44 Amendments of Jan MULDER related to 2012/0011(COD)

Amendment 377 #
Proposal for a regulation
Recital 20
(20) In order to ensure that individuals are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects residing in the Union by a controller not established in the Union should be subject to this Regulation where the processing activities are related to the offering of goods or (free) services to such data subjects, or to the monitoring of the behaviour of such data subjects.
2013/03/04
Committee: LIBE
Amendment 379 #
Proposal for a regulation
Recital 21
(21) In order to determine whether a processing activity can be considered to ‘monitor the behaviour’ of data subjects, it should be ascertained whether individuals are tracked, regardless of the origins of the data, with data processing techniques which consist of applying a ‘profile’ to an individual, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.
2013/03/04
Committee: LIBE
Amendment 383 #
Proposal for a regulation
Recital 23
(23) The principles of protection should apply to any information concerning an identified or identifiable person. To determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the individual. The principles of data protection should not apply to data rendered anonymous in such a way that the data subject is no longer identifiable as for example data that has been anonymised for the purpose of medical research.
2013/03/04
Committee: LIBE
Amendment 399 #
Proposal for a regulation
Recital 24
(24) When using online services or devices, individuals may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses or cookie identifiers. This may leave traces which, combined with unique identifiers and other information received by the servers, may be used to create profiles of the individuals and identify them. It follows that identification numbers, location data, online identifiers or other specific factors as such need not necessarily be considered as personal data in all circumstances.
2013/03/04
Committee: LIBE
Amendment 407 #
Proposal for a regulation
Recital 25
(25) Consent should be given explicitly by any appropriate method enabling a freely given specific and informed indication of the data subject’s wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data. User-friendly information about the types of processing that will be carried out should facilitate informed consent. Silence, inactivity such as not changing opt-in by default settings, should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject's consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
2013/03/04
Committee: LIBE
Amendment 422 #
Proposal for a regulation
Recital 27
(27) If a controller or a processor has multiple establishments in the Union, including but not limited to cases where the controller or the processor is part of a group of undertakings, the main establishment of a controller in the Union for the purposes of this Regulation should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes, conditions and means of processing through stable arrangements. This criterion should not depend whether the processing of personal data is actually carried out at that location; the presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute such main establishment and are therefore not determining criteria for a main establishment. The main establishment of the processor should be the place of its central administration in the Union.
2013/03/04
Committee: LIBE
Amendment 445 #
Proposal for a regulation
Recital 34
(34) Consent should not as a rule provide a valid legal ground for the processing of personal data, where there is a clear imbalance between the data subject and the controller which is specifically the case where the data subject is in a situation of dependence from the controller, among others, where personal data are processed by the employer of employees’ personal data in the employment context. Where the controller is a public authority, there would be an imbalance only in the specific data processing operations where the public authority can impose an obligation by virtue of its relevant public powers and the consent cannot be deemed as freely given, taking into account the interest of the data subject.
2013/03/04
Committee: LIBE
Amendment 462 #
Proposal for a regulation
Recital 39 a (new)
(39a) The processing of personal data for direct marketing purposes should constitute a legitimate interest, if the controller has obtained the personal data of the data subject in the context of the sale of a product or service and that the personal data are used for direct marketing of the data controller's own similar products.
2013/03/04
Committee: LIBE
Amendment 477 #
Proposal for a regulation
Recital 47
(47) Modalities should be provided for facilitating the data subject’s exercise of their rights provided by this Regulation, including mechanisms to request, free of charge, in particular access to data, rectification, erasure and to exercise the right to object. The controller should be obliged to respond to requests of the data subject within a reasonable deadline and give reasons, in case he does not comply with the data subject’s request.
2013/03/04
Committee: LIBE
Amendment 502 #
Proposal for a regulation
Recital 54
(54) To strengthen the ‘right to be forgotten’ in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged where possible, taking into account the specific context in which the data was publicized and the responsibilities of the data subject and processor, to erase personal data made public. The processor should inform where this is possible third parties which are processing such data that a data subject requests them to erase any links to, or copies or replications of that personal data. To ensure this information, the controller should take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible. In relation to a third party publication of personal data, the controller should be considered responsible for the publication, where the controller has authorised the publication by the third party.
