58 Amendments of Nils TORVALDS related to 2012/0011(COD)
Amendment 351
Proposal for a regulation
Title 1
Proposal for a REGULATIONDIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection RegulationDirective) (Text with EEA relevance)
Amendment 441
Proposal for a regulation
Recital 34
Amendment 640
Proposal for a regulation
Recital 125
(125) The processing of personal data for the purposes of historical, statistical or scientific research should, in order to be lawful, also respect other relevant legislation such as on clinical trials. A research ethics committee as mentioned in Article 83 should be consistent with the principles of the World Medical Association’s Declaration of Helsinki and any national requirements in Member States.
Amendment 673
Proposal for a regulation
Article 2 – paragraph 2 – point d
(d) by a natural person without any gainful interest in the course of its own exclusively personal or household activity;
Amendment 804
Proposal for a regulation
Article 4 – paragraph 1 – point 19 a (new)
(19a) ‘data protection officer’ means a natural or legal person or a team of professionals, with the necessary professional experience and expertise required to perform the duties stemming from and outlined in this Regulation, who are employed or designated by the controller or the processor.
Amendment 983
Proposal for a regulation
Article 7 – paragraph 4
Amendment 1122
Proposal for a regulation
Article 12 – paragraph 1
1. The controller shall establish procedures for providing the information referred to in Article 14 and for the exercise of the rights of data subjects referred to in Article 13 and Articles 15 to 19. The controller shall provide in particular mechanisms for facilitating the request for the actions referred to in Article 13 and Articles 15 to 19. Where personal data are processed by automated means, and unless disproportionate efforts or costs arise from this, the controller shall also provide means for requests to be made electronically.
Amendment 1129
Proposal for a regulation
Article 12 – paragraph 2
2. The controller shall inform the data subject without delay and, at the latest within one month of receipt of the request, whether or not any action has been taken pursuant to Article 13 and Articles 15 to 19 and shall provide the requested information. This period may be prolonged for a further month, if several data subjects exercise their rights and their cooperation is necessary to a reasonable extent to prevent an unnecessary and disproportionate effort on the part of the controller. The information shall be given in writing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form if possible, unless otherwise requested by the data subject.
Amendment 1291
Proposal for a regulation
Article 15 – paragraph 1 – introductory part
1. The data subject shall have the right to obtain from the controller at any time, on request, confirmation as to whether or not personal data relating to the data subject are being processed. Where such personal data are being processed, the controller shall provide the following information:
Amendment 1387
Proposal for a regulation
Article 17 – paragraph 1 – introductory part
1. The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, unless the data is kept by competent authorities or other bodies in a legal register required by national or Union legislation, especially in relation to personal data which are made available by the data subject while he or she was a child, where one of the following grounds applies:
Amendment 1499
Proposal for a regulation
Article 18 – paragraph 1
1. The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject.
Amendment 1660
Proposal for a regulation
Article 22 – paragraph 1
1. The controller shall adopt policies and implement appropriate measures to enWith regard to the nature of personal data being processed, the type of organization in question, and considering the state-of-the-art, the controller and processor shall, both at the time of the determination of the means of processing and at the time of the processing, implement appropriate and demonstrable technical and organizational measures and be able to demonstrate that the processing of personal data is performed in compliance with this Regulatios well as suitable privacy programmes that ensure that the processing meets the requirements of this Regulation and the protection of the rights of the data subject by design.
