BETA


2017/0002(COD) Protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and the free movement of such data

Progress: Procedure completed

RoleCommitteeRapporteurShadows
Lead LIBE VOSS Axel (icon: PPE PPE), LAURISTIN Marju (icon: S&D S&D), PROCTER John (icon: ECR ECR), MLINAR Angelika (icon: ALDE ALDE), ALBRECHT Jan Philipp (icon: Verts/ALE Verts/ALE)
Committee Opinion BUDG
Committee Opinion JURI DZHAMBAZKI Angel (icon: ECR ECR) Max ANDERSSON (icon: Verts/ALE Verts/ALE), Mady DELVAUX (icon: S&D S&D), Jiří MAŠTÁLKA (icon: GUE/NGL GUE/NGL), Jens ROHDE (icon: ALDE ALDE)
Lead committee dossier:
Legal Basis:
TFEU 016-p2

Events

2022/10/14
   EC - Follow-up document
2018/11/21
   Final act published in Official Journal
Details

PURPOSE: to enhance the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies.

LEGISLATIVE ACT: Regulation (EU) 2018/1725 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

CONTENT: the Regulation lays down rules on the protection of individuals with regard to the processing of personal data by the Union's institutions and bodies and rules on the free movement of personal data between those institutions and bodies or to other recipients established in the Union. It aims to:

- protect the fundamental right to data protection and ensure the free movement of personal data throughout the Union;

- allow the European Data Protection Supervisor (EDPS) to monitor the application of the provisions of the Regulation to all processing operations carried out by a Union institution or body.

General principles

Personal data shall be:

- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’). In the case of children under 13 years of age, the processing shall only be lawful if the consent is given or authorised by the holder of parental responsibility for the child;

- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 13, not be considered to be incompatible with the initial purposes;

- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;

- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The Regulation prohibits the processing of personal data revealing racial or ethnic origin, political opinions, religion or beliefs or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning the sex life or sexual orientation of a natural person.

Transmission of personal data between Union institutions and bodies

Personal data shall be processed on the basis of the necessity for the performance of a task carried out in the public interest. The controller shall determine whether there are grounds to believe that such transmission could harm the legitimate interests of the data subject. In such cases, the controller shall demonstrably weigh the various competing interests in order to assess the proportionality of the requested transmission of personal data.

Rights of the data subject

Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing.

The Regulation provides that the legal acts adopted on the basis of the Treaties or, in matters relating to the operation of the Union institutions and bodies, internal rules laid down by the latter may restrict the exercise of the rights of the person concerned.

The internal rules shall be clear and precise acts of general application, adopted at the highest level of management of the Union institutions and bodies and published in the Official Journal of the European Union. These rules shall be foreseeable to persons subject to them, in particular when adopted by Union institutions.

In particular, any legal act or internal rule shall contain specific provisions, where relevant, as to: (i) the purposes of the processing or categories of processing; (ii) the categories of personal data; (iii) the scope of the restrictions introduced; (iv) the safeguards to prevent abuse or unlawful access or transfer; (v) the specification of the controller or categories of controllers; (vi) the storage periods and the applicable safeguards; (vii) the risks to the rights and freedoms of data subjects.

Obligations of the controller

The Regulation specifies the information obligations of the controller towards the data subject when personal data are obtained from that person, by providing information to the data subject, including information on the period of data storage, the right to lodge a complaint and international transfers of data.

Personal data must remain confidential and be subject to an obligation of professional secrecy regulated by Union law. This may apply, for example, in social security or health procedures.

Obligations of the EU institutions

The Regulation provides for an obligation for the Union institutions and bodies to inform the European Data Protection Supervisor when drawing up administrative measures and internal rules relating to the processing of personal data. It also provides for the Commission to consult the EDPS following the adoption of proposals for legislative acts and recommendations or proposals to the Council and when preparing delegated or implementing acts having an impact on the protection of rights and freedoms with regard to the processing of personal data.

ENTRY INTO FORCE: 11.12.2018. The Regulation shall apply to the processing of personal data by Eurojust from 12.12.2019.

2018/11/13
   EC - Commission response to text adopted in plenary
Documents
2018/10/24
   CSL - Draft final act
Documents
2018/10/23
   CSL - Final act signed
2018/10/23
   EP - End of procedure in Parliament
2018/10/16
   CSL - Coreper letter confirming interinstitutional agreement
2018/10/12
   EP/CSL - Act adopted by Council after Parliament's 1st reading
2018/10/12
   CSL - Council Meeting
2018/09/13
   EP - Results of vote in Parliament
2018/09/13
   EP - Decision by Parliament, 1st reading
Details

The European Parliament adopted by 527 votes to 51, with 27 abstentions, a legislative resolution on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

The European Parliament’s position adopted at first reading under the ordinary legislative procedure amended the Commission proposal as follows:

Scope : the Regulation would apply to the processing of personal data by all Union institutions, bodies, offices and agencies when carrying out activities which fall within the scope of Chapters 4 (judicial cooperation in criminal matters) and 5 (police cooperation) of Title V of Part Three of the TFEU for the purpose of the prevention, investigation, detection and prosecution of criminal offences.

However, it shall only apply to Europol or the European Public Prosecutor's Office once the legal acts establishing Europol and the European Public Prosecutor's Office have been adapted.

The Regulation shall not apply to the processing of personal data by tasks referred to in Articles 42(1), 43 and 44 of the Treaty on European Union, which implement the common security and defence policy

Transmission of personal data between Union institutions and bodies : personal data shall be processed on the basis of the necessity for the performance of a task carried out in the public interest . The controller shall determine whether there are grounds to believe that such transmission could harm the legitimate interests of the data subject.

Where the controller initiates the transmission under this Article, it shall demonstrate that the transmission of personal data is necessary for and proportionate to the purposes of the transmission.

Union institutions and bodies shall reconcile the right to the protection of personal data with the right of access to documents in accordance with Union law.

Restrictions : the Regulation provides that the legal acts adopted on the basis of the Treaties or, in matters relating to the operation of the Union institutions and bodies, internal rules laid down by the latter may restrict the exercise of the rights of the person concerned.

The internal rules shall be clear and precise acts of general application, adopted at the highest level of management of the Union institutions and bodies and published in the Official Journal of the European Union. These rules shall be foreseeable to persons subject to them, in particular when adopted by Union institutions.

In particular, any legal act or internal rule shall contain specific provisions, where relevant, as to:

the purposes of the processing or categories of processing; the categories of personal data; the scope of the restrictions introduced; the safeguards to prevent abuse or unlawful access or transfer; the specification of the controller or categories of controllers; the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing; and the risks to the rights and freedoms of data subjects.

Special categories of personal data : processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited by the Regulation.

Special categories of personal data which merit higher protection shall be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social care services and systems. Therefore, this Regulation shall provide for harmonised conditions for the processing of special categories of personal data concerning health.

European Data Protection Supervisor (EDPS) : the amended Regulation stipulates that the European Parliament and the Council shall appoint the European Data Protection Supervisor by common accord for a term of five years, on the basis of a list drawn up by the Commission following a public call for candidates. On the basis of the list drawn up by the Commission, the competent committee of the European Parliament may decide to hold a hearing in order to enable it to express a preference.

The EDPS shall, inter alia , have the following tasks: (i) monitor and enforce the application of this Regulation by Union institutions and bodies, with the exception of the processing of personal data by the Court of Justice acting in its judicial capacity; (ii) advise, on his or her own initiative or on request, all Union institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to the processing of personal data.

Effective judicial remedy : the Court of Justice shall have jurisdiction to hear all disputes relating to the provisions of this Regulation, including claims for damages. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.

Prevention and detection of criminal offences (activities falling within the scope of Part Three, Title V, Chapter 4 or 5 of the TFEU) : Directive (EU) 2016/680 sets out harmonised rules for the protection and the free movement of personal data processed for the purposes of the prevention, investigation, detection or prosecution of criminal offences or execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

In order to ensure the same level of protection for natural persons through legally enforceable rights throughout the Union, the rules for the protection and the free movement of operational personal data processed by such Union bodies, offices or agencies should be consistent with Directive (EU) 2016/680.

Documents
2018/09/12
   EP - Debate in Parliament
2017/10/25
   EP - Committee decision to enter into interinstitutional negotiations confirmed by plenary (Rule 71)
2017/10/23
   EP - Committee report tabled for plenary, 1st reading
Details

The Committee on Civil Liberties, Justice and Home Affairs adopted the report by Cornelia ERNST (GUE/NGL, DE) on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

The committee recommended that the European Parliament’s position adopted at first reading under the ordinary legislative procedure should amend the Commission proposal as follows.

Scope of the Regulation : Members stated that the Regulation shall also apply to Union agencies carrying out activities which fall within the scope of chapters 4 (judicial cooperation in criminal matters) and 5 (police cooperation) under Title V of Part Three TFEU, including where the founding acts of these Union agencies lay down a standalone data protection regime for the processing of operational personal data. Provisions relating to specific processing of operational personal data contained in the founding acts of these agencies may particularise and complement the application of this Regulation.

The provisions on the specific processing of data contained in the founding acts of the agencies shall clarify and complete the application of the Regulation.