2013/03/04
Committee: LIBE
Amendment 505 #
Proposal for a regulation
Recital 55
(55) To further strengthen the control over their own data and their right of access, data subjects should have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain a copy of the data concerning them also in commonly used electronic format. The data subject should also be allowed to transmit those data, which they have provided, from one automated application, such as a social network, into another one. Data controllers should be encouraged to develop interoperable formats that enable data portability. This should apply where the data subject provided the data to the automated processing system, based on their consent or in the performance of a contract.
2013/03/04
Committee: LIBE
Amendment 528 #
Proposal for a regulation
Recital 65
(65) Each controller and processor should be obliged to co-operate with the supervisory authority. In order to demonstrate compliance with this Regulation, the controller or processor should document each processing operation if one of the processing operations as mentioned in Article 33(2) is being executed; the controller or processor should make available documentation, on request by the DPA, so that it might serve for monitoring those processing operations.
2013/03/04
Committee: LIBE
Amendment 536 #
Proposal for a regulation
Recital 67
(67) A personal data breach may, if not addressed in an adequate and timely manner, result in substantial economic loss and social harm, including identity fraud, to the individual concerned. Therefore, as soon as the controller becomes aware that such a breach has occurred, the controller should notify the breach to the supervisory authority without undue delay. The responsibility hereof should rest with the controller. The individuals whose personal data could be adversely affected by the breach should be notified without undue delay in order to allow them to take the necessary precautions. A breach should be considered as adversely affecting the personal data or privacy of a data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation. The notification should describe the nature of the personal data breach as well as recommendations for the individual concerned to mitigate potential adverse effects. Notifications to data subjects should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities (e.g. law enforcement authorities). For example, the chance for data subjects to mitigate an immediate risk of harm would call for a prompt notification of data subjects whereas the need to implement appropriate measures against continuing or similar data breaches may justify a longer delay.
2013/03/04
Committee: LIBE
Amendment 543 #
Proposal for a regulation
Recital 70
(70) Directive 95/46/EC provided for a general obligation to notify processing of personal data to the supervisory authorities allowing the Member States to exempt processing, which was unlikely to pose risks to the data subjects, from this regulation. This obligation produces administrative and financial burdens, and it did not in all cases contribute to improving the protection of personal data. Therefore such indiscriminate general notification obligation should be abolished, and replaced by effective procedures and mechanism which focus instead on those processing operations which are likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes. In such cases, a data protection impact assessment should be carried out by the controller or processor prior to the processing, which should include in particular the envisaged measures, safeguards and mechanisms for ensuring the protection of personal data and for demonstrating the compliance with this Regulation.
2013/03/04
Committee: LIBE
Amendment 560 #
Proposal for a regulation
Recital 75
(75) Where the processing is carried out in the public sector or where, in the private sector, processing is carried out by a large enterprise, or where its core activities, regardless of the size of the enterprise, involve processing operations which require regular and systematic monitoring, a person or a team of professionals should assist the controller or processor to monitor internal compliance with this Regulation. Such data protection officers, whether or not an employee of the controller, should be in a position to perform their duties and tasks independently. However, final responsibility should stay with the management of an organization.
2013/03/04
Committee: LIBE
Amendment 571 #
Proposal for a regulation
Recital 77
(77) In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms, data protection seals and standardised marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services.
2013/03/04
Committee: LIBE
Amendment 588 #
Proposal for a regulation
Recital 88
(88) Transfers which cannot be qualified as frequent or massive, could also be possible for the purposes of the legitimate interests pursued by the controller or the processor, when they have assessed all the circumstances surrounding the data transfer. For instance this would be the case if the purposes of processing are historical, statistical or scientific research purposes, the legitimate expectations of society for an increase of knowledge should be taken into consideration.
