Activities of Patrick BREYER related to 2022/0085(COD)
Shadow opinions (1)
OPINION on the proposal for a regulation of the European Parliament and of the Council laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union
Amendments (11)
Amendment 20
Proposal for a regulation
Recital 22
(22) All personal data processed under this Regulation should be processed in accordance with data protection legislation including Regulation (EU) 2018/1725 of the European Parliament and of the Council, including its rules on international transfers.7 This Regulation should be without prejudice to the application of existing EU legislation governing the processing of personal data, including the tasks and competences of the European Data Protection Supervisor. All cybersecurity systems and services involved in the prevention, detection, and response to cyber threats should be compliant with the current data protection and privacy framework, and should take relevant technical and organisational safeguards to ensure this compliance in an accountable way.
_________________
7 Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
Amendment 27
Proposal for a regulation
Article 4 – paragraph 5
5. Each Union institution, body and agency shall appoint a Local Cybersecurity Officer or an equivalent function who shall act as its single point of contact regarding all aspects of cybersecurity. The Local Cybersecurity Officer shall cooperate with the data protection officer designated in accordance with Article 43 of Regulation (EU) 2018/1725, when dealing with overlapping activities applying data protection by design and by default to cybersecurity measures, selecting cybersecurity measures that involve protection of personal data, integrated risk management, and integrated security incident handling;
Amendment 28
Proposal for a regulation
Article 9 – paragraph 3 – subparagraph 1 – point k a (new)
(k a) the European Data Protection Supervisor (EDPS).
Amendment 31
Proposal for a regulation
Article 12 – paragraph 2 – point e a (new)
(e a) inform without undue delay the European Data Protection Supervisor when it has indications that an infringement by the EU Institutions of the obligations laid down in this Regulation entails unlawful processing of personal data;
Amendment 32
Proposal for a regulation
Article 12 – paragraph 2 – point e b (new)
(e b) work in close cooperation with the European Data Protection Supervisor when addressing incidents resulting in personal data breaches or in breach of confidentiality of electronic communications.
Amendment 34
Proposal for a regulation
Article 12 – paragraph 7 a (new)
7 a. CERT-EU shall inform the EDPS when addressing significant vulnerabilities, significant incidents or major attacks that have the potential to result in personal data breaches and/or in the breach of confidentiality of electronic communications.
Amendment 36
Proposal for a regulation
Chapter V – title
V COOPERATION AND REPORTING OBLIGATIONS, PERSONAL DATA
Amendment 38
Proposal for a regulation
Article 18 – paragraph 3
3. The processing of personal data carried out under this Regulation shall be subject to Regulation (EU) 2018/1725 of the European Parliament and of the Council. The Commission shall, by [1 year after the entering into force of this legislation], adopt a Delegated Act to specify which personal data processing activities are permitted under this Regulation, including the purpose of the processing, categories of personal data, categories of data subjects, conditions for data processing, maximum retention periods, definition of the data controllers and processors, retention periods, and recipients in case of transmission. It shall limit the processing of personal data to what is strictly necessary and keep it as targeted as possible, excluding the indiscriminate retention of traffic or content data. The Commission shall amend the Delegated Act when it identifies significant changes in the necessity, specific purposes and entities involved in processing personal data for the purposes of this Regulation.
Or. en
(Exercise of the delegation, see Article 24a)
Amendment 47
Proposal for a regulation
Article 19 – paragraph 3
3. CERT-EU may only exchange incident-specific information which reveals the identity of the Union institution, body or agency affected by the incident with the authorization of that entity. CERT-EU may only exchange incident-specific information which reveals the identity of the target of the cybersecurity incident with the authorization of the entity affected by the incident.
Amendment 58
Proposal for a regulation
Article 24 a (new)
Amendment 59
Proposal for a regulation
Annex II – paragraph 1 – point 2 a (new)
(2 a) the use of encryption at rest, encryption in transit as well as end-to-end encryption wherever possible;