Transfer of personal data between Union institutions and bodies : such a transfer shall only be possible if the data are necessary for the legitimate performance of tasks falling within the competence of the recipient. The controller shall verify the competence of the recipient and provisionally evaluate the necessity for the transfer of such data.

Transmission of personal data to recipients established in the Union : personal data may only be transmitted to recipients established in the Union and subject to the General Data Protection Regulation ( Regulation (EU) 2016/679 ) or the national rules adopted pursuant to Directive (EU) 2016/680 only if the controller demonstrates, on the basis of a reasoned request from the recipient that the transmission is proportionate and necessary for the purposes of serving the public interest such as transparency or good administration and after having demonstrably weighed the various competing interests.

Restrictions : the proposal provides that legal acts adopted on the basis of the Treaties or, for matters concerning the functioning of the Union's institutions or bodies, internal rules laid down by them may restrict the exercise of the rights of the data subject. Members proposed to delete the possibility for Union institutions, bodies, offices and agencies to restrict the exercise of data subject’s rights by way of internal rules .

It is also specified that legal acts adopted on the basis of treaties to restrict the exercise of the rights of the person concerned shall be clear and precise . Their application shall be foreseeable to persons subject to it.

In particular, any legal act shall contain specific provisions at least, where relevant, as to: (i) the purposes of the processing; (ii) the categories of personal data; (iii) the scope of the restriction introduced; (iv) the safeguards to prevent abuse or unlawful access or transfer; (v) the specification of the controller or categories of controllers; (vi) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing; (vii) the risks to the rights and freedoms of data subjects; and (viii) the right of data subjects to be informed about the restriction.

Approved certification mechanisms and codes of conduct : under the proposal, the controller should implement technical and organisational measures to ensure that processing is done in accordance with the Regulation and is able to demonstrate it.

Members inserted a provision stating that adherence to approved certification mechanisms as referred to in Article 42 of Regulation (EU) 2016/679 may be used as an element by which to demonstrate compliance with the obligations of the controller .

Adherence to an approved code of conduct may be used as an element by which to demonstrate compliance.

Register of processing activities : Union institutions and bodies shall be obliged to keep their records of processing activities in a central register and make the register publicly accessible.

Independent monitoring by the European Data Protection Supervisor (EDPS) : all institutions and bodies, including the Court of Justice, shall be subject to independent supervision by the EDPS. Members proposed that the European Parliament and the Council appoint, by common accord, the EDPS for a period of five years, on the basis of a list drawn up jointly by the European Parliament, the Council and the Commission following a public call for candidates.

The EDPS and the national supervisory authorities, acting within the scope of their respective competencies, shall cooperate in the framework of their responsibilities in order to ensure effective and coordinated control of large-scale IT systems or Union bodies, offices or agencies.

Alignment with the General Data Protection Regulation : Members tabled a number of amendments aimed at aligning this proposed Regulation with the General Data Protection Regulation in order to streamline these two texts as much as possible and to make ensure that the Union is kept to the same standards as the Member States when it comes to data protection.

The provisions introduced by the Members include the following aspects:

principles relating to the processing of operational personal data : for example, data lawfully and fairly processed, collected for specified, explicit and legitimate purposes, kept in a form that enables the data subject to be identified for no longer than not necessary, processed to ensure appropriate data security; prohibition of treatment of particular categories of data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; processing of genetic and biometric data, data relating to health or a person’s sexual life or sexual orientation; distinction between different categories of data subjects; specific processing conditions; transmission of operational personal data to other Union institutions and bodies; information to be made available or given to the data subject; the right of access of the data subject and limitations of the right of access; right of rectification or erasure; transfer of operational personal data to third countries.

Review clause : no later than 1 June 2021, and every five years thereafter, the Commission shall report on the application of the Regulation, accompanied, if necessary, by appropriate legislative proposals.

Documents
2017/10/23
   EP - Committee decision to enter into interinstitutional negotiations announced in plenary (Rule 71)
2017/10/12
   EP - Vote in committee, 1st reading
2017/10/12
   EP - Committee decision to open interinstitutional negotiations with report adopted in committee
2017/10/05
   EP - Committee opinion
Documents
2017/07/12
   EP - Amendments tabled in committee
Documents
2017/06/08
   EP - Committee draft report
Documents
2017/06/08
   CSL - Council Meeting
2017/05/31
   ESC - Economic and Social Committee: opinion, report
Documents
2017/05/07
   ES_PARLIAMENT - Contribution
Documents
2017/04/18
   PT_PARLIAMENT - Contribution
Documents
2017/04/03
   CZ_CHAMBER - Contribution
Documents
2017/04/03
   EP - Committee referral announced in Parliament, 1st reading
2017/03/15
   EDPS - Document attached to the procedure
Details

EDPS Opinion on the proposal for a regulation on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

Overall, the EDPS considered the proposal successful in aligning the rules for EU institutions with the General Data Protection Regulation (GDPR), while taking the specificities of the EU public sector into account. The high level of protection regarding data processing by EU institutions is generally preserved in the proposal.

The EDPS considered that the proposal should be further improved , notably regarding:

The modalities for restrictions of the person concerned: the proposal would need to be amended to the effect that only legal acts adopted on the basis of the Treaties should be able to restrict fundamental rights.

The EU legislator is called upon to ensure that the possible restrictions of the fundamental right to privacy of communications by EU institutions in their own operations follows the same standards as laid down in Union law as interpreted by the Court of Justice in this domain.

The possibility for the EU institutions to use, in certain contexts, certification mechanisms : the EDPS considered that certification mechanisms may be a very useful instrument for EU institutions and they are already being used in certain contexts, e.g. certifying compliance with generally accepted standards.

Therefore, references to the use of certification should therefore be added to the provisions on the ‘Responsibility of the controller’, ‘Data protection by design and by default’, as well as to ‘Security’.

Further recommendations : the EDPS welcomed the fact that the proposal includes a separate article dedicated to the role of the EDPS as an advisor to EU institutions. He suggested however the addition of a recital in which the Commission should reaffirm its long-standing commitment to consult the EDPS on draft proposals in an informal manner .

The EDPS also considered that the possibility to outsource the function of a Data Protection Officers is not suitable for EU institutions exercising public authority.

It is essential that the revised rules become fully applicable at the same time as the GDPR i.e. on 25 May 2018. It encouraged the EU legislator to reach agreement on the proposal as swiftly as possible so as to allow EU institutions to benefit from a reasonable transition period before the new Regulation can become applicable at the same time as the GDPR.

2017/02/28
   EP - DZHAMBAZKI Angel (ECR) appointed as rapporteur in JURI
2017/01/10
   EC - Legislative proposal published
Details

PURPOSE: to enhance the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data.

PROPOSED ACT: Regulation of the European Parliament and of the Council.

ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.

BACKGROUND: the protection of natural persons in relation to the processing of personal data is a fundamental right. Moreover, in Article 16(2) TFEU, the Lisbon Treaty introduced a specific legal basis for adopting rules on the protection of personal data.

Regulation (EC) No 45/2001 of the European Parliament and of the Council provides natural persons with legally enforceable rights, specifies the data processing obligations of controllers within the Community institutions and bodies, and creates an independent supervisory authority, the European Data Protection Supervisor, responsible for monitoring the processing of personal data by the Union institutions and bodies.

However, it does not apply to the processing of personal data in the course of an activity of Union institutions and bodies which fall outside the scope of Union law.

Regulation (EU) 2016/679 of the European Parliament and of the Council ( General Data Protection Regulation ) and Directive (EU) 2016/680 of the European Parliament and of the Council were adopted on 27 April 2016. While the Regulation lays down general rules to protect natural persons in relation to the processing of personal data and to ensure the free movement of personal data within the Union, the Directive lays down the specific rules to protect natural persons in relation to the processing of personal data and to ensure the free movement of personal data within the Union in the fields of judicial cooperation in criminal matters and police cooperation.

Regulation (EU) 2016/679 stresses the need for the necessary adaptations of Regulation (EC) No 45/2001 in order to provide a strong and coherent data protection framework in the Union and to allow application at the same time as Regulation (EU) 2016/679.

It is in the interest of a coherent approach to personal data protection throughout the Union, and of the free movement of personal data within the Union, to align as far as possible the data protection rules for Union institutions and bodies with the data protection rules adopted for the public sector in the Member States.

CONTENT: in order to align the existing rules, which date back to 2001, with the newer and more stringent rules set out by the General Data Protection Regulation of 2016, the Commission has proposed the following:

Objective : this proposed Regulation has a two-fold objective:

to protect the fundamental right to data protection and to guarantee the free flow of personal data throughout the Union; to provide for the main tasks of the European Data Protection Supervisor (EDPS).

Scope : the proposal shall apply to the processing of personal data, by automated means or otherwise , by all Union institutions and bodies insofar as such processing is carried out in the exercise of activities all or part of which fall within the scope of Union law. The material scope of this Regulation is technologically neutral. The protection of personal data applies to the processing of personal data by automated means, as well as to manual processing if the personal data are contained or are intended to be contained in a filing system.

Levels of protection : new principles of transparency and of integrity and confidentiality have been incorporated into the new text. Further conditions for the lawfulness of the processing of personal data of children in relation to information society services offered directly to them. It sets 13 years as the child's minimum age for valid consent. New rules are provided for a specific level of protection on the transmission of personal data to recipients, other than Union institutions and bodies. The proposal clarifies that, where it is the controller initiating the transmission, it should demonstrate necessity and proportionality of the transmission.

