Activities of Christine REVAULT D'ALLONNES BONNEFOY related to 2011/0023(COD)
Plenary speeches (2)
Use of Passenger Name Record data (EU PNR) (A8-0248/2015 - Timothy Kirkhope) FR
Use of Passenger Name Record data (EU PNR) (debate) FR
Amendments (65)
Amendment 92 #
Proposal for a directive
Recital 7
Recital 7
(7) PNR data enable law enforcement authorities to identify persons who were previously ‘"unknown’", i.e. persons previously unsuspected of involvement in sterious crimerorism and tserrorismious crime, but whom an analysis of the data suggests may be involved in such crime and who should therefore be subject to further examination by the competent authorities. By using PNR data law enforcement authorities can address the threat of terrorism and serious crime and terrorism from a different perspective than through the processing of other categories of personal data. However, in order to ensure that the processing of data of innocent and unsuspected persons remains as limited as possible, the aspects of the use of PNR data relating to the creation and application of assessment criteria should be further limited to serious crimes that are also transnational in nature, i.e. are intrinsically linked to travelling and hence the type of the data being processthe terrorist and serious crimes concerned.
Amendment 96 #
Proposal for a directive
Recital 8
Recital 8
(8) The processing of personal data must be proportionate and necessary to the specific security goal pursued by this Directive.
Amendment 111 #
Proposal for a directive
Recital 10 a (new)
Recital 10 a (new)
(10a) The purpose of this Directive is to ensure security and protect the life and safety of the public, in full respect of its fundamental freedoms, and to create a legal framework for the protection and exchange of PNR data between Member States and law enforcement authorities in charge of prevention and suppression of terrorism and serious crimes.
Amendment 114 #
Proposal for a directive
Recital 11
Recital 11
(11) Air carriers already collect and process PNR data from their passengers for their own commercial purposes. This Directive should not impose any obligation on air carriers to collect or retain any additional data from passengers or to impose any obligation on passengers to provide any data in addition to that already being provided to air carriers. For charter, private and freighted flights, PNR data should also be collected and transferred to the Passenger Information Unit of the relevant Member State.
Amendment 122 #
Proposal for a directive
Recital 12
Recital 12
(12) The definition of terrorist offences should be taken from Articles 1 to 4 of Council Framework Decision 2002/475/JHA on combating terrorism37. The definition of serous crime should be taken from Article 2 of Council Framework Decision 2002/584/JHA of 13 June 2002 onthe offences defined under national law and should include the travelling for the Epuropean Arrest Warrant and the surrender procedure between Member States38. However, Member States may exclude those minor offences for which, taking into account their respective criminal justice system, the processing of PNR data pursuant to this directive would not be in line with the principle of proportionality. The definition of serious transnational crime should be taken from Article 2 of Council Framework Decision 2002/584/JHA and the United Nations Convention on Transnational Organised Crimepose of perpetrating, planning, preparing, providing or receiving training for terrorism, in accordance with United Nations Security Council resolution 2178 and Additional Protocol on the Council of Europe Convention on the Prevention of Terrorism. The definition of serious crime applied in this Directive should be taken from Article 2 of Council Framework Decision 2002/584/JHA of 13 June 2002 on the European Arrest Warrant and the surrender procedure between Member States. __________________ 38 OJ L 190, 18.7.2002, p. 1.
Amendment 124 #
Proposal for a directive
Recital 12
Recital 12
(12) The definition of terrorist offences should be taken from Articles 1 to 4 of Council Framework Decision 2002/475/JHA on combating terrorism37. The definition of serous crime should be taken from Article 2 of Council Framework Decision 2002/584/JHA of 13 June 2002 onthe offences defined under national law and should include the travelling for the Epuropean Arrest Warrant and the surrender procedure between Member States38 . However, Member States may exclude those minor offences for which, taking into account their respective criminal justice system, the processing of PNR data pursuant to this directive would not be in line with the principle of proportionality. The definition of serious transnational crime should be taken from Article 2 of Council Framework Decision 2002/584/JHA and the United Nations Conpose of perpetrating, planning, preparing, providing or receiving training for terrorism, in accordance with United Nations Security Council resolution 2178 and Additional Protocol on the Council of Europe Convention on the Prevention onf Transnational Organised Crimeerrorism. __________________ 38 OJ L 190, 18.7.2002, p. 1.