Amendment 1670
Proposal for a regulation
Article 22 – paragraph 2 – introductory part
2. The measures provided for in paragraph 1 shall in particular include:clude, but not be limited to,
Amendment 1672
Proposal for a regulation
Article 22 – paragraph 2 – point a
(a) keeping the documentation pursuant to Article 28management oversight of the processing of personal data to ensure the existence, implementation and effectiveness of the technical and organizational measures outlined in paragraph 1;
Amendment 1674
Proposal for a regulation
Article 22 – paragraph 2 – point b
(b) implementing the data security requirements laid down in Article 30the existence of proper policies, instructions or other guidelines to direct the processing of data in a way that complies with this Regulation, as well as procedures and enforcement to make such policies, instructions or guidelines effective;
Amendment 1676
Proposal for a regulation
Article 22 – paragraph 2 – point c
(c) performing a data protection impact assessment pursuant to Article 33the existence of proper planning and procedures which ensure compliance with this Regulation and which address potentially risky processing of personal data prior to the start of the processing of data;
Amendment 1677
Proposal for a regulation
Article 22 – paragraph 2 – point d
(d) complying with the requirements for prior authorisation or prior consultation of the supervisory authority pursuant to Article 34(1) and (2)the existence of appropriate documentation of data processing that enables compliance with the obligations arising from this Regulation;
Amendment 1681
Proposal for a regulation
Article 22 – paragraph 2 – point e
(e) designatingthe existence of a data protection officer pursuant to Article 35(1)., as outlined in Article 4, or other staff supported with adequate resources to oversee the implementation of measures defined in this Article and to monitor compliance with this Regulation. The sufficient organizational independence of the data protection officer or other staff shall be ensured;
Amendment 1684
Proposal for a regulation
Article 22 – paragraph 2 – point e a (new)
(ea) the existence of proper awareness and training of the staff participating in the processing of data and the related decision-making;
Amendment 1697
Proposal for a regulation
Article 22 – paragraph 3
3. The controller shall implement mechanisms to ensure the verification of the effectiveness of the measures referred to in paragraphs 1 and 2. If proportionate, this verification shall be carried out by independent internal or external auditorsor processor shall, upon request by the competent data protection authority, demonstrate the existence of technical and organizational measures in line with those referred to in paragraphs 1 and 2.
Amendment 1706
Proposal for a regulation
Article 22 – paragraph 4
4. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of specifying any further criteria and requirements for appropriate measures referred to in paragraph 1 other than those already referred to in paragraph 2, the conditions for the verification and auditing mechanisms referA group of undertakings may apply joint technical and organizational measureds to in paragraph 3 and as regards the criteria for proportionality under paragraph 3, and considering specific measures for micro, small and medium-sized-enterprisesmeet the obligations arising from this Regulation.
Amendment 1733
Proposal for a regulation
Article 23 – paragraph 3
Amendment 2094
Proposal for a regulation
Article 34 – paragraph 1
Amendment 2151
Proposal for a regulation
Article 35 – paragraph 1 – introductory part
1. The controller and the processor shall, unless such tasks are already being carried out, designate a data protection officer as outlined in Article 4 in any case where:
Amendment 2187
Proposal for a regulation
Article 35 – paragraph 2
2. In the cases referred to in point (b) of paragraph 1, a group of undertakings may appoint a singlejoint data protection officer.
Amendment 2200
Proposal for a regulation
Article 35 – paragraph 3
3. Where the controller or the processor is a public authority or body, the data protection officer or officers may be designated for several of its entities, taking account of the organisational structure of the public authority or body.
Amendment 2207
Proposal for a regulation
Article 35 – paragraph 4
4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may designate a data protection officer or officers.
Amendment 2212
Proposal for a regulation
Article 35 – paragraph 5
5. The controller or processor shall designate the data protection officer or data protection officers on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil the tasks referred to in Article 37. The necessary level of expert knowledge shall be determined in particular according to the data processing carried out and the protection required for the personal data processed by the controller or the processor.
Amendment 2218
Proposal for a regulation
Article 35 – paragraph 6
6. The controller or the processor shall ensure that any other professional duties of the data protection officer or data protection officers are compatible with the person's or persons' tasks and duties as data protection officer and do not result in a conflict of interests.
Amendment 2220
Proposal for a regulation
Article 35 – paragraph 7
Amendment 2241
Proposal for a regulation
Article 35 – paragraph 9
9. The controller or the processor shall communicatmake available the name and contact details of the data protection officer to the supervisory authority and to the public.
Amendment 2244
Proposal for a regulation
Article 35 – paragraph 10
10. Data subjects shall have the right to contact the data protection officer or data protection officers on all issues related to the processing of the data subject's data and to request exercising the rights under this Regulation.
Amendment 2247
Proposal for a regulation
Article 35 – paragraph 11
Amendment 2256
Proposal for a regulation
Article 36 – paragraph 1
1. The controller or the processor shall ensure that the data protection officer isor officers are properly and in a timely manner involved in all issues which relate to the protection of personal data.
Amendment 2264
Proposal for a regulation
Article 36 – paragraph 2
2. The controller or processor shall ensure that thedata protection officer or data protection officers shall performs their duties and tasks independently and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the management of the controller or the processor.
Amendment 2275
Proposal for a regulation
Article 36 – paragraph 3
3. The controller or the processor shall support the data protection officer in performing the tasks and shall provide staff, premises, equipment and any other resources necessaryby providing appropriate means to carry out the duties and tasks referred to in Article 37.