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited .

Data controller’s obligations : the proposal specifies the controller's information obligations towards the data subject where personal data are collected from the data subject, providing information to the data subject, including on the storage period, the right to lodge a complaint and in relation to international transfers.

Personal data must remain confidential subject to an obligation of professional secrecy regulated by Union law. This could apply for example in proceedings by services competent for social security or health matters.

Further modalities are provided to facilitate the exercise of the data subject's rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge , in particular, access to and rectification or erasure of personal data and the exercise of the right to object.

Obligations for EU institutions : the proposal provides for an obligation for Union institutions and bodies to inform the EDPS when drawing up administrative measures and internal rules relating to the processing of personal data. It also provides for an obligation for the Commission to consult the EDPS following the adoption of proposals for a legislative act and of recommendations or proposals to the Council and when preparing delegated acts or implementing acts that have an impact on the protection of individuals’ rights and freedoms with regard to the processing of personal data.

Provisions are also laid down concerning the transfer of personal data to third countries or international organisations.

EDPS : specific provisions are laid down as regards the appointment of the EDPS by the European Parliament and the Council, the duration of its term of office: five years; the general conditions governing the performance of duties of the EDPS and his or her staff and the financial resources.

Documents

Votes

A8-0313/2017 - Cornelia Ernst - Am 118 13/09/2018 12:21:11.000 #

2018/09/13 Outcome: +: 527, -: 51, 0: 27
DE FR IT ES PL RO AT PT SE HU CZ BE NL BG LT GB HR SK IE FI LU LV SI CY EL DK MT EE ??
Total
82
61
54
43
45
21
18
17
18
14
15
18
21
13
8
58
10
9
7
9
6
6
8
6
16
10
5
4
2
icon: PPE PPE
173

Lithuania PPE

2

United Kingdom PPE

2
3

Finland PPE

2

Luxembourg PPE

3
5

Cyprus PPE

1

Denmark PPE

For (1)

1

Malta PPE

2

Estonia PPE

For (1)

1
icon: S&D S&D
158

Czechia S&D

3

Netherlands S&D

For (2)

2

Lithuania S&D

1

Croatia S&D

2

Slovakia S&D

2

Ireland S&D

For (1)

1

Luxembourg S&D

For (1)

1

Latvia S&D

1

Slovenia S&D

For (1)

1

Cyprus S&D

2

Malta S&D

Against (1)

3

Estonia S&D

For (1)

1
icon: ALDE ALDE
57
3

Romania ALDE

2

Austria ALDE

For (1)

1

Portugal ALDE

1

Sweden ALDE

2

United Kingdom ALDE

1

Croatia ALDE

2

Ireland ALDE

For (1)

1

Luxembourg ALDE

For (1)

1

Latvia ALDE

1

Slovenia ALDE

For (1)

1

Denmark ALDE

For (1)

1

Estonia ALDE

For (1)

Against (1)

2
icon: Verts/ALE Verts/ALE
45

Italy Verts/ALE

For (1)

1

Austria Verts/ALE

3

Hungary Verts/ALE

1

Belgium Verts/ALE

2

Lithuania Verts/ALE

For (1)

1

Croatia Verts/ALE

For (1)

1

Luxembourg Verts/ALE

For (1)

1

Latvia Verts/ALE

1

Slovenia Verts/ALE

For (1)

1

Denmark Verts/ALE

For (1)

1
icon: GUE/NGL GUE/NGL
34

France GUE/NGL

1

Italy GUE/NGL

2

Portugal GUE/NGL

3

Sweden GUE/NGL

For (1)

1

Czechia GUE/NGL

1

Netherlands GUE/NGL

3

Ireland GUE/NGL

2

Finland GUE/NGL

For (1)

1

Cyprus GUE/NGL

2

Denmark GUE/NGL

For (1)

1
icon: ENF ENF
32

Germany ENF

Abstain (1)

1

Poland ENF

2

Belgium ENF

For (1)

1

Netherlands ENF

3
icon: EFDD EFDD
30

Germany EFDD

For (1)

1

Poland EFDD

1

Czechia EFDD

Abstain (1)

1
icon: NI NI
17

Germany NI

2

France NI

For (1)

1

Poland NI

Against (1)

1

Hungary NI

Abstain (1)

3

United Kingdom NI

Abstain (1)

4

NI

For (1)

Against (1)

2
icon: ECR ECR
58

Italy ECR

2

Romania ECR

2

Sweden ECR

2

Czechia ECR

Against (1)

1

Netherlands ECR

2

Bulgaria ECR

Against (1)

1

Lithuania ECR

1

Croatia ECR

Against (1)

1

Slovakia ECR

Abstain (1)

1

Finland ECR

Against (1)

2

Cyprus ECR

1

Greece ECR

Against (1)

1
AmendmentsDossier
302 2017/0002(COD)
2017/07/12 LIBE 199 amendments...
source: 608.066
2017/07/18 JURI 103 amendments...
source: 609.293

History

(these mark the time of scraping, not the official date of the change)

