Activities of Amelia ANDERSDOTTER related to 2012/0011(COD)
Shadow opinions (1)
OPINION on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)
Amendments (218)
Amendment 172 #
Proposal for a regulation
Recital 5
Recital 5
(5) Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of data sharing and collectiong has increased spectacularly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Individuals increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and requires to furtherimproved legal safeguards which will facilitate the free flow of data within the Union and the transfer to third countries and international organisations, while ensuring an high level of the protection of personal data.
Amendment 175 #
Proposal for a regulation
Recital 7
Recital 7
(7) The objectives and principles of Directive 95/46/EC remain sound, but ithis has not prevented fragmentation in the way data protection is implemented across the Union, legal uncertainty and a widespread public perception that there are significant risks for the protection of individuals associated notably with online activity. Differences in the level of protection of the rights and freedoms of individuals, notably to the right to the protection of personal data, with regard to the processing of personal data afforded in the Member States may prevent the free flow of personal data throughout the Union and inevitably lead to breaches of the fundamental rights to privacy and data protection. These differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law. This difference in levels of protection is due to the existence of differences in the implementation and application of Directive 95/46/EC.
Amendment 176 #
Proposal for a regulation
Recital 8
Recital 8
(8) In order to ensure consistent and high level of protection of individuals and to remove the obstacles to flows of personal data, the level of protection of the rights and freedoms of individuals with regard to the processing of such data should be equivalent in all Member States and identical where possible. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union.
Amendment 178 #
Proposal for a regulation
Recital 9
Recital 9
(9) Effective protection of personal data throughout the Union requires strengthening and detailing the rights of data subjects and the obligations of those who process and determine the processing of personal data, but also equivalent powers and technical and operational capacity for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for offenders in the Member States.
Amendment 180 #
Proposal for a regulation
Recital 11
Recital 11
(11) In order to ensure a consistent level of protection for individuals throughout the Union and to prevent divergences hampering the free movement of data within the internal market, a Regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, and to provide individuals in all Member States with the same level of legally enforceable rights and obligations and responsibilities for controllers and processors, to ensure consistent monitoring of the processing of personal data, and equivalent sanctions in all Member States as well as effective co-operation by the supervisory authorities of different Member States. TWhere demonstrably necessary and without undermining either protection of personal data or single market principles, to take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a number of derogations. In addition, the Union institutions and bodies, Member States and their supervisory authorities are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. The notion of micro, small and medium-sized enterprises should draw upon Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium- sized enterprises.
Amendment 185 #
Proposal for a regulation
Recital 14
Recital 14
(14) This Regulation does not address issues of protection of fundamental rights and freedoms or the free flow of data related to activities which fall outside the scope of Union law, nor does it cover the processing of personal data by the Union institutions, bodies, offices and agencies, which are subject to Regulation (EC) No 45/200145, or the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union.
Amendment 186 #
Proposal for a regulation
Recital 16
Recital 16
(16) The protection of individuals with regard to the processing of personal data by competent public authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data, is subject of a specific legal instrument at Union level. Therefore, this Regulation should not apply to the processing activities for those purposes. However, data processed by public authorities under this Regulation when used for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties should be governed by the more specific legal instrument at Union level (Directive XX/YYY).
Amendment 187 #
Proposal for a regulation
Recital 17
Recital 17
(17) The liability limitations of the Directive on Electronic Commerce 2000/31/EC are horizontal in nature and therefore apply to relevant activities of all information society service providers. This Regulation establishes the rules for the processing of personal data while the Directive on Electronic Commerce sets out the conditions by which an information service provider is liable for third party infringements of the law. In the interest of legal certainty for European citizens and businesses, the clear and distinct roles of the two instruments need to be consistently respected. This Regulation should be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.
Amendment 188 #
Proposal for a regulation
Recital 21
Recital 21
(21) In order to determine whether a processing activity can be considered to ‘'monitor the behaviour’' of data subjects, it should be ascertained whether individuals are tracked onwith the internet withntion to use, or potential of subsequent use of, data processing techniques which consist of applying a ‘'profile’ to an individual', particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.
Amendment 189 #
Proposal for a regulation
Recital 23
Recital 23
(23) The principles of protection should apply to any information concerning an identified or identifiable person. To determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the individual. The principles of data protection should not apply to data rendered anonymous in such a way that the data subject is no longer identifiable taking full account of the technological "state of the art" and technological trends.
Amendment 192 #
Proposal for a regulation
Recital 24
Recital 24
(24) When using online services, individuals may be associated with one or more online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses or, cookie identifiers. This may leave traces which, combined with unique identifiers and other information received by the servers, may be used to create profi, or other unique identifiers. Since these identifiers leave traces and can be used to singles of the individuals and identify them. It follows that identification numbers, locationut natural persons, this Regulation should be applicable to processing involving such data, ounliness these identifiers or other specific factors as such need not necessarilydemonstrably do not relate to natural persons, such as for example the IP addresses of web servers and thus cannot be considered as 'personal data in all circumstances' as defined in Article 4(2).
Amendment 195 #
Proposal for a regulation
Recital 25
Recital 25
(25) Consent should be given explicitly by any appropriate method enabling a freely given specific and informed indication of the data subject's wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data. Silence or inactivityInformed consent should be facilitated insofar as possible by user-friendly information about the types of processing to be carried out. Silence, mere use of a service, or inactivity, such as not un- ticking pre-ticked boxes, should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject's consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
Amendment 203 #
Proposal for a regulation
Recital 27
Recital 27
(27) The main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes, conditions and means of processing through stable arrangements. This criterion should not depend whether the processing of personal data is actually carried out at that location; the presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute such main establishment and are therefore not determining criteria for a main establishment. The main establishment of the processor should be the place of its central administration in the Union.
Amendment 205 #
Proposal for a regulation
Recital 29
Recital 29
(29) Children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data. To determine when an individual is a child, this Regulation should take over the definition laid down by the UN Convention on the Rights of the Child. No reference to child protection in this Regulation should be understood as an implicit instruction that protection of personal data of adults should be treated with less care than would have been the case if the reference was not included.
Amendment 210 #
Proposal for a regulation
Recital 32
Recital 32
(32) Where processing is based on the data subject's consent, the controller should have the burden of proving that the data subject has given the consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware that and to what extent consent is given. To comply with the principle of data minimisation, this burden of proof should not be understood as requiring positive identification of data subjects unless necessary.
Amendment 211 #
Proposal for a regulation
Recital 33
Recital 33
(33) In order to ensure free consent, it should be clarified that consent does not provide a valid legal ground where the individual has no genuine and free choice and is subsequently not able to refuse or withdraw consent without detriment. Consent should also not provide a legal basis for data processing when the data subject has no access to different equivalent services. Default settings such as pre-ticked boxes, silence, or the simple use of a service do not imply consent. Consent can only be obtained for processing that is lawful and thus not excessive in relation to the purpose. Disproportional data processing cannot be legitimised though obtaining consent.
Amendment 217 #
Proposal for a regulation
Recital 34
Recital 34
(34) Consent should not provide a valid legal ground for the processing of personal data, where there is a clear imbalance between the data subject and the controller. This is especially the case where the data subject is in a situation of dependence from the controller, among others, where personal data are processed by the employer of employees’' personal data in the employment context, or where a controller has a substantial market power with respect to certain products or services and where these products or services are offered on condition of consent to the processing of personal data, or where a unilateral and non- essential change in terms of service gives a data subject no option other than accept the change or abandon an online resource in which they have invested significant time. Where the controller is a public authority, there would be an imbalance only in the specific data processing operations where the public authority can impose an obligation by virtue of its relevant public powers and the consent cannot be deemed as freely given, taking into account the interest of the data subject.
Amendment 218 #
Proposal for a regulation
Recital 36
Recital 36
(36) Where processing is carried out in compliance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority, the processing should have a legal basis in Union law, or in a Member State law which meets the requirements of the Charter of Fundamental Rights of the European Union for any limitation of the rights and freedoms. It is also for Union or national law to determine whether the controller performing a task carried out in the public interest or in the exercise of official authority should be a public administration or another natural or legal person governed by public law, or by private law such as a professional association.
Amendment 220 #
Proposal for a regulation
Recital 38
Recital 38
Amendment 223 #
Proposal for a regulation
Recital 40
Recital 40
(40) The processing of personal data for other purposes should be only allowed where the processing is compatible with those purposes for which the data have been initially collected, in particular where the processing is necessary for historical, statistical or scientific research purposes. Where the other purpose is not compatible with the initial one for which the data are collected, the controller should obtain the consent of the data subject for this other purpose or should base the processing on another legitimate ground for lawful processing, in particular where provided by Union law or the law of the Member State to which the controller is subject. In any case, the application of the principles set out by this Regulation and in particular the information of the data subject on those other purposes should be ensured.
Amendment 227 #
Proposal for a regulation
Recital 41
Recital 41
(41) Personal data which are, by their nature, particularly sensitive and vulnerable in relation to fundamental rights or privacy, deserve specific protection. Such data should not be processed, unless the data subject gives his explicit and informed consent. However, derogations from this prohibition should be explicitly provided for in respect of specific needs, in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms of the data subjects in question.
