BETA

45 Amendments of Ewald STADLER related to 2012/0011(COD)

Proposal for a regulation
Article 3 – paragraph 3

3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where the national law of a Member State applies by virtue of public international law. This shall be without prejudice to national provisions to which the controller is subject.

2013/03/04
Committee: LIBE

Proposal for a regulation
Article 4 – paragraph 1 – point 1

(1) ‘'data subject’' means an identified natural person or a natural person who can be unequivocally identified, directly or indirectly, by means ~~reasonably likely to be used by the controller or by any other natural or legal person~~available to the controller, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;

2013/03/04
Committee: LIBE

Proposal for a regulation
Article 4 – paragraph 1 – point 3

(3) ‘'processing’' means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure, blocking or destruction;

2013/03/04
Committee: LIBE

Proposal for a regulation
Article 4 – paragraph 1 – point 10

(10) ‘genetic data’ means ~~all data, of whatever type, concerning the characteristics of an individual~~data obtained by means of genetic testing or genetic analysis performed in connection with genetic testing regarding genetic characteristics. Genetic characteristics are hereditary information of human origin which ~~are~~is inherited or acquired during ~~early prenatal development,~~conception or up until birth;

2013/03/04
Committee: LIBE

Proposal for a regulation
Article 4 – paragraph 1 – point 11

(11) ‘'biometric data’' means any data relating to the physical, physiological or behavioural characteristics of an individual which allow their unique identification, such as facial images, or dactyloscopic data, but not signatures;

2013/03/04
Committee: LIBE

Proposal for a regulation
Article 4 – paragraph 1 – point 19 a (new)

(19a) ‘anonymising’ means altering personal data in such a manner that all the information relating to a data subject becomes impossible to connect with a particular or identifiable natural person or can only be so connected by means of a disproportionate effort in terms of time, cost and labour;

2013/03/04
Committee: LIBE

Proposal for a regulation
Article 4 – paragraph 1 – point 19 b (new)

(19b) ‘pseudonymising’ means replacing the name and other identifying features with a mark for the purpose of preventing or seriously impeding the identification of the data subject;

2013/03/04
Committee: LIBE

Proposal for a regulation
Article 4 – paragraph 1 – point 19 c (new)

(19c) ‘third party’ means a natural or legal person, authority, institution or any other entity, with the exception of the data subject, the controller, the processor and persons who are authorised to process the data under the direct responsibility of the controller or of the processor;

2013/03/04
Committee: LIBE

Proposal for a regulation
Article 5 – paragraph 1 – point a

(a) processed lawfully, fairly and in a transparent manner ~~in relation to the data subject~~;

2013/03/04
Committee: LIBE

Proposal for a regulation
Article 5 – paragraph 1 – point c

(c) adequate, relevant, and limited to the minimum necessary in relation to the purposes for which they are processed; ~~they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data;~~

2013/03/04
Committee: LIBE

Proposal for a regulation
Article 5 – paragraph 1 – point d

(d) accurate and, if necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or, if this is not possible, blocked or rectified without delay;

2013/03/04
Committee: LIBE

Proposal for a regulation
Article 5 – paragraph 1 – point e

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods if statutory retention rules so require or insofar as the data will be processed solely for historical, statistical or scientific research purposes in accordance with the rules and conditions of Article 83 and if a periodic review is carried out to assess the necessity to continue the storage;

2013/03/04
Committee: LIBE

Proposal for a regulation
Article 5 – paragraph 1 – point f

(f) processed under the responsibility ~~and liability~~ of the controller, who shall ensure ~~and demonstrate~~ for each processing operation the compliance with the provisions of this Regulation.

2013/03/04
Committee: LIBE

Proposal for a regulation
Article 5 – paragraph 1 – point f a (new)

(fa) personal data shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data, for example pseudonymised or anonymised data;

2013/03/04
Committee: LIBE

Proposal for a regulation
Article 6 – paragraph 1 – point c

(c) ~~processing is necessary for compliance with a legal obligat~~a law or other legal provision to which the controller is subject requires or allows processing;

2013/03/04
Committee: LIBE

Proposal for a regulation
Article 6 – paragraph 1 – point f

(f) processing is necessary for the purposes of the legitimate interests pursued by a controller or an entitled third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data~~, in particular where the data subject is a child~~. This shall not apply to processing carried out by public authorities in the performance of their tasks.

2013/03/04
Committee: LIBE

Proposal for a regulation
Article 6 – paragraph 4

4. Where the purpose of further processing is not compatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in points (a) to (ef) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract.

