Activities of Josef WEIDENHOLZER related to 2012/0011(COD)
Plenary speeches (1)
Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate) DE
Amendments (136)
Amendment 170 #
Proposal for a regulation
Article 4 – paragraph 1 – point 3 a (new)
Article 4 – paragraph 1 – point 3 a (new)
(3a) ‘profiling’ means any form of automated processing intended to evaluate certain personal aspects relating to the natural person or to analyse or predict this natural person's performance at work, economic situation, place of residence, health, personal preferences, behaviour, etc.
Amendment 218 #
Proposal for a regulation
Article 8 – paragraph 1
Article 8 – paragraph 1
1. For the purposes of this Regulation, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodian. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology.
Amendment 222 #
Proposal for a regulation
Article 8 – paragraph 3
Article 8 – paragraph 3
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the methods to obtain verifiable consent referred to in paragraph 1. In doing so, the Commission shall consider specific measures for micro, small and medium- sized enterprises.
Amendment 282 #
Proposal for a regulation
Article 18 – paragraph 1
Article 18 – paragraph 1
1. The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject.
Amendment 287 #
Proposal for a regulation
Article 19 – paragraph 2
Article 19 – paragraph 2
2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object free of charge to the processing of their personal data for such marketing. This right shall be explicitly offered to the data subject in an intelligible mannerin a manner intelligible to the data subject and shall be clearly distinguishable from other information.
Amendment 300 #
Proposal for a regulation
Article 20 – paragraph 2 – point a
Article 20 – paragraph 2 – point a
a) is carried out in the course of the entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the right to obtain human intervention, and the right to information on the structure and architecture of the system used and the implications of profiling; or
Amendment 312 #
Proposal for a regulation
Article 20 – paragraph 3 a (new)
Article 20 – paragraph 3 a (new)
3a. Profiling ‘whether intentional or not’ shall be prohibited if the data collected could lead to discrimination against individuals and affect sensitive personal areas – such as information and data on gender, provenance, political and religious beliefs, membership of parties and clubs, sexual orientation, etc.
Amendment 319 #
Proposal for a regulation
Article 20 – paragraph 5
Article 20 – paragraph 5
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for suitable measures to safeguard the data subject's legitimate interests referred to in paragraph 2. In doing so, the Commission should above all work closely with representatives from data protection organisations.
Amendment 353 #
Proposal for a regulation
Recital 3
Recital 3
(3) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data seeks to harmonise the protection of fundamental rights and freedoms of natural persons in respect of processing activities and to guarantee the free flowcrossborder exchange of personal data between Member States.
Amendment 369 #
Proposal for a regulation
Recital 15
Recital 15
(15) This Regulation should not apply to processing of personal data by a natural person, which are exclusively personal or domestic, such as correspondence and the holding of addresses, and without any gainful controllers or processors who are a natural person, when the processing of data is done for purely personal or family matters that have been disclosed to them by the data subject himself or that they have received in a lawful manner. The exemption should not apply where the processing of personal data is done in pursuit of a professional or commercial objective. Also, the nature of the personal data processed and whether it is available to a indefiniterest and thus without any connection with a number of persons should be taken into account in determining whether the profcessional or commercial activityng falls within the exemption. The exemption should also not apply to controllers or processors which provide the means for processing personal data for such personal or domestic activities.
Amendment 372 #
Proposal for a regulation
Recital 17
Recital 17
(17) This Regulation should be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive 2000/31/EC.
Amendment 388 #
Proposal for a regulation
Article 35 – paragraph 1 – introductory part
Article 35 – paragraph 1 – introductory part
1. The controller and the processor shall involve the respective works council in designateing a data protection officer in any case where:
Amendment 390 #
Proposal for a regulation
Article 35 – paragraph 1 – point b
Article 35 – paragraph 1 – point b
Amendment 391 #
Proposal for a regulation
Article 35 – paragraph 5
Article 35 – paragraph 5
5. The controller or processor shall designate the data protection officer on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil the tasks referred to in Article 37. The necessary level of expert knowledge shall be determined in particular according to the data processing carried out and the protection required for the personal data processed by the controller or the processor. The data protection officer must be given sufficient time and resources to carry out these tasks.
Amendment 394 #
Proposal for a regulation
Article 35 – paragraph 7
Article 35 – paragraph 7
7. The controller or the processor shall designate a data protection officer for a period of at least two years. The data protection officer may be reappointed for further terms. During and after their term of office, the data protection officer may only be dismissed, if the data protection officer no longer fulfils the conditions required for the performance of their duties. A higher level of protection against dismissal must apply for the data protection officer.
Amendment 404 #
Proposal for a regulation
Recital 24
Recital 24
(24) When using online services, individuals and households may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses or cookie identifiers. This may leave traces which, combined with unique identifiers and other information received by the servers, may be used to create profiles of the individuals and identify them. It follows that Reidentification numbers, location data, online identifierof personal data, for instance by using retained online traces for other specific factors as such need not necessarily be considered as personal data in all circumstances creation of profiles of the individuals, breaches of pseudonym and identification of the data subjects should be forbidden.
Amendment 430 #
Proposal for a regulation
Recital 29 a (new)
Recital 29 a (new)
(29a) Within the limits of this regulation Member States should ensure that children can always have access to preventive and counselling services of the information society such as online counselling on sexual abuse, problems related to drug abuse or other psychological problems without needing the consent of their parent or legal custodian.
Amendment 431 #
Proposal for a regulation
Recital 29 a (new)
Recital 29 a (new)
(29a) Workers’ personal data, especially sensitive data such as political orientation and membership of and activities in trade unions, must be protected in accordance with Articles 8, 12 and 28 of the Charter of Fundamental Rights of the European Union and Articles 8 and 11 of the European Convention on Human Rights, and may under no circumstances be used to put workers on so-called ‘blacklists’ to be passed on to other enterprises with the aim of discriminating against particular workers.
Amendment 436 #
Proposal for a regulation
Recital 31
Recital 31
(31) In order for processing to be lawful, personal data should be processed on the basis of the consent of the person concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation. In case of a child or a person lacking legal capacity, the consent should be given by the data subject’s legal representative.
Amendment 437 #
Proposal for a regulation
Recital 32
Recital 32
(32) Where processing is based on the data subject’s consent, the controller should have the burden of proving that the data subject has given the consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware that and to what extent consent is given. Similar to civil law terms (Directive 93/13/EEC) written declarations (privacy policies) should be as clear and transparent as possible given the form of processing. They should not contain hidden or disadvantageous clauses, such as the right to forward personal data to other controllers or secondary use of personal data. To encourage controllers to provide proper information, partly illegal clauses should be fully void.