Amendment 2290
Proposal for a regulation
Article 37 – paragraph 1 – introductory part
1. The controller or the processor shall entrust the data protection officer or data protection officers at least with the following tasks:
Amendment 2292
Proposal for a regulation
Article 37 – paragraph 1 – point a
(a) to inform and advise the controller or the processor of their obligations pursuant to this Regulation and to document this activity and the responses received;
Amendment 2296
Proposal for a regulation
Article 37 – paragraph 1 – point b
(b) to monitor the implementation and application of the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, the training of staff involved in the processing operations, and the related audits as outlined in Article 22;
Amendment 2302
Proposal for a regulation
Article 37 – paragraph 1 – point c
(c) to monitor the implementation and application of this Regulation, in particular as to the requirements related to data protection by design, data protection by default and data security and to the information of data subjects and their requests in exercising their rights undercompliance with this Regulation;
Amendment 2303
Proposal for a regulation
Article 37 – paragraph 1 – point d
Amendment 2306
Proposal for a regulation
Article 37 – paragraph 1 – point e
Amendment 2309
Proposal for a regulation
Article 37 – paragraph 1 – point f
Amendment 2315
Proposal for a regulation
Article 37 – paragraph 1 – point g
Amendment 2318
Proposal for a regulation
Article 37 – paragraph 1 – point h
Amendment 2323
Proposal for a regulation
Article 37 – paragraph 2
Amendment 2849
Proposal for a regulation
Article 79 – paragraph 1
1. Each supervisory authority shall be empowered to impose warnings or administrative sanctions in accordance with this Article.
Amendment 2858
Proposal for a regulation
Article 79 – paragraph 2
2. The administrative sanction shall be in each individual case effective, proportionate and dissuasive. The amount of the administrative fine shall be fixed with due regard tobased on the nature, gravity and duration of the breach, the intentional or negligent character of the infringement, the degree of responsibility of the natural or legal person and of previous breaches by this person, the technical and organisational measures and procedures implemented pursuant to Article 23 and the degree of co-operation with the supervisory authority in order to remedy the breach.
Amendment 2878
Proposal for a regulation
Article 79 – paragraph 3 – introductory part
3. In case of a first and non-intentional non-compliance with this Regulation, a warning in writing may be given and no sanction imposed, where: (a) a natural person is processing personal data without a commercial interest; or (b) an enterprise or an organisation employing fewer than 250 persons is processing personal data only as an activity ancillary to its main activities.
Amendment 2891
Proposal for a regulation
Article 79 – paragraph 4 – introductory part
4. The supervisory authority shall impose a fine up to 250 000 EUR, or in case of an enterprise up to 0,5 % of its annual worldwide turnover,, based on the gravity of the breach, impose a fine or a warning to anyone who, intentionally or negligently:
Amendment 2904
Proposal for a regulation
Article 79 – paragraph 5 – introductory part
5. The supervisory authority shall impose a fine up to 500 000 EUR, or in case of an enterprise up to 1 % of its annual worldwide turnover,, based on the gravity of the breach, impose a fine or a warning to anyone who, intentionally or negligently:
Amendment 2924
Proposal for a regulation
Article 79 – paragraph 6 – introductory part
6. The supervisory authority shall impose a fine up to 1 000 000 EUR or, in case of an enterprise up to 2 % of its annual worldwide turnover,, based on the gravity of the breach, impose a fine or warning to anyone who, intentionally or negligently:
Amendment 2960
Proposal for a regulation
Article 80 – paragraph 1 a (new)
1a. In order to reconcile the right to the protection of personal data with the principle of public access to official documents, personal data in documents held by a public authority or a public body may be disclosed by this authority or body in accordance with Member State legislation regarding public access to official documents.
Amendment 2963
Proposal for a regulation
Article 80 – paragraph 2
Amendment 3002
Proposal for a regulation
Article 82 – paragraph 1
1. Within the limits of this Regulation, Member States may adopt by law or by collective agreements specific rules regulating the processing of employees' personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.
Amendment 3059
Proposal for a regulation
Article 83 – paragraph 1 – point b a (new)
(ba) in case data is to be processed for scientific research purposes, the proposed scientific research project has received a favourable opinion from an independent research ethics committee.
Amendment 3067
Proposal for a regulation
Article 83 – paragraph 1 a (new)
1a. The data subject has given his or her consent for the processing of data for historical, statistical and scientific research. For the purposes of historical, statistical and scientific research, a one-time consent is enough and there is no need for explicit consent to be given each time by the data subject, or a need to notify the data subject, separately before the processing of data related to research purposes.
Amendment 3109
Proposal for a regulation
Article 86