docs/7/docs/0/url
/oeil/spdoc.do?i=30325&j=0&l=en
docs/8
date
2022-10-14T00:00:00
docs
type
Follow-up document
body
EC
docs/8
date
2017-04-04T00:00:00
docs
url: http://www.connefof.europarl.europa.eu/connefof/app/exp/COM(2017)0008 title: COM(2017)0008
type
Contribution
body
CZ_CHAMBER
docs/9
date
2017-04-03T00:00:00
docs
url: https://connectfolx.europarl.europa.eu/connefof/app/exp/COM(2017)0008 title: COM(2017)0008
type
Contribution
body
CZ_CHAMBER
docs/9
date
2017-05-08T00:00:00
docs
url: http://www.connefof.europarl.europa.eu/connefof/app/exp/COM(2017)0008 title: COM(2017)0008
type
Contribution
body
ES_PARLIAMENT
docs/10
date
2017-05-07T00:00:00
docs
url: https://connectfolx.europarl.europa.eu/connefof/app/exp/COM(2017)0008 title: COM(2017)0008
type
Contribution
body
ES_PARLIAMENT
docs/10
date
2017-04-19T00:00:00
docs
url: http://www.connefof.europarl.europa.eu/connefof/app/exp/COM(2017)0008 title: COM(2017)0008
type
Contribution
body
PT_PARLIAMENT
docs/11
date
2017-04-18T00:00:00
docs
url: https://connectfolx.europarl.europa.eu/connefof/app/exp/COM(2017)0008 title: COM(2017)0008
type
Contribution
body
PT_PARLIAMENT
links/Research document/url
Old
http://www.europarl.europa.eu/thinktank/en/document.html?reference=EPRS_BRI(2017)608754
New
https://www.europarl.europa.eu/thinktank/en/document/EPRS_BRI(2017)608754
committees/0/rapporteur
  • name: ERNST Cornelia date: 2017-03-09T00:00:00 group: European United Left - Nordic Green Left abbr: GUE/NGL
docs/0
date
2017-03-15T00:00:00
docs
summary
type
Document attached to the procedure
body
EDPS
docs/0
date
2017-03-15T00:00:00
docs
summary
type
Document attached to the procedure
body
EDPS
docs/1/docs/0/url
Old
https://dm.eesc.europa.eu/EESCDocumentSearch/Pages/redresults.aspx?k=(documenttype:AC)(documentnumber:0689)(documentyear:2017)(documentlanguage:EN)
New
https://dmsearch.eesc.europa.eu/search/public?k=(documenttype:AC)(documentnumber:0689)(documentyear:2017)(documentlanguage:EN)
docs/2/docs/0/url
Old
http://www.europarl.europa.eu/sides/getDoc.do?type=COMPARL&mode=XML&language=EN&reference=PE605.954
New
https://www.europarl.europa.eu/doceo/document/LIBE-PR-605954_EN.html
docs/3/docs/0/url
Old
http://www.europarl.europa.eu/sides/getDoc.do?type=COMPARL&mode=XML&language=EN&reference=PE608.066
New
https://www.europarl.europa.eu/doceo/document/LIBE-AM-608066_EN.html
docs/4/docs/0/url
Old
http://www.europarl.europa.eu/sides/getDoc.do?type=COMPARL&mode=XML&language=EN&reference=PE605.974&secondRef=02
New
https://www.europarl.europa.eu/doceo/document/JURI-AD-605974_EN.html
events/1/type
Old
Committee referral announced in Parliament, 1st reading/single reading
New
Committee referral announced in Parliament, 1st reading
events/2/type
Old
Vote in committee, 1st reading/single reading
New
Vote in committee, 1st reading
events/4
date
2017-10-23T00:00:00
type
Committee report tabled for plenary, 1st reading
body
EP
docs
url: https://www.europarl.europa.eu/doceo/document/A-8-2017-0313_EN.html title: A8-0313/2017
summary
events/4
date
2017-10-23T00:00:00
type
Committee report tabled for plenary, 1st reading/single reading
body
EP
docs
url: http://www.europarl.europa.eu/doceo/document/A-8-2017-0313_EN.html title: A8-0313/2017
summary
events/5
date
2018-09-12T00:00:00
type
Debate in Parliament
body
EP
docs
url: http://www.europarl.europa.eu/sides/getDoc.do?secondRef=TOC&language=EN&reference=20180912&type=CRE title: Debate in Parliament
events/5
date
2017-10-23T00:00:00
type
Committee decision to enter into interinstitutional negotiations announced in plenary (Rule 71)
body
EP
events/6
date
2017-10-25T00:00:00
type
Committee decision to enter into interinstitutional negotiations confirmed by plenary (Rule 71)
body
EP
events/7
date
2018-09-12T00:00:00
type
Debate in Parliament
body
EP
docs
url: http://www.europarl.europa.eu/sides/getDoc.do?secondRef=TOC&language=EN&reference=20180912&type=CRE title: Debate in Parliament
events/7
date
2018-09-13T00:00:00
type
Decision by Parliament, 1st reading/single reading
body
EP
docs
url: http://www.europarl.europa.eu/doceo/document/TA-8-2018-0348_EN.html title: T8-0348/2018
summary
events/7/docs/0/url
Old
http://www.europarl.europa.eu/sides/getDoc.do?secondRef=TOC&language=EN&reference=20180912&type=CRE
New
https://www.europarl.europa.eu/doceo/document/CRE-8-2017-09-12-TOC_EN.html
events/9
date
2018-09-13T00:00:00
type
Decision by Parliament, 1st reading
body
EP
docs
url: https://www.europarl.europa.eu/doceo/document/TA-8-2018-0348_EN.html title: T8-0348/2018
summary
procedure/Legislative priorities/0/title
Old
Joint Declaration 2018
New
Joint Declaration 2018-19
procedure/Notes
  • 25/10/2017: Decision to enter into interinstitutional negotiations confirmed by plenary (Rule 69c)
docs/7/body
EC
events/4/docs/0/url
Old
http://www.europarl.europa.eu/sides/getDoc.do?type=REPORT&mode=XML&reference=A8-2017-0313&language=EN
New
http://www.europarl.europa.eu/doceo/document/A-8-2017-0313_EN.html
events/7/docs/0/url
Old
http://www.europarl.europa.eu/sides/getDoc.do?type=TA&language=EN&reference=P8-TA-2018-0348
New
http://www.europarl.europa.eu/doceo/document/TA-8-2018-0348_EN.html
committees/0
type
Responsible Committee
body
EP
associated
False
committee_full
Civil Liberties, Justice and Home Affairs
committee
LIBE
rapporteur
name: ERNST Cornelia date: 2017-03-09T00:00:00 group: European United Left - Nordic Green Left abbr: GUE/NGL
shadows
committees/0
type
Responsible Committee
body
EP
associated
False
committee_full
Civil Liberties, Justice and Home Affairs
committee
LIBE
date
2017-03-09T00:00:00
rapporteur
name: ERNST Cornelia group: European United Left - Nordic Green Left abbr: GUE/NGL
shadows
committees/2
type
Committee Opinion
body
EP
associated
False
committee_full
Legal Affairs
committee
JURI
rapporteur
name: DZHAMBAZKI Angel date: 2017-02-28T00:00:00 group: European Conservatives and Reformists abbr: ECR
committees/2
type
Committee Opinion
body
EP
associated
False
committee_full
Legal Affairs
committee
JURI
date
2017-02-28T00:00:00
rapporteur
name: DZHAMBAZKI Angel group: European Conservatives and Reformists abbr: ECR
activities
  • date: 2017-01-10T00:00:00 docs: url: http://www.europarl.europa.eu/RegData/docs_autres_institutions/commission_europeenne/com/2017/0008/COM_COM(2017)0008_EN.pdf title: COM(2017)0008 type: Legislative proposal published celexid: CELEX:52017PC0008:EN body: EC commission: DG: url: http://ec.europa.eu/info/departments/justice-and-consumers_en title: Justice and Consumers Commissioner: JOUROVÁ Věra type: Legislative proposal published
  • date: 2017-04-03T00:00:00 body: EP type: Committee referral announced in Parliament, 1st reading/single reading committees: body: EP responsible: False committee_full: Budgets committee: BUDG body: EP responsible: False committee: JURI date: 2017-02-28T00:00:00 committee_full: Legal Affairs rapporteur: group: ECR name: DZHAMBAZKI Angel body: EP shadows: group: EPP name: VOSS Axel group: S&D name: LAURISTIN Marju group: ECR name: PROCTER John group: ALDE name: MLINAR Angelika group: Verts/ALE name: ALBRECHT Jan Philipp responsible: True committee: LIBE date: 2017-03-09T00:00:00 committee_full: Civil Liberties, Justice and Home Affairs rapporteur: group: GUE/NGL name: ERNST Cornelia
  • date: 2017-06-08T00:00:00 body: CSL type: Council Meeting council: Justice and Home Affairs (JHA) meeting_id: 3546
  • date: 2017-10-12T00:00:00 body: unknown type: Committee decision to open interinstitutional negotiations with report adopted in committee
  • date: 2017-10-12T00:00:00 body: EP type: Vote in committee, 1st reading/single reading committees: body: EP responsible: False committee_full: Budgets committee: BUDG body: EP responsible: False committee: JURI date: 2017-02-28T00:00:00 committee_full: Legal Affairs rapporteur: group: ECR name: DZHAMBAZKI Angel body: EP shadows: group: EPP name: VOSS Axel group: S&D name: LAURISTIN Marju group: ECR name: PROCTER John group: ALDE name: MLINAR Angelika group: Verts/ALE name: ALBRECHT Jan Philipp responsible: True committee: LIBE date: 2017-03-09T00:00:00 committee_full: Civil Liberties, Justice and Home Affairs rapporteur: group: GUE/NGL name: ERNST Cornelia
  • body: EP docs: url: http://www.europarl.europa.eu/sides/getDoc.do?type=REPORT&mode=XML&reference=A8-2017-0313&language=EN type: Committee report tabled for plenary, 1st reading/single reading title: A8-0313/2017 type: Committee report tabled for plenary, 1st reading/single reading committees: body: EP responsible: False committee_full: Budgets committee: BUDG body: EP responsible: False committee: JURI date: 2017-02-28T00:00:00 committee_full: Legal Affairs rapporteur: group: ECR name: DZHAMBAZKI Angel body: EP shadows: group: EPP name: VOSS Axel group: S&D name: LAURISTIN Marju group: ECR name: PROCTER John group: ALDE name: MLINAR Angelika group: Verts/ALE name: ALBRECHT Jan Philipp responsible: True committee: LIBE date: 2017-03-09T00:00:00 committee_full: Civil Liberties, Justice and Home Affairs rapporteur: group: GUE/NGL name: ERNST Cornelia date: 2017-10-23T00:00:00
  • date: 2018-09-12T00:00:00 body: EP type: Debate in plenary scheduled
  • date: 2018-09-13T00:00:00 body: EP type: Vote in plenary scheduled
commission
  • body: EC dg: Justice and Consumers commissioner: JOUROVÁ Věra
committees/0
type
Responsible Committee
body
EP
associated
False
committee_full
Civil Liberties, Justice and Home Affairs
committee
LIBE
date
2017-03-09T00:00:00
rapporteur
name: ERNST Cornelia group: European United Left - Nordic Green Left abbr: GUE/NGL
shadows
committees/0
body
EP
responsible
False
committee_full
Budgets
committee
BUDG
committees/1
type
Committee Opinion
body
EP
associated
False
committee_full
Budgets
committee
BUDG
opinion
False
committees/1
body
EP
responsible
False
committee
JURI
date
2017-02-28T00:00:00
committee_full
Legal Affairs
rapporteur
group: ECR name: DZHAMBAZKI Angel
committees/2
type
Committee Opinion
body
EP
associated
False
committee_full
Legal Affairs
committee
JURI
date
2017-02-28T00:00:00
rapporteur
name: DZHAMBAZKI Angel group: European Conservatives and Reformists abbr: ECR
committees/2
body
EP
shadows
responsible
True
committee
LIBE
date
2017-03-09T00:00:00
committee_full
Civil Liberties, Justice and Home Affairs
rapporteur
group: GUE/NGL name: ERNST Cornelia
council
  • body: CSL type: Council Meeting council: Justice and Home Affairs (JHA) meeting_id: 3641 url: http://register.consilium.europa.eu/content/out?lang=EN&typ=SET&i=SMPL&ROWSPP=25&RESULTSET=1&NRROWS=500&DOC_LANCD=EN&ORDERBY=DOC_DATE+DESC&CONTENTS=3641*&MEET_DATE=12/10/2018 date: 2018-10-12T00:00:00
  • body: CSL type: Council Meeting council: Justice and Home Affairs (JHA) meeting_id: 3546 url: http://register.consilium.europa.eu/content/out?lang=EN&typ=SET&i=SMPL&ROWSPP=25&RESULTSET=1&NRROWS=500&DOC_LANCD=EN&ORDERBY=DOC_DATE+DESC&CONTENTS=3546*&MEET_DATE=08/06/2017 date: 2017-06-08T00:00:00
docs
  • date: 2017-03-15T00:00:00 docs: url: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:C:2017:164:TOC title: OJ C 164 24.05.2017, p. 0002 title: N8-0028/2017 summary: EDPS Opinion on the proposal for a regulation on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC. Overall, the EDPS considered the proposal successful in aligning the rules for EU institutions with the General Data Protection Regulation (GDPR), while taking the specificities of the EU public sector into account. The high level of protection regarding data processing by EU institutions is generally preserved in the proposal. The EDPS considered that the proposal should be further improved , notably regarding: The modalities for restrictions of the person concerned: the proposal would need to be amended to the effect that only legal acts adopted on the basis of the Treaties should be able to restrict fundamental rights. The EU legislator is called upon to ensure that the possible restrictions of the fundamental right to privacy of communications by EU institutions in their own operations follows the same standards as laid down in Union law as interpreted by the Court of Justice in this domain. The possibility for the EU institutions to use, in certain contexts, certification mechanisms : the EDPS considered that certification mechanisms may be a very useful instrument for EU institutions and they are already being used in certain contexts, e.g. certifying compliance with generally accepted standards. Therefore, references to the use of certification should therefore be added to the provisions on the ‘Responsibility of the controller’, ‘Data protection by design and by default’, as well as to ‘Security’. Further recommendations : the EDPS welcomed the fact that the proposal includes a separate article dedicated to the role of the EDPS as an advisor to EU institutions. He suggested however the addition of a recital in which the Commission should reaffirm its long-standing commitment to consult the EDPS on draft proposals in an informal manner . The EDPS also considered that the possibility to outsource the function of a Data Protection Officers is not suitable for EU institutions exercising public authority. It is essential that the revised rules become fully applicable at the same time as the GDPR i.e. on 25 May 2018. It encouraged the EU legislator to reach agreement on the proposal as swiftly as possible so as to allow EU institutions to benefit from a reasonable transition period before the new Regulation can become applicable at the same time as the GDPR. type: Document attached to the procedure body: EDPS
  • date: 2017-05-31T00:00:00 docs: url: https://dm.eesc.europa.eu/EESCDocumentSearch/Pages/redresults.aspx?k=(documenttype:AC)(documentnumber:0689)(documentyear:2017)(documentlanguage:EN) title: CES0689/2017 type: Economic and Social Committee: opinion, report body: ESC
