Activities of Giles CHICHESTER related to 2012/0011(COD)
Shadow opinions (1)
OPINION on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)
Amendments (34)
Amendment 202 #
Proposal for a regulation
Recital 27
Recital 27
(27) The main establishment of a controller in the Union, including a controller that is also a processor, should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes, conditions and means of processing through stable arrangements. This criterion should not depend whether the processing of personal data is actually carried out at that location; the presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute such main establishment and are therefore no determining criteria for a main establishment. The main establishment of the processor that is not also a controller should be the place of its central administration in the Union.
Amendment 333 #
Proposal for a regulation
Article 4 – paragraph 1 – point 3 a (new)
Article 4 – paragraph 1 – point 3 a (new)
(3a) 'anonymous data' shall mean information that has never related to a data subject or has been collected, altered or otherwise processed so that it cannot be attributed to a data subject.
Amendment 339 #
Proposal for a regulation
Article 4 – paragraph 1 – point 8
Article 4 – paragraph 1 – point 8
(8) ‘'the data subject's consent’' means any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processedorm of statement or conduct by the data subject indicating assent to the data processing proposed. Silence or inactivity does not in itself indicate acceptance;
Amendment 341 #
Proposal for a regulation
Article 4 – paragraph 1 – point 9
Article 4 – paragraph 1 – point 9
(9) ‘'personal data breach’' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;, which is likely to adversely affect the protection of the personal data or privacy of the data subject.
Amendment 347 #
Proposal for a regulation
Article 4 – paragraph 1 – point 13
Article 4 – paragraph 1 – point 13
(13) ‘'main establishment’' means as regards the location as designated by the undertaking or group of undertakings, whether controller, the place of its establishment in the Union where the main decisions as or processor, subject to the consistency mechanism set out in Article 57, on the basis of, but not limited to, the purposes, conditions and means of the processing of personal data are taken; if no decisions as to the purposes, conditions and means of the processing of personal data are taken in the Union, the main establishment is the place where the main processing activities in the context of the activities of an establishment of a controller in the Union take place. As regards the processor, ‘main establishment’ means the place of its central administrfollowing optional objective criteria: (1) the location of the European headquarters of a group of undertakings; (2) the location of the entity within a group of undertakings with delegated data protection responsibilities; (3) the location of the entity within the group which is best placed in terms of management functions and administrative responsibilities to deal with and enforce the rules as set out in this Regulation; or (4) the location where effective and real management activities are exercised determining the data processing through stable arrangements. The competent authority shall be informed by the undertaking or group of undertakings of the designation inof the Union;main establishment.
Amendment 397 #
Proposal for a regulation
Article 7 – paragraph 3
Article 7 – paragraph 3
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Where the processing of personal data is an essential element to the controllers' ability to provide adequate security in the provision of a service to the data subject, the withdrawal of consent can lead to the termination of the service.
Amendment 441 #
Proposal for a regulation
Article 12 – paragraph 4
Article 12 – paragraph 4
4. The information and the actions taken on requests referred to in paragraph 1 shall be free of charge. Where requests are manifestly excessive, in particular because ofowing to their high volume, complexity or their repetitive character, the controller may charge an appropriate, not for profit, fee for providing the information or taking the action requested, or the controller may notdecline to take the action requested. In that case, the controller shall bear the burden of proving the manifestly excessive character of the request.
Amendment 462 #
Proposal for a regulation
Article 14 – paragraph 5 – point b
Article 14 – paragraph 5 – point b
(b) the data are not collected from the data subject and the provision of such information proves impossible or would involve a disproportionate effort and generate excessive administrative burden, especially when the processing is carried out by a SME as defined in EU recommendation 2003/361; or
Amendment 487 #
Proposal for a regulation
Article 17 – paragraph 1 – point d
Article 17 – paragraph 1 – point d
Amendment 513 #
Proposal for a regulation
Article 18 – paragraph 3
Article 18 – paragraph 3
3. The Commission may specify the electronic format referred to in paragraph 1 and the technical standards, modalities and procedures for the transmission of personal data pursuant to paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2) shall be determined by the controller by reference to harmonised industry standards, or where these are not already defined, shall be developed by industry stakeholders through standardisation bodies.
Amendment 519 #
Proposal for a regulation
Article 19 – paragraph 3 a (new)
Article 19 – paragraph 3 a (new)
3a. Where pseudonymous data are processed based on Article 6(1)(g), the data subject shall have the right to object free of charge to the processing. This right shall be explicitly offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information.
Amendment 521 #
Proposal for a regulation
Article 20 – title
Article 20 – title
Measures based on profilautomated processing
Amendment 525 #
Proposal for a regulation
Article 20 – paragraph 1
Article 20 – paragraph 1
1. Every natural person shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviourA data subject shall not be subject to a decision which is unfair or discriminatory, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this data subject.
Amendment 533 #
Proposal for a regulation
Article 20 – paragraph 2
Article 20 – paragraph 2
Amendment 549 #
Proposal for a regulation
Article 20 – paragraph 3
Article 20 – paragraph 3
Amendment 554 #
Proposal for a regulation
Article 20 – paragraph 4
Article 20 – paragraph 4
Amendment 558 #
Proposal for a regulation
Article 20 – paragraph 5
Article 20 – paragraph 5
Amendment 592 #
Proposal for a regulation
Article 23 – paragraph 1
Article 23 – paragraph 1
1. Having regard to the state of the art and the cost of implementation, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures in such a way that the processing will Where required, mandatory measures may be adopted to ensure that categories of goods or services are designed and have default settings meeting the requirements of this Regulation relating to the protection of individuals with regard to the processing of personal data. Such measures shall be based on standardisation pursuant to [Regulation .../2012 of the European Parliameent the requirements of this Reguland of the Council on European standardisation, and ensure the protection of the rights of the data subject. mending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Decision 87/95/EEC and Decision No 1673/2006/EC].