Amendment 126 #
Proposal for a directive
Recital 13
Recital 13
(13) PNR data should be transferred to a single designated unit (Passenger Information Unit) in the relevant Member State, so as to ensure clarity and reduce costs to air carriers and other commercial operators or non-commercial flight operators.
Amendment 141 #
Proposal for a directive
Recital 16
Recital 16
(16) The Commission supports the International Civil Aviation Organisation (ICAO) guidelines on PNR. These guidelines should thus be the basis for adopting the supported data formats for transfers of PNR data by air carriers and other commercial operators or non- commercial flight operators to Member States. This justifies that such supported data formats, as well as the relevant protocols applicable to the transfer of data from air carriers and other commercial operators or non-commercial flight operators should be adopted in accordance with the advisory procedure foreseen in Regulation (EU) No….. of the European Parliament and the Council [……………..]
Amendment 144 #
Proposal for a directive
Recital 17
Recital 17
(17) The Member States should take all necessary measures to enable air carriers and other commercial operators or non- commercial flight operators to fulfil their obligations under this Directive. Dissuasive, effective and proportionate penalties, including financial ones, should be provided for by Member States against those air carriers and other commercial operators or non-commercial flight operators failing to meet their obligations regarding the transfer of PNR data. Where there are repeated serious infringements which might undermine the basic objectives of this Directive, these penalties may include, in exceptional cases, measures such as the immobilisation, seizure and confiscation of the means of transport, or the temporary suspension or withdrawal of the operating licence. .
Amendment 153 #
Proposal for a directive
Recital 19
Recital 19
(19) Taking fully into consideration the right to the protection of personal data and the right to non-discriminat, the right to respect for private life and the right to non-discrimination in accordance with Articles 8, 7 and 21 of the Charter of Fundamental Rights of the European Union, no decision that produces an adverse legal effect on a person or seriously affects him/her should be taken only by reason of the automated processing of PNR data. Moreover, no such decision should be taken by reasonon grounds of a person’'s race or ethnic originethnic or social origin, colour, genetic features, language, religious or philosophical belief, political opinion, trade union membership, membership of a national minority, property, birth, disability, health or sexual lifeorientation.
Amendment 199 #
Proposal for a directive
Recital 28
Recital 28
Amendment 209 #
Proposal for a directive
Recital 29
Recital 29
(29) As a result of the legal and technical differences between national provisions concerning the processing of personal data, including PNR, air carriers and other commercial operators or non-commercial flight operators are and will be faced with different requirements regarding the types of information to be transmitted, as well as the conditions under which this information needs to be provided to competent national authorities. These differences may be prejudicial to effective cooperation between the competent national authorities for the purposes of preventing, detecting, investigating and prosecuting terrorist offences or serious crime.