  • date: 2017-06-08T00:00:00 docs: url: http://www.europarl.europa.eu/sides/getDoc.do?type=COMPARL&mode=XML&language=EN&reference=PE605.954 title: PE605.954 type: Committee draft report body: EP
  • date: 2017-07-12T00:00:00 docs: url: http://www.europarl.europa.eu/sides/getDoc.do?type=COMPARL&mode=XML&language=EN&reference=PE608.066 title: PE608.066 type: Amendments tabled in committee body: EP
  • date: 2017-10-05T00:00:00 docs: url: http://www.europarl.europa.eu/sides/getDoc.do?type=COMPARL&mode=XML&language=EN&reference=PE605.974&secondRef=02 title: PE605.974 committee: JURI type: Committee opinion body: EP
  • date: 2018-10-16T00:00:00 docs: title: GEDA/A/(2018)008163 type: Coreper letter confirming interinstitutional agreement body: CSL
  • date: 2018-10-24T00:00:00 docs: url: http://register.consilium.europa.eu/content/out?lang=EN&typ=SET&i=ADV&RESULTSET=1&DOC_ID=[%n4]%2F18&DOC_LANCD=EN&ROWSPP=25&NRROWS=500&ORDERBY=DOC_DATE+DESC title: 00031/2018/LEX type: Draft final act body: CSL
  • date: 2018-11-13T00:00:00 docs: url: /oeil/spdoc.do?i=30325&j=0&l=en title: SP(2018)724 type: Commission response to text adopted in plenary
  • date: 2017-04-04T00:00:00 docs: url: http://www.connefof.europarl.europa.eu/connefof/app/exp/COM(2017)0008 title: COM(2017)0008 type: Contribution body: CZ_CHAMBER
  • date: 2017-05-08T00:00:00 docs: url: http://www.connefof.europarl.europa.eu/connefof/app/exp/COM(2017)0008 title: COM(2017)0008 type: Contribution body: ES_PARLIAMENT
  • date: 2017-04-19T00:00:00 docs: url: http://www.connefof.europarl.europa.eu/connefof/app/exp/COM(2017)0008 title: COM(2017)0008 type: Contribution body: PT_PARLIAMENT
events
  • date: 2017-01-10T00:00:00 type: Legislative proposal published body: EC docs: url: http://www.europarl.europa.eu/RegData/docs_autres_institutions/commission_europeenne/com/2017/0008/COM_COM(2017)0008_EN.pdf title: COM(2017)0008 url: https://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexplus!prod!DocNumber&lg=EN&type_doc=COMfinal&an_doc=2017&nu_doc=0008 title: EUR-Lex summary: PURPOSE: to enhance the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data. PROPOSED ACT: Regulation of the European Parliament and of the Council. ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council. BACKGROUND: the protection of natural persons in relation to the processing of personal data is a fundamental right. Moreover, in Article 16(2) TFEU, the Lisbon Treaty introduced a specific legal basis for adopting rules on the protection of personal data. Regulation (EC) No 45/2001 of the European Parliament and of the Council provides natural persons with legally enforceable rights, specifies the data processing obligations of controllers within the Community institutions and bodies, and creates an independent supervisory authority, the European Data Protection Supervisor, responsible for monitoring the processing of personal data by the Union institutions and bodies. However, it does not apply to the processing of personal data in the course of an activity of Union institutions and bodies which fall outside the scope of Union law. Regulation (EU) 2016/679 of the European Parliament and of the Council ( General Data Protection Regulation ) and Directive (EU) 2016/680 of the European Parliament and of the Council were adopted on 27 April 2016. While the Regulation lays down general rules to protect natural persons in relation to the processing of personal data and to ensure the free movement of personal data within the Union, the Directive lays down the specific rules to protect natural persons in relation to the processing of personal data and to ensure the free movement of personal data within the Union in the fields of judicial cooperation in criminal matters and police cooperation. Regulation (EU) 2016/679 stresses the need for the necessary adaptations of Regulation (EC) No 45/2001 in order to provide a strong and coherent data protection framework in the Union and to allow application at the same time as Regulation (EU) 2016/679. It is in the interest of a coherent approach to personal data protection throughout the Union, and of the free movement of personal data within the Union, to align as far as possible the data protection rules for Union institutions and bodies with the data protection rules adopted for the public sector in the Member States. CONTENT: in order to align the existing rules, which date back to 2001, with the newer and more stringent rules set out by the General Data Protection Regulation of 2016, the Commission has proposed the following: Objective : this proposed Regulation has a two-fold objective: to protect the fundamental right to data protection and to guarantee the free flow of personal data throughout the Union; to provide for the main tasks of the European Data Protection Supervisor (EDPS). Scope : the proposal shall apply to the processing of personal data, by automated means or otherwise , by all Union institutions and bodies insofar as such processing is carried out in the exercise of activities all or part of which fall within the scope of Union law. The material scope of this Regulation is technologically neutral. The protection of personal data applies to the processing of personal data by automated means, as well as to manual processing if the personal data are contained or are intended to be contained in a filing system. Levels of protection : new principles of transparency and of integrity and confidentiality have been incorporated into the new text. Further conditions for the lawfulness of the processing of personal data of children in relation to information society services offered directly to them. It sets 13 years as the child's minimum age for valid consent. New rules are provided for a specific level of protection on the transmission of personal data to recipients, other than Union institutions and bodies. The proposal clarifies that, where it is the controller initiating the transmission, it should demonstrate necessity and proportionality of the transmission. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited . Data controller’s obligations : the proposal specifies the controller's information obligations towards the data subject where personal data are collected from the data subject, providing information to the data subject, including on the storage period, the right to lodge a complaint and in relation to international transfers. Personal data must remain confidential subject to an obligation of professional secrecy regulated by Union law. This could apply for example in proceedings by services competent for social security or health matters. Further modalities are provided to facilitate the exercise of the data subject's rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge , in particular, access to and rectification or erasure of personal data and the exercise of the right to object. Obligations for EU institutions : the proposal provides for an obligation for Union institutions and bodies to inform the EDPS when drawing up administrative measures and internal rules relating to the processing of personal data. It also provides for an obligation for the Commission to consult the EDPS following the adoption of proposals for a legislative act and of recommendations or proposals to the Council and when preparing delegated acts or implementing acts that have an impact on the protection of individuals’ rights and freedoms with regard to the processing of personal data. Provisions are also laid down concerning the transfer of personal data to third countries or international organisations. EDPS : specific provisions are laid down as regards the appointment of the EDPS by the European Parliament and the Council, the duration of its term of office: five years; the general conditions governing the performance of duties of the EDPS and his or her staff and the financial resources.
  • date: 2017-04-03T00:00:00 type: Committee referral announced in Parliament, 1st reading/single reading body: EP
  • date: 2017-10-12T00:00:00 type: Vote in committee, 1st reading/single reading body: EP
  • date: 2017-10-12T00:00:00 type: Committee decision to open interinstitutional negotiations with report adopted in committee body: EP
  • date: 2017-10-23T00:00:00 type: Committee report tabled for plenary, 1st reading/single reading body: EP docs: url: http://www.europarl.europa.eu/sides/getDoc.do?type=REPORT&mode=XML&reference=A8-2017-0313&language=EN title: A8-0313/2017 summary: The Committee on Civil Liberties, Justice and Home Affairs adopted the report by Cornelia ERNST (GUE/NGL, DE) on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC. The committee recommended that the European Parliament’s position adopted at first reading under the ordinary legislative procedure should amend the Commission proposal as follows. Scope of the Regulation : Members stated that the Regulation shall also apply to Union agencies carrying out activities which fall within the scope of chapters 4 (judicial cooperation in criminal matters) and 5 (police cooperation) under Title V of Part Three TFEU, including where the founding acts of these Union agencies lay down a standalone data protection regime for the processing of operational personal data. Provisions relating to specific processing of operational personal data contained in the founding acts of these agencies may particularise and complement the application of this Regulation. The provisions on the specific processing of data contained in the founding acts of the agencies shall clarify and complete the application of the Regulation. Transfer of personal data between Union institutions and bodies : such a transfer shall only be possible if the data are necessary for the legitimate performance of tasks falling within the competence of the recipient. The controller shall verify the competence of the recipient and provisionally evaluate the necessity for the transfer of such data. Transmission of personal data to recipients established in the Union : personal data may only be transmitted to recipients established in the Union and subject to the General Data Protection Regulation ( Regulation (EU) 2016/679 ) or the national rules adopted pursuant to Directive (EU) 2016/680 only if the controller demonstrates, on the basis of a reasoned request from the recipient that the transmission is proportionate and necessary for the purposes of serving the public interest such as transparency or good administration and after having demonstrably weighed the various competing interests. Restrictions : the proposal provides that legal acts adopted on the basis of the Treaties or, for matters concerning the functioning of the Union's institutions or bodies, internal rules laid down by them may restrict the exercise of the rights of the data subject. Members proposed to delete the possibility for Union institutions, bodies, offices and agencies to restrict the exercise of data subject’s rights by way of internal rules . It is also specified that legal acts adopted on the basis of treaties to restrict the exercise of the rights of the person concerned shall be clear and precise . Their application shall be foreseeable to persons subject to it. In particular, any legal act shall contain specific provisions at least, where relevant, as to: (i) the purposes of the processing; (ii) the categories of personal data; (iii) the scope of the restriction introduced; (iv) the safeguards to prevent abuse or unlawful access or transfer; (v) the specification of the controller or categories of controllers; (vi) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing; (vii) the risks to the rights and freedoms of data subjects; and (viii) the right of data subjects to be informed about the restriction. Approved certification mechanisms and codes of conduct : under the proposal, the controller should implement technical and organisational measures to ensure that processing is done in accordance with the Regulation and is able to demonstrate it. Members inserted a provision stating that adherence to approved certification mechanisms as referred to in Article 42 of Regulation (EU) 2016/679 may be used as an element by which to demonstrate compliance with the obligations of the controller . Adherence to an approved code of conduct may be used as an element by which to demonstrate compliance. Register of processing activities : Union institutions and bodies shall be obliged to keep their records of processing activities in a central register and make the register publicly accessible. Independent monitoring by the European Data Protection Supervisor (EDPS) : all institutions and bodies, including the Court of Justice, shall be subject to independent supervision by the EDPS. Members proposed that the European Parliament and the Council appoint, by common accord, the EDPS for a period of five years, on the basis of a list drawn up jointly by the European Parliament, the Council and the Commission following a public call for candidates. The EDPS and the national supervisory authorities, acting within the scope of their respective competencies, shall cooperate in the framework of their responsibilities in order to ensure effective and coordinated control of large-scale IT systems or Union bodies, offices or agencies. Alignment with the General Data Protection Regulation : Members tabled a number of amendments aimed at aligning this proposed Regulation with the General Data Protection Regulation in order to streamline these two texts as much as possible and to make ensure that the Union is kept to the same standards as the Member States when it comes to data protection. The provisions introduced by the Members include the following aspects: principles relating to the processing of operational personal data : for example, data lawfully and fairly processed, collected for specified, explicit and legitimate purposes, kept in a form that enables the data subject to be identified for no longer than not necessary, processed to ensure appropriate data security; prohibition of treatment of particular categories of data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; processing of genetic and biometric data, data relating to health or a person’s sexual life or sexual orientation; distinction between different categories of data subjects; specific processing conditions; transmission of operational personal data to other Union institutions and bodies; information to be made available or given to the data subject; the right of access of the data subject and limitations of the right of access; right of rectification or erasure; transfer of operational personal data to third countries. Review clause : no later than 1 June 2021, and every five years thereafter, the Commission shall report on the application of the Regulation, accompanied, if necessary, by appropriate legislative proposals.