Amendment 229 #
Proposal for a regulation
Recital 42
Recital 42
(42) Derogating from the prohibition on processing sensitive categories of data should also be allowed if done by a law, and subject to suitable safeguards, so as to protect personal data and other fundamental rights, where grounds of public interest so justify and in particular for health purposes, including public health and social protection and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for historical, statistical and scientific research purposes.
Amendment 230 #
Proposal for a regulation
Recital 45
Recital 45
(45) If the data processed by a controller do not permit the controller to identify a natural person, nothing in this Regulation may be construed by the data controller should not beas an obligedation to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation. In case of a request for access, the controller should be entitled to ask the data subject for further information to enable the data controller to locate the personal data which that person seeks. If it is possible for the data subject to provide such data, controllers should not be able to invoke a lack of information to refuse an access request.
Amendment 232 #
Proposal for a regulation
Recital 47
Recital 47
(47) Modalities should be provided for facilitating the data subject's exercise of their rights provided by this Regulation, including mechanisms to requestobtain, free of charge, in particular access to data, rectification, erasure and to exercise the right to object. The controller should be obliged to respond to requests of the data subject within a fixed deadline and give reasons, in case he does cannot comply with the data subject's request.
Amendment 234 #
Proposal for a regulation
Recital 49
Recital 49
(49) The information in relation to the processing of personal data relating to the data subject should be given to them at the time of collection, or, where the data are not collected from the data subject, within a reasonable period, depending on the circumstances of the case. Where data can be legitimately disclosed to another recipient according to the provisions of this Regulation, such as after the data subject's consent, the data subject should be informed when the data are first disclosed to the recipient.
Amendment 235 #
Proposal for a regulation
Recital 50
Recital 50
(50) However, it is not necessary to impose this obligation where the data subject already disposes of this information, or where the recording or disclosure of the data is expressly laid down by law, or where the provision of information to the data subject proves impossible or would involve disproportionate efforts. The latter could be particularly the case where processing is for historical, statistical or scientific research purposes; in this regard, the number of data subjects, the age of the data, and any compensatory measures adopted may be taken into consideration.
Amendment 237 #
Proposal for a regulation
Recital 51
Recital 51
(51) Any person should have the right of access to data which has been collected concerning them, and to exercise this right easily, in order to be aware and verify the lawfulness of the processing. Every data subject should therefore have the right to know and obtain communication in particular for what purposes the data are processed, for what period, which recipients receive the data, what is the logic of the data that are undergoing the processing and what might be, at least when based on profiling, the consequences of such processing. This right should not adversely affect the rights and freedoms of others, including trade secrets or intellectual property and in particular, such as in relation to the copyright protecting the software. However, the result of these considerations should not be that all information is refused to the data subject.
Amendment 239 #
Proposal for a regulation
Recital 52
Recital 52
(52) The controller should use all reasonable measures to verify the idauthenticity of a data subject thataccess requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the unique purpose of being able to react to potential requests.
Amendment 240 #
Proposal for a regulation
Recital 53
Recital 53
(53) Any person should have the right to have personal data concerning them rectified and a ‘right to be forgotten’ where the retention of such data is not in compliance with this Regulationerased. In particular, data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed, where data subjects have withdrawn their consent for processing or where they object to the processing of personal data concerning them or where the processing of their personal data otherwise does not comply with this Regulation. This right is particularly relevant, when the data subject has given their consent as a child, when not being fully aware of the risks involved by the processing, and later wants to remove such personal data especially on the Internet. However, the further retention of the data shouldmay be allowed where it is necessary for historical, statistical and scientific research purposes, for reasons of public interest in the area of public health, for exercising the right of freedom of expression, when required by law or where there is a reason to restrict the processing of the data instead of erasing them.
Amendment 241 #
Proposal for a regulation
Recital 54
Recital 54
(54) To strengthen the ‘'right to be forgotten’erasure' in the online environment, ithe right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform third parties which are processing such data that aof the data subject's requests them to erase any links to, or copies or replications of that personal data. To ensure this information, the controller should take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible. In relation to a third party publication of personal data, t for erasure. The controller should be considered responsible for the publication, where the controller has authorised the publication by the third party.
Amendment 242 #
Proposal for a regulation
Recital 55
Recital 55
(55) To further strengthen the control over their own data and their right of access, data subjects should have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain a copy of the data concerning them also in commonly used electronic format, to obtain, free of charge, a copy of the data concerning them also in an electronic, interoperable and structured format which is commonly used. The data subject should also be allowed to transmit those data, which they have provided, from one automated application, such as a social network, into another one. This should apply where the data subject providedProviders of information society services should not make the transfer of those data to the automated processing system, based on their consent or in the performance of a contramandatory for the provision of their services. Social networks should be encouraged as much as possible to store data in a way which permits efficient data portability for data subjects.
Amendment 243 #
Proposal for a regulation
Recital 57
Recital 57
(57) Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing in advance, free of charge and in a manner that can be easily and effectively invoked.
Amendment 245 #
Proposal for a regulation
Recital 58
Recital 58
(58) Every natural person should have the right not to be subject to a measure which is based on profiling by means of automated processing. However, any such measure should be allowed when expressly authorised by law, carried out in the course of entering or performance of a contract, or when the data subject has given his consent. In any case, such processing should be subject to suitable safeguards, including specific information of the data subject and the right to obtain human intervention and that such measure should not concern a child. Specifically, such processing should never, whether intentionally or not, lead to the discrimination of data subjects on the basis of race or ethnic origin, political opinions, religion or beliefs, trade union membership, or sexual orientation. Given the risk of discrimination, such processing should not be used in order to predict very rare characteristics.
Amendment 247 #
Proposal for a regulation
Recital 59
Recital 59
(59) Restrictions on specific principles and on the rights of information, access, rectification and erasure or on the right to data portability, the right to object, measures based on profiling, as well as on the communication of a personal data breach to a data subject and on certain related obligations of the controllers may be imposed by Union or Member State law, as far as strictly necessary and proportionate in a democratic society to safeguard public security, including the protection of human life especially in response to natural or man made disasters, the prevention, investigation and prosecution of criminal offences or of breaches of ethics for regulated professions, other public interests of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, or the protection of the data subject or the rights and freedoms of others. Those restrictions should be in compliance with requirements set out by the Charter of Fundamental Rights of the European Union, and by the European Convention for the Protection of Human Rights and Fundamental Freedoms. Any such measure should be notified to the Data Protection Board for an opinion which, if negative, should result in a referral to the Commission with view to starting an infringement procedure before the European Court of Justice.
Amendment 248 #
Proposal for a regulation
Recital 60
Recital 60
(60) Comprehensive responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller's behalf should be established in order to ensure accountability. In particular, the controller should ensure and be obliged to demonstrate the compliance of each processing operation with this Regulation. Otherwise unnecessary data processing may not be justified on the basis of the need to respect this obligation.
Amendment 249 #
Proposal for a regulation
Recital 61
Recital 61
(61) The protection of the rights and freedoms of data subjects with regard to the processing of personal data require that appropriate technical and organiszational measures are taken, both at the time of the design of the processing and its underlying technologies as well as at the time of the processing itself, to ensure that the requirements of this Regulation are met. In order to ensure and demonstrate compliance with this Regulation, the controller should adopt internal policies and implement appropriate measures, which meet in particular the principles of data protection by design and data protection by default. Data protection by design is the process by which data protection and privacy are integrated in the development of products and services through both technical and organisational measures. Data protection by default means that products and services are by default configured in a way that limits the processing and especially the disclosure of personal data. In particular, personal data should not be disclosed to an unlimited number of persons by default.
Amendment 251 #
Proposal for a regulation
Recital 61 a (new)
Recital 61 a (new)
(61a) The present Regulation aims at encouraging enterprises to develop internal programmes that would identify the processing operations likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, and to put in place appropriate personal data protection safeguards and develop innovative data protection-by-design solutions and data protection enhancing techniques. Enterprises would then demonstrate publically and pro-actively their compliance with the provisions and spirit of this Regulation and thus increase the trust of the European citizens. Corporate accountability on personal data protection cannot however exempt an enterprise from any obligation laid down in this Regulation.
Amendment 255 #
Proposal for a regulation
Recital 63
Recital 63
(63) Where a controller not established in the Union is processing personal data of data subjects residing in the Union whose processing activities are related to the offering of goods or services to such data subjects, or to the monitoring their behaviour, the controller should designate a representative, unless the controller is established in a third country ensuring an adequate level of protection, or the controller is a small or medium sized enterprisen enterprise processing data on a small number of data subjects or a public authority or body or where the controller is only occasionally offering goods or services to such data subjects. The representative should act on behalf of the controller and may be addressed by any supervisory authority.
Amendment 259 #
Proposal for a regulation
Recital 66
Recital 66
(66) In order to maintain security and to prevent processing in breach of this Regulation, the controller or processor should evaluate the risks inherent to the processing and implement measures to mitigate those risks. These measures should ensure an appropriate level of security, taking into account the state of the art and the costs of their implementation in relation to the risks and the nature of the personal data to be protected. When establishing technical standards and organisational measures to ensure security of processing, the Commission should promote technological neutrality, interoperability and innovation should be promoted, and, where appropriate, cooperate with third countries should be encouraged.
Amendment 264 #
Proposal for a regulation
Recital 70 a (new)
Recital 70 a (new)
(70a) Directive 2002/58/EC sets out personal data breach notification obligations for the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Union. Where providers of publicly available electronic communications services provide other services, they are subject to the breach notification obligations of this Regulation.