Amendment 448 #
Proposal for a regulation
Recital 34
Recital 34
(34) Consent should not provide a valid legal ground for the processing of personal data, where there is a clear imbalance between the data subject and the controller. This is especially the case where the data subject is in a situation of dependence from the controller, among others, where personal data are processed by the employer of employees' personal data in the employment context. Where the controller is a public authority, there would beis an imbalance only in the specific data processing operations where the public authority can impose an obligation by virtue of its relevant public powers and the consent cannot be deemed as freely given, taking into account the interest of the data subject.
Amendment 563 #
Proposal for a regulation
Recital 75
Recital 75
(75) Where the processing is carried out in the public sector or where, in the private sector, processing is carried out by a large enterprisen enterprise which has at least 50 staff or which processes the data of at least 250 data subjects, or where its core activities, regardless of the size of the enterprise, involve processing operations which require regular and systematic monitoring, a person should assist the controller or processor to monitor internal compliance with this Regulation. Such data protection officers, whether or not an employee of the controller, should be in a position to perform their duties and tasks independently. In order to ensure the independence of data protection officers, they should enjoy special protection against dismissal and discrimination in the performance of their duties, which should be comparable with national provisions on the protection of employees’ representatives. They should be appointed only with the consent of the representatives of the business's employees. In addition, data protection officers should have opportunities for further training and in-service training at the expense of the controller or of the contracted processor.
Amendment 569 #
Proposal for a regulation
Recital 76
Recital 76
(76) Associations or other bodies representing categories of controllers should be encouraged, with the consent of the representatives of the business's employees, to draw up codes of conduct, within the limits of this Regulation, so as to facilitate the effective application of this Regulation, taking account of the specific characteristics of the processing carried out in certain sectors.
Amendment 612 #
Proposal for a regulation
Recital 112
Recital 112
(112) Any body, organisation or association which aims to protects the rights and interests of data subjects in relation to the protection of their data and is constituted according to the law of a Member State should have the right to lodge a complaint with a supervisory authority or exercise the right to a judicial remedy on behalf of data subjects, or to lodge, independently(...) or to lodge, independently of a data subject’s complaint, an own complaint where it considers that a violation of this regulation has occurred. The Commission should promote collective enforcement of the rights of a data subject’s complaint, an own complaint where it considers that a personal data breach hand as far as feasible within its budget provide funding for such bodies, organisations or as soccurrediations.
Amendment 625 #
Proposal for a regulation
Recital 121
Recital 121
(121) TWhe processing of personal data solely for journalistic purposes, or for the purposes of artistic or liternever necessary, expression should qualify for exempemptions or derogations from the requirements of certain provisions of this Regulation for the processing of personal data should be possible in order to reconcile the right to the protection of personal data with the right to freedom of expression, and notably the right to receive and impart information, as guaranteed in particular by Article 11 of the Charter of Fundamental Rights of the European Union. This should apply in particular to processing of personal data in the audiovisual field and in news archives and press libraries. In accordance with the Protocol on the system of public broadcasting in the Member States annexed Treaty on European Union, the Treaties establishing the European Communities and certain related acts, the competence of Member States to define and organize Public Service Broadcasting shall also be respected in the field of data protection. Therefore, Member States should adopt legislative measures, which should lay down exemptions and derogations which are necessary for the purpose of balancing these fundamental rights. Such exemptions and derogations should be adopted by the Member States on general principles, on the rights of the data subject, on controller and processor, on the transfer of data to third countries or international organisations, on the independent supervisory authorities and on co-operation and consistency. This should not, however, lead Member States to lay down exemptions from the other provisions of this Regulation. In order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary to interpret notions relating to that freedom, such as journalism, broadly. Therefore, Member States should classify activities as ‘journalistic’ for the purpose of the exemptions and derogations to be laid down under this Regulation if the object of these activities is the disclosure to the public of information, opinions or ideas, irrespective of the medium which is used to transmit them. They should not be limited to media undertakings and may be undertaken for profit-making or for non- profit making purposes.
Amendment 635 #
Proposal for a regulation
Recital 124
Recital 124
(124) The general principles on the protection of individuals with regard to the processing of personal data should also be applicable to the employment context. Therefore, in orderMember States should be able to regulate the processing of employees’ personal data in the employment context, Member States should be able, within the limits of this Regulation, to adopt by law specific rules for in accordance with the rules and minimum standards set out in this Regulation. Where a statutory basis is provided in the Member State in question for the regulation of employment matters by agreement between employee representatives and the management of the undertaking or the controlling undertaking of a group of undertakings (collective agreement) or under Directive 2009/38/EC of the European Parliament and of the Council of 6 May 2009 on the establishment of a European Works Council or a procedure in Community- scale undertakings and Community-scale groups of undertakings for the purposes of informing and consulting employees, the processing of personal data in thean employment sector. context should also be regulated by such an agreement, if the rules and minimum standards set out in this Regulation are not undercut.
Amendment 648 #
Proposal for a regulation
Recital 128
Recital 128
Amendment 669 #
Proposal for a regulation
Article 2 – paragraph 2 – point b
Article 2 – paragraph 2 – point b
Amendment 677 #
Proposal for a regulation
Article 2 – paragraph 2 – point d
Article 2 – paragraph 2 – point d
(d) by a natural person without any gainful interest in the course of its own exclusively personal or household activityrivate or household activities unless personal data is published. Further processing of such personal data for other purposes must be based on the data subjects’ consent. The exemption should not apply where the processing of personal data is done in pursuit of a professional or commercial objective. The rights of third parties have especially to be taken into account with usage of sensible data;
Amendment 719 #
Proposal for a regulation
Article 4 – paragraph 1 – point 1
Article 4 – paragraph 1 – point 1
(1) ‘data subject’ means an identified natural person or a natural personindividual or household or an individual who can be identified or singled out, directly or indirectly, by means reasonably likelypossible to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person or household;
Amendment 759 #
Proposal for a regulation
Article 4 – paragraph 1 – point 8
Article 4 – paragraph 1 – point 8
(8) ‘the data subject’s consent’ means any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed- prior declaration of will (‘voluntatis declaratio’) - by which the data subject signifies his or her specific, informed and unambiguous agreement to the processing of personal data;
Amendment 799 #
Proposal for a regulation
Article 4 – paragraph 1 – point 18
Article 4 – paragraph 1 – point 18
(18) ‘childminors’ means any person below the age of 18 years;
Amendment 853 #
Proposal for a regulation
Article 6 – paragraph 1 – point a
Article 6 – paragraph 1 – point a
(a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
Amendment 875 #
Proposal for a regulation
Article 6 – paragraph 1 – point f
Article 6 – paragraph 1 – point f
(f) points (a) to (e) do not apply, but processing is necessary for the purposes of thepredominant legitimate interests pursued by a controller, except where such and these interests are overridden bying the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
Amendment 906 #
Proposal for a regulation
Article 6 – paragraph 1 a (new)
Article 6 – paragraph 1 a (new)
Amendment 910 #
Proposal for a regulation
Article 6 – paragraph 1 b (new)
Article 6 – paragraph 1 b (new)
1b. Predominant legitimate interests which are overriding the interests of data subjects as referred to in point (f) of paragraph 1 are generally not: (a) the assessment of creditworthiness; (b) direct marketing; (c) processing for the sole purpose of additional financial gain within a contractual relationship; (d) processing that cannot be reasonably expected by the data subject or is significantly disadvantageous.
