[ParlTrack]

Proposal for a regulation
Title 1

Proposal for a ~~REGULATION~~DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection ~~Regulation~~Directive) (Text with EEA relevance)

2013/03/04
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Recital 34

(34) Consent should not provide a valid legal ground for the processing of personal data, where there is a clear imbalance between the data subject and the controller. This is especially the case where the data subject is in a situation of dependence from the controller, among others, where personal data are processed by the employer of employees’ personal data in the employment context. Where the controller is a public authority, there would be an imbalance only in the specific data processing operations where the public authority can impose an obligation by virtue of its relevant public powers and the consent cannot be deemed as freely given, taking into account the interest of the data subject.deleted

2013/03/04
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Recital 125

(125) The processing of personal data for the purposes of historical, statistical or scientific research should, in order to be lawful, also respect other relevant legislation such as on clinical trials. A research ethics committee as mentioned in Article 83 should be consistent with the principles of the World Medical Association’s Declaration of Helsinki and any national requirements in Member States.

2013/03/04
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 2 – paragraph 2 – point d

(d) by a natural person ~~without any gainful interest~~ in the course of its own exclusively personal or household activity;

2013/03/04
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 4 – paragraph 1 – point 19 a (new)

(19a) ‘data protection officer’ means a natural or legal person or a team of professionals, with the necessary professional experience and expertise required to perform the duties stemming from and outlined in this Regulation, who are employed or designated by the controller or the processor.

2013/03/04
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 7 – paragraph 4

~~4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.~~deleted

2013/03/04
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 12 – paragraph 1

1. The controller shall establish procedures for providing the information referred to in Article 14 and for the exercise of the rights of data subjects referred to in Article 13 and Articles 15 to 19. The controller shall provide in particular mechanisms for facilitating the request for the actions referred to in Article 13 and Articles 15 to 19. Where personal data are processed by automated means, and unless disproportionate efforts or costs arise from this, the controller shall also provide means for requests to be made electronically.

2013/03/04
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 12 – paragraph 2

2. The controller shall inform the data subject without delay and, at the latest within one month of receipt of the request, whether or not any action has been taken pursuant to Article 13 and Articles 15 to 19 and shall provide the requested information. This period may be prolonged ~~for a further month~~, if several data subjects exercise their rights and their cooperation is necessary to a reasonable extent to prevent an unnecessary and disproportionate effort on the part of the controller. The information shall be given in writing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form if possible, unless otherwise requested by the data subject.

2013/03/04
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 15 – paragraph 1 – introductory part

1. The data subject shall have the right to obtain from the controller ~~at any time~~, on request, confirmation as to whether or not personal data relating to the data subject are being processed. Where such personal data are being processed, the controller shall provide the following information:

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 17 – paragraph 1 – introductory part

1. The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, unless the data is kept by competent authorities or other bodies in a legal register required by national or Union legislation, especially in relation to personal data which are made available by the data subject while he or she was a child, where one of the following grounds applies:

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 18 – paragraph 1

1. The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing ~~in an electronic and structured format which is commonly used and allows for further use by the data subject~~.

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 22 – paragraph 1

1. ~~The controller shall adopt policies and implement appropriate measures to en~~With regard to the nature of personal data being processed, the type of organization in question, and considering the state-of-the-art, the controller and processor shall, both at the time of the determination of the means of processing and at the time of the processing, implement appropriate and demonstrable technical and organizational measures a~~nd be able to demonstrate that the processing of personal data is performed in compliance with this Regulatio~~s well as suitable privacy programmes that ensure that the processing meets the requirements of this Regulation and the protection of the rights of the data subject by design.