Amendment 266 #
Proposal for a regulation
Recital 76
Recital 76
(76) Associations or other bodies representing categories of controllers should be encouraged to draw up codes of conduct, within the limits of this Regulation, so as to facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors. Such codes should make compliance easier for industry.
Amendment 267 #
Proposal for a regulation
Recital 77
Recital 77
(77) In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms, data protection seals and marks should be encouraged, allowing data subjects to quickly, reliably and verifiably assess the level of data protection of relevant products and services.
Amendment 270 #
Proposal for a regulation
Recital 79
Recital 79
(79) This Regulation is without prejudice to international agreements concluded between the Union and third countries regulating the transfer of personal data including appropriate safeguards for the data subjects ensuring an equivalent level of protection for the fundamental rights of citizens.
Amendment 271 #
Proposal for a regulation
Recital 80
Recital 80
(80) The Commission may decide with effect for the entire Union that certain third countries, or a territory or a processing sector within a third country, or an international organisation, offer an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third countries or international organisations which are considered to provide such level of protection. In these cases, transfers of personal data to these countries may take place without needing to obtain any further authorisation. The Commission may also decide, having given notice and a complete justification to the third country, to revoke such a decision.
Amendment 272 #
Proposal for a regulation
Recital 82
Recital 82
Amendment 273 #
Proposal for a regulation
Recital 83
Recital 83
Amendment 275 #
Proposal for a regulation
Recital 87
Recital 87
(87) These derogations should in particular apply to data transfers required and necessary for the protection of important grounds of public interest, for example in cases of international data transfers between competition authorities, tax or customs administrations, financial supervisory authorities, between services competent for social security matters, or to competent authorities for the prevention, investigation, detection and prosecution of criminal offences. Transferring personal data for such important grounds of public interest should only be used for occasional transfers. In each and every case, a careful assessment of all circumstances of the transfer needs to be carried out.
Amendment 276 #
Proposal for a regulation
Recital 88
Recital 88
Amendment 277 #
Proposal for a regulation
Recital 89
Recital 89
(89) In any case, where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with a legally binding guarantee that they will continue to benefit from the fundamental rights and safeguards as regards processing of their data in the Union once this data has been transferred. This guarantee will include financial indemnification in cases of loss or unauthorised access or processing of the data and an obligation, regardless of local legislation, to provide full details of all access to the data by public authorities in the third country.
Amendment 278 #
Proposal for a regulation
Recital 90
Recital 90
(90) Some third countries enact laws, regulations and other legislative instruments which purport to directly regulate data processing activities of natural and legal persons under the jurisdiction of the Member States. The extraterritorial application of these laws, regulations and other legislative instruments mayust, by default, be considered to be in breach of international law and may impede the attainment of the protection of individuals guaranteed in the Union by this Regulation. . Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may inter alia be the case where the disclosure is necessary for an important ground of public interest recognised in Union law or in a Member State law to which the controller is subject. The conditions under which an important ground of public interest exists should be further specified by the Commission in a delegated act. The mere existence of legislation in a country which would even theoretically, regardless of its application, permit extra-territorial access to European citizens' data, is a sufficient reason to revoke recognition of adequacy of that data protection regime or any equivalent bilateral arrangement of that country.
Amendment 280 #
Proposal for a regulation
Recital 92
Recital 92
(92) The establishment of supervisory authorities in Member States, exercising their functions with complete independence, is an essential component of the protection of individuals with regard to the processing of their personal data. Member States may establish more than one supervisory authority, to reflect their constitutional, organisational and administrative structure. Independence shall be understood as not having direct or indirect political involvement in selection of leadership and having adequate financial personal and legal resources to carry out its role fully.
Amendment 281 #
Proposal for a regulation
Recital 94
Recital 94
(94) Each supervisory authority should be provided with the adequate financial and human resources, paying particular attention to ensuring adequate technical skills of staff, premises and infrastructure, which is are necessary for the effective performance of their tasks, including for the tasks related to mutual assistance and co-operation with other supervisory authorities throughout the Union.
Amendment 282 #
Proposal for a regulation
Recital 95
Recital 95
(95) The general conditions for the members of the supervisory authority should be laid down by law in each Member State and should in particular provide that those members should be either appointed by the parliament or the government of the Member State taking due care to minimise the possibility of political interference, and include rules on the personal qualification of the members, the avoidance of conflicts of interest and the position of those members.
Amendment 284 #
Proposal for a regulation
Recital 97
Recital 97
(97) Where the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union takes place in more than one Member State, one single supervisory authority should be competent for monitoring the activities of the controller or processor throughout the Union and taking the related decisions, in order to increase the consistent application, provide legal certainty and reduce administrative burden for such controllers and processors. When carrying out these activities, this supervisory authority should take appropriate steps to cooperate with its counterparts in other Member States where there are data subjects likely to be affected by the processing operations, involving the European Data Protection Board where appropriate, including by carrying out joint investigations. Appropriate mechanisms should be put in place to ensure that smaller supervisory authorities have the financial, administrative and human resources capacity to deal with any extra burdens that this places on them.
Amendment 286 #
Proposal for a regulation
Recital 98 a (new)
Recital 98 a (new)
(98a) Where such processing is the subject of a complaint lodged by a data subject, the competent authority, providing such one-stop shop, should be the supervisory authority of the Member State in which the data subject has its main residence. Where data subjects lodge similar complaints against such processing with supervisory authorities in different Member States, the competent authority should be the first seized.
Amendment 287 #
Proposal for a regulation
Recital 104
Recital 104
(104) Each supervisory authority should have the right to participate in joint operations between supervisory authorities. The requested supervisory authority should be obliged to respond to the request in a defined time period. The European Data Protection Board should be able to coordinate such activities, where the concerned supervisory authorities so wish. Each supervisory authority should have the right to participate in joint operations between supervisory authorities. The requested supervisory authority should be obliged to respond to the request in a defined time period.
Amendment 289 #
Proposal for a regulation
Recital 107
Recital 107
(107) In order to ensure compliance with this Regulation, the Commission may adopt an opinion on this matter, or in urgent cases a decision, requiring the supervisory authority to suspend its draft measure.
Amendment 290 #
Proposal for a regulation
Recital 110
Recital 110
(110) At Union level, a European Data Protection Board should be set up. It should replace the Working Party on the Protection of Individuals with Regard to the Processing of Personal Data established by Directive 95/46/EC. It should consist of a head of a supervisory authority of each Member State and of the European Data Protection Supervisor. The Commission should participate in its activities. The European Data Protection Board should contribute to the consistent application of this Regulation throughout the Union, including by advising the Commissinstitutions of the European Union and promoting co-operation of the supervisory authorities throughout the Union, including the coordination of joint operations. The European Data Protection Board should act independently when exercising its tasks.
Amendment 291 #
Proposal for a regulation
Recital 118
Recital 118
(118) Any damage which a person may suffer as a result of unlawful processing should be compensated by the controller or processor, who may be exempted from liability if they prove that they are not responsible for the damage, in particular where he establishes that the balance of fault is on the part of the data subject or in case of force majeure.
Amendment 293 #
Proposal for a regulation
Recital 121
Recital 121
(121) The processing of personal data solely for journalistic purposes, or for the purposes of artistic or literary expression should qualify for exemption from the requirements of certain provisions of this Regulation in order to reconcile the right to the protection of personal data with the right to freedom of expression, and notably the right to receive and impart information, as guaranteed in particular by Article 11 of the Charter of Fundamental Rights of the European Union. This should apply in particular to processing of personal data in the audiovisual field and in news archives and press libraries. Therefore, Member States should adopt legislative measures, which should lay down exemptions and derogations which are necessary for the purpose of balancing these fundamental rights. Such exemptions and derogations should be adopted by the Member States on general principles, on the rights of the data subject, on controller and processor, on the transfer of data to third countries or international organisations, on the independent supervisory authorities and on co-operation and consistency. This should not, however, lead Member States to lay down exemptions from the other provisions of this Regulation. In order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary to interpret notions relating to that freedom, such as journalism, broadly. Therefore, Member States should classify activities as ‘"journalistic’" for the purpose of the exemptions and derogations to be laid down under this Regulation if the object of these activities is the analysis and disclosure to the public of information, opinions or ideas, irrespective of the medium which is used to transmit them. They should not be limited to media undertakings and may be undertaken for profit-making or for non- profit making purposes.
Amendment 294 #
Proposal for a regulation
Recital 121 a (new)
Recital 121 a (new)
(121a) This Regulation allows the principle of public access to official documents to be taken into account when applying the provisions set out in this Regulation. Personal data in documents held by a public authority or a public body may be disclosed by this authority or body in accordance with Member State legislation to which the public authority or public body is subject. Such legislation shall reconcile the right to the protection of personal data with the principle of public access to official documents.
Amendment 296 #
Proposal for a regulation
Recital 126
Recital 126
(126) Scientific research for the purposes of this Regulation should include fundamental research, applied research, and privately funded research in the meaning of Article 13 of the Charter of Fundamental Rights of the European Union and in addition should take into account the Union's objective under Article 179(1) of the Treaty on the Functioning of the European Union of achieving a European Research Area. It should not include market research.