Amendment 917 #
Proposal for a regulation
Article 6 – paragraph 2
Article 6 – paragraph 2
Amendment 924 #
Proposal for a regulation
Article 6 – paragraph 3 – subparagraph 1 – introductory part
Article 6 – paragraph 3 – subparagraph 1 – introductory part
3. The basis of the processing referred to in points (c) and (e) of paragraph 1 and point (g) of Article 9(2), must be provided for in:
Amendment 925 #
Proposal for a regulation
Article 6 – paragraph 3 – subparagraph 1 – point b
Article 6 – paragraph 3 – subparagraph 1 – point b
(b) the law of the Member State, including collective employment agreements, to which the controller is subject.
Amendment 937 #
Proposal for a regulation
Article 6 – paragraph 3 – subparagraph 2
Article 6 – paragraph 3 – subparagraph 2
Amendment 941 #
Proposal for a regulation
Article 6 – paragraph 4
Article 6 – paragraph 4
Amendment 962 #
Proposal for a regulation
Article 6 – paragraph 5
Article 6 – paragraph 5
Amendment 972 #
Proposal for a regulation
Article 7 – paragraph 2
Article 7 – paragraph 2
2. If the data subject's consent is to be given in the context of a written declaration which also concerns another matter, the requirement to give consent musgiven through consent to a written declaration by the controller such declarations must: (a) use as plain, short and transparent language as reasonably possible and be well-structured; (b) not contain clauses that cannot be presented distinguishable in its appearance from this other matterasonably expected or are significantly disadvantageous; and (c) be interpreted in favour of the data subject if unclear or contradictory. Clauses which are partly in violation of this regulation are fully void.
Amendment 975 #
Proposal for a regulation
Article 7 – paragraph 2 a (new)
Article 7 – paragraph 2 a (new)
2a. The consent shall be reaffirmed after two years, failing which it shall expire.
Amendment 1003 #
Proposal for a regulation
Article 7 a (new)
Article 7 a (new)
Article 7a Service providers shall not make their offer dependent to the consent for data processing that is not necessary for the service provided.
Amendment 1009 #
Proposal for a regulation
Article 8 – paragraph 1
Article 8 – paragraph 1
1. For the purposes of this Regulation, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 136 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodianlegal representative. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology. The methods to obtain verifiable consent shall not lead to the further processing of personal data which would otherwise not be necessary.
Amendment 1021 #
Proposal for a regulation
Article 8 – paragraph 2 a (new)
Article 8 – paragraph 2 a (new)
2a. Paragraph 1 shall not apply where the information society services offered directly to a child are solely preventive or counselling services for young people in difficult situations.
Amendment 1028 #
Proposal for a regulation
Article 8 – paragraph 3
Article 8 – paragraph 3
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the methods to obtain verifiable consent referred to in paragraph 1. In doing so, the Commission shall consider specific measures for micro, small and medium- sized enterprises.
Amendment 1044 #
Proposal for a regulation
Article 9 – paragraph 1
Article 9 – paragraph 1
1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membershipmembership of or activity in a trade union, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures shall be prohibited.
Amendment 1054 #
Proposal for a regulation
Article 9 – paragraph 2 – point b
Article 9 – paragraph 2 – point b
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law, including collective wage agreements, in so far as it is authorised by Union law or Member State law providing for adequate safeguards;
Amendment 1108 #
Proposal for a regulation
Article 11 – paragraph 1
Article 11 – paragraph 1
1. The controller shall have transparentplain, short, transparent, well-structured and easily accessible policies with regard to the processing of personal data and for the exercise of data subjects‘' rights.
Amendment 1132 #
Proposal for a regulation
Article 12 – paragraph 2
Article 12 – paragraph 2
2. The controller shall inform the data subject without delay and, at the latest within one month of receipt of the request, whether or not any action has been taken pursuant to Article 13 and Articles 15 to 19 and shall provide the requested information. This period may be prolonged for a further month, if several data subjects exercise their rights and their cooperation is necessary to a reasonable extent to prevent an unnecessary and disproportionate effort on the part of the controller. The information shall be givenprovided in writing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise or in electronic form, however requested by the data subject.
Amendment 1136 #
Proposal for a regulation
Article 12 – paragraph 3
Article 12 – paragraph 3
3. If the controller refuses to take action on the request of the data subject, the controller shall inform the data subject of the reasons for the refusal, all facts which lead to the refusal and on the possibilities of lodging a complaint to the supervisory authority and seeking a judicial remedy.
Amendment 1143 #
Proposal for a regulation
Article 12 – paragraph 4
Article 12 – paragraph 4
4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge. Where requests are manifestly excessive, in particular because of their repetitive character, the controller may charge a fee for providing the information or taking the action requested, or the controller may not take the action requested. In that case, the controller shall bear the burden of proving the manifestly excessive character of the request.
Amendment 1163 #
Proposal for a regulation
Article 12 – paragraph 6
Article 12 – paragraph 6
6. The Commission may lay down standard forms and specifying standard procedures for the communication referred to in paragraph 2, including the electronic format. In doing so, the Commission shall take the appropriate measures for micro, small and medium-sized enterprises. Those implementing acts shall be adopted after adopting an opinion of the European Data Protection Board, in accordance with the examination procedure referred to in Article 87(2). If the Commission invokes its prerogatives under Article 10 of Regulation 2012/1025 it shall ensure adequate representation of micro, small and medium sized enterprises, consumer groups and agreement of the European Data Protection Board with the use of these industry standards for the purposes of this Regulation.