2013/03/04
Committee: LIBE

Proposal for a regulation
Article 7 – paragraph 3

3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. In accordance with the principle of good faith, withdrawal of consent shall not be permitted when the consent is required for the completion of a contract.

2013/03/04
Committee: LIBE

Proposal for a regulation
Article 7 – paragraph 4

4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller. In this connection the interests of the data subjects shall be taken into account.

2013/03/04
Committee: LIBE

Proposal for a regulation
Article 9 – paragraph 2 – point d

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other non-profit-seeking body with a political, philosophical, religious or trade- union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the data are not disclosed ~~outside that body~~to third parties without the consent of the data subjects;

2013/03/04
Committee: LIBE

Proposal for a regulation
Article 9 – paragraph 2 – point h

(h) processing of data concerning health is necessary ~~for health purposes and~~ subject to the conditions and safeguards referred to in Article 81 for the purposes referred to there or for the completion of contracts related thereto;

2013/03/04
Committee: LIBE

Proposal for a regulation
Article 9 – paragraph 2 – point j a (new)

(ja) For the purposes of conformity with compliance rules, persons subject to such rules shall be entitled to process data to the extent necessary for the implementation of the compliance rules.

2013/03/04
Committee: LIBE

Proposal for a regulation
Article 10 – title

Proce~~ssing not allowing identification~~dure for automated processing

2013/03/04
Committee: LIBE

Proposal for a regulation
Article 10

If the data processed by a controller do not permit the controller to identify a natural person, the controller shall not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation.deleted

2013/03/04
Committee: LIBE

Proposal for a regulation
Article 10

~~If the data~~1. The establishment of a common procedure for automated processeding by several data controller ~~do not permit the controller to identify a natural person, the~~s shall be permissible provided that this procedure is appropriate taking into account the legitimate interests of the data subjects and the duties or business purposes of the participating data controllers and each of these data controllers at least has full control over the processing of the data he or she has collected. Several data controllers may also have full control over all data in a joint automated processing procedure. 2. The data controllers shall ~~not be obliged to acquire additional information in order to identify the data subject for the sole~~ensure that the lawfulness of the joint procedure can be monitored. To that end they shall specify in writing: (a) the reason and purpose for the joint automated data processing procedure; (b) all participating data controllers and their purposes; (c) third parties to whom data is transmitted; (d) type of data; (e) the technical and organisational measures and procedures required. 3. The data subject of a data processing procedure may assert his or her rights vis- à-vis each data controller. If that data controller does not have full control over the data, he or she shall be required to pass on the request of the data subject to the controller who collected the data. The data subject shall be informed about the transmission of his or her request to the data controller. The data subject’s right to be informed shall extend to all data controllers and all purposes of ~~complying with any provision~~the joint data processing procedure. 4. The data controllers shall be jointly and severally liable for the compliance of the whole automated data processing procedure with the data protection requirements of this Rregulation.

2013/03/04
Committee: LIBE

Proposal for a regulation
Article 15 – paragraph 3

3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the communication to the data subject of the cParagraphs 1 and 2 shall not apply where: (a) the data are stored only because they cannot be deleted on account of statutory, statutes-based or contractual periods for which they are required to be kept; (b) the data serve solely to provide a data backup or to monitor data protection, and providing information would involve a disproportionate effort; (c) the data must be kept secret in accordance with legislation or by virtue of their nature, particularly because of the overriding legal interest of a third party; (d) the data storage is necessary solely for purposes of academic or scientific research and providing information would involve a disproportionate effort; (e) the data have been derived from generally accessible sources and notification would be disproportionate on account of the ~~personal data referred to in point (g) of paragraph 1.~~ large number of cases concerned; (f) notification would seriously jeopardise the commercial objectives or other fundamental rights and freedoms of the controller, unless the interest in notification outweighs the risk.

2013/03/06
Committee: LIBE

Proposal for a regulation
Article 15 – paragraph 4

4. The Commission may specify standard forms and procedures for requesting and granting access to the information referred to in paragraph 1, including for verification of the identity of the data subject and communicating the personal data to the data subject, taking into account the specific features and necessities of various sectors and data processing situations. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).deleted

2013/03/06
Committee: LIBE

Proposal for a regulation
Article 17 – paragraph 4 – introductory part

4. Instead of erasure, the controller shall ~~restrict processing of~~block personal data where:

2013/03/06
Committee: LIBE

Proposal for a regulation
Article 17 – paragraph 4 – point d a (new)

(da) for technical reasons, erasure would be impossible or would involve disproportionate efforts.