2013/03/04
Committee: LIBE
Amendment 607 #
Proposal for a regulation
Recital 110
(110) At Union level, a European Data Protection Board should be set up. It should replace the Working Party on the Protection of Individuals with Regard to the Processing of Personal Data established by Directive 95/46/EC. It should consist of a head of a supervisory authority of each Member State and of the European Data Protection Supervisor. The Commission should participate in its activities. The European Data Protection Board should contribute to the consistent application of this Regulation throughout the Union, including by advising the Commission and promoting co-operation of the supervisory authorities throughout the Union. The European Data Protection Board should act independently when exercising its tasks.
2013/03/04
Committee: LIBE
Amendment 646 #
Proposal for a regulation
Recital 127 a (new)
(127a) The obligation to inform the data subject about the purposes of the processing, the right to erasure, the right to data portability, the right to objection, the obligation to take measures to ensure compliance as well as the prohibition to transfer data to countries outside the Union, should not apply to the processing of information relating to the professional capacity of an individual, such as such individual’s employer, job title, function, business address, business phone or fax number, business e-mail address or other organizational details. However, data subjects should have the right to request from the controller not to have such professional information disclosed to third parties.
2013/03/04
Committee: LIBE
Amendment 649 #
Proposal for a regulation
Recital 128
(128) This Regulation respects and does not prejudice the status under national law of churches and religious associations or communities in the Member States, as recognised in Article 17 of the Treaty on the Functioning of the European Union. As a consequence, where a church in a Member State applies, at the time of entry into force of this Regulation, comprehensive rules relating to the protection of individuals with regard to the processing of personal data, these existing rules should continue to apply if they are brought in line with this Regulation. Such churches and religious associations should be required to provide for the establishment of a completely independent supervisory authority.
2013/03/04
Committee: LIBE
Amendment 768 #
Proposal for a regulation
Article 4 – paragraph 1 – point 9
(9) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
2013/03/04
Committee: LIBE
Amendment 833 #
Proposal for a regulation
Article 5 – paragraph 1 – point e
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for historical, statistical or scientific research purposes in accordance with the rules and conditions of Article 83 and if a periodic review is carried out to assess the necessity to continue the storage as well as for dispute resolution purposes;
2013/03/04
Committee: LIBE
Amendment 844 #
Proposal for a regulation
Article 5 – paragraph 1 – point f
(f) processed under the responsibility and liability of the controller, who shall be able to ensure and demonstrate for its processing operations the compliance with the provisions of this Regulation.
2013/03/04
Committee: LIBE
Amendment 949 #
Proposal for a regulation
Article 6 – paragraph 4
4. Personal data may not be processed further if the intended purpose for which the personal data will be processed is not compatible with the one for which the personal data have been collected. The data controller must assess the compatibility of the purposes in taking into account: (a) the affiliation between the intended and original processing purposes; (b) the nature of the data concerned; (c) the consequences of the intended processing for the data subjects or third parties; (d) the ways and means used for the original collection of the data; (e) any adequate safeguards the data controller has provided.
2013/03/04
Committee: LIBE
Amendment 950 #
Proposal for a regulation
Article 6 – paragraph 4 a (new)
4a. Further processing of personal data for historical, statistical and scientific purposes shall not be considered as incompatible when the data controller has provided all necessary precautions to ensure that the personal data can only be further processed for these specific purposes.
2013/03/04
Committee: LIBE
Amendment 953 #
Proposal for a regulation
Article 6 – paragraph 4 b (new)
4b. Further processing of personal data is prohibited if the processing is not compatible with any legal, professional or other binding obligation of secrecy.
2013/03/04
Committee: LIBE
Amendment 965 #
Proposal for a regulation
Article 6 – paragraph 5
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the conditions referred to in point (f) of paragraph 1 for various sectors and data processing situations, including as regards the processing of personal data related to a child.
2013/03/04
Committee: LIBE
Amendment 990 #
Proposal for a regulation
Article 7 – paragraph 4
4. Consent shall not as a rule provide a legal basis for the processing, of personal data in case where there is a significant imbalance in terms of dependence between the position of the data subject and the controller.
2013/03/04
Committee: LIBE
Amendment 1326 #
Proposal for a regulation
Article 15 – paragraph 2
2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject.