Amendment 1186 #
Proposal for a regulation
Article 14 – paragraph 1 – point b
Article 14 – paragraph 1 – point b
(b) the purposes of the processing for which theeach category of personal data are intended, including the contract terms and general conditions where the processing is based on point (b) of Article 6(1) and the predominant legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);
Amendment 1197 #
Proposal for a regulation
Article 14 – paragraph 1 – point c
Article 14 – paragraph 1 – point c
(c) the period for which theeach category of personal data will be stored;
Amendment 1207 #
Proposal for a regulation
Article 14 – paragraph 1 – point f
Article 14 – paragraph 1 – point f
(f) the recipients or categories of recipients of theeach category of personal data;
Amendment 1230 #
Proposal for a regulation
Article 14 – paragraph 3
Article 14 – paragraph 3
3. Where the personal data are not collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, from which source theeach category of personal data originate.
Amendment 1234 #
Proposal for a regulation
Article 14 – paragraph 4 – introductory part
Article 14 – paragraph 4 – introductory part
4. The controller shall provide the information referred to in paragraphs 1, 2 and 3 in tangible form:
Amendment 1236 #
Proposal for a regulation
Article 14 – paragraph 4 – point a a (new)
Article 14 – paragraph 4 – point a a (new)
(aa) After a request by a data subject or a body, organization or association referred to in Article 73(2);
Amendment 1247 #
Proposal for a regulation
Article 14 – paragraph 5 – point b
Article 14 – paragraph 5 – point b
(b) the data are not collected from the data subject and the provision of such information proves impossible or would involve a disproportionate effort and the controller has published the information for anyone to retrieve; or
Amendment 1252 #
Proposal for a regulation
Article 14 – paragraph 5 – point d
Article 14 – paragraph 5 – point d
(d) the data are not collected from the data subject and the provision of such information will impair the rights and freedoms of others, as defined in Union law or Member State law in accordance with Article 21.
Amendment 1259 #
Proposal for a regulation
Article 14 – paragraph 5 – point d a (new)
Article 14 – paragraph 5 – point d a (new)
(da) the data are collected by a natural person bound by professional or other equivalent secrecy obligations in the pursuit of their professional activities; or
Amendment 1265 #
Proposal for a regulation
Article 14 – paragraph 5 – point d b (new)
Article 14 – paragraph 5 – point d b (new)
(db) the right to media freedom requires the protection of information sources.
Amendment 1278 #
Proposal for a regulation
Article 14 – paragraph 7
Article 14 – paragraph 7
Amendment 1298 #
Proposal for a regulation
Article 15 – paragraph 1 a (new)
Article 15 – paragraph 1 a (new)
1a. There shall be no right to obtain information when the data was collected by a natural person bound by professional or other equivalent secrecy obligations in the pursuit of their professional activities.
Amendment 1301 #
Proposal for a regulation
Article 15 – paragraph 1 – point a
Article 15 – paragraph 1 – point a
(a) the purposes of the processing for each category of personal data and the legal basis for the processing operation;
Amendment 1302 #
Proposal for a regulation
Article 15 – paragraph 1 – point b
Article 15 – paragraph 1 – point b
(b) theeach categories of personal data concerned;
Amendment 1305 #
Proposal for a regulation
Article 15 – paragraph 1 – point c
Article 15 – paragraph 1 – point c
(c) the recipients orif known the individual recipients otherwise the categories of recipients to whom the personal data are to be or have been disclosed, in particular to recipients in third countries;
Amendment 1310 #
Proposal for a regulation
Article 15 – paragraph 1 – point d
Article 15 – paragraph 1 – point d
(d) the period for which theeach category of personal data will be stored;
Amendment 1334 #
Proposal for a regulation
Article 15 – paragraph 2
Article 15 – paragraph 2
2. The data subject shall have the right to obtain from the controller communicationa full copy of theall personal data undergoing processing. Where the data subject makes the request in electronic form, t and all relating data (e.g. meta data) as it is kept by the controller. The information and all data shall be provided in writing or in electronic form, unless otherwise requested by the data subject.
Amendment 1355 #
Proposal for a regulation
Article 15 – paragraph 3
Article 15 – paragraph 3
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the communication to the data subject of the content of the personal data referred to in point (g) of paragraph 1first access request in each year shall be free of charge; a controller may charge a fee of 20 EUR for the response to additional access request, unless it was later found that the data was used illegally. The controller may charge its own cost for repetitive requests which are manifestly abusive.
Amendment 1367 #
Proposal for a regulation
Article 15 – paragraph 4
Article 15 – paragraph 4
4. The Commission may specify standard forms and procedures for requesting and granting access to the information referred to in paragraph 1, including procedures for verification of the identity of the data subject and communicating the personal data to the data subject, taking into account the specific features and necessities of various sectors and data processing situations. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
Amendment 1418 #
Proposal for a regulation
Article 17 – paragraph 2
Article 17 – paragraph 2
2. Where the controller referred to in paragraph 1 has made the personal data public or transferred such data to known recipients, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication.
Amendment 1485 #
Proposal for a regulation
Article 17 – paragraph 9 – point a
Article 17 – paragraph 9 – point a
(a) the criteria and requirements for theonditions for deleting links, copies or applications of paragraph 1 for specific sectors and in specific data processing situationsersonal data from publicly available communication services as referred to in paragraph 2;
Amendment 1486 #
Proposal for a regulation
Article 17 – paragraph 9 – point b
Article 17 – paragraph 9 – point b
(b) the criteria and conditions for deleting links, copies or replications of personal data from publicly available communication services asrestricting the processing of personal data referred to in paragraph 24;
Amendment 1487 #
Proposal for a regulation
Article 17 – paragraph 9 – point c
Article 17 – paragraph 9 – point c
Amendment 1502 #
Proposal for a regulation
Article 18 – paragraph 1
Article 18 – paragraph 1
1. The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject.
Amendment 1530 #
Proposal for a regulation
Article 19 – paragraph 1
Article 19 – paragraph 1
1. The data subject shall have the right to object, on grounds relating to their particular situation, at any time to the processing of personal data which is based on points (d), (e) and (f) of Article 6(1), unless the controller demonstrates compelling legitimate grounds for the processing which override the interests or fundamental rights and freedoms of the data subject.
Amendment 1536 #
Proposal for a regulation
Article 19 – paragraph 2
Article 19 – paragraph 2
2. WhereProcessing of personal data are processed for direct marketing purposes, the data subject shall have the right to object free of charge to the processing of their personal data for such marketing shall require the explicit consent of the data subject. The data shall not be given to third parties. A withdrawal of consent shall be possible at all times and free of charge. This right shall be explicitly offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information.