  • date: 2018-09-12T00:00:00 type: Debate in Parliament body: EP docs: url: http://www.europarl.europa.eu/sides/getDoc.do?secondRef=TOC&language=EN&reference=20180912&type=CRE title: Debate in Parliament
  • date: 2018-09-13T00:00:00 type: Results of vote in Parliament body: EP docs: url: https://oeil.secure.europarl.europa.eu/oeil/popups/sda.do?id=30325&l=en title: Results of vote in Parliament
  • date: 2018-09-13T00:00:00 type: Decision by Parliament, 1st reading/single reading body: EP docs: url: http://www.europarl.europa.eu/sides/getDoc.do?type=TA&language=EN&reference=P8-TA-2018-0348 title: T8-0348/2018 summary: The European Parliament adopted by 527 votes to 51, with 27 abstentions, a legislative resolution on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC. The European Parliament’s position adopted at first reading under the ordinary legislative procedure amended the Commission proposal as follows: Scope : the Regulation would apply to the processing of personal data by all Union institutions, bodies, offices and agencies when carrying out activities which fall within the scope of Chapters 4 (judicial cooperation in criminal matters) and 5 (police cooperation) of Title V of Part Three of the TFEU for the purpose of the prevention, investigation, detection and prosecution of criminal offences. However, it shall only apply to Europol or the European Public Prosecutor's Office once the legal acts establishing Europol and the European Public Prosecutor's Office have been adapted. The Regulation shall not apply to the processing of personal data by tasks referred to in Articles 42(1), 43 and 44 of the Treaty on European Union, which implement the common security and defence policy Transmission of personal data between Union institutions and bodies : personal data shall be processed on the basis of the necessity for the performance of a task carried out in the public interest . The controller shall determine whether there are grounds to believe that such transmission could harm the legitimate interests of the data subject. Where the controller initiates the transmission under this Article, it shall demonstrate that the transmission of personal data is necessary for and proportionate to the purposes of the transmission. Union institutions and bodies shall reconcile the right to the protection of personal data with the right of access to documents in accordance with Union law. Restrictions : the Regulation provides that the legal acts adopted on the basis of the Treaties or, in matters relating to the operation of the Union institutions and bodies, internal rules laid down by the latter may restrict the exercise of the rights of the person concerned. The internal rules shall be clear and precise acts of general application, adopted at the highest level of management of the Union institutions and bodies and published in the Official Journal of the European Union. These rules shall be foreseeable to persons subject to them, in particular when adopted by Union institutions. In particular, any legal act or internal rule shall contain specific provisions, where relevant, as to: the purposes of the processing or categories of processing; the categories of personal data; the scope of the restrictions introduced; the safeguards to prevent abuse or unlawful access or transfer; the specification of the controller or categories of controllers; the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing; and the risks to the rights and freedoms of data subjects. Special categories of personal data : processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited by the Regulation. Special categories of personal data which merit higher protection shall be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social care services and systems. Therefore, this Regulation shall provide for harmonised conditions for the processing of special categories of personal data concerning health. European Data Protection Supervisor (EDPS) : the amended Regulation stipulates that the European Parliament and the Council shall appoint the European Data Protection Supervisor by common accord for a term of five years, on the basis of a list drawn up by the Commission following a public call for candidates. On the basis of the list drawn up by the Commission, the competent committee of the European Parliament may decide to hold a hearing in order to enable it to express a preference. The EDPS shall, inter alia , have the following tasks: (i) monitor and enforce the application of this Regulation by Union institutions and bodies, with the exception of the processing of personal data by the Court of Justice acting in its judicial capacity; (ii) advise, on his or her own initiative or on request, all Union institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to the processing of personal data. Effective judicial remedy : the Court of Justice shall have jurisdiction to hear all disputes relating to the provisions of this Regulation, including claims for damages. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered. Prevention and detection of criminal offences (activities falling within the scope of Part Three, Title V, Chapter 4 or 5 of the TFEU) : Directive (EU) 2016/680 sets out harmonised rules for the protection and the free movement of personal data processed for the purposes of the prevention, investigation, detection or prosecution of criminal offences or execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. In order to ensure the same level of protection for natural persons through legally enforceable rights throughout the Union, the rules for the protection and the free movement of operational personal data processed by such Union bodies, offices or agencies should be consistent with Directive (EU) 2016/680.
  • date: 2018-10-12T00:00:00 type: Act adopted by Council after Parliament's 1st reading body: EP/CSL
  • date: 2018-10-23T00:00:00 type: Final act signed body: CSL
  • date: 2018-10-23T00:00:00 type: End of procedure in Parliament body: EP
  • date: 2018-11-21T00:00:00 type: Final act published in Official Journal summary: PURPOSE: to enhance the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies. LEGISLATIVE ACT: Regulation (EU) 2018/1725 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC. CONTENT: the Regulation lays down rules on the protection of individuals with regard to the processing of personal data by the Union's institutions and bodies and rules on the free movement of personal data between those institutions and bodies or to other recipients established in the Union. It aims to: - protect the fundamental right to data protection and ensure the free movement of personal data throughout the Union; - allow the European Data Protection Supervisor (EDPS) to monitor the application of the provisions of the Regulation to all processing operations carried out by a Union institution or body. General principles Personal data shall be: - processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’). In the case of children under 13 years of age, the processing shall only be lawful if the consent is given or authorised by the holder of parental responsibility for the child; - collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 13, not be considered to be incompatible with the initial purposes; - adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’); - accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay; - kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; - processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. The Regulation prohibits the processing of personal data revealing racial or ethnic origin, political opinions, religion or beliefs or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning the sex life or sexual orientation of a natural person. Transmission of personal data between Union institutions and bodies Personal data shall be processed on the basis of the necessity for the performance of a task carried out in the public interest. The controller shall determine whether there are grounds to believe that such transmission could harm the legitimate interests of the data subject. In such cases, the controller shall demonstrably weigh the various competing interests in order to assess the proportionality of the requested transmission of personal data. Rights of the data subject Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. The Regulation provides that the legal acts adopted on the basis of the Treaties or, in matters relating to the operation of the Union institutions and bodies, internal rules laid down by the latter may restrict the exercise of the rights of the person concerned. The internal rules shall be clear and precise acts of general application, adopted at the highest level of management of the Union institutions and bodies and published in the Official Journal of the European Union. These rules shall be foreseeable to persons subject to them, in particular when adopted by Union institutions. In particular, any legal act or internal rule shall contain specific provisions, where relevant, as to: (i) the purposes of the processing or categories of processing; (ii) the categories of personal data; (iii) the scope of the restrictions introduced; (iv) the safeguards to prevent abuse or unlawful access or transfer; (v) the specification of the controller or categories of controllers; (vi) the storage periods and the applicable safeguards; (vii) the risks to the rights and freedoms of data subjects. Obligations of the controller The Regulation specifies the information obligations of the controller towards the data subject when personal data are obtained from that person, by providing information to the data subject, including information on the period of data storage, the right to lodge a complaint and international transfers of data. Personal data must remain confidential and be subject to an obligation of professional secrecy regulated by Union law. This may apply, for example, in social security or health procedures. Obligations of the EU institutions The Regulation provides for an obligation for the Union institutions and bodies to inform the European Data Protection Supervisor when drawing up administrative measures and internal rules relating to the processing of personal data. It also provides for the Commission to consult the EDPS following the adoption of proposals for legislative acts and recommendations or proposals to the Council and when preparing delegated or implementing acts having an impact on the protection of rights and freedoms with regard to the processing of personal data. ENTRY INTO FORCE: 11.12.2018. The Regulation shall apply to the processing of personal data by Eurojust from 12.12.2019. docs: title: Regulation 2018/1725 url: https://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexplus!prod!CELEXnumdoc&lg=EN&numdoc=32018R1725 title: OJ L 295 21.11.2018, p. 0039 url: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2018:295:TOC
other
  • body: EC dg: url: http://ec.europa.eu/info/departments/justice-and-consumers_en title: Justice and Consumers commissioner: JOUROVÁ Věra
procedure/Legislative priorities
  • title: Joint Declaration 2018 url: https://oeil.secure.europarl.europa.eu/oeil/popups/thematicnote.do?id=2063000&l=en
  • title: Joint Declaration 2017 url: https://oeil.secure.europarl.europa.eu/oeil/popups/thematicnote.do?id=2062000&l=en
procedure/Notes
  • 25/10/2017: Decision to enter into interinstitutional negotiations confirmed by plenary (Rule 69c)
procedure/dossier_of_the_committee
Old
LIBE/8/08983
New
  • LIBE/8/08983
procedure/final
title
Regulation 2018/1725
url
https://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexplus!prod!CELEXnumdoc&lg=EN&numdoc=32018R1725
procedure/instrument
Old
Regulation
New
  • Regulation
  • Repealing Regulation (EC) No 45/2001 1999/0153(COD) Repealing Decision No 1247/2002/EC 2001/2150(ACI)
procedure/legislative_priorities
    procedure/stage_reached
    Old
    Awaiting Parliament 1st reading / single reading / budget 1st stage
    New
    Procedure completed
    procedure/subject
    Old
    • 1.20.09 Protection of privacy and data protection
    • 8.40 Institutions of the Union
    • 8.40.08 Agencies and bodies of the EU
    New
    1.20.09
    Protection of privacy and data protection
    8.40
    Institutions of the Union
    8.40.08
    Agencies and bodies of the EU
    procedure/summary
    • Repealing Decision No 1247/2002/EC
    • Repealing Regulation (EC) No 45/2001
    activities/5/docs/0/text
    • The Committee on Civil Liberties, Justice and Home Affairs adopted the report by Cornelia ERNST (GUE/NGL, DE) on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