2013/03/06
Committee: LIBE
Amendment 1328 #
Proposal for a regulation
Article 15 – paragraph 2
2. To verify the lawfulness of the processing the data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject.
2013/03/06
Committee: LIBE
Amendment 1628 #
Proposal for a regulation
Article 21 – paragraph 1 – point a a (new)
(aa) national security;
2013/03/06
Committee: LIBE
Amendment 1653 #
Proposal for a regulation
Article 22 – title
Responsibility and accountability of the controller
2013/03/06
Committee: LIBE
Amendment 1655 #
Proposal for a regulation
Article 22 – paragraph 1
1. The controller shall adopt policies and implement appropriate measures to ensure and be able to demonstrate in a transparent manner that the processing of personal data is performed in compliance with this Regulation. Accountability will always remain with the management.
2013/03/06
Committee: LIBE
Amendment 1689 #
Proposal for a regulation
Article 22 – paragraph 3
3. The controller shall implement mechanisms to ensure the verification of the effectiveness of the measures referred to in paragraphs 1 and 2. If proportionate, this verification shall be carried out by independent internal or external auditors.
2013/03/06
Committee: LIBE
Amendment 1756 #
Proposal for a regulation
Article 25 – paragraph 2 – point b
(b) an enterprise employing fewer than 250 persons; or
deleted
2013/03/06
Committee: LIBE
Amendment 1823 #
Proposal for a regulation
Article 27 – paragraph 1
The processor and any person acting under the authority of the controller or of the processor who has access to personal data shall keep the personal data confidential and not process them except on instructions from the controller, unless required to do so by Union or Member State law.
2013/03/06
Committee: LIBE
Amendment 2143 #
Proposal for a regulation
Article 35 – paragraph 1
1. The controller and the processor shall designate a data protection officer or attract sufficient external advice in any case where: (a) the processing is carried out by a public authority or body; or (b) the processing is carried out by an enterprise employing 250 persons or more; or (c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects. The data protection officer can already be employed by the enterprise and fulfil his duties part time and will report to the board of an enterprise, organization or public authority which bears ultimate responsibility and is accountable.
2013/03/06
Committee: LIBE
Amendment 2159 #
Proposal for a regulation
Article 35 – paragraph 1 – point a a (new)
(aa) where risks as mentioned in Article 33(2) are not negligible even though the company's main activity is not data processing;
2013/03/06
Committee: LIBE
Amendment 2161 #
Proposal for a regulation
Article 35 – paragraph 1 – point b
(b) the processing is carried out by an enterprise employing 250 persons or more; or
deleted
2013/03/06
Committee: LIBE
Amendment 2189 #
Proposal for a regulation
Article 35 – paragraph 2
2. A group of undertakings may appoint a single data protection officer.
2013/03/06
Committee: LIBE
Amendment 2238 #
Proposal for a regulation
Article 35 – paragraph 9
9. The controller or the processor shall communicate the name and contact details of the data protection officer to the supervisory authority and to the public.
deleted
2013/03/06
Committee: LIBE
Amendment 2261 #
Proposal for a regulation
Article 36 – paragraph 2
2. The controller or processor shall ensure that the data protection officer performs the duties and tasks independently and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the management of the controller or the processor which is responsible for protecting personal data in accordance with this regulation.
2013/03/06
Committee: LIBE
Amendment 2613 #
Proposal for a regulation
Article 52 – paragraph 2 a (new)
2a. The supervisory authority shall not disclose information provided to it, where such disclosure could adversely affect the rights and freedoms of others, including the controller or processor. This shall apply particularly to: (a) information related to the economic interests and trade secrets of the controller or processor; (b) the security measures taken in accordance with Article 30; and (c) information which Union or Member State law has designated as confidential.
2013/03/06
Committee: LIBE
Amendment 2879 #
Proposal for a regulation
Article 79 – paragraph 3 – point b
(b) an enterprise or an organisation employing fewer than 250 persons is processing personal data only as an activity ancillary to its main activities.
deleted
2013/03/06
Committee: LIBE