6 Amendments of Maria GRAPINI related to 2017/0002(COD)
Amendment 72 #
Proposal for a regulation
Recital 14
Recital 14
(14) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided. At the same time, it should only be possible for the electronic request to be completed and processed after the person concerned has been informed clearly and precisely of the purpose for its being processed.
Amendment 73 #
Proposal for a regulation
Recital 15
Recital 15
(15) Any processing of personal data should be lawful and fair and done for clear and well-defined purposes. . It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to, disclosure during the transmission of, or use of personal data and the equipment used for the processing.
Amendment 75 #
Proposal for a regulation
Recital 17
Recital 17
(17) In order for processing to be lawful, personal data should be processed on the basis of the necessity of performance of a task carried out in the public interest by Union institutions and bodies or in the exercise of their official authority, the necessity for compliance with the legal obligation to which the controller is subject or some other legitimate basis as referred to in this Regulation, including the consent of the data subject concerned or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. Processing of personal data for the performance of tasks carried out in the public interest by the Union institutions and bodies includes the processing of personal data necessary for the management and functioning of those institutions and bodies. The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis, or where the processing is necessary to protect the life, physical integrity or health of the person concerned in the event of that person being physically or legally unable to give consent. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.
Amendment 80 #
Proposal for a regulation
Recital 20
Recital 20
(20) Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC14 a declaration of consent pre- formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and, the purposes of the processing for which the personal data are intended and the categories of recipients of the data, and be informed on the right of access and of intervention in respect of the data. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment. _________________ 14 Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts (OJ J 95, 21.4.1993, p.29).
Amendment 82 #
Proposal for a regulation
Recital 21
Recital 21
(21) Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Data concerning children should be handled with particular care, as the risks relating to it are less well less known to children than to adults. Such specific protection should, in particular, apply to creating personality profiles and the collection of personal data with regard to children when using services offered directly to a child on websites of Union institutions and bodies, such as interpersonal communication services or online selling of tickets and when the processing of personal data is based on consent.
Amendment 86 #
Proposal for a regulation
Recital 27
Recital 27
(27) Modalities should be provided for facilitating the exercise of the data subject's rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data, without its being adversely affected, and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests, in an electronic communication or by post, in accordance with the relevant legal provisions. .