Amendment 310 #
Proposal for a regulation
Article 2 – paragraph 2 – point a
Article 2 – paragraph 2 – point a
Amendment 311 #
Proposal for a regulation
Article 2 – paragraph 2 – point b
Article 2 – paragraph 2 – point b
Amendment 320 #
Proposal for a regulation
Article 2 – paragraph 2 a (new)
Article 2 – paragraph 2 a (new)
2a. Subject to the rules in this Regulation, the European Parliament and the Council, and the Commission where this is provided for in this Regulation, may adopt specific rules further clarifying the rules in this Regulation with regards to specific areas or to processing by specific entities. Within a period of one year from the coming into force of this Regulation, the European Parliament and the Council shall adopt such specific subsidiary rules with regard to the processing of personal data by: (a) by providers of publicly available electronic communications services, both generally and as concerns the preservation of communications data for purposes of law enforcement; (b) by the Union institutions, bodies, offices and agencies.
Amendment 322 #
Proposal for a regulation
Article 3 – paragraph 2 – point a
Article 3 – paragraph 2 – point a
(a) the offering of goods or services to such data subjects in the Union, irrespective of whether a payment of the data subject is required; or
Amendment 323 #
Proposal for a regulation
Article 4 – paragraph 1 – point 1
Article 4 – paragraph 1 – point 1
(1) ‘'data subject’' means an identified natural person or a natural person who can be identified or singled out, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number or other unique identifier, location data, online identifier or to one or more factors specific to the gender, physical, physiological, genetic, mental, economic, cultural or social identity or sexual orientation of that person;
Amendment 332 #
Proposal for a regulation
Article 4 – paragraph 1 – point 3 a (new)
Article 4 – paragraph 1 – point 3 a (new)
(3a) 'profiling' means any form of automated processing intended to evaluate, or generate data about, aspects relating to natural persons or to analyse or predict a natural person's performance at work, economic situation, location, health, preferences, reliability, behaviour or personality;
Amendment 343 #
Proposal for a regulation
Article 4 – paragraph 1 – point 9
Article 4 – paragraph 1 – point 9
(9) ‘'personal data breach’' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
Amendment 348 #
Proposal for a regulation
Article 4 – paragraph 1 – point 13
Article 4 – paragraph 1 – point 13
(13) ‘'main establishment’' means as regards the controller, the place of its establishment in the Union where the main decisions as to the purposes, conditions and means of the processing of personal data are taken or the place of its establishment which exercises dominant influence over other establishments of the controller; if no decisions as to the purposes, conditions and means of the processing of personal data are taken in the Union, the main establishment is the place where the main processing activities in the context of the activities of an establishment of a controller in the Union take place. As regards the processor, ‘'main establishment’' means the place of its central administration in the Union;
Amendment 369 #
Proposal for a regulation
Article 6 – paragraph 1 – point f
Article 6 – paragraph 1 – point f
Amendment 370 #
Proposal for a regulation
Article 6 – paragraph 1 – point f
Article 6 – paragraph 1 – point f
(f) processing is necessary for the purposes of the legitimate interests pursued by a controller in adequacy with points (a) to (e) of the same paragraph, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
Amendment 386 #
Proposal for a regulation
Article 6 – paragraph 3 a (new)
Article 6 – paragraph 3 a (new)
3a. In the case referred to in point (f) of paragraph 1, the controller shall inform the data subject about this explicitly and separately. The controller shall also publish the reasons for believing that its interests override the interests or fundamental rights and freedoms of the data subject.
Amendment 387 #
Proposal for a regulation
Article 6 – paragraph 4
Article 6 – paragraph 4
Amendment 389 #
Proposal for a regulation
Article 6 – paragraph 5
Article 6 – paragraph 5
Amendment 392 #
Proposal for a regulation
Article 7 – paragraph 1
Article 7 – paragraph 1
1. The controller shall in all cases bear the burden of proof for the data subject's purpose-specific, informed and explicit consent to the processing of their personal data for specified purposes.
Amendment 394 #
Proposal for a regulation
Article 7 – paragraph 1 a (new)
Article 7 – paragraph 1 a (new)
1a. The freely given specific, informed and explicit consent of the data subject for the processing of his/her personal data cannot be differentiated or categorised according to the type of the personal data in question.
Amendment 398 #
Proposal for a regulation
Article 7 – paragraph 3
Article 7 – paragraph 3
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. The withdrawal of consent terminates the relationship with the controller.
Amendment 402 #
Proposal for a regulation
Article 8 – paragraph 1
Article 8 – paragraph 1
1. For the purposes of this Regulation, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodian. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology.
Amendment 406 #
Proposal for a regulation
Article 8 – paragraph 3
Article 8 – paragraph 3
Amendment 409 #
Proposal for a regulation
Article 9 – paragraph 1
Article 9 – paragraph 1
1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or philosophical beliefs, trade-union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions, criminal offences and matters which have not led to a conviction, or related security measures shall be prohibited.
Amendment 412 #
Proposal for a regulation
Article 9 – paragraph 2 – point a
Article 9 – paragraph 2 – point a
(a) the data subject has given consent to the processing of those personal data, subject to the conditions laid down in Articles 7 and 8, except where Union law or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject; or
Amendment 414 #
Proposal for a regulation
Article 9 – paragraph 2 – point b
Article 9 – paragraph 2 – point b
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law in so far as it is authorised by Union law or Member State law providing for adequate safeguards for the fundamental rights and the interests of the data subject; or
Amendment 416 #
Proposal for a regulation
Article 9 – paragraph 2 – point g
Article 9 – paragraph 2 – point g
(g) processing is necessary for the performance of a task carried out in the public interest, on the basis of Union law, or Member State law which shall provide for suitable measures to safeguard the data subject's fundamental rights and legitimate interests; or
Amendment 422 #
Proposal for a regulation
Article 9 – paragraph 2 – point j
Article 9 – paragraph 2 – point j
(j) processing of data relating to criminal convictions, criminal offences and matters which have not led to a conviction, or related security measures is carried out either under the control of official authority or when the processing is necessary for compliance with a legal or regulatory obligation to which a controller is subject, or for the performance of a task carried out for important public interest reasons, and in so far as authorised by Union law or Member State law providing for adequate safeguards for the fundamental rights of the data subject. A complete register of criminal convictions shall be kept only under the control of official authority.
Amendment 425 #
Proposal for a regulation
Article 9 – paragraph 3
Article 9 – paragraph 3
Amendment 433 #
Proposal for a regulation
Article 10 – paragraph 1
Article 10 – paragraph 1
If the data processed by a controller do not permit the controller to identify a natural person, the controller shall not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation.
Amendment 442 #
Proposal for a regulation
Article 12 – paragraph 5
Article 12 – paragraph 5
Amendment 445 #
Proposal for a regulation
Article 13
Article 13
The controller shall communicate any rectification or erasure carried out in accordance with Articles 16 and 17 to each recipient to whom the data have been disclosed, unless this proves impossible or involves a disproportionate effort.
Amendment 446 #
Proposal for a regulation
Article 14 – paragraph 1 – point b
Article 14 – paragraph 1 – point b
(b) the specific purposes of the processing for which the personal data are intended as well as information regarding the actual processing of personal data, including the contract terms and general conditions where the processing is based on point (b) of Article 6(1) and the legitimate interests pursued by the controller, as well as the reasons why the controller thinks that this interest overrides the interests or fundamental rights and freedoms of the data subject, where the processing is based on point (f) of Article 6(1);
Amendment 447 #
Proposal for a regulation
Article 14 – paragraph 1 – point c
Article 14 – paragraph 1 – point c
(c) the period for which the personal data will be stored, when it is feasible to name a precise period;
Amendment 453 #
Proposal for a regulation
Article 14 – paragraph 1 – point e
Article 14 – paragraph 1 – point e
(e) the right to lodge a complaint to the supervisory authority and the contact details ofs well as the information needed to contact the supervisory authority;
Amendment 454 #
Proposal for a regulation
Article 14 – paragraph 1 – point f
Article 14 – paragraph 1 – point f
(f) the recipients or categories of recipients of the personal data;
Amendment 455 #
Proposal for a regulation
Article 14 – paragraph 1 – point g a (new)
Article 14 – paragraph 1 – point g a (new)
(ga) where the controller processes personal data as described in Article 20(1), information about the existence of processing for a measure of the kind referred to in Article 20(1) and the intended effects of such processing on the data subject;
Amendment 456 #
Proposal for a regulation
Article 14 – paragraph 1 – point g b (new)
Article 14 – paragraph 1 – point g b (new)
(gb) information regarding specific security measures taken to protect personal data;
Amendment 457 #
Proposal for a regulation
Article 14 – paragraph 1 – point h
Article 14 – paragraph 1 – point h
(h) any furtheradditional information necessary to guarantee fair processing ion respectbehalf of the data subject, havtaking regard tointo account the specific circumstances in which the personal data are collected.
Amendment 459 #
Proposal for a regulation
Article 14 – paragraph 3
Article 14 – paragraph 3
3. Where the personal data are not collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, from which source the personal data originate, except where the data originates from a publicly available source.