Amendment 1552 #
Proposal for a regulation
Article 20 – paragraph 1
Article 20 – paragraph 1
1. Every natural person shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significrelevantly affects this natural person, and which is based solelyprimarily based on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.
Amendment 1582 #
Proposal for a regulation
Article 20 – paragraph 2 – point c
Article 20 – paragraph 2 – point c
(c) is based on the data subject's consent, subject to the conditions laid down in Article 7 and to suitable safeguards. The controller has to implement effective protection against possible discrimination resulting from measures described in paragraph 1. Such measures must be based on scientifically recognized mathematic-statistical procedures.
Amendment 1599 #
Proposal for a regulation
Article 20 – paragraph 3
Article 20 – paragraph 3
3. Automated processing of personal data intended to evaluate certain personal aspects relating to a natural person shall not be based soleprimarily on the special categories of personal data referred to in Article 9.
Amendment 1611 #
Proposal for a regulation
Article 20 – paragraph 4
Article 20 – paragraph 4
4. In the cases referred to in paragraph 2, the information to be provided by the controller under Article 14 shall include information as to the existence of processing for a measure of the kind referred to in paragraph 1, meaningful information about the logic used and the envisaged effects of such processing on the data subject.
Amendment 1618 #
Proposal for a regulation
Article 20 – paragraph 5 a (new)
Article 20 – paragraph 5 a (new)
5a. In case of a child, profiling shall never be allowed, regardless of a possible consent given by the child's parent or legal representative.
Amendment 1623 #
Proposal for a regulation
Article 21 – paragraph 1 – introductory part
Article 21 – paragraph 1 – introductory part
1. Union or Member State law may restrict by way of a legislative measure the scope of the obligations and rights provided for in points (a) to (e) of Article 5 and Articles 11 to 20 and Article 32, when such a restriction constitutes a necessary and proportionate measure in a democratic society to safeguard:
Amendment 1638 #
Proposal for a regulation
Article 21 – paragraph 1 – point d
Article 21 – paragraph 1 – point d
Amendment 1640 #
Proposal for a regulation
Article 21 – paragraph 1 – point e
Article 21 – paragraph 1 – point e
Amendment 1642 #
Proposal for a regulation
Article 21 – paragraph 1 – point f
Article 21 – paragraph 1 – point f
Amendment 1731 #
Proposal for a regulation
Article 23 – paragraph 2 a (new)
Article 23 – paragraph 2 a (new)
2a. Products and services which are distributed in the EEA and inherently used to also process personal data shall be designed to enable controllers and processors, including controllers and processors which fall under Article 2(2)(d), to use them in compliance with this regulation. Products and services which are especially customized for distribution in the EEA shall additionally be set to default settings in compliance with paragraph 2, if reasonable possible. This duty applies to manufacturers of finished products and providers of services. Any person who, by putting his name, trade mark or other distinguishing feature on the product or service presents himself as its manufacturer, shall be deemed to be the manufacturer. If the manufacture cannot be determined or held accountable, this duty also applies to the person who imported products into the EEA for distribution in the course of his business or distributes such services in the EEA.
Amendment 1765 #
Proposal for a regulation
Article 25 – paragraph 2 – point b
Article 25 – paragraph 2 – point b
(b) an enterprise employing fewer than 250 persons or processing the data of fewer than 250 data subjects; or
Amendment 2152 #
Proposal for a regulation
Article 35 – paragraph 1 – introductory part
Article 35 – paragraph 1 – introductory part
1. The controller and the processor shall designate at least one data protection officer after obtaining the approval of the representatives of the business's employees in any case where:
Amendment 2172 #
Proposal for a regulation
Article 35 – paragraph 1 – point b
Article 35 – paragraph 1 – point b
(b) the processing is carried out by an enterprise employing 250 persons or more;
Amendment 2175 #
Proposal for a regulation
Article 35 – paragraph 1 – point b a (new)
Article 35 – paragraph 1 – point b a (new)
(ba) the collection and processing of data relate to at least 250 data subjects per year;
Amendment 2195 #
Proposal for a regulation
Article 35 – paragraph 2
Article 35 – paragraph 2
2. In the case referred to in point (b) of paragraph 1, a group of undertakings may appoint a singlchief data protection officer provided it is ensured that a data protection officer is easily accessible from each works location, and that there is at least one data protection officer per Member State.
Amendment 2213 #
Proposal for a regulation
Article 35 – paragraph 5
Article 35 – paragraph 5
5. The controller or processor shall, after obtaining the approval of the representatives of the business's employees, designate the data protection officer on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil the tasks referred to in Article 37. The necessary level of expert knowledge shall be determined in particular according to the data processing carried out and the protection required for the personal data processed by the controller or the processor. The controller or processor shall ensure that the data protection officer has the opportunity for further training and in-service training at their expense.
Amendment 2231 #
Proposal for a regulation
Article 35 – paragraph 7
Article 35 – paragraph 7
7. The controller or the processor shall, after obtaining the approval of the representatives of the business's employees, designate a data protection officer for a period of at least two years. The data protection officer may be reappointed for further terms. During their term of office, the data protection officer may only be dismissed, if the data protection officer no longer fulfils the conditions required for the performance of their duties. Notwithstanding the above, the data protection officer shall enjoy special protection against discrimination and dismissal, similar to the protection afforded to employees’ representatives under national law, and may not be disadvantaged for carrying out his duties.
Amendment 2237 #
Proposal for a regulation
Article 35 – paragraph 8
Article 35 – paragraph 8
8. The data protection officer may be employed by the controller or processor, or fulfil his or her tasks on the basis of a service contract.
Amendment 2267 #
Proposal for a regulation
Article 36 – paragraph 2
Article 36 – paragraph 2
2. The controller or processor shall ensure that the data protection officer performs the duties and tasks independently and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the management of the controller or the processor and to the representatives of the business's employees.
Amendment 2277 #
Proposal for a regulation
Article 36 – paragraph 3
Article 36 – paragraph 3
3. The controller or the processor shall support the data protection officer in performing the tasks and shall provide staff, premises, equipment, training and any other resources necessary to carry out the duties and tasks referred to in Article 37.
Amendment 2321 #
Proposal for a regulation
Article 37 – paragraph 1 – point h a (new)
Article 37 – paragraph 1 – point h a (new)
(ha) to inform and consult the representatives of the business's employees about employee data.
