16 Amendments of Dimitrios DROUTSAS related to 2011/0011(COD)
Amendment 1846 #
Proposal for a regulation
Article 28 – paragraph 2 – introductory part
2. The documentation shall contain at least the following information: (a) the name and contact details of the controller, or any joint controller or processor, and of the representative, if any; (b) the name and contact details of the data protection officer, if any; (c) the purposes of the processing, including the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1); (d) a description of categories of data subjects and of the categories of personal data relating to them; (e) the recipients or categories of recipients of the personal data, including the controllers to whom personal data are disclosed for the legitimate interest pursued by them; (f) where applicable, transfers of data to a third country or an international organisation, including the identification of that third country or international organisation and, in case of transfers referred to in point (h) of Article 44(1), the documentation of appropriate safeguards; (g) a general indication of the time limits for erasure of the different categories of data; (h) the description of the mechanisms referred to in Article 22(3) listed in Article 14.
Amendment 1890 #
Proposal for a regulation
Article 28 – paragraph 4
4. The obligations referred to in paragraphs 1 and 2 shall not apply to the following controllers and processors: (a) a natural person processing personal data without a commercial interest; or (b) an enterprise or an organisation employing fewer than 250 persons that is processing personal data only as an activity ancillary to its main activities.
Amendment 1908 #
Proposal for a regulation
Article 28 – paragraph 5
Amendment 1914 #
Proposal for a regulation
Article 28 – paragraph 6
Amendment 1930 #
Proposal for a regulation
Article 30 – paragraph 2
2. The controller and the processor shall, following an evaluation of the risks, take the measures referred to in paragraph 1 to protect personal data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorised disclosure, dissemination or access, or alteration of personal data implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, such as pseudonymisation, having regard to the state of the art and the costs of their implementation.
Amendment 1938 #
Proposal for a regulation
Article 30 – paragraph 3
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purposeEuropean Data Protection Board shall be entrusted with the task of further specifying the criteria and conditions for the technical and organisational measures referred to in paragraphs 1 and 2, including the determinations of what constitutes the state of the art, for specific sectors and in specific data processing situations, in particular taking account of developments in technology and solutions for privacy by design and data protection by default, unless paragraph 4 applies, in accordance with Article 66.
Amendment 1944 #
Proposal for a regulation
Article 30 – paragraph 4
Amendment 1954 #
Proposal for a regulation
Article 31 – paragraph 1
1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 724 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 724 hours.
Amendment 1989 #
Proposal for a regulation
Article 31 – paragraph 5
5. The Commission shall be empowered to adopt, after requesting an opinion of the European Data Protection Board, delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for establishing the data breach referred to in paragraphs 1 and 2 and for the particular circumstances in which a controller and a processor is required to notify the personal data breach.
Amendment 1994 #
Proposal for a regulation
Article 31 – paragraph 6
6. The Commission may lay down the standard format of such notification to the supervisory authority, the procedures applicable to the notification requirement and the form and the modalities for the documentation referred to in paragraph 4, including the time limits for erasure of the information contained therein. Those implementing acts shall be adopted, after requesting an opinion of the European Data Protection Board, in accordance with the examination procedure referred to in Article 87(2).
Amendment 2009 #
Proposal for a regulation
Article 32 – paragraph 5
5. The Commission shall be empowered to adopt, after requesting an opinion of the European Data Protection Board, delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements as to the circumstances in which a personal data breach is likely to adversely affect the personal data referred to in paragraph 1.
Amendment 2013 #
Proposal for a regulation
Article 32 – paragraph 6
6. The Commission may lay down the format of the communication to the data subject referred to in paragraph 1 and the procedures applicable to that communication. Those implementing acts shall be adopted, after requesting an opinion of the European Data Protection Board, in accordance with the examination procedure referred to in Article 87(2).
Amendment 2041 #
Proposal for a regulation
Article 33 – paragraph 2 – point d
(d) personal data in large scale filing systems on children, geneticrocessing of special categories of data as referred to in Article 9(1), location data or , biometric data, or data on children;
Amendment 2048 #
Proposal for a regulation
Article 33 – paragraph 3
3. The assessment shall contain at least a general description of (a) the envisaged processing operations, and their necessity and proportionality in relation to the purpose; (b) an assessment of the risks to the rights and freedoms of data subjects; (c) the measures envisaged to address the risks, and minimise the volume of personal data which is processed; (d) safeguards, security measures and mechanisms to ensure the protection of personal data, such as pseudonymisation, and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.
Amendment 2080 #
Proposal for a regulation
Article 33 – paragraph 6
6. The Commission shall be empowered to adopt, after requesting an opinion of the European Data Protection Board, delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the processing operations likely to present specific risks referred to in paragraphs 1 and 2 and the requirements for the assessment, referred to in paragraph 3, including conditions and procedures for scalability, verification and auditability. In doing so, the Commission shall consider specific measures for micro, small and medium-sized enterprises.
Amendment 2085 #
Proposal for a regulation
Article 33 – paragraph 7