Amendment 465 #
Proposal for a regulation
Article 14 – paragraph 8
Article 14 – paragraph 8
8. The Commission mayshall lay down standard forms for providing the information referred to in paragraphs 1 to 3, taking into account the specific characteristics and needs of various sectors and data processing situations where necessary, as well as the needs of the relevant stakeholders, including the possible use of layered notices. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
Amendment 466 #
Proposal for a regulation
Article 15 – paragraph 1 – introductory part
Article 15 – paragraph 1 – introductory part
1. The data subject shall have the right to obtain from the controller at any time, on request, in clear and plain language, confirmation as to whether or not personal data relating to the data subject are being processed, and as to whether the controller takes measures in respect of the data subject that are based on profiles as referred to in Article 20(1). This shall also apply to data which only permit singling out, where the data subject can verifiably authentify him/herself. Where such personal data are being processed, and/or such measures are taken, the controller shall provide the following information:
Amendment 468 #
Proposal for a regulation
Article 15 – paragraph 1 – point c
Article 15 – paragraph 1 – point c
(c) the recipients or categories of recipients to whom the personal data are to be or have been disclosed, in particular tocluding all recipients in third countries;
Amendment 471 #
Proposal for a regulation
Article 15 – paragraph 1 – point f
Article 15 – paragraph 1 – point f
(f) the right to lodge a complaint to the supervisory authority and the contact detailsinformation of the supervisory authority;
Amendment 473 #
Proposal for a regulation
Article 15 – paragraph 1 – point h a (new)
Article 15 – paragraph 1 – point h a (new)
(ha) in the case of measures based on profiles, meaningful information about the logic about the logic used in the profiling;
Amendment 474 #
Proposal for a regulation
Article 15 – paragraph 1 – point h b (new)
Article 15 – paragraph 1 – point h b (new)
Amendment 478 #
Proposal for a regulation
Article 16 – paragraph 1
Article 16 – paragraph 1
The data subject shall haves the right to obtain from the controller the rectification of personal data relating to them which are inaccurate. The data subject shall haves the right to obtain completion of incomplete personal data, including by way of supplementing a corrective statement.
Amendment 479 #
Proposal for a regulation
Article 17 – title
Article 17 – title
Right to be forgotten and to erasure
Amendment 482 #
Proposal for a regulation
Article 17 – paragraph 1 – introductory part
Article 17 – paragraph 1 – introductory part
1. The data subject shall haves the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especiallyincluding in relation to personal data which are made available by the data subject while he or she was a child, where one of the following grounds applies:
Amendment 484 #
Proposal for a regulation
Article 17 – paragraph 1 – point b
Article 17 – paragraph 1 – point b
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or when the storage period consented to has expired, and where there isare no other legal grounds for the processing of the data;
Amendment 490 #
Proposal for a regulation
Article 17 – paragraph 2
Article 17 – paragraph 2
Amendment 494 #
Proposal for a regulation
Article 17 – paragraph 3 – introductory part
Article 17 – paragraph 3 – introductory part
3. The controller shall carry out the erasure without delay and regardless of the effort required, except to the extent that the retention of the personal data is necessary:
Amendment 498 #
Proposal for a regulation
Article 17 – paragraph 3 – point d
Article 17 – paragraph 3 – point d
(d) for compliance with a legal obligation to retain the personal data by Union or Member State law to which the controller is subject; Member State laws shall meet an objective ofrequire justification with respect to the public interest, respect the essencprinciple of the right to the protection of personal data and be proportionate to the legitimate aim pursued;
Amendment 504 #
Proposal for a regulation
Article 18 – paragraph 1
Article 18 – paragraph 1
1. The data subject shall haves the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic, interoperable and structured format which is commonly used and allows for further use by the data subject.
Amendment 507 #
Proposal for a regulation
Article 18 – paragraph 2
Article 18 – paragraph 2
2. Where the data subject has provided the personal data and the processing is based on consent or on a contract, the data subject shall have the right to transmit those personal data and any other information provided by the data subject and retained by an automated processing system, into another one, in an electronic format which is commonly used, without hindrance from the controller from whom the personal data are withdrawn.
Amendment 509 #
Proposal for a regulation
Article 18 – paragraph 2 a (new)
Article 18 – paragraph 2 a (new)
2a. This right is without prejudice to the obligation to delete data when they are no longer necessary under Article 5(e).
Amendment 517 #
Proposal for a regulation
Article 19 – paragraph 1
Article 19 – paragraph 1
1. The data subject shall haves the right to object, on grounds relating to their particular situation, at any time to the processing of personal data which is based on points (d), (e) and (fe) of Article 6(1), unless the controller demonstrates compelling legitimate grounds for the processing which override the interests or fundamental rights and freedoms of the data subject.
Amendment 518 #
Proposal for a regulation
Article 19 – paragraph 2
Article 19 – paragraph 2
2. Where personal data are processed for direct marketing purposes or where processing is based on Article 6(1)(f), the data subject shall have the right to object free of charge to the processing of their personal data for such marketing. This right shall be explicitly offered to the data subject in an intelligible manner, using clear and plain language, adapted to the data subject, in particular for any information addressed specifically to a child, and shall be clearly distinguishable from other information.
Amendment 527 #
Proposal for a regulation
Article 20 – paragraph 1
Article 20 – paragraph 1
1. Every natural person shall have the right, both off-line and online, not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.
Amendment 535 #
Proposal for a regulation
Article 20 – paragraph 2 – introductory part
Article 20 – paragraph 2 – introductory part
2. Subject to the other provisions of this Regulation, including paragraphs (3) and (4), a person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing:
Amendment 538 #
Proposal for a regulation
Article 20 – paragraph 2 – point a
Article 20 – paragraph 2 – point a
(a) is carried out in the course ofnecessary for the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the right to obtain humanincluding the right to be provided with meaningful information about the logic used in the profiling, and the right to obtain human intervention, including an explanation of the decision reached after such intervention; or
Amendment 541 #
Proposal for a regulation
Article 20 – paragraph 2 – point b
Article 20 – paragraph 2 – point b
(b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests, and which protects the data subjects against possible discrimination resulting from measures described in paragraph 1; or
Amendment 545 #
Proposal for a regulation
Article 20 – paragraph 2 – point c
Article 20 – paragraph 2 – point c
(c) is based on the data subject's consent, subject to the conditions laid down in Article 7 and to suitable safeguards, including effective protection against possible discrimination resulting from measures described in paragraph 1.
Amendment 550 #
Proposal for a regulation
Article 20 – paragraph 3
Article 20 – paragraph 3
3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not be based solely oninclude or generate any data that fall under the special categories of personal data referred to in Article 9, except when falling under the exceptions listed in Article 9(2).
Amendment 551 #
Proposal for a regulation
Article 20 – paragraph 3 a (new)
Article 20 – paragraph 3 a (new)
3a. Profiling that (whether intentionally or otherwise) has the effect of discriminating against individuals on the basis of race or ethnic origin, political opinions, religion or beliefs, trade union membership, or sexual orientation, or that (whether intentionally or otherwise) result in measures which have such effect, shall be prohibited.
Amendment 552 #
Proposal for a regulation
Article 20 – paragraph 3 b (new)
Article 20 – paragraph 3 b (new)
3b. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not be used to identify or individualise children.
Amendment 555 #
Proposal for a regulation
Article 20 – paragraph 4
Article 20 – paragraph 4
4. In the cases referred to in paragraph 2, the information to be provided by the controller under Article 14 and 15 shall include information as to the existence of processing for a measure of the kind referred to in paragraph 1 and the envisaged effects of such processing on the data subject, as well as the access to the logic underpinning the data undergoing processing.
Amendment 560 #
Proposal for a regulation
Article 20 – paragraph 5
Article 20 – paragraph 5
5. TWithin six months of the coming into force of this Regulation, the Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for suitable measures to safeguard the data subject's' legitimate interests referred to in paragraph 2. The Commission shall consult representatives of data subjects and the Data Protection Board on its proposals before issuing them.
Amendment 561 #
Proposal for a regulation
Article 21 – paragraph 1 – introductory part
Article 21 – paragraph 1 – introductory part
1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in points (a) to (e) of Article 5 and Articles 11 to 2019 and Article 32, when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard:
Amendment 564 #
Proposal for a regulation
Article 21 – paragraph 1 – point c
Article 21 – paragraph 1 – point c
(c) other important public interests of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters and the protection of market stability and integrity;
Amendment 565 #
Proposal for a regulation
Article 21 – paragraph 1 – point e
Article 21 – paragraph 1 – point e
Amendment 567 #
Proposal for a regulation
Article 21 – paragraph 2
Article 21 – paragraph 2
2. In particular, any legislative measure referred to in paragraph 1 must comply with the standards of necessity and proportionality and shall contain specific provisions at least as to: (a) the objectives to be pursued by the processing and; (b) the determination of the controller; (c) the specific purposes and means of processing; (d) the categories of persons authorised to process the data; (e) the procedure to be followed for the processing; (f) the safeguards against any arbitrary interferences by public authorities; (g) the right of data subjects to be informed about the restriction.
Amendment 569 #
Proposal for a regulation
Article 21 – paragraph 2 a (new)
Article 21 – paragraph 2 a (new)
2a. Legislative measures referred to in paragraph 1 shall not impose obligations on private controllers to retain data additional to those strictly necessary for the original purpose.
