information-retrieval 
@@ -896,49 +868,49 @@ model-index: type: dim_128 metrics: - type: cosine_accuracy@1 - value: 0.2765685019206146 + value: 0.2874519846350832 name: Cosine Accuracy@1 - type: cosine_accuracy@3 - value: 0.2887323943661972 + value: 0.2919334186939821 name: Cosine Accuracy@3 - type: cosine_accuracy@5 - value: 0.31882202304737517 + value: 0.3207426376440461 name: Cosine Accuracy@5 - type: cosine_accuracy@10 - value: 0.3501920614596671 + value: 0.36299615877080665 name: Cosine Accuracy@10 - type: cosine_precision@1 - value: 0.2765685019206146 + value: 0.2874519846350832 name: Cosine Precision@1 - type: cosine_precision@3 - value: 0.2787025181391378 + value: 0.28638497652582157 name: Cosine Precision@3 - type: cosine_precision@5 - value: 0.27413572343149806 + value: 0.2796414852752881 name: Cosine Precision@5 - type: cosine_precision@10 - value: 0.24916773367477596 + value: 0.260179257362356 name: Cosine Precision@10 - type: cosine_recall@1 - value: 0.03462627857091171 + value: 0.03347207506231567 name: Cosine Recall@1 - type: cosine_recall@3 - value: 0.10222485929387912 + value: 0.09769125063098655 name: Cosine Recall@3 - type: cosine_recall@5 - value: 0.15567435868523452 + value: 0.14652568796520726 name: Cosine Recall@5 - type: cosine_recall@10 - value: 0.23219859983003413 + value: 0.2200069729736681 name: Cosine Recall@10 - type: cosine_ndcg@10 - value: 0.3054184027921396 + value: 0.3121618176452898 name: Cosine Ndcg@10 - type: cosine_mrr@10 - value: 0.29051937889966023 + value: 0.29988542365302884 name: Cosine Mrr@10 - type: cosine_map@100 - value: 0.36208318391000843 + value: 0.37222007780985544 name: Cosine Map@100 - task: type: information-retrieval 
@@ -948,49 +920,49 @@ model-index: type: dim_64 metrics: - type: cosine_accuracy@1 - value: 0.25480153649167736 + value: 0.25096030729833546 name: Cosine Accuracy@1 - type: cosine_accuracy@3 - value: 0.2605633802816901 + value: 0.2560819462227913 name: Cosine Accuracy@3 - type: cosine_accuracy@5 - value: 0.2906530089628681 + value: 0.2900128040973111 name: Cosine Accuracy@5 - type: cosine_accuracy@10 - value: 0.323303457106274 + value: 0.32970550576184376 name: Cosine Accuracy@10 - type: cosine_precision@1 - value: 0.25480153649167736 + value: 0.25096030729833546 name: Cosine Precision@1 - type: cosine_precision@3 - value: 0.25480153649167736 + value: 0.2507469056764831 name: Cosine Precision@3 - type: cosine_precision@5 - value: 0.25006402048655574 + value: 0.24788732394366192 name: Cosine Precision@5 - type: cosine_precision@10 - value: 0.23079385403329064 + value: 0.23604353393085786 name: Cosine Precision@10 - type: cosine_recall@1 - value: 0.031011767980561305 + value: 0.0281516535128601 name: Cosine Recall@1 - type: cosine_recall@3 - value: 0.09100224310580617 + value: 0.08222758111049663 name: Cosine Recall@3 - type: cosine_recall@5 - value: 0.13823759538062028 + value: 0.12591556967755266 name: Cosine Recall@5 - type: cosine_recall@10 - value: 0.21011380307216662 + value: 0.19940598657336947 name: Cosine Recall@10 - type: cosine_ndcg@10 - value: 0.28022682237950125 + value: 0.27958348757665724 name: Cosine Ndcg@10 - type: cosine_mrr@10 - value: 0.266841960856045 + value: 0.2645008942544151 name: Cosine Mrr@10 - type: cosine_map@100 - value: 0.3332689262079475 + value: 0.33353078928131286 name: Cosine Map@100 --- 
@@ -1044,9 +1016,9 @@ from sentence_transformers import SentenceTransformer model = SentenceTransformer("sentence_transformers_model_id") # Run inference sentences = [ - 'What may impede authorities in the discharge of their responsibilities under Union law?', - 'The objectives and principles of Directive 95/46/EC remain sound, but it has not prevented fragmentation in the implementation of data protection across the Union, legal uncertainty or a widespread public perception that there are significant risks to the protection of natural persons, in particular with regard to online activity. Differences in the level of protection of the rights and freedoms of natural persons, in particular the right to the protection of personal data, with regard to the processing of personal data in the Member States may prevent the free flow of personal data throughout the Union. Those differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law. Such a difference in levels of protection is due to the existence of differences in the implementation and application of Directive 95/46/EC.', - 'This Regulation is without prejudice to international agreements concluded between the Union and third countries regulating the transfer of personal data including appropriate safeguards for the data subjects. 
Member States may conclude international agreements which involve the transfer of personal data to third countries or international organisations, as far as such agreements do not affect this Regulation or any other provisions of Union law and include an appropriate level of protection for the fundamental rights of the data subjects.', + 'Under what circumstances does the provision of information prove impossible or involve a disproportionate effort?', + "1.Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information: (a) the identity and the contact details of the controller and, where applicable, of the controller's representative; (b) the contact details of the data protection officer, where applicable; (c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; (d) the categories of personal data concerned; (e) the recipients or categories of recipients of the personal data, if any; 4.5.2016 L 119/41 (f) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.\n2.In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject: (a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period; (b) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third 
party; (c) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability; (d) where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal; (e) the right to lodge a complaint with a supervisory authority; (f) from which source the personal data originate, and if applicable, whether it came from publicly accessible sources; (g) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.\n3.The controller shall provide the information referred to in paragraphs 1 and 2: (a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed; (b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or (c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.\n4.Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2\n5.Paragraphs 1 to 4 shall not apply where and insofar as: (a) the data subject already has the information; (b) the provision of such information proves impossible 
or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available; (c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests; or (d) where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy. 4.5.2016 L 119/42", + "The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention. Such processing includes ‘profiling’ that consists of any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her. 
However, decision-making based on such processing, including profiling, should be allowed where expressly authorised by Union or Member State law to which the controller is subject, including for fraud and tax-evasion monitoring and prevention purposes conducted in accordance with the regulations, standards and recommendations of Union institutions or national oversight bodies and to ensure the security and reliability of a service provided by the controller, or necessary for the entering or performance of a contract between the data subject and a controller, or when the data subject has given his or her explicit consent. In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision. Such measure should not concern a child. In order to ensure fair and transparent processing in respect of the data subject, taking into account the specific circumstances and context in which the personal data are processed, the controller should use appropriate mathematical or statistical procedures for the profiling, implement technical and organisational measures appropriate to ensure, in particular, that factors which result in inaccuracies in personal data are corrected and the risk of errors is minimised, secure personal data in a manner that takes account of the potential risks involved for the interests and rights of the data subject and that prevents, inter alia, discriminatory effects on natural persons on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status or sexual orientation, or that result in measures having such an effect. 
Automated decision-making and profiling based on special categories of personal data should be allowed only under specific conditions.", ] embeddings = model.encode(sentences) print(embeddings.shape) @@ -1055,9 +1027,9 @@ print(embeddings.shape) # Get the similarity scores for the embeddings similarities = model.similarity(embeddings, embeddings) print(similarities) -# tensor([[1.0000, 0.5388, 0.3874], -# [0.5388, 1.0000, 0.6300], -# [0.3874, 0.6300, 1.0000]]) +# tensor([[1.0000, 0.6029, 0.5138], +# [0.6029, 1.0000, 0.7210], +# [0.5138, 0.7210, 1.0000]]) ```
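Review bot: The example string that ends `...including a statutory obligation of secrecy. 4.5.2016 L 119/42` in the `sentences` list still carries extraction residue from the source document. The trailing `4.5.2016 L 119/42` is a page footer rather than part of the provision, paragraph numbers are fused to the text (`\n3.The controller`, `\n4.Where the controller`), and the full stop is missing in `paragraph 2\n5.Paragraphs`. Since these literals are what `model.encode(sentences)` is shown running on, clean the passage text before it goes into the usage snippet. Consider trimming each sample to a few sentences as well, because passages this long make the example hard to read and hard to reproduce by hand.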
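Review bot: The replacement similarity matrix in the trailing comment (`0.6029`, `0.5138`, `0.7210`) is pasted output, and nothing in the hunk at `@@ -1055,9 +1027,9 @@` ties it to the `sentences` list changed earlier in this diff. Say in the comment that the values are the output for the sentences above, and which sentence each row corresponds to, so the next edit to the list does not leave the numbers stale. Every off-diagonal score rose compared with the removed lines, and the gap between the first row's two scores narrowed from about 0.15 (`0.5388` against `0.3874`) to about 0.09 (`0.6029` against `0.5138`), so it is worth confirming that the example still shows the separation it is meant to illustrate.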