      The committee recommended that the European Parliament’s position adopted at first reading under the ordinary legislative procedure should amend the Commission proposal as follows.

      Scope of the Regulation: Members stated that the Regulation shall also apply to Union agencies carrying out activities which fall within the scope of chapters 4 (judicial cooperation in criminal matters) and 5 (police cooperation) under Title V of Part Three TFEU, including where the founding acts of these Union agencies lay down a standalone data protection regime for the processing of operational personal data. Provisions relating to specific processing of operational personal data contained in the founding acts of these agencies may particularise and complement the application of this Regulation.

      The provisions on the specific processing of data contained in the founding acts of the agencies shall clarify and complete the application of the Regulation.

      Transfer of personal data between Union institutions and bodies: such a transfer shall only be possible if the data are necessary for the legitimate performance of tasks falling within the competence of the recipient. The controller shall verify the competence of the recipient and provisionally evaluate the necessity for the transfer of such data.

      Transmission of personal data to recipients established in the Union: personal data may only be transmitted to recipients established in the Union and subject to the General Data Protection Regulation (Regulation (EU) 2016/679) or the national rules adopted pursuant to Directive (EU) 2016/680 only if the controller demonstrates, on the basis of a reasoned request from the recipient that the transmission is proportionate and necessary for the purposes of serving the public interest such as transparency or good administration and after having demonstrably weighed the various competing interests.

      Restrictions: the proposal provides that legal acts adopted on the basis of the Treaties or, for matters concerning the functioning of the Union's institutions or bodies, internal rules laid down by them may restrict the exercise of the rights of the data subject. Members proposed to delete the possibility for Union institutions, bodies, offices and agencies to restrict the exercise of data subject’s rights by way of internal rules

      It is also specified that legal acts adopted on the basis of treaties to restrict the exercise of the rights of the person concerned shall be clear and precise. Their application shall be foreseeable to persons subject to it.

      In particular, any legal act shall contain specific provisions at least, where relevant, as to: (i)  the purposes of the processing; (ii) the categories of personal data; (iii) the scope of the restriction introduced; (iv) the safeguards to prevent abuse or unlawful access or transfer; (v) the specification of the controller or categories of controllers; (vi) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing; (vii) the risks to the rights and freedoms of data subjects; and (viii) the right of data subjects to be informed about the restriction.

      Approved certification mechanisms and codes of conduct: under the proposal, the controller should implement technical and organisational measures to ensure that processing is done in accordance with the Regulation and is able to demonstrate it.

      Members inserted a provision stating that adherence to approved certification mechanisms as referred to in Article 42 of Regulation (EU) 2016/679 may be used as an element by which to demonstrate compliance with the obligations of the controller.

      Adherence to an approved code of conduct may be used as an element by which to demonstrate compliance.

      Register of processing activities: Union institutions and bodies shall be obliged to keep their records of processing activities in a central register and make the register publicly accessible.

      Independent monitoring by the European Data Protection Supervisor (EDPS): all institutions and bodies, including the Court of Justice, shall be subject to independent supervision by the EDPS. Members proposed that the European Parliament and the Council appoint, by common accord, the EDPS for a period of five years, on the basis of a list drawn up jointly by the European Parliament, the Council and the Commission following a public call for candidates.

      The EDPS and the national supervisory authorities, acting within the scope of their respective competencies, shall cooperate in the framework of their responsibilities in order to ensure effective and coordinated control of large-scale IT systems or Union bodies, offices or agencies.

      Alignment with the General Data Protection Regulation: Members tabled a number of amendments aimed at aligning this proposed Regulation with the General Data Protection Regulation in order to streamline these two texts as much as possible and to make ensure that the Union is kept to the same standards as the Member States when it comes to data protection.

      The provisions introduced by the Members include the following aspects:

      • principles relating to the processing of operational personal data: for example, data lawfully and fairly processed, collected for specified, explicit and legitimate purposes, kept in a form that enables the data subject to be identified for no longer than not necessary, processed to ensure appropriate data security;
      • prohibition of treatment of particular categories of data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; processing of genetic and biometric data, data relating to health or a person’s sexual life or sexual orientation;
      • distinction between different categories of data subjects;
      • specific processing conditions;
      • transmission of operational personal data to other Union institutions and bodies;
      • information to be made available or given to the data subject;
      • the right of access of the data subject and limitations of the right of access; right of rectification or erasure;
      • transfer of operational personal data to third countries.