Amendment 2357 #
Proposal for a regulation
Article 39
Article 39
1. The Member States and the Commission shall encourage, in particular at European level, the establishment of data protection certification mechanisms and of data protection seals and marks, allowing data subjects to quickly assess the level of data protection provided by controllers and processors. The data protection certifications mechanisms shall contribute to the proper application of this Regulation, taking account of the specific features of the various sectors and different processing operations. 2. The Commission shall be emcontroller and the processor shall enrol in a certification system of an accredited control body in any case where: (a) an enterprise processing personal data relating to fewer than 500 data subjects per year, or processing special categories of personal data as referred to in Article 9 (1); or (b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects. Other controllers and processors as well as products and services can equally undergo certification. 2. The controller and the processor must undergo certification before the first processing of personal data, or when it first falls under paragraph 1 and must be subsequently recertified at least every year. They must inform data subjects about the certification. 3. Certificates must be acquired by an accredited control body at the main establishment of the controller, processor, producer or supplier, or in the member state in which the representative is situated. 3a. The control body shall have the investigative powered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the data protection certification mechanisms referred to in paragraph 1, including conditions for granting and withdrawal, and requirements for recognition within the Union and in third countriesobtain from the enrolled controller or the processor: (a) access to all personal data and to all information necessary for the performance of its duties; (b) full access to any of its premises, including to any data processing equipment and means. 3b. Certificates must reasonably assure that the controller, processor, service or product is in compliance with all aspects of this regulation. A product, service or processor used by the controller or processor must not be taken into account in the certification process if it is itself holding a valid certificate. 3c. Certificates may be found invalid by the competent authority or the control body if the controller, processor, product or service is found to be incompliant with this regulation. 3d. The Commission may lay down technical standards for certification mechanisms and data protection seals and marks and mechanisms to promote and recognize certification mechanisms and data protection seals and marks. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2). control body must inform the competent supervisory authority about acquired and revoked certificates in an electronic form. It must also inform the supervisory authority about any potential violation of this regulation is has found during the certification procedure. 3e. The Commission shall be empowered to adopt delegated acts after Consulting the European Data Protection Board and in accordance with Article 86, which define the exact frequency, control procedures and content of controls taking into account the different risks of processing operations, controllers, processors, products and services as well as the details of certificates.
Amendment 2379 #
Proposal for a regulation
Article 39 a (new)
Article 39 a (new)
Article 39a Accredited Control Body 1. Supervisory authorities shall accredit a control body only if there is proof that the control body: (a) has a sufficiently qualified and experienced staff; (b) has sufficient expertise, equipment, infrastructure and financial strength; (c) is impartial and free from any conflict of interests regarding its duties; and (d) has its main establishment in the Member State. 2. Supervisory authorities shall revoke accreditation if there are reasons to believe that the control body does not fulfil the criteria referred to in paragraph 1, especially if it has repeatedly violated obligations under this regulation. 3. Supervisory authorities shall permanently monitor accredited control bodies. Section 2 of Chapter IV shall apply correspondingly to control bodies. 4. The Commission shall be empowered to adopt delegated acts after Consulting the European Data Protection Board and in accordance with Article 86, which define the details of the accreditation process and minimal standards for control bodies.
Amendment 2380 #
Proposal for a regulation
Article 39 b (new)
Article 39 b (new)
Article 39b Register 1. Each supervisory authority shall establish a public electronic register in which all valid and invalid certificates which have been issued in the Member State can be viewed by the public. 2. Control bodies must be enabled to submit the necessary information electronic format. 3. The supervisory authority is responsible for rectifying and monitoring the register. 4. The Commission shall be empowered to adopt delegated acts after consulting the European Data Protection Board and in accordance with Article 86, which define the details of the operation of such registers and electronic formats which shall be used by control bodies.
Amendment 2381 #
Proposal for a regulation
Article 39 c (new)
Article 39 c (new)
Amendment 2417 #
Proposal for a regulation
Article 42 – paragraph 1
Article 42 – paragraph 1
1. Where the Commission has taken no decision pursuant to Article 41, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument. These appropriate safeguards shall: (a) guarantee the observance of the principles of personal data processing as established in Article 5; (b) guarantee data subject rights as established in Chapter III. A consultation of the responsible data protection authority in such cases is mandatory.
Amendment 2441 #
Proposal for a regulation
Article 42 – paragraph 3
Article 42 – paragraph 3
Amendment 2462 #
Proposal for a regulation
Article 42 – paragraph 5
Article 42 – paragraph 5
5. Where the appropriate safeguards with respect to the protection of personal data are not provided for in a legally binding instrument, the controller or processor shall obtain prior authorisation for the transfer, or a set of transfers, or for provisions to be inserted into administrative arrangements providing the basis for such transfer. Such authorisation by the supervisory authority shall be in accordance with point (a) of Article 34(1). If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57. Authorisations by a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid, until amended, replaced or repealed by that supervisory authority.
Amendment 2474 #
Proposal for a regulation
Article 43 – paragraph 1 – point b a (new)
Article 43 – paragraph 1 – point b a (new)
(ba) have been drawn up after consent has been given by the representatives of the firm’s employees and the data protection officer at the place where the branch of the firm is located;
Amendment 2529 #
Proposal for a regulation
Article 44 a (new)
Article 44 a (new)
Article 44a Disclosures not authorized by Union law 1. No judgment of a court or tribunal and no decision of an administrative authority of a third country requiring a controller or processor to disclose personal data shall be recognized or be enforceable in any manner, without prejudice to a mutual assistance treaty or an international agreement in force between the requesting third country and the Union or a Member State. 2. Where a judgment of a court or tribunal or a decision of an administrative authority of a third country requests a controller or processor to disclose personal data, the controller or processor and, if any, the controller's representative, shall notify the supervisory authority of the request without undue delay and must obtain prior authorisation for the transfer by the supervisory authority. 3. The supervisory authority shall assess the compliance of the requested disclosure with the Regulation and in particular whether the disclosure is necessary and legally required in accordance with Article 44(1)(d) and (e) and (5). 4. The supervisory authority shall inform the competent national authority of the request. The controller or processor shall also inform the data subject of the request and of the authorisation by the supervisory authority. 5. The Commission may lay down the standard format of the notifications to the supervisory authority referred to in paragraph 2 and the information of the data subject referred to in paragraph 4 as well as the procedures applicable to the notification and information. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).
Amendment 2553 #
Proposal for a regulation
Article 47 – paragraph 5
Article 47 – paragraph 5
5. Each Member State shall ensure that the supervisory authority is provided with the adequate human, technical and financial resources, premises and infrastructure necessary for the effective performance of its duties and powers, including those to be carried out in the context of mutual assistance, co-operation and participation in the European Data Protection Board. Member States shall ensure that the supervisory authorities are provided with at least one member for each 200 000 citizens or 100 members, whichever is less. At least one in five members must have a legal degree.