2013/03/06
Committee: LIBE

Proposal for a regulation
Article 17 – paragraph 9

~~9. The Commission shall be empowered to adopt~~ delegated acts in accordance with Article 86 for the purpose of further specifying: (a) the criteria and requirements for the application of paragraph 1 for specific sectors and in specific data processing situations; (b) the conditions for deleting links, copies or replications of personal data from publicly available communication services as referred to in paragraph 2; (c) the criteria and conditions for restricting the processing of personal data referred to in paragraph 4.

2013/03/06
Committee: LIBE

Proposal for a regulation
Article 17 – paragraph 9 – point c

(c) the criteria and conditions for ~~restricting the processing of~~blocking personal data referred to in paragraph 4.

2013/03/06
Committee: LIBE

Proposal for a regulation
Article 20 – paragraph 1

1. Every natural person shall have the right not to be subject to a measure which produces legal effects concerning this natural person or ~~significantly affect~~places this natural person at a legal disadvantage, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.

2013/03/06
Committee: LIBE

Proposal for a regulation
Article 22 – paragraph 1

1. The controller shall adopt policies and implement appropriate measures to ensure ~~and be able to demonstrate~~ that the processing of personal data is performed in compliance with this Regulation.

2013/03/06
Committee: LIBE

Proposal for a regulation
Article 23 – paragraph 1

1. Having regard to the risk, the type of data requiring protection, the state of the art and the cost of implementation, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

2013/03/06
Committee: LIBE

Proposal for a regulation
Article 26 – paragraph 1

1. Where a processing operation is to be carried out on behalf of a controller, the controller shall choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organizational measures governing the processing to be carried out ~~and~~; the controller shall also ensure ~~compliance with those measures~~that those measures have been complied with.

2013/03/06
Committee: LIBE

Proposal for a regulation
Article 26 – paragraph 2 – point f

(f) ~~assist the controller in ensuring compliance with the obligations pursuant to A~~Does not affect English text. The German original corrects ‘den Auftragsverarbeiter’ (the processor) to ‘den für die Verarbeitung Verantwortlic~~les 30 to 34;~~hen’ (the data controller).

2013/03/06
Committee: LIBE

Proposal for a regulation
Article 26 – paragraph 2 – point g

(g) ~~hand over~~return all results to the controller after the end of the processing and ~~not process the personal data otherwise~~erase stored data;

2013/03/06
Committee: LIBE

Proposal for a regulation
Article 26 – paragraph 4

4. If a processor processes personal data other than as instructed by the controller, the processor shall be considered to be a controller in respect of that processing and shall be subject to the rules on joint controllers laid down in Article 24.deleted

2013/03/06
Committee: LIBE

Proposal for a regulation
Article 26 – paragraph 5

~~5. The Commission shall be empowered to adopt~~ delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the responsibilities, duties and tasks in relation to a processor in line with paragraph 1, and conditions which allow facilitating the processing of personal data within a group of undertakings, in particular for the purposes of control and reporting.

2013/03/06
Committee: LIBE

Proposal for a regulation
Article 35 – paragraph 1 – point b

(b) the processing is carried out by an enterprise employing 250 persons or more;

2013/03/06
Committee: LIBE

Proposal for a regulation
Article 35 – paragraph 1 – point c

(c) the core activities of the controller or the processor consist of processing operations ~~which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subject~~for transfer, anonymised transfer, market research or opinion polling purposes.

2013/03/06
Committee: LIBE

Proposal for a regulation
Article 36 – paragraph 2

2. The controller or processor shall ensure that the data protection officer performs the duties and tasks independently and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the management of the controller or the processorDoes not affect English version.. German original replaces ‘Leitung’ with ‘Geschäftsführung’, both meaning ‘management’.

2013/03/06
Committee: LIBE

Proposal for a regulation
Article 44 – paragraph 1 – point h a (new)

(ha) if an appropriate level of data protection pursuant to Article 41 or 42 does not exist, transfer or a category of transfer of personal data to a third country or to an international organisation or authority is permissible only if the transfer takes place to comply with a statutory obligation or authorisation, a requirement pertaining to supervision or another legislative provision to which the controller is subject.

2013/03/06
Committee: LIBE

Proposal for a regulation
Article 79 – paragraph 4 – introductory part

4. The supervisory authority shall impose a fine up to 250.0 000 EUR ~~or, in case of an enterprise up to 0,5 % of its annual worldwide turnover,~~ to anyone who, intentionally or negligently:

2013/03/06
Committee: LIBE

Proposal for a regulation
Article 79 – paragraph 6 – introductory part

6. The supervisory authority shall impose a fine up to 1.000.000 EUR or, in case of a breach with intent to make a profit by an enterprise, up to 2 % of its annual worldwide turnover, to anyone who, intentionally or negligently:

2013/03/06
Committee: LIBE