35 Amendments of Paul RÜBIG related to 2012/0011(COD)
Amendment 165 #
Proposal for a regulation
Title 1
Title 1
Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individualnatural and legal persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (Text with EEA relevance)
Amendment 168 #
Proposal for a regulation
Recital 1
Recital 1
(1) The protection of natural and legal persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union and Article 16(1) of the Treaty lay down that everyone has the right to the protection of personal data concerning him or her.
Amendment 169 #
Proposal for a regulation
Recital 2
Recital 2
(2) The processing of personal data is designed to serve man; the principles and rules on the protection of individualnatural and legal persons with regard to the processing of their personal data should, whatever the nationality or residence of natural persons or the domicile of legal persons, respect their fundamental rights and freedoms, notably their right to the protection of personal data. It should contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, the strengthening and the convergence of the economies within the internal market, and the well-being of individuals.
Amendment 177 #
Proposal for a regulation
Recital 8
Recital 8
(8) In order to ensure consistent and high level of protection of individuals and to remove the obstacles to flows of personal data, the level of protection of the rights and freedoms of individuals with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural and legal persons with regard to the processing of personal data should be ensured throughout the Union.
Amendment 183 #
Proposal for a regulation
Recital 12
Recital 12
(12) The protection afforded by this Regulation concerns natural persons, whatever their nationality or place of residence, in relation to the processing of personal data. With regard to the processing of data which concern legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person, the protection of this Regulation should notalso be claimed by any person. This should also apply where the name of the legal person contains the names of one or more natural persons.
Amendment 184 #
Proposal for a regulation
Recital 13
Recital 13
(13) The protection of individualnatural and legal persons should be technologically neutral and not depend on the techniques used; otherwise this would create a serious risk of circumvention. The protection of individuals should apply to processing of personal data by automated means as well as to manual processing, if the data are contained or are intended to be contained in a filing system. Files or sets of files as well as their cover pages, which are not structured according to specific criteria, should not fall within the scope of this Regulation.
Amendment 196 #
Proposal for a regulation
Recital 25
Recital 25
(25) Consent should be given explicitly by any appropriate method enabling a freely given specific and informed indication of the data subject's wishes, either by a statement or by a cleaother affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct, such as by means of appropriate browser settings, which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data. Silence or inactivity should therefore not constitute consentcan also constitute valid consent, if a data protection impact assessment does not consider that explicit consent is required. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject's consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
Amendment 208 #
Proposal for a regulation
Recital 32
Recital 32
Amendment 214 #
Proposal for a regulation
Recital 34
Recital 34
(34) Consent should not provide a valid legal ground for the processing of personal data, where there is a clear imbalance between the data subject and the controller. This is especially the case where the data subject is in a situation of dependence from the controller, among others, where personal data are processed by the employer of employees' personal data in the employment context. Where the controller is a public authority, there would be an imbalance only in the specific data processing operations where the public authority can impose an obligation by virtue of its relevant public powers and the consent cannot be deemed as freely given, taking into account the interest of the data subjectn it has not been given freely.
Amendment 246 #
Proposal for a regulation
Recital 58
Recital 58
(58) Every natural or legal person should have the right not to be subject to a measure which is based on profiling by means of automated processing. However, such measure should be allowed when expressly authorised by law, carried out in the course of entering or performance of a contract, or when the data subject has given his consent. In any case, such processing should be subject to suitable safeguards, including specific information of the data subject and the right to obtain human intervention and that such measure should not concern a child.
Amendment 262 #
Proposal for a regulation
Recital 67
Recital 67
(67) A personal data breach may, if not addressed in an adequate and timely manner, result in substantial economic loss and social harm, including identity fraud, to the individual concerned. Therefore, as soon as the controller becomes aware that such a breach has occurred, the controller should notify the breach to the supervisory authority without undue delay and, where feasible, within 24 hours. Where this cannot achieved within 24 hours, an explanation of the reasons for the delay should accompany the notification. The individualPersons whose personal data could be adversely affected by the breach should be notified without undue delay in order to allow them to take the necessary precautions. A breach should be considered as adversely affecting the personal data or privacy of a data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation. The notification should describe the nature of the personal data breach as well as recommendations as well as recommendations for the individual concerned to mitigate potential adverse effects. Notifications to data subjects should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities (e.g. law enforcement authorities). For example, the chance for data subjects to mitigate an immediate risk of harm would call for a prompt notification of data subjects whereas the need to implement appropriate measures against continuing or similar data breaches may justify a longer delay.
Amendment 268 #
Proposal for a regulation
Recital 78
Recital 78
(78) Cross-border flows of personal data are necessary for the expansion of international trade and international co- operation. The increase in these flows has raised new challenges and concerns with respect to the protection of personal data. However, when personal data are transferred from the Union to third countries or to international organisations, the level of protection of individualnatural and legal persons guaranteed in the Union by this Regulation should not be undermined. In any event, transfers to third countries may only be carried out in full compliance with this Regulation.
Amendment 279 #
Proposal for a regulation
Recital 90
Recital 90
(90) Some third countries enact laws, regulations and other legislative instruments which purport to directly regulate data processing activities of natural and legal persons under the jurisdiction of the Member States. The extraterritorial application of these laws