Amendment 237 #
Proposal for a directive
Article 1 – paragraph 2
Article 1 – paragraph 2
2. The PNR data collected in accordance with this Directive may be processed only for the following purposes: (a) Thepurpose of prevention, detection, investigation and prosecution of terrorist offences and serious crime according to Article 4(2)(b) and (c); and (b) The prevention, detection, investigation and prosecution of terrorist offences and serious transnational crime according to Article 4(2)(a) and (d). (2). deleted deleted
Amendment 249 #
Proposal for a directive
Article 2 – paragraph 1 – point a a (new)
Article 2 – paragraph 1 – point a a (new)
(aa) 'other commercial operator' means an undertaking, company or tour operator that may operate charter flights or book a number of seats on an airplane;
Amendment 250 #
Proposal for a directive
Article 2 – paragraph 1 – point a b (new)
Article 2 – paragraph 1 – point a b (new)
(ab) 'other non-commercial flight operator' means a private undertaking that may operate private planes or privately freighted flights;
Amendment 251 #
Proposal for a directive
Article 2 – paragraph 1 – point b
Article 2 – paragraph 1 – point b
(b) ’'international flight’' means any scheduled or non-scheduled flight by an air carrier or other commercial operator or a non-commercial flight operator planned to land on the territory of a Member State originating in a third country or to depart from the territory of a Member State with a final destination in a third country, including in both cases any transfer orchartered flights, private planes, privately freighted flights, as well as transit flights;
Amendment 258 #
Proposal for a directive
Article 2 – paragraph 1 – point c
Article 2 – paragraph 1 – point c
(c) ‘Passenger Name Record’ or 'PNR data' means a record of each passenger’s travel requirements which contains information necessary to enable reservations to be processed and controlled by the booking and participating air carriers and other commercial operators or non-commercial flight operators for each journey booked by or on behalf of any person, whether it is contained in reservation systems, Departure Control Systems (DCS) or equivalent systems providing the same functionalities;
Amendment 269 #
Proposal for a directive
Article 2 – paragraph 1 – point g
Article 2 – paragraph 1 – point g
(g) ‘'terrorist offences’' means the offences defined under national law referred to in Articles 1 to 4 of Council Framework Decision 2002/475/JHA, including the act of travelling for the purpose of perpetrating, planning, preparing, providing or receiving training for terrorism, in accordance with United Nations Security Council resolution 2178 (2014) and Additional Protocol on the Council of Europe Convention on the Prevention of Terrorism;
Amendment 280 #
Proposal for a directive
Article 2 – paragraph 1 – point i
Article 2 – paragraph 1 – point i
Amendment 329 #
Proposal for a directive
Article 3 a (new)
Article 3 a (new)
Amendment 334 #
Proposal for a directive
Article 4 – paragraph 1
Article 4 – paragraph 1
1. The PNR data transferred by the air carriers and other non-commercial flight operators, pursuant to Article 6, in relation to international flights which land on or depart from the territory of each Member State shall be collected by the Passenger Information Unit of the relevant Member State. Should the PNR data transferred by air carriers and other commercial operators or non-commercial flight operators include data beyond those listed in the Annex, the Passenger Information Unit shall delete such data immediately upon receipt.
Amendment 346 #
Proposal for a directive
Article 4 – paragraph 2 – point a
Article 4 – paragraph 2 – point a
(a) carrying out an assessment of the passengers prior to their scheduled arrival or departure from the Member State in order to identify any persons who may be involved in a terrorist offence or serious transnational crime and who require further examination by the competent authorities referred to in Article 5. In carrying out such an assessment, the Passenger Information Unit may process PNR data against pre-determined criteria, in accordance with this Directive, and may compare PNR data against relevant databases, international or national databases or national mirrors of Union databases, where they are established on the basis of Union law, on persons or objects sought or under alert, including against data stored by Europol, in accordance with Union, international and national rules applicable to such files. Member States shall ensure that any positive match resulting from such automated processing is individually reviewed by non-automated means in order to verify whether the competent authority referred to in Article 5 needs to take action;
Amendment 351 #
Proposal for a directive
Article 4 – paragraph 2 – point a
Article 4 – paragraph 2 – point a
(a) carrying out an assessment of the passengers prior to their scheduled arrival or departure from the Member State in order to identify any persons who may be involved in a terrorist offence or serious transnational crime and who require further examination by the competent authorities referred to in Article 5. In carrying out such an assessment, the Passenger Information Unit may process PNR data against pre- determined criteria. Member States shall ensure that any positive match resulting from such automated processing is individually reviewed by non-automated means in order to verify whether the competent authority referred to in Article 5 needs to take action;
Amendment 376 #
Proposal for a directive
Article 4 – paragraph 2 – point d
Article 4 – paragraph 2 – point d
(d) analysing PNR data for the purpose of updating or creating new criteria for carrying out assessments in order to identify any persons who may be involved in a terrorist offence or serious transnational crime pursuant to point (a).
Amendment 426 #
Proposal for a directive
Article 5 – paragraph 3
Article 5 – paragraph 3
3. Each Member State shall notify the list of its competent authorities to the Commission twelve months after entry into force of this Directive at the latest, and mayshall at any time update its declaration to ensure the list is up-to-date. The Commission shall publish this information, as well as any updates, in the Official Journal of the European Union.