Amendment 570 #
Proposal for a regulation
Article 21 – paragraph 2 b (new)
Article 21 – paragraph 2 b (new)
2b. Legislative measures referred to in paragraph 1 shall be notified to the European Data Protection Board for opinion. If the European Data Protection Board considers that the notified measure does not comply with the requirements of paragraph 2, it shall inform the Commission. The Commission shall then consider launching the procedure established under Article 258 of the Treaty on the Functioning of the European Union.
Amendment 581 #
Proposal for a regulation
Article 22 – paragraph 2 – point d
Article 22 – paragraph 2 – point d
(d) complying with the requirements for prior authorisation or prior consultation of the supervisory authority pursuant toas stated by Article 34(1) and (2);
Amendment 585 #
Proposal for a regulation
Article 22 – paragraph 2 – point e a (new)
Article 22 – paragraph 2 – point e a (new)
(ea) establishing and documenting the measures referred to in Article 11.
Amendment 587 #
Proposal for a regulation
Article 22 – paragraph 3 a (new)
Article 22 – paragraph 3 a (new)
3a. The controller shall make public a summary of the measures referred to in paragraphs 1 and 2.
Amendment 590 #
Proposal for a regulation
Article 22 – paragraph 4
Article 22 – paragraph 4
4. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of specifying any further criteria and requirements for appropriate measures referred to in paragraph 1 other than those already referred to in paragraph 2, the conditions for the verification and auditing mechanisms referred to in paragraph 3 and as regards the criteria for proportionality under paragraph 3, and considering specific measures for micro, small and medium-sized-enterprises.
Amendment 591 #
Proposal for a regulation
Article 23 – title
Article 23 – title
Data protection by designfault and by defaultsign
Amendment 593 #
Proposal for a regulation
Article 23 – paragraph 1
Article 23 – paragraph 1
1. Having regard to the state of the art and the cost of implementation, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject. This shall include both: (a) technical measures relating to the technical design and architecture of the product or service; and (b) organisational measures which relate to operational policies of the controller. Where a controller has carried out a data protection impact assessment pursuant to Article 33, the results of this shall be taken into account when developing the measures referred to in points (a) and (b) of this paragraph.
Amendment 599 #
Proposal for a regulation
Article 23 – paragraph 2
Article 23 – paragraph 2
2. The controller shall implement mechanisms for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. This shall be ensured using technical and/or organisational measures, as appropriate. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals and that data subjects can control the distribution of their personal data.
Amendment 605 #
Proposal for a regulation
Article 23 – paragraph 3
Article 23 – paragraph 3
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of specifying any further criteria and requirements for appropriate measures and mechanisms referred to in paragraph 1 and 2, in particular for the requirements of data protection by design requirementsthat are applicable across sectors, products and services.
Amendment 608 #
Proposal for a regulation
Article 23 – paragraph 4
Article 23 – paragraph 4
4. The Commission may lay downspecify technical standards for the requirements laid down in paragraphs 1 and 2. ThoseSuch implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
Amendment 611 #
Proposal for a regulation
Article 25 – paragraph 2 – point a
Article 25 – paragraph 2 – point a
Amendment 612 #
Proposal for a regulation
Article 25 – paragraph 2 – point b
Article 25 – paragraph 2 – point b
(b) an enterprise employing fewer than 250 personprocessing personal data relating to less than 250 data subjects; or
Amendment 613 #
Proposal for a regulation
Article 25 – paragraph 4
Article 25 – paragraph 4
4. The designation of a representative by the controller shall be without prejudice to legal actions which could be initiated taken against the controller itself.
Amendment 634 #
Proposal for a regulation
Article 26 – paragraph 2 – point h a (new)
Article 26 – paragraph 2 – point h a (new)
(ha) take into account the principle of data protection by design.
Amendment 638 #
Proposal for a regulation
Article 26 – paragraph 5
Article 26 – paragraph 5
Amendment 648 #
Proposal for a regulation
Article 28 – paragraph 2 – point c
Article 28 – paragraph 2 – point c
(c) the purposes of the processing, including the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);
Amendment 657 #
Proposal for a regulation
Article 28 – paragraph 4 – point b
Article 28 – paragraph 4 – point b
(b) an enterprise or an organisation employing fewer than 250 personprocessing personal data relating to less than 250 data subjects that is processing personal data only as an activity ancillary to its main activities.
Amendment 667 #
Proposal for a regulation
Article 30 – paragraph 2
Article 30 – paragraph 2
2. The controller and the processor shall, following an evaluation of the risks, take the measures referred to in paragraph 1 to protect personal data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorised disclosure, dissemination or access, or alteration of personal data. Where a controller has carried a data protection impact assessment pursuant to Article 33, the results of this assessment shall be taken into account in the evaluation of the risks.
Amendment 680 #
Proposal for a regulation
Article 31 – paragraph 4 a (new)
Article 31 – paragraph 4 a (new)
4a. The supervisory authority shall keep a public register of the types of breaches notified.
Amendment 683 #
Proposal for a regulation
Article 32 – paragraph 1
Article 32 – paragraph 1
1. When the personal data breach is likely to adversely or seriously affect the protection of the personal data or privacy of the data subject, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay.
Amendment 684 #
Proposal for a regulation
Article 32 – paragraph 2
Article 32 – paragraph 2
2. The communication to the data subject referred to in paragraph 1 shall describe the nature of the personal data breach and contain at least the information and the recommendations provided for in points (ba) andto (ce) of Article 31(3).
Amendment 688 #
Proposal for a regulation
Article 32 – paragraph 5
Article 32 – paragraph 5
5. The Commission shall be empowered to adopt, after consulting the European Data Protection Board, delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements as to the circumstances in which a personal data breach is likely to adversely affect the personal data referred to in paragraph 1.
Amendment 698 #
Proposal for a regulation
Article 33 – paragraph 2 – point a
Article 33 – paragraph 2 – point a
(a) a systematic and extensive evaluation of personal aspects relating to a natural person or for analysing or predicting in particular the natural person's economic situation, location, health, personal preferences, reliability or behaviour, which is based on automated processing and on which measures are based that produce legal effects concerning the individual or significantly affect the individual, including any further processing operation of the kind referred to in Article 20(1) of this Regulation;
Amendment 701 #
Proposal for a regulation
Article 33 – paragraph 2 – point b
Article 33 – paragraph 2 – point b
(b) information on sex life, health, race and ethnic origin or for the provision of health care, epidemiological researches, or surveys of mental or infectious diseases, where the data are processed for taking measures or decisions regarding specific individuals on a large scale;
Amendment 702 #
Proposal for a regulation
Article 33 – paragraph 2 – point c
Article 33 – paragraph 2 – point c
(c) monitoring publicly accessible areas, especially when using optic-electronic devices (video surveillance) on a large scale;
Amendment 703 #
Proposal for a regulation
Article 33 – paragraph 2 – point d
Article 33 – paragraph 2 – point d
(d) personal data in large scale filing systems on children, genetic data or biometric data;
Amendment 705 #
Proposal for a regulation
Article 33 – paragraph 3
Article 33 – paragraph 3
3. The assessment shall contain at least a general description of the envisaged processing operations, an assessment of the risks to the rights and freedoms of data subjects, including in particular the risk of discrimination being embedded in or reinforced by the operation, the measures envisaged to address the risks, safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned.
Amendment 708 #
Proposal for a regulation
Article 33 – paragraph 4
Article 33 – paragraph 4
4. The controller shall seekinquire for the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations.
Amendment 714 #
Proposal for a regulation
Article 33 – paragraph 7
Article 33 – paragraph 7
7. TSubject to the previous provisions, within six months of the coming into force of this Regulation, the Commission mayshall specify standards and procedures for carrying out and verifying and auditing the assessment referred to in paragraph 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
Amendment 717 #
Proposal for a regulation
Article 34 – paragraph 1
Article 34 – paragraph 1
1. The controller or the processor as the case may be shall obtain an authorisation from the supervisory authority prior to the processing of personal data, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects: (a) where a controller performs any processing operation of the kind referred to in Article 20(1) of this Regulation in relation to minors; (b) where a controller or processor adopts contractual clauses as provided for in point (d) of Article 42(2) o; (c) where a controller does not provide for the appropriate safeguards in a legally binding instrument as referred to in Article 42(5) for the transfer of personal data to a third country or an international organisation; (d) where a controller or processor transfers personal to a third country or an international organisation based on the derogations in Article 44; (e) where a controller performs processing operations referred to in Article 81(3) or Article 83(3).
Amendment 722 #
Proposal for a regulation
Article 34 – paragraph 2 – introductory part
Article 34 – paragraph 2 – introductory part
2. The controller or processor acting on the controller's behalf shall consult the supervisory authority prior to the processing of any personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where:
Amendment 723 #
Proposal for a regulation
Article 34 – paragraph 2 – point a
Article 34 – paragraph 2 – point a
(a) a data protection impact assessment as provided for in Article 33 indicates that processing operations are by virtue of their nature, their scope or their purposes, likely to present a high degree of specific risks, including in particular the risk that the operations may have a discriminatory impact; or
Amendment 724 #
Proposal for a regulation
Article 34 – paragraph 2 – point a a (new)
Article 34 – paragraph 2 – point a a (new)
(aa) The supervisory authority shall seek the views of representatives of the data subjects and of the Data Protection Board on the intended processing;
Amendment 728 #
Proposal for a regulation
Article 34 – paragraph 3 a (new)
Article 34 – paragraph 3 a (new)
(3a) Where the supervisory authority is of the opinion that the intended processing may pose a risk of discriminatory treatment of data subjects, it shall order that the actual effects of the processing shall be monitored for such effects, and that it shall be provided with all the necessary information to assess this, at regular intervals.