Amendment 2572 #
Proposal for a regulation
Article 49 a (new)
Article 49 a (new)
Article 49a The rules and procedures under which supervisory authorities are exercising their duties and powers in relation to data subjects, controllers and processors shall be in line with Article 6 ECHR.
Amendment 2631 #
Proposal for a regulation
Article 53 – paragraph 2 – subparagraph 1 – point b
Article 53 – paragraph 2 – subparagraph 1 – point b
(b) access to any of its premises, including to any data processing equipment and means, where there are reasonable grounds for presuming that an activity in violation of this Regulation is being carried out there.
Amendment 2782 #
Proposal for a regulation
Article 73 – paragraph 2
Article 73 – paragraph 2
2. Any body, organisation or association which aims to protect data subjects’ rights and interests concerning the protection of their personal data and has been properly constituted according to the law of a Member State, in particular employees’ representatives, shall have the right to lodge a complaint with a supervisory authority in any Member State on behalf of one or more data subjects if it considers that a data subject’s rights under this Regulation have been infringed as a result of the processing of personal data.
Amendment 2806 #
Proposal for a regulation
Article 74 – paragraph 5 a (new)
Article 74 – paragraph 5 a (new)
5a. Member States shall provide that no party of proceedings against the supervisory authority referred to in this Article is legally entitled to have its accrued costs compensated by any of the other parties, unless the claim is obviously frivolous.
Amendment 2821 #
Proposal for a regulation
Article 77 – paragraph 1
Article 77 – paragraph 1
1. Any person who has suffered damage as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered. It is in the responsibility of the processor to prove that the damage was not caused by him.
Amendment 2845 #
Proposal for a regulation
Article 79 – paragraph 6 a (new)
Article 79 – paragraph 6 a (new)
6a. The supervisory authority shall seize all profits from a controller or processor which directly result from an intentional or grossly negligent breach of this regulation.
Amendment 2889 #
Proposal for a regulation
Article 79 – paragraph 4
Article 79 – paragraph 4
4. The supervisory authority shall impose a fine up to 250 000 EUR, or in case of an enterprise up to 0,51 % of its annual worldwide turnover, whatever is higher to anyone who, intentionally or negligently: (a) does not provide the mechanisms for requests by data subjects or does not respond promptly or not in the required format to data subjects pursuant to infringes Articles 12(1) and (2); (b) charges a fee for the information or for responses to the requests of data subjects in violation of Article 12(4).
Amendment 2902 #
Proposal for a regulation
Article 79 – paragraph 5 – introductory part
Article 79 – paragraph 5 – introductory part
5. The supervisory authority shall impose a fine up to 500 000 EUR, or in case of an enterprise up to 12 % of its annual worldwide turnover whatever is higher,, to anyone who, intentionally or negligently: (a) does not provide the information, or does provide incomplete information, or does not provide the information in a sufficiently transparent manner, to the data subject pursuant to Article 11, Article 12(3) and Article 14; (b) does not provide access for the data subject or does not rectify personal data pursuant to Articles 15 and 16 or does not communicate the relevant information to a recipient pursuant to Article 13; (c) does not comply with the right to be forgotten or to erasure, or fails to put mechanisms in place to ensure that the time limits are observed or does not take all necessary steps to inform third parties that a data subjects requests to erase any links to, or copy or replication of the personal data pursuant Article 17; (d) does not provide a copy of the personal data in electronic format or hinders the data subject to transmit the personal data to another application in violation of Article 18; (e) does not or not sufficiently determine the respective responsibilities with co- controllers pursuant to Article 24; (f) does not or not sufficiently maintain the documentation pursuant to Article 28, Article 31(4), and Article 44(3); (g) does not comply, in cases where special categories of data are not involved, pursuant to Articles 80, 82 and 83 with rules in relation to freedom of expression or with rules on the processing in the employment context or with the conditions for processing for historical, statistical and scientific research purposes, infringes Articles 11, 12(3) and (4), 13, 14, 15, 16,17, 18, 24, 28, 31(4), 44(3), 80, 82, 83.
Amendment 2922 #
Proposal for a regulation
Article 79 – paragraph 6
Article 79 – paragraph 6
6. The supervisory authority shall impose a fine up tothat shall not exceed 1 000 000 EUR or, in case of an enterprise up to 25 % of its annual worldwide turnover, to anyone who, intentionally or negligently: (a) processes personal data without any or sufficient legal basis for the processing or does not comply with the conditions for consent pursuant to Articles 6, 7 and 8; (b) processes special categories of data in violation of Articles 9 and 81; (c) does not comply with an objection or the requirement pursuant to Article 19; (d) does not comply with the conditions in relation to measures based on profiling pursuant to Article 20; (e) does not adopt internal policies or does not implement appropriate measures for ensuring and demonstrating compliance pursuant to Articles 22, 23 and 30; (f) does not designate a representative pursuant to Article 25; (g) processes or instructs the processing of personal data in violation of the obligations in relation to processing on behalf of a controller pursuant to Articles 26 and 27; (h) does not alert on or notify a personal data breach or does not timely or completely notify the data breach to the supervisory authority or to the data subject pursuant to Articles 31 and 32; (i) does not carry out a data protection impact assessment pursuant or processes personal data without prior authorisation or prior consultation of the supervisory authority pursuant to Articles 33 and 34; (j) does not designate a data protection officer or does not ensure the conditions for fulfilling the tasks pursuant to Articles 35, 36 and 37; (k) misuses a data protection seal or mark in the meaning of Article 39; (l) carries out or instructs a data transfer to a third country or an international organisation that is not allowed by an adequacy decision or by appropriate safeguards or by a derogation pursuant to Articles 40 to 44; (m) does not comply with an order or a temporary or definite ban on processing or the suspension of data flows by the supervisory authority pursuant to Article 53(1); (n) does not comply with the obligations to assist or respond or provide relevant information to, or access to premises by, the supervisory authority pursuant to Article 28(3), Article 29, Article 34(6) and Article 53(2); (o) does not comply with the rules for safeguarding professional secrecy pursuant to Article 84 whatever is higher, to anyone who intentionally or negligently infringes the provisions of this Regulation other than those referred to in paragraphs 4 and 5.