Amendment 439 #
Proposal for a directive
Article 5 – paragraph 6
Article 5 – paragraph 6
6. The competent authorities shall not take any decision that produces an adverse legal effect on a person or significantly affects a person only by reason of the automated processing of PNR data. Such decisions shall not be taken on the basis of a person’'s race or ethnic originethnic or social origin, colour, genetic features, language, religiousn or philosophical belief, political opinion, trade ur any other opinion, membership, health or sexual life of a national minority, property, birth, disability, or sexual orientation.
Amendment 443 #
Proposal for a directive
Article 6 – title
Article 6 – title
Obligations on air carriers and other commercial operators and non- commercial flight operators
Amendment 449 #
Proposal for a directive
Article 6 – paragraph 1
Article 6 – paragraph 1
1. Member States shall adopt the necessary measures to ensure that air carriers and other non-commercial flight operators transfer ('push') the PNR data as defined in Article 2(c) and specified in the Annex, to the extent that such data are already collected by them, to the database of the national Passenger Information Unit of the Member State on the territory of which the international flight will land or from the territory of which the flight will depart. Where the flight is code-shared between one or more air carriers, the obligation to transfer the PNR data of all passengers on the flight shall be on the air carrier that operates the flight. Where the flight has one or more stop-overs at the airports of the Member States, air carriers shall transfer the PNR data to the Passenger Information Units of all the Member States concerned.
Amendment 455 #
Proposal for a directive
Article 6 – paragraph 1 a (new)
Article 6 – paragraph 1 a (new)
Amendment 456 #
Proposal for a directive
Article 6 – paragraph 1 b (new)
Article 6 – paragraph 1 b (new)
1b. In the cases of private planes or privately freighted flights, Member States should adopt the necessary measures to ensure that non-commercial flight operators provide PNR data for all passengers
Amendment 471 #
Proposal for a directive
Article 6 – paragraph 3
Article 6 – paragraph 3
3. Member States may permit air carriers and other non-commercial flight operators to limit the transfer referred to in point (b) of paragraph 2 to updates of the transfer referred to in point (a) of paragraph 2.
Amendment 521 #
Proposal for a directive
Article 7 – paragraph 5
Article 7 – paragraph 5
5. Exceptionally, where early access is necessary to respond to a specific and actual threat related to terrorist offences or serious crime, the Passenger Information Unit of a Member State shall have the right to request the Passenger Information Unit of another Member State to provide it with PNR data of flights landing in or departing from the latter’s territory at any time. This procedure can only cover requests on the PNR data already collected and retained by the Passenger Information Unit which is requested to provide with the data, and not on the flux of data, namely the requests on future flights.
Amendment 532 #
Proposal for a directive
Article 7 – paragraph 6
Article 7 – paragraph 6
6. Exchange of information under this Article may take place using any existing channels for international law enforcement cooperation, including the secure channels provided for by Europol. The language used for the request and the exchange of information shall be the one applicable to the channel used. Member States shall, when making their notifications in accordance with Article 3(3), also inform the Commission with details of the contacts to which requests may be sent in cases of urgency. The Commission shall communicate to the Member States the notifications received.
Amendment 553 #
Proposal for a directive
Article 8 – paragraph 1 – point a
Article 8 – paragraph 1 – point a
(a) the conditions laid down in Article 13 of Council Framework Decision 2008/977/JHA are fulfilled,transfer is necessary for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties;
Amendment 557 #
Proposal for a directive
Article 8 – paragraph 1 – point a a (new)
Article 8 – paragraph 1 – point a a (new)
(aa) the receiving authority in the third country or receiving international body is responsible for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties;
Amendment 561 #
Proposal for a directive
Article 8 – paragraph 1 – point a b (new)
Article 8 – paragraph 1 – point a b (new)
(ab) the Member State from which the data were obtained has given its consent to transfer in compliance with its national law;
Amendment 564 #
Proposal for a directive
Article 8 – paragraph 1 – point a c (new)
Article 8 – paragraph 1 – point a c (new)
(ac) the third country or international body concerned ensures an adequate level of protection for the intended data processing; and
Amendment 582 #
Proposal for a directive
Article 8 – paragraph 1 – point c
Article 8 – paragraph 1 – point c
(c) the third country receiving the data agrees to transfer the data to another third country only where it is necessary for the purposes of this Directive specified in Article 1(2) and only with the express authorisation of the Member State.