Amendment 736 #
Proposal for a regulation
Article 35 – paragraph 1 – point b
Article 35 – paragraph 1 – point b
(b) the processing is carried out by an enterprise employing 250 persons or moreprocessing personal data relating to more than 250 data subjects a year; or
Amendment 756 #
Proposal for a regulation
Article 37 – paragraph 1 – point c
Article 37 – paragraph 1 – point c
(c) to monitor the implementation and application of this Regulation, in particular as to the requirements related to data protection by design, and data protection by default and data security and toccording to Article 23, data security according to Articles 30 to 32, and the information of data subjects and their requests in exercising their rights according to Articles 11 to 20 under this Regulation;
Amendment 757 #
Proposal for a regulation
Article 37 – paragraph 1 – point d
Article 37 – paragraph 1 – point d
(d) to ensure that the full documentation referred to in Article 28 is maintained;
Amendment 758 #
Proposal for a regulation
Article 37 – paragraph 1 – point e
Article 37 – paragraph 1 – point e
(e) to monitorsupervise the documentation, notification and communication of personal data breaches pursuant to Articles 31 and 32;
Amendment 759 #
Proposal for a regulation
Article 37 – paragraph 1 – point g
Article 37 – paragraph 1 – point g
(g) to monitorsupervise the response to requests from the supervisory authority, and, within the sphere of the data protection officer's competence, co-operating with the supervisory authority at the latter's request or on the data protection officer's own initiative;
Amendment 764 #
Proposal for a regulation
Article 40 – paragraph 1
Article 40 – paragraph 1
Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation may only take place if,shall be prohibited unless subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation.
Amendment 766 #
Proposal for a regulation
Article 41 – paragraph 1
Article 41 – paragraph 1
1. A transfer may take place where the Commission has decided that the third country, or a territory or a processing sector within that third country, or the international organisation in question ensures an adequate level of protection. Such transfer shall not require any further authorisation. Such decisions shall not affect the level of protection under this Regulation.
Amendment 767 #
Proposal for a regulation
Article 41 – paragraph 2 – point a
Article 41 – paragraph 2 – point a
(a) the rule of law, relevant legislation in force, both general and sectoral, including concerning public security, defence, national security and criminal law, as well as the implementation of this legislation, the professional rules and security measures which are complied with in that country or by that international organisation, as well as effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred;
Amendment 768 #
Proposal for a regulation
Article 41 – paragraph 2 – point a a (new)
Article 41 – paragraph 2 – point a a (new)
(aa) The Commission shall request the European Data Protection Board to provide an opinion on the adequacy of the level of protection. To this end, the Commission shall provide the European Data Protection Board with all necessary documentation, including correspondence with the government of the third country or the international organisation;
Amendment 769 #
Proposal for a regulation
Article 41 – paragraph 3
Article 41 – paragraph 3
3. The Commission may decide that a third country, or a territory or a processing sector within that third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2, taking the opinion of the European Data Protection Board into utmost account. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
Amendment 770 #
Proposal for a regulation
Article 41 – paragraph 4 a (new)
Article 41 – paragraph 4 a (new)
(4a) The Commission shall, on an ongoing basis, monitor developments that could affect the fulfilment of the elements listed in paragraph 2 in third countries and international organisations concerning which a decision pursuant to paragraph 3 has been adopted.
Amendment 771 #
Proposal for a regulation
Article 41 – paragraph 4 b (new)
Article 41 – paragraph 4 b (new)
(4b) If the Commission has grounds to believe, either because of the monitoring pursuant to paragraph 4a or any other source, that a country or international organisation concerning which a decision pursuant to paragraph 3 has been adopted no longer provides an adequate level of protection within the meaning of paragraph 2, it shall review this decision.
Amendment 773 #
Proposal for a regulation
Article 41 – paragraph 6
Article 41 – paragraph 6
6. Where the Commission decides pursuant to paragraph 5, any transfer of personal data to the third country, or a territory or a processing sector within that third country, or the international organisation in question shall be prohibited, without prejudice to Articles 42 tounless it is subject to adequate safeguards pursuant to Articles 42 or falls under the derogations in Article 44. At the appropriate time, the Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation resulting from the Decision made pursuant to paragraph 5 of this Article.
Amendment 776 #
Proposal for a regulation
Article 42 – paragraph 1
Article 42 – paragraph 1
1. Where the Commission has taken no decision pursuant to Article 41, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument. These safeguards shall, at least, guarantee the observance of the principles of personal data processing as established in Article 5 and guarantee data subject rights as established in Chapter III.
Amendment 783 #
Proposal for a regulation
Article 42 – paragraph 3
Article 42 – paragraph 3
Amendment 785 #
Proposal for a regulation
Article 42 – paragraph 4
Article 42 – paragraph 4
4. Where a transfer is based on contractual clauses as referred to in point (d) of paragraph 2 of this Article tThe controller or processor shall obtain prior authorisation of the contractual clauses according to point (a) of Article 34(1) from the supervisory authority for transfers according to this Article. If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57.
Amendment 789 #
Proposal for a regulation
Article 42 – paragraph 5
Article 42 – paragraph 5
5. Where the appropriate safeguards with respect to the protection of personal data are not provided for in a legally binding instrument, the controller or processor shall obtain prior authorisation for the transfer, or a set of transfers, or for provisions to be inserted into administrative arrangements providing the basis for such transfer. Such authorisation by the supervisory authority shall be in accordance with point (a) of Article 34(1). If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57. Authorisations by a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid, until amended, replaced or repealed by that supervisory authority.
Amendment 792 #
Proposal for a regulation
Article 43 – paragraph 1 – point b
Article 43 – paragraph 1 – point b
(b) expressly confer enforceable rights on data subjects and are transparent for data subjects;
Amendment 794 #
Proposal for a regulation
Article 43 – paragraph 2 – point d
Article 43 – paragraph 2 – point d
(d) the general data protection principles, in particular purpose limitation, data minimisation, limited retention periods, data quality, legal basis for the processing, processing of sensitive personal data; measures to ensure data security; and the requirements for onward transfers to organisations which are not bound by the policies;
Amendment 795 #
Proposal for a regulation
Article 43 – paragraph 3
Article 43 – paragraph 3
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for binding corporate rules within the meaning of this Article, in particular as regards the criteria for their approval, including transparency for data subjects, the application of points (b), (d), (e) and (f) of paragraph 2 to binding corporate rules adhered to by processors and on further necessary requirements to ensure the protection of personal data of the data subjects concerned.
Amendment 797 #
Proposal for a regulation
Article 44 – paragraph 1 – point g
Article 44 – paragraph 1 – point g
(g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in Union or Member State law for consultation are fulfilled in the particular case; or and the controller or processor has obtained prior authorisation for the transfer or set of transfers by the supervisory authority in accordance with Article 34;
Amendment 798 #
Proposal for a regulation
Article 44 – paragraph 1 – point h
Article 44 – paragraph 1 – point h
Amendment 800 #
Proposal for a regulation
Article 44 – paragraph 3
Article 44 – paragraph 3
Amendment 801 #
Proposal for a regulation
Article 44 – paragraph 4
Article 44 – paragraph 4
4. Points (b), (c) and (hc) of paragraph 1 shall not apply to activities carried out by public authorities in the exercise of their public powers.
Amendment 802 #
Proposal for a regulation
Article 44 – paragraph 5
Article 44 – paragraph 5
5. The public interest referred to in point (d) of paragraph 1 must be recognised in Union law or in the law of the Member State to which the controller is subject. This derogation shall only be used for occasional transfers. In each and every case, a careful assessment of all circumstances of the transfer needs to be carried out.
Amendment 803 #
Proposal for a regulation
Article 44 – paragraph 6
Article 44 – paragraph 6
Amendment 804 #
Proposal for a regulation
Article 44 a (new)
Article 44 a (new)
Article 44 a Disclosures not authorised by Union law 1. No judgment of a court or tribunal and no decision of an administrative authority of a third country requiring a controller or processor to disclose personal data shall be recognised or be enforceable in any manner, without prejudice to a mutual assistance treaty or an international agreement in force between the requesting third country and the Union or a Member State. 2. Where a judgment of a court or tribunal or a decision of an administrative authority of a third country requests a controller or processor to disclose personal data, the controller or processor and, if any, the controller's representative, shall notify the supervisory authority of the request without undue delay and must obtain prior authorisation for the transfer by the supervisory authority in accordance with point (d) of Article 34(1). 3. The supervisory authority shall assess the compliance of the requested disclosure with the Regulation and in particular whether the disclosure is necessary and legally required in accordance with points (d) and (e) of paragraph 1 and paragraph 5 of Article 44. 4. The supervisory authority shall inform the competent national authority of the request. The controller or processor shall also inform the data subject of the request and of the authorisation by the supervisory authority. 5. The Commission may lay down the standard format of the notifications to the supervisory authority referred to in paragraph 2 and the information of the data subject referred to in paragraph 4 as well as the procedures applicable to the notification and information. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
Amendment 807 #
Proposal for a regulation
Article 48 – paragraph 1
Article 48 – paragraph 1
1. Member States shall provide that the members of the supervisory authority must be appointed either by the parliament or the government of the Member State concerned.