Amendment 598 #
Proposal for a regulation
Article 23 – paragraph 2
Article 23 – paragraph 2
2. The controller shall implement mechanisms for ensuring that, by default, only thoseUntil such time as mandatory measures have been adopted peursonal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both uant to paragraph 1, Member States shall ensure that no mandatory design or default requirements are imposed on goods or services relating terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to ao the protection of individuals with regard to the processing of personal data which could impede the placing of equipment on the market and the free circulation of such goods and services in iandefinite number of individual between Member States.
Amendment 603 #
Proposal for a regulation
Article 23 – paragraph 3
Article 23 – paragraph 3
Amendment 606 #
Proposal for a regulation
Article 23 – paragraph 4
Article 23 – paragraph 4
Amendment 614 #
Proposal for a regulation
Article 26 – paragraph 1
Article 26 – paragraph 1
1. Where a processing operation is to be carried out on behalf of a controller and which involves the processing of data that would permit the processor to reasonably identify the data subject, the controller shall choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organizational measures governing the processing to be carried out and shall ensure compliance with those measures. The controller remains solely responsible for ensuring compliance with the requirements of this Regulation.
Amendment 643 #
Proposal for a regulation
Article 28 – paragraph 1
Article 28 – paragraph 1
1. Each controller and processor and, if any, the controller's representative, shall maintain documentation of all processing operationsthe main categories of processing under its responsibility.
Amendment 646 #
Proposal for a regulation
Article 28 – paragraph 2 – introductory part
Article 28 – paragraph 2 – introductory part
2. The core documentation shall contain at least the following information:
Amendment 694 #
Proposal for a regulation
Article 33 – paragraph 1
Article 33 – paragraph 1
1. Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller or the processor acting on the controller's behalf shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data, unless the activities concerned do not present a risk to the privacy of the data subject.
Amendment 710 #
Proposal for a regulation
Article 33 – paragraph 5
Article 33 – paragraph 5
5. Where the controller is a public authority or body or where the data is processed by another body which has been entrusted with the responsibility of delivering public service tasks, and where the processing results from a legal obligation pursuant to point (c) of Article 6(1) providing for rules and procedures pertaining to the processing operations and regulated by Union law, paragraphs 1 to 4 shall not apply, unless Member States deem it necessary to carry out such assessment prior to the processing activities.
Amendment 739 #
Proposal for a regulation
Article 35 – paragraph 5
Article 35 – paragraph 5
5. The controller or processor shallmay designate the data protection officer on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil the tasks referred to in Article 37. The necessary level of expert knowledge shall be determined in particular according to the data processing carried out and the protection required for the personal data processed by the controller or the processor.
Amendment 775 #
Proposal for a regulation
Article 42 – paragraph 1
Article 42 – paragraph 1
1. Where the Commission has taken no decision pursuant to Article 41, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument, and where appropriate pursuant to an impact assessment, where the controller or processor has ensured that the recipient of data in a third country maintains high standards of data protection.
Amendment 870 #
Proposal for a regulation
Article 79 – paragraph 2
Article 79 – paragraph 2
2. The administrative sanction shall be in each individual case effective, proportionate and dissuasive. The amount of the administrative fine shall be fixed with due regard to the nature, gravity and duration of the breach, the sensitivity of the data in issue, the intentional or negligent character of the infringement, the degree of harm or risk of harm created by the violation, the degree of responsibility of the natural or legal person and of previous breaches by this person, the technical and organisational measures and procedures implemented pursuant to Article 23 and the degree of co-operation with the supervisory authority in order to remedy the breach. Where appropriate, the data protection authority shall also be empowered to require that a data protection officer is appointed if the body, organisation or association has opted not to do so.
Amendment 871 #
Proposal for a regulation
Article 79 – paragraph 2 a (new)
Article 79 – paragraph 2 a (new)
(2a) Aggravating factors that support administrative fines at the upper limits established in paragraphs 4 to 6 shall include in particular: (i) repeated violations committed in reckless disregard of applicable law; (ii) refusal to co-operate with or obstruction of an enforcement process; (iii) violations that are deliberate, serious and likely to cause substantial damage; (iv) a data protection impact assessment has not been undertaken; (v) a data protection officer has not been appointed.
Amendment 872 #
Proposal for a regulation
Article 79 – paragraph 2 b (new)
Article 79 – paragraph 2 b (new)
(2b) Mitigating factors which support administrative fines at the lower limits established in paragraphs 4 to 6 shall include: (i) measures having been taken by the natural or legal person to ensure compliance with relevant obligations; (ii) genuine uncertainty as to whether the activity constituted a violation of the relevant obligations; (iii) immediate termination of the violation upon knowledge; (iv) co-operation with any enforcement processes; (v) a data protection impact assessment has been undertaken; (vi) a data protection officer has been appointed.
Amendment 893 #
Proposal for a regulation
Article 83 – paragraph 1 – introductory part
Article 83 – paragraph 1 – introductory part
1. Within the limits of this Regulation, personal data may be processed for historical, statistical or scientific research purposes only if:
Amendment 896 #
Proposal for a regulation
Article 83 – paragraph 1 – point a
Article 83 – paragraph 1 – point a
(a) these purposes cannot be otherwise fulfillreasonably be achieved by processing data which does not permit or not any longer permit the identification of the data subject;
Amendment 901 #
Proposal for a regulation
Article 83 – paragraph 1 a (new)
Article 83 – paragraph 1 a (new)
(1a) Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible under point (b) of Article 5(1) provided that the processing: (a) is subject to the conditions and safeguards of this Article; and (b) complies with all other relevant legislation.