Amendment 594 #
Proposal for a directive
Article 8 – paragraph 1 a (new)
Article 8 – paragraph 1 a (new)
Member States shall transfer PNR to competent government authorities of third countries only under terms consistent with this Directive and only upon ascertaining that the use that the recipient intends to make of the PNR is consistent with those terms.
Amendment 599 #
Proposal for a directive
Article 8 – paragraph 1 b (new)
Article 8 – paragraph 1 b (new)
Any such transfer of data from one third country to another shall take place pursuant to an express understanding incorporating data privacy protections comparable to those applied to PNR by Member States as provided for in this Directive.
Amendment 601 #
Proposal for a directive
Article 8 – paragraph 1 c (new)
Article 8 – paragraph 1 c (new)
Where a Member State is aware that PNR data relating to a citizen or a resident of a Member State are being transferred to a third country, the competent authorities of the Member State concerned shall be informed of the matter at the earliest appropriate opportunity.
Amendment 603 #
Proposal for a directive
Article 8 – paragraph 1 d (new)
Article 8 – paragraph 1 d (new)
When PNR data is being transferred to a third country pursuant to this Directive, the safeguards set out in paragraphs 1 to 1c shall be complied with.
Amendment 604 #
Proposal for a directive
Article 8 – paragraph 1 e (new)
Article 8 – paragraph 1 e (new)
Transfer of PNR data to the country of origin of persons who have requested or who were found to be in need of international protection shall be prohibited.
Amendment 605 #
Proposal for a directive
Article 8 a (new)
Article 8 a (new)
Amendment 619 #
Proposal for a directive
Article 9 – paragraph 1
Article 9 – paragraph 1
1. Member States shall ensure that the PNR data provided by the air carriers and other non-commercial flight operators to the Passenger Information Unit are retained in a database at the Passenger Information Unit for a period of 30 days after their transfer to the Passenger Information Unit of the first Member State on whose territory the international flight is landing or departing.
Amendment 669 #
Proposal for a directive
Article 9 – paragraph 4 a (new)
Article 9 – paragraph 4 a (new)
4a. The result of the processing referred to in Article 4(2)(a) shall be kept by the Passenger Information Unit only as long as necessary to inform the competent authorities of a positive match. Where the result of an automated processing has, further to individual review by non- automated means as referred to in Article 4(2)(a) last subparagraph, proven to be negative, it may, however, be stored so as to avoid future 'false' positive matches for as long as the underlying data have not yet been deleted in accordance with paragraph 1.
Amendment 676 #
Proposal for a directive
Article 10 – title
Article 10 – title
Penalties against air carriers and non- commercial flight operators
Amendment 681 #
Proposal for a directive
Article 10 – paragraph 1
Article 10 – paragraph 1
Member States shall ensure, in conformity with their national law, that dissuasive, effective and proportionate penalties, including financial penalties, are provided for against air carriers and other non- commercial flight operators which, do not transmit the data required under this Directive, to the extent that they are already collected by the them, or do not do so in the required format or otherwise infringe the national provisions adopted pursuant to this Directive.
Amendment 697 #
Proposal for a directive
Article 11 – paragraph 3
Article 11 – paragraph 3
3. Any processing of PNR data revealing a person’'s race or ethnic originethnic or social origin, colour, genetic features, language, religiousn or philosophical belief, political opinion, trade ur any other opinion, membership, health or sexual life of a national minority, property, birth, disability, or sexual orientation shall be prohibited. In the event that PNR data revealing such information are received by the Passenger Information Unit they shall be deleted immediately.