Amendment 813 #
Proposal for a regulation
Article 52 – paragraph 1 – point j a (new)
Article 52 – paragraph 1 – point j a (new)
(ja) develop guidelines on the use of enforcement powers, where necessary coordinated at the level of the European Data Protection Board.
Amendment 821 #
Proposal for a regulation
Article 56 – paragraph 2
Article 56 – paragraph 2
2. In cases where data subjects in several Member States are likely to be affected by processing operations, a supervisory authority of each of those Member States shall have the right to participate in the joint investigative tasks or joint operations, as appropriate. The competent supervisory authority shall invite the supervisory authority of each of those Member States to take part in the respective joint investigative tasks or joint operations and respond to the request of a supervisory authority to participate in the operations without delay.
Amendment 831 #
Proposal for a regulation
Article 58 – paragraph 2 – point f a (new)
Article 58 – paragraph 2 – point f a (new)
(fa) permits processing for research purposes in accordance with Article 81(3) and/or Article 83(3). permits processing for research purposes in accordance with Article 81(3) and/or Article 83(3).
Amendment 834 #
Proposal for a regulation
Article 58 – paragraph 6
Article 58 – paragraph 6
6. The chair of the European Data Protection Board shall immediatwithout undue delay electronically inform the members of the European Data Protection Board and the Commission of any relevant information which has been communicated to it, using a standardised format. The chair of the European Data Protection Board shall provide translations of relevant information, where necessary.
Amendment 836 #
Proposal for a regulation
Article 58 – paragraph 7
Article 58 – paragraph 7
7. The European Data Protection Board shall issue an opinion on the matter, if the European Data Protection Board so decides by simple majority of its members or any supervisory authority or the Commission so requests within one week after the relevant information has been provided according to paragraph 5. The opinion shall be adopted within onetwo months by simple majority of the members of the European Data Protection Board. The chair of the European Data Protection Board shall inform, without undue delay, the supervisory authority referred to, as the case may be, in paragraphs 1 and 3, the Commission and the supervisory authority competent under Article 51 of the opinion and make it public.
Amendment 839 #
Proposal for a regulation
Article 59 – paragraph 2
Article 59 – paragraph 2
2. Where the Commission has adopted an opinion in accordance with paragraph 1, the supervisory authority concerned shall take utmost account of the Commission's opinion and inform the Commission and the European Data Protection Board whether it intends to maintain or amend its draft measure.
Amendment 844 #
Proposal for a regulation
Article 62 – paragraph 1 – subparagraph 1 – point a
Article 62 – paragraph 1 – subparagraph 1 – point a
Amendment 846 #
Proposal for a regulation
Article 66 – paragraph 1 – point a
Article 66 – paragraph 1 – point a
(a) advise the CommissEuropean Institutions on any issue related to the protection of personal data in the Union, including on any proposed amendment of this Regulation;
Amendment 848 #
Proposal for a regulation
Article 66 – paragraph 1 – point e
Article 66 – paragraph 1 – point e
(e) promote the co-operation and the effective bilateral and multilateral exchange of information and practices between the supervisory authorities, including the coordination of joint operations and other common activities, where it so decides upon request of one or several supervisory authorities;
Amendment 853 #
Proposal for a regulation
Article 73 – paragraph 3
Article 73 – paragraph 3
3. Independently of a data subject's complaint, any body, organisation or association referred to in paragraph 2 shall have the right to lodge a complaint with a supervisory authority in any Member State, if it considers that a personal data breach has occurred or when it considers that a controller has breached its obligations under Article 23.
Amendment 856 #
Proposal for a regulation
Article 75 – paragraph 2
Article 75 – paragraph 2
2. Proceedings against a controller or a processor shall becan be whether brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought, or before the courts of the Member State where the data subject has its habitual residence, unless the controller is a public authority of a Member State acting in the exercise of its public powers.
Amendment 859 #
Proposal for a regulation
Article 76 – paragraph 1
Article 76 – paragraph 1
1. Any body, organisation or association referred to in Article 73(2) shall have the right to exercise the rights referred to in Articles 74, 75 and 757 on behalf of one or more data subjects.
Amendment 860 #
Proposal for a regulation
Article 77 – paragraph 1
Article 77 – paragraph 1
1. Any person who has suffered damagemonetary damage or non-monetary damages such as distress or time loss as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered.
Amendment 863 #
Proposal for a regulation
Article 77 – paragraph 2
Article 77 – paragraph 2
2. Where more than one controller or processor is involved in the processing, each controller or processor shall be jointly and severally liable for the entire amount of the damage. In the case of a group of undertakings, the entire group shall be liable as a single economic entity.
Amendment 876 #
Proposal for a regulation
Article 79 – paragraph 6 – introductory part
Article 79 – paragraph 6 – introductory part
6. The supervisory authority shall impose a fine up to 1 000 000 EUR or, in case of an enterprise up to 25 % of its annual worldwide turnover, to anyone who, intentionally or negligently:
Amendment 877 #
Proposal for a regulation
Article 80 – paragraph 1
Article 80 – paragraph 1
1. Member States shall provide for exemptions or derogations from the provisions on the general principles in Chapter II, the rights of the data subject in Chapter III, on controller and processor in Chapter IV, on the transfer of personal data to third countries and international organisations in Chapter V, the independent supervisory authorities in Chapter VI and on co-operation and consistency in Chapter VII for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expressionwhenever this is necessary in order to reconcile the right to the protection of personal data with the rules governing freedom of expression.
Amendment 879 #
Proposal for a regulation
Article 80 – paragraph 1 a (new)
Article 80 – paragraph 1 a (new)
(1a) The European Data Protection Board shall issue guidance on when such exemptions or derogations may be necessary, after consultation with representatives of the press, authors and artists, data subjects and relevant civil society organisations.
Amendment 880 #
Proposal for a regulation
Article 80 a (new)
Article 80 a (new)
Article 80 a Processing of personal data and the principle of public access to official documents Personal data in documents held by a public authority or a public body may be disclosed by this authority or body in accordance with Member State legislation regarding public access to official documents, which reconciles the right to the protection of personal data with the principle of public access to official documents.
Amendment 882 #
Proposal for a regulation
Article 81 – paragraph 1 – introductory part
Article 81 – paragraph 1 – introductory part
1. Within the limits ofout prejudice to this Regulation and in accordance with point (h) of Article 9(2), processing of personal data concerning health must be on the basis of Union law or Member State law which shall provide for suitable and specific measures to safeguard the data subject's legitimate interests, and be necessary for:
Amendment 891 #
Proposal for a regulation
Article 83 – paragraph 1 – introductory part
Article 83 – paragraph 1 – introductory part
1. Within the limits of this Regulation, personal data not falling within the categories of data covered by Articles 8 and 9 of the Regulation may be processed for historical, statistical or scientific research purposes only if:
Amendment 898 #
Proposal for a regulation
Article 83 – paragraph 1 – point a a (new)
Article 83 – paragraph 1 – point a a (new)
(aa) Subject only to the exception in paragraph (3), data falling within the categories of data covered by Articles 8 and 9 of the Regulation may be processed for historical, statistical or scientific research only with the consent of the data subjects, given in accordance with Article 4(8).
Amendment 900 #
Proposal for a regulation
Article 83 – paragraph 1 – point b a (new)
Article 83 – paragraph 1 – point b a (new)
(ba) Member States may by law provide for exceptions to the requirement of consent for research, stipulated in paragraph (2), with regard to research that serves exceptionally high public interests, if that research cannot possibly be carried out otherwise. The data in question shall be anonymised or pseudonymised to the highest possible standards, and all possible measures shall be taken to prevent re-identification of the data subjects. Such processing shall be subject to prior authorisation of the relevant national supervisory authority or authorities, in accordance with Article 34(1) of this Regulation, and to the Consistency Mechanism provided for in Chapter VII, Section 2, of this Regulation.
Amendment 904 #
Proposal for a regulation
Article 83 – paragraph 2 – introductory part
Article 83 – paragraph 2 – introductory part
2. Bodies conducting historical, statistical or scientific research may publish or otherwise publicly disclose personal data only if:with the consent of the data subjects, given in accordance with Article 4(8).
Amendment 908 #
Proposal for a regulation
Article 83 a (new)
Article 83 a (new)
Amendment 909 #
Proposal for a regulation
Article 84 – paragraph 1
Article 84 – paragraph 1
1. Within the limits ofout prejudice to this Regulation, Member States may adopt specific rules to set out the investigative powers by the supervisory authorities laid down in Article 53(2) in relation to controllers or processors that are subjects under national law or rules established by national competent bodies to an obligation of professional secrecy or other equivalent obligations of secrecy, where this is necessary and proportionate to reconcile the right of the protection of personal data with the obligation of secrecy. These rules shall only apply with regard to personal data which the controller or processor has received from or has obtained in an activity covered by this obligation of secrecy.
Amendment 912 #
Proposal for a regulation
Article 85 – paragraph 2
Article 85 – paragraph 2
2. Churches and religious associations which apply comprehensive rules in accordance with paragraph 1 shall provide for the establishment ofbe subject to supervision by an independent supervisory authority in accordance with Chapter VI of this Regulation.