      Review clause: no later than 1 June 2021, and every five years thereafter, the Commission shall report on the application of the Regulation, accompanied, if necessary, by appropriate legislative proposals.

    activities/6
    date
    2018-09-12T00:00:00
    body
    EP
    type
    Debate in plenary scheduled
    activities/7
    date
    2018-09-13T00:00:00
    body
    EP
    type
    Vote in plenary scheduled
    links/Research document
    url
    http://www.europarl.europa.eu/thinktank/en/document.html?reference=EPRS_BRI(2017)608754
    title
    Briefing
    activities/3/type
    Old
    Committee decision to open interinstitutional negotiations after 1st reading in Parliament
    New
    Committee decision to open interinstitutional negotiations with report adopted in committee
    activities/5
    date
    2017-10-23T00:00:00
    docs
    url: http://www.europarl.europa.eu/sides/getDoc.do?type=REPORT&mode=XML&reference=A8-2017-0313&language=EN type: Committee report tabled for plenary, 1st reading/single reading title: A8-0313/2017
    body
    EP
    committees
    type
    Committee report tabled for plenary, 1st reading/single reading
    procedure/stage_reached
    Old
    Awaiting committee decision
    New
    Awaiting Parliament 1st reading / single reading / budget 1st stage
    activities/3
    date
    2017-10-12T00:00:00
    body
    unknown
    type
    Committee decision to open interinstitutional negotiations after 1st reading in Parliament
    activities/4
    date
    2017-10-12T00:00:00
    body
    EP
    type
    Vote in committee, 1st reading/single reading
    committees
    activities/0/commission/0
    DG
    Commissioner
    JOUROVÁ Věra
    other/0
    body
    EC
    dg
    commissioner
    JOUROVÁ Věra
    activities/0
    date
    2017-01-10T00:00:00
    docs
    url: http://www.europarl.europa.eu/RegData/docs_autres_institutions/commission_europeenne/com/2017/0008/COM_COM(2017)0008_EN.pdf celexid: CELEX:52017PC0008:EN type: Legislative proposal published title: COM(2017)0008
    body
    EC
    commission
    type
    Legislative proposal published
    activities/0/body
    Old
    EP
    New
    EC
    activities/0/commission
      activities/0/date
      Old
      2017-10-24T00:00:00
      New
      2017-01-10T00:00:00
      activities/0/docs
      • url: http://www.europarl.europa.eu/RegData/docs_autres_institutions/commission_europeenne/com/2017/0008/COM_COM(2017)0008_EN.pdf title: COM(2017)0008 type: Legislative proposal published celexid: CELEX:52017PC0008:EN
      activities/0/type
      Old
      Indicative plenary sitting date, 1st reading/single reading
      New
      Legislative proposal published
      procedure/legislative_priorities
        activities/2
        date
        2017-06-08T00:00:00
        body
        CSL
        type
        Council Meeting
        council
        Justice and Home Affairs (JHA)
        meeting_id
        3546
        activities/3
        date
        2017-10-24T00:00:00
        body
        EP
        type
        Indicative plenary sitting date, 1st reading/single reading
        activities/0/docs/0/celexid
        CELEX:52017PC0008:EN
        activities/0/docs/0/celexid
        CELEX:52017PC0008:EN
        activities/1
        date
        2017-04-03T00:00:00
        body
        EP
        type
        Committee referral announced in Parliament, 1st reading/single reading
        committees
        procedure/dossier_of_the_committee
        LIBE/8/08983
        procedure/stage_reached
        Old
        Preparatory phase in Parliament
        New
        Awaiting committee decision
        committees/2/date
        2017-03-09T00:00:00
        committees/2/rapporteur
        • group: GUE/NGL name: ERNST Cornelia
        committees/2/shadows
        • group: EPP name: VOSS Axel
        • group: S&D name: LAURISTIN Marju
        • group: ECR name: PROCTER John
        • group: ALDE name: MLINAR Angelika
        • group: Verts/ALE name: ALBRECHT Jan Philipp
        committees/1/date
        2017-02-28T00:00:00
        committees/1/rapporteur
        • group: ECR name: DZHAMBAZKI Angel
        activities/0/docs/0/celexid
        CELEX:52017PC0008:EN
        activities/0/docs/0/celexid
        CELEX:52017PC0008:EN
        activities/0/docs/0/text
        • PURPOSE: to enhance the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data.

          PROPOSED ACT: Regulation of the European Parliament and of the Council.

          ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.

          BACKGROUND: the protection of natural persons in relation to the processing of personal data is a fundamental right. Moreover, in Article 16(2) TFEU, the Lisbon Treaty introduced a specific legal basis for adopting rules on the protection of personal data.

          Regulation (EC) No 45/2001 of the European Parliament and of the Council provides natural persons with legally enforceable rights, specifies the data processing obligations of controllers within the Community institutions and bodies, and creates an independent supervisory authority, the European Data Protection Supervisor, responsible for monitoring the processing of personal data by the Union institutions and bodies.

          However, it does not apply to the processing of personal data in the course of an activity of Union institutions and bodies which fall outside the scope of Union law.

          Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation) and Directive (EU) 2016/680 of the European Parliament and of the Council were adopted on 27 April 2016. While the Regulation lays down general rules to protect natural persons in relation to the processing of personal data and to ensure the free movement of personal data within the Union, the Directive lays down the specific rules to protect natural persons in relation to the processing of personal data and to ensure the free movement of personal data within the Union in the fields of judicial cooperation in criminal matters and police cooperation.

          Regulation (EU) 2016/679 stresses the need for the necessary adaptations of Regulation (EC) No 45/2001 in order to provide a strong and coherent data protection framework in the Union and to allow application at the same time as Regulation (EU) 2016/679.

          It is in the interest of a coherent approach to personal data protection throughout the Union, and of the free movement of personal data within the Union, to align as far as possible the data protection rules for Union institutions and bodies with the data protection rules adopted for the public sector in the Member States.

          CONTENT: in order to align the existing rules, which date back to 2001, with the newer and more stringent rules set out by the General Data Protection Regulation of 2016, the Commission has proposed the following:

          Objective: this proposed Regulation has a two-fold objective:

          • to protect the fundamental right to data protection and to guarantee the free flow of personal data throughout the Union;
          • to provide for the main tasks of the European Data Protection Supervisor (EDPS).

          Scope: the proposal shall apply to the processing of personal data, by automated means or otherwise, by all Union institutions and bodies insofar as such processing is carried out in the exercise of activities all or part of which fall within the scope of Union law. The material scope of this Regulation is technologically neutral. The protection of personal data applies to the processing of personal data by automated means, as well as to manual processing if the personal data are contained or are intended to be contained in a filing system.

          Levels of protection: new principles of transparency and of integrity and confidentiality have been incorporated into the new text. Further conditions for the lawfulness of the processing of personal data of children in relation to information society services offered directly to them. It sets 13 years as the child's minimum age for valid consent.  New rules are provided for a specific level of protection on the transmission of personal data to recipients, other than Union institutions and bodies. The proposal clarifies that, where it is the controller initiating the transmission, it should demonstrate necessity and proportionality of the transmission.

          Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.

          Data controller’s obligations: the proposal specifies the controller's information obligations towards the data subject where personal data are collected from the data subject, providing information to the data subject, including on the storage period, the right to lodge a complaint and in relation to international transfers.

          Personal data must remain confidential subject to an obligation of professional secrecy regulated by Union law. This could apply for example in proceedings by services competent for social security or health matters.

          Further modalities are provided to facilitate the exercise of the data subject's rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object.

          Obligations for EU institutions: the proposal provides for an obligation for Union institutions and bodies to inform the EDPS when drawing up administrative measures and internal rules relating to the processing of personal data. It also provides for an obligation for the Commission to consult the EDPS following the adoption of proposals for a legislative act and of recommendations or proposals to the Council and when preparing delegated acts or implementing acts that have an impact on the protection of individuals’ rights and freedoms with regard to the processing of personal data.

          Provisions are also laid down concerning the transfer of personal data to third countries or international organisations.

          EDPS: specific provisions are laid down as regards the appointment of the EDPS by the European Parliament and the Council, the duration of its term of office: five years; the general conditions governing the performance of duties of the EDPS and his or her staff and the financial resources.

        activities
        • date: 2017-01-10T00:00:00 docs: url: http://www.europarl.europa.eu/RegData/docs_autres_institutions/commission_europeenne/com/2017/0008/COM_COM(2017)0008_EN.pdf celexid: CELEX:52017PC0008:EN type: Legislative proposal published title: COM(2017)0008 body: EC commission: type: Legislative proposal published
        committees
        • body: EP responsible: False committee_full: Budgets committee: BUDG
        • body: EP responsible: False committee_full: Legal Affairs committee: JURI
        • body: EP responsible: True committee_full: Civil Liberties, Justice and Home Affairs committee: LIBE
        links
        other
          procedure
          reference
          2017/0002(COD)
          instrument
          Regulation
          legal_basis
          Treaty on the Functioning of the EU TFEU 016-p2
          stage_reached
          Preparatory phase in Parliament
          summary
          subtype
          Legislation
          title
          Protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and the free movement of such data
          type
          COD - Ordinary legislative procedure (ex-codecision procedure)
          subject