Amendment 715 #
Proposal for a directive
Article 11 – paragraph 7
Article 11 – paragraph 7
7. Without prejudice to Article 10, Member States shall adopt suitable measures to ensure the full implementation of the provisions of this Directive and shall in particular lay down effective, proportionate and dissuasive penalties to be imposed in case of infringements of the provisions adopted pursuant to this Directive, whether these infringements were voluntary or the result of negligent or reckless acts.
Amendment 716 #
Proposal for a directive
Article 11 – paragraph 7 a (new)
Article 11 – paragraph 7 a (new)
7a. PNR data must be monitored, sampled and audited in line with a single European statutory code of practice applicable in all Member States, which must be developed jointly by the Member States' supervisory authorities, ensuring tight controls of the work of operators and the practical implementation of this Directive, and will form part of each Member State's review process.
Amendment 722 #
Proposal for a directive
Article 11 b (new)
Article 11 b (new)
Amendment 724 #
Proposal for a directive
Article 11 c (new)
Article 11 c (new)
Article 11c Right of access for the data subject Member States shall provide for the right of the data subject to obtain from the Passenger Information Unit a copy of the PNR data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject.
Amendment 726 #
Proposal for a directive
Article 11 d (new)
Article 11 d (new)
Article 11d Right to rectification and completion 1. Member States shall provide for the right of the data subject to obtain from the Passenger Information Unit the rectification or the completion of personal data relating to him or her which are inaccurate or incomplete, in particular by way of a completing or corrective statement. 2. Member States shall provide that the Passenger Information Unit informs the data subject in writing, with a reasoned justification, of any refusal of rectification or completion, on the reasons for the refusal and on the possibilities of lodging a complaint with the supervisory authority and seeking a judicial remedy. 3. Member States shall provide that the Passenger Information Unit shall communicate any rectification carried out to each recipient to whom the data have been disclosed, unless to do so proves impossible or involves a disproportionate effort. 4. Member States shall provide that the Passenger Information Unit communicates the rectification of inaccurate personal data to the third party from whom the inaccurate personal data originate.
Amendment 727 #
Proposal for a directive
Article 11 e (new)
Article 11 e (new)
Amendment 728 #
Proposal for a directive
Article 11 f (new)
Article 11 f (new)
Amendment 729 #
Proposal for a directive
Article 11 g (new)
Article 11 g (new)
Article 11g Keeping of records 1. Member States shall ensure that records are kept of at least the following processing operations: collection, alteration, consultation, disclosure, combination or erasure. The records of consultation and disclosure shall show in particular the purpose, date and time of such operations and as far as possible the identification of the person who consulted or disclosed PNR data, and the identity of the recipients of such data. 2. The records shall be used solely for the purposes of verification of the lawfulness of the data processing, self-monitoring and for ensuring data integrity and data security, or for purposes of auditing, either by the Data Protection Officer or by the supervisory authority. 3. The Member State shall ensure that the Passenger Information Unit shall make the records available, on request, to the supervisory authority.
Amendment 730 #
Proposal for a directive
Article 11 h (new)
Article 11 h (new)
Amendment 731 #
Proposal for a directive
Article 11 i (new)
Article 11 i (new)
Article 11i Right to judicial remedy 1. Without prejudice to any available administrative remedy, including the right to lodge a complaint with a supervisory authority, Member States shall provide for the right of every natural person to a judicial remedy if they consider that that their rights laid down in provisions adopted pursuant to this Directive have been infringed as a result of the processing of their personal data in non- compliance with these provisions. 2. Member States shall ensure that final decisions by the court referred to in this Article will be enforced.
Amendment 732 #
Proposal for a directive
Article 11 j (new)
Article 11 j (new)
Article 11j Liability and the right to compensation Member States shall provide that any person who has suffered damage, including non-pecuniary damage, as a result of an unlawful processing operation or of an action incompatible with the provisions adopted pursuant to this Directive shall have the right to claim compensation for the damage suffered.
Amendment 733 #
Proposal for a directive
Article 11 k (new)
Article 11 k (new)
Article 11k Penalties for non-compliance Member States shall lay down the rules on penalties, applicable to infringements of the provisions adopted pursuant to this Directive and shall take all measures necessary to ensure that they are implemented. The penalties provided for must be effective, proportionate and dissuasive.