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 22 – paragraph 2 – introductory part

2. The measures provided for in paragraph 1 shall in ~~particular include:~~clude, but not be limited to,

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 22 – paragraph 2 – point a

(a) ~~keeping the documentation pursuant to Article 28~~management oversight of the processing of personal data to ensure the existence, implementation and effectiveness of the technical and organizational measures outlined in paragraph 1;

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 22 – paragraph 2 – point b

(b) ~~implementing the data security requirements laid down in Article 30~~the existence of proper policies, instructions or other guidelines to direct the processing of data in a way that complies with this Regulation, as well as procedures and enforcement to make such policies, instructions or guidelines effective;

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 22 – paragraph 2 – point c

(c) ~~performing a data protection impact assessment pursuant to Article 33~~the existence of proper planning and procedures which ensure compliance with this Regulation and which address potentially risky processing of personal data prior to the start of the processing of data;

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 22 – paragraph 2 – point d

(d) ~~complying with the requirements for prior authorisation or prior consultation of the supervisory authority pursuant to Article 34(1) and (2)~~the existence of appropriate documentation of data processing that enables compliance with the obligations arising from this Regulation;

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 22 – paragraph 2 – point e

(e) ~~designating~~the existence of a data protection officer ~~pursuant to Article 35(1).~~, as outlined in Article 4, or other staff supported with adequate resources to oversee the implementation of measures defined in this Article and to monitor compliance with this Regulation. The sufficient organizational independence of the data protection officer or other staff shall be ensured;

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 22 – paragraph 2 – point e a (new)

(ea) the existence of proper awareness and training of the staff participating in the processing of data and the related decision-making;

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 22 – paragraph 3

3. The controller shall implement mechanisms to ensure the verification of the effectiveness of the measures referred to in paragraphs 1 and 2. If proportionate, this verification shall be carried out by independent internal or external auditorsor processor shall, upon request by the competent data protection authority, demonstrate the existence of technical and organizational measures in line with those referred to in paragraphs 1 and 2.

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 22 – paragraph 4

4. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of specifying any further criteria and requirements for appropriate measures referred to in paragraph 1 other than those already referred to in paragraph 2, the conditions for the verification and auditing mechanisms referA group of undertakings may apply joint technical and organizational measureds to ~~in paragraph 3 and as regards the criteria for proportionality under paragraph 3, and considering specific measures for micro, small and medium-sized-enterprises~~meet the obligations arising from this Regulation.

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 23 – paragraph 3

~~3. The Commission shall be empowered to adopt~~ delegated acts in accordance with Article 86 for the purpose of specifying any further criteria and requirements for appropriate measures and mechanisms referred to in paragraph 1 and 2, in particular for data protection by design requirements applicable across sectors, products and services.

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 34 – paragraph 1

1. The controller or the processor as the case may be shall obtain an authorisation from the supervisory authority prior to the processing of personal data, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where a controller or processor adopts contractual clauses as provided for in point (d) of Article 42(2) or does not provide for the appropriate safeguards in a legally binding instrument as referred to in Article 42(5) for the transfer of personal data to a third country or an international organisation.deleted

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 35 – paragraph 1 – introductory part

1. The controller and the processor shall, unless such tasks are already being carried out, designate a data protection officer as outlined in Article 4 in any case where:

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 35 – paragraph 2

2. In the cases referred to in ~~point (b) of~~ paragraph 1, a group of undertakings may appoint a ~~single~~joint data protection officer.

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 35 – paragraph 3

3. Where the controller or the processor is a public authority or body, the data protection officer or officers may be designated for several of its entities, taking account of the organisational structure of the public authority or body.

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 35 – paragraph 4

4. In cases other than those referred to in paragraph 1, the controller or processor or associations and other bodies representing categories of controllers or processors may designate a data protection officer or officers.

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 35 – paragraph 5

5. The controller or processor shall designate the data protection officer or data protection officers on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil the tasks referred to in Article 37. The necessary level of expert knowledge shall be determined in particular according to the data processing carried out and the protection required for the personal data processed by the controller or the processor.

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 35 – paragraph 6

6. The controller or the processor shall ensure that any other professional duties of the data protection officer or data protection officers are compatible with the person's or persons' tasks and duties as data protection officer and do not result in a conflict of interests.

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 35 – paragraph 7

7. The controller or the processor shall designate a data protection officer for a period of at least two years. The data protection officer may be reappointed for further terms. During their term of office, the data protection officer may only be dismissed, if the data protection officer no longer fulfils the conditions required for the performance of their duties.deleted

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 35 – paragraph 9

9. The controller or the processor shall ~~communicat~~make available the name and contact details of the data protection officer to the supervisory authority and to the public.

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 35 – paragraph 10

10. Data subjects shall have the right to contact the data protection officer or data protection officers on all issues related to the processing of the data subject's data and to request exercising the rights under this Regulation.

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 35 – paragraph 11

~~11. The Commission shall be empowered to adopt~~ delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the core activities of the controller or the processor referred to in point (c) of paragraph 1 and the criteria for the professional qualities of the data protection officer referred to in paragraph 5.

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 36 – paragraph 1

1. The controller or the processor shall ensure that the data protection officer isor officers are properly and in a timely manner involved in ~~all~~ issues which relate to the protection of personal data.

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 36 – paragraph 2

2. The ~~controller or processor shall ensure that the~~data protection officer or data protection officers shall performs their duties and tasks independently ~~and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the management of the controller or the processor~~.

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 36 – paragraph 3

3. The controller or the processor shall support the data protection officer in performing the tasks ~~and shall provide staff, premises, equipment and any other resources necessary~~by providing appropriate means to carry out the duties and tasks referred to in Article 37.

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 37 – paragraph 1 – introductory part

1. The controller or the processor shall entrust the data protection officer or data protection officers at least with the following tasks:

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 37 – paragraph 1 – point a

(a) to inform and advise the controller or the processor of their obligations pursuant to this Regulation ~~and to document this activity and the responses received~~;

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 37 – paragraph 1 – point b

(b) to monitor the implementation and application of the policies of the controller or processor in relation to the protection of personal data~~, including the assignment of responsibilities, the training of staff involved in the processing operations, and the related audits~~ as outlined in Article 22;

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 37 – paragraph 1 – point c

(c) to monitor the implementation and application of this Regulation, in particular as to the requirements related to data protection by design, data protection by default and data security and to the information of data subjects and their requests in exercising their rights undercompliance with this Regulation;

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 37 – paragraph 1 – point d

~~(d) to ensure that the documentation referred to in Article 28 is maintain~~deleted;

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 37 – paragraph 1 – point e

~~(e) to monitor the documentation, notification and communication of personal data breaches pursuant to Articles 31 and 32;~~deleted

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 37 – paragraph 1 – point f

(f) to monitor the performance of the data protection impact assessment by the controller or processor and the application for prior authorisation or prior consultation, if required pursuant Articles 33 and 34;deleted

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 37 – paragraph 1 – point g

(g) to monitor the response to requests from the supervisory authority, and, within the sphere of the data protection officer's competence, co-operating with the supervisory authority at the latter's request or on the data protection officer's own initiative;deleted

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 37 – paragraph 1 – point h

~~(h) to act as the contact point for the supervisory authority on issues related to the processing and consult with the supervisory authority, if appropriate, on his/her own initiative.~~deleted

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 37 – paragraph 2

~~2. The Commission shall be empowered to adopt~~ delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for tasks, certification, status, powers and resources of the data protection officer referred to in paragraph 1.

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 79 – paragraph 1

1. Each supervisory authority shall be empowered to impose warnings or administrative sanctions in accordance with this Article.

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 79 – paragraph 2

2. The administrative sanction shall be in each individual case effective, proportionate and dissuasive. The amount of the administrative fine shall be ~~fixed with due regard to~~based on the nature, gravity and duration of the breach, the intentional or negligent character of the infringement, the degree of responsibility of the natural or legal person and of previous breaches by this person, the technical and organisational measures and procedures implemented pursuant to Article 23 and the degree of co-operation with the supervisory authority in order to remedy the breach.

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 79 – paragraph 3 – introductory part

3. In case of a first and non-intentional non-compliance with this Regulation, a warning in writing may be given and no sanction imposed, where: (a) a natural person is processing personal data without a commercial interest; or (b) an enterprise or an organisation employing fewer than 250 persons is processing personal data only as an activity ancillary to its main activities.

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 79 – paragraph 4 – introductory part

4. The supervisory authority shall ~~impose a fine up to 250 000 EUR, or in case of an enterprise up to 0,5 % of its annual worldwide turnover,~~, based on the gravity of the breach, impose a fine or a warning to anyone who, intentionally or negligently:

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 79 – paragraph 5 – introductory part

5. The supervisory authority shall ~~impose a fine up to 500 000 EUR, or in case of an enterprise up to 1 % of its annual worldwide turnover,~~, based on the gravity of the breach, impose a fine or a warning to anyone who, intentionally or negligently:

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 79 – paragraph 6 – introductory part

6. The supervisory authority shall ~~impose a fine up to 1 000 000 EUR or, in case of an enterprise up to 2 % of its annual worldwide turnover,~~, based on the gravity of the breach, impose a fine or warning to anyone who, intentionally or negligently:

2013/03/06
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 80 – paragraph 1 a (new)

1a. In order to reconcile the right to the protection of personal data with the principle of public access to official documents, personal data in documents held by a public authority or a public body may be disclosed by this authority or body in accordance with Member State legislation regarding public access to official documents.

2013/03/08
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 80 – paragraph 2

2. Each Member State shall notify to the Commission those provisions of its law which it has adopted pursuant to paragraph 1 by the date specified in Article 91(2) at the latest and, without delay, any subsequent amendment law or amendment affecting them.deleted

2013/03/08
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 82 – paragraph 1

1. Within the limits of this Regulation, Member States may adopt by law or by collective agreements specific rules regulating the processing of employees‘ personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.

2013/03/08
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 83 – paragraph 1 – point b a (new)

(ba) in case data is to be processed for scientific research purposes, the proposed scientific research project has received a favourable opinion from an independent research ethics committee.

2013/03/08
Committee: LIBE

Nils TORVALDS, Eija-Riitta KORHOLA

Proposal for a regulation
Article 83 – paragraph 1 a (new)

1a. The data subject has given his or her consent for the processing of data for historical, statistical and scientific research. For the purposes of historical, statistical and scientific research, a one- time consent is enough and there is no need for explicit consent to be given each time by the data subject, or a need to notify the data subject, separately before the processing of data related to research purposes.

2013/03/08
Committee: LIBE

Nils TORVALDS

Proposal for a regulation
Article 86

~~1. The power to adopt~~ delegated acts is conferred on the Commission subject to the conditions laid down in this Article. 2. The delegation of power referred to in Article 6(5), Article 8(3), Article 9(3), Article 12(5), Article 14(7), Article 15(3), Article 17(9), Article 20(6), Article 22(4), Article 23(3), Article 26(5), Article 28(5), Article 30(3), Article 31(5), Article 32(5), Article 336), Article 34(8), Article 35(11), Article 37(2), Article 39(2), Article 43(3), Article 44(7), Article 79(6), Article 81(3), Article 82(3) and Article 83(3) shall be conferred on the Commission for an indeterminate period of time from the date of entry into force of this Regulation. 3. The delegation of power referred to in Article 6(5), Article 8(3), Article 9(3), Article 12(5), Article 14(7), Article 15(3), Article 17(9), Article 20(6), Article 22(4), Article 23(3), Article 26(5), Article 28(5), Article 30(3), Article 31(5), Article 32(5), Article 33(6), Article 34(8), Article 35(11), Article 37(2), Article 39(2), Article 43(3), Article 44(7), Article 79(6), Article 81(3), Article 82(3) and Article 83(3) may be revoked at any time by the European Parliament or by the Council. A decision of revocation shall put an end to the delegation of power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force. 4. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council. 5. A delegated act adopted pursuant to Article 6(5), Article 8(3), Article 9(3), Article 12(5), Article 14(7), Article 15(3), Article 17(9), Article 20(6), Article 22(4), Article 23(3), Article 26(5), Article 28(5), Article 30(3), Article 31(5), Article 32(5), Article 33(6), Article 34(8), Article 35(11), Article 37(2), Article 39(2), Article 43(3), Article 44(7), Article 79(6), Article 81(3), Article 82(3) and Article 83(3) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or the Council.

2013/03/08
Committee: LIBE

58 Amendments of Nils TORVALDS related to 2012/0011(COD)

ParlTrack - 2011-2024