Amendment 2944 #
Proposal for a regulation
Article 79 – paragraph 7
Article 79 – paragraph 7
Amendment 2952 #
Proposal for a regulation
Article 80 – paragraph 1
Article 80 – paragraph 1
1. Member States shall provide for exemptions or derogations from the provisions on the general principles in Chapter II, the rights of the data subject in Chapter III, on controller and processor in Chapter IV, on the transfer of personal data to third countries and international organisations in Chapter V, the independent supervisory authorities in Chapter VI and on co-operation and consistency in Chapter VII forentireties of chapters Chapter II, Chapter III, Chapter IV, Chapter V, Chapter VI and Chapter VII in order to reconcile the right to the processingtection of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression in order to reconcile the right to the protection of personal data with the rules governing freedom of expressionwith the rules governing freedom of expression in accordance with the Charter of Fundamental Rights of the European Union and its referral to the ECHR.
Amendment 3006 #
Proposal for a regulation
Article 82 – paragraph 1
Article 82 – paragraph 1
1. Within the limits ofIn accordance with this Regulation, Member States may adopt by law – by enacting legal provisions – specific rules regulating the processing of employees' personal data in the employment context, in particular, but not exclusively, for the purposes of the recruitment and applications for posts within a group of undertakings, the performance of the contract of employment, including discharge of obligations laid down by law orand by collective agreements, company agreements and wage agreements, management, planning and organisation of work, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship. It shall not be permissible to provide a level of protection lower than that afforded by this regulation The right of the Member States to lay down protective provisions on the processing of personal data in the context of employment which are more favourable to employees shall be unaffected. Without prejudice to the other provisions of this regulation, the legal provisions of the Member States referred to in paragraph 1 shall at the minimum include the following minimum standards:
Amendment 3011 #
Proposal for a regulation
Article 82 – paragraph 1 a (new)
Article 82 – paragraph 1 a (new)
1a. Profiling in connection with employment shall not be permitted.
Amendment 3015 #
Proposal for a regulation
Article 82 – paragraph 1 b (new)
Article 82 – paragraph 1 b (new)
1b. Workers' personal data, especially sensitive data such as political orientation and membership of and activities in trade unions, may under no circumstances be used to put workers on so-called 'blacklists', and to vet or bar them from future employment. The processing, the use in the employment context, the drawing-up and passing-on of blacklists of employees shall be prohibited. Member States shall conduct checks and adopt adequate sanctions in accordance with Article 79(6) to ensure effective implementation of this paragraph.
Amendment 3018 #
Proposal for a regulation
Article 82 – paragraph 1 c (new)
Article 82 – paragraph 1 c (new)
1c. Surveillance to monitor the performance of employees shall be prohibited.
Amendment 3020 #
Proposal for a regulation
Article 82 – paragraph 1 d (new)
Article 82 – paragraph 1 d (new)
1d. Processing of data on employees without the employees’ knowledge shall not be permitted. The private and intimate life of employees shall always be respected.
Amendment 3022 #
Proposal for a regulation
Article 82 – paragraph 1 e (new)
Article 82 – paragraph 1 e (new)
1e. Open optical electronic surveillance and/or open acoustic electronic surveillance of parts of the business premises which are not accessible to the public and are predominantly used for purposes of an employee’s private life, particularly in sanitary facilities, changing rooms, rooms where breaks are spent and bedrooms, shall not be permitted. Open optical electronic surveillance and/or open acoustic electronic surveillance of publicly accessible parts of the business premises or parts which are not accessible to the public and are not predominantly used for purposes of an employee’s private life, such as entry halls, foyers, offices, workshops or the like, shall be permitted only to the extent that it is absolutely necessary for the safety/security of the employee and of the business. Surveillance of public parts of the business should not include surveillance of the employee in his place of work, except insofar as this is unavoidable. Before surveillance is performed, the employee shall be informed when and for how long the surveillance devices will be operated. Recordings of the surveillance shall be deleted after a short time, at the latest one month after the surveillance has taken place. Secret surveillance shall always be prohibited.
Amendment 3024 #
Proposal for a regulation
Article 82 – paragraph 1 f (new)
Article 82 – paragraph 1 f (new)
1f. If undertakings collect or process personal data in connection with statutory medical examinations and/or aptitude tests, they must, in advance, inform the applicant or employee of the purpose for which the data are to be used, and subsequently communicate the data to them together with the findings, and explain them. Collection of data for the purpose of genetic testing and analyses shall be prohibited. Collection and processing of personal data as part of medical examinations and/or aptitude tests must be necessary for the protection of health at work and preventive health care with reference to the employment relationship. The employer may not have direct access to the data. Data concerning applicants shall be treated in the same way as data concerning employees. Collection of health data in preparation for dismissal on health grounds shall be prohibited.
Amendment 3026 #
Proposal for a regulation
Article 82 – paragraph 1 g (new)
Article 82 – paragraph 1 g (new)
1g. Legal provisions may be laid down, particularly by means of collective agreements, stipulating whether and to what extent the telephone, e-mail, Internet and other telecommunications services may also be used for private purposes. Private use may also be permitted by an employment contract. If private use is permitted, processing of traffic data collected with reference to it shall only be permitted for the preservation of data security, to ensure the proper functioning of telecommunications networks and telecommunications services, and to levy charges, after the employee has been informed. Furthermore, the content of private e-mails shall not be analysed.
Amendment 3028 #
Proposal for a regulation
Article 82 – paragraph 1 h (new)
Article 82 – paragraph 1 h (new)
1h. Collection and processing of information/data concerning employees or applicants via social networks which are not specifically job application portals shall be prohibited.
Amendment 3030 #
Proposal for a regulation
Article 82 – paragraph 1 i (new)
Article 82 – paragraph 1 i (new)
1i. Data on employees which are inaccurate, whose accuracy is contested by employees or which have been collected by unauthorised means may not be used.
Amendment 3031 #
Proposal for a regulation
Article 82 – paragraph 1 j (new)
Article 82 – paragraph 1 j (new)
1j. Employees who have refused unauthorised examinations or requests for information or have given false answers to them, or who have objected to unauthorised collection/use of data on employees may not be disadvantaged.
Amendment 3032 #
Proposal for a regulation
Article 82 – paragraph 1 k (new)
Article 82 – paragraph 1 k (new)
1k. Without prejudice to rights to information and codetermination pursuant to domestic labour law, the workplace representation and European Works Council shall have the following rights: (a) the right to be consulted on the appointment of the business’s data protection officer (Article 35(7)); (b) the right to be consulted and informed regularly by the business’s data protection officer; (c) the right to representation of employees concerned before a regular national court (Article 73) and the right to bring a class action (Article 75); (d) the right to be consulted on the formulation of binding corporate rules (Article 43).
Amendment 3101 #
Proposal for a regulation
Article 85
Article 85