Amendment 734 #
Proposal for a directive
Article 11 l (new)
Article 11 l (new)
Article 11l Notification of a personal data breach to the supervisory authority 1. Member States shall provide that in the case of a personal data breach, the Passenger Information Unit, without undue delay and, where feasible, not later than 24 hours, the personal data breach to the supervisory authority. The Passenger Information Unit shall provide, on request, to the supervisory authority a reasoned justification in cases of any delay. 2. The notification referred to in paragraph 1 shall at least: (a) describe the nature of the personal data breach including the categories and number of data subjects concerned and the categories and number of data records concerned; (b) communicate the identity and contact details of the Data Protection Officer referred to in Article 3a (new) or other contact point where more information can be obtained; (c) recommend measures to mitigate the possible adverse effects of the personal data breach; (d) describe the possible consequences of the personal data breach; (e) describe the measures proposed or taken by the Passenger Information Unit to address the personal data breach and mitigate its effects. In case all information cannot be provided without undue delay, the Passenger Information Unit can complete the notification in a second phase. 4. Member States shall provide that the Passenger Information Unit documents any personal data breaches, comprising the facts surrounding the breach, its effects and the remedial action taken. This documentation must be sufficient to enable the supervisory authority to verify compliance with this Article. The documentation shall only include the information necessary for that purpose. 5. The supervisory authority shall keep a public register of the types of breaches notified.
Amendment 735 #
Proposal for a directive
Article 11 m (new)
Article 11 m (new)
Article 11m Communication of a personal data breach to the data subject 1. Member States shall provide that when the personal data breach is likely to adversely affect the protection of the personal data and/or the privacy of the data subject, the Passenger Information Unit shall, after the notification referred to in Article 11l (new), communicate the personal data breach to the data subject without undue delay. 2. The communication to the data subject referred to in paragraph 1 shall be comprehensive and use clear and plain language. It shall describe the nature of the personal data breach and contain at least the information and the recommendations provided for in points (b), (c) and (d) of Article 11l (new) and information about the rights of the data subject, including redress. 3. The communication of a personal data breach to the data subject shall not be required if the Passenger Information Unit demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures were applied to the PNR data concerned by the personal data breach. Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it. 4. The communication to the data subject may be delayed or restricted, in a specific case, to the extent that such a delay or restriction constitutes a necessary and proportionate measure: (a) to avoid obstructing official or legal inquiries, investigations or procedures; (b) to protect public security; (c) to protect the rights and freedoms of others.
Amendment 748 #
Proposal for a directive
Article 12 a (new)
Article 12 a (new)
Article 12a Duties of the national supervisory authority 1. Member States shall provide that the supervisory authority: (a) monitors and ensures the application of the provisions adopted pursuant to this Directive and its implementing measures; (b) hears complaints lodged by any data subject, investigates, to the extent appropriate, the matter and informs the data subject of the progress and the outcome of the complaint within a reasonable period, in particular where further investigation or coordination with another supervisory authority is necessary; (c) checks the lawfulness of the data processing; (d) conducts investigations, inspections and audits, either on its own initiative or on the basis of a complaint, and informs the data subject concerned, if the data subject has addressed a complaint, of the outcome of the investigations within a reasonable period; (e) monitors relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies; 2. The supervisory authority shall, upon request, advise any data subject in exercising the rights laid down in provisions adopted pursuant to this Directive, and, if appropriate, co-operate with supervisory authorities in other Member States to this end. 3. For complaints referred to in point (b) of paragraph 1, the supervisory authority shall provide a complaint submission form, which can be completed electronically, without excluding other means of communication. 4. Member States shall provide that the performance of the duties of the supervisory authority shall be free of charge for the data subject. 5. Where requests are manifestly excessive, in particular due to their repetitive character, the supervisory authority may charge a reasonable fee. Such a fee shall not exceed the costs of taking the action requested. The supervisory authority shall bear the burden of proving the manifestly excessive character of the request.
Amendment 750 #
Proposal for a directive
Article 12 b (new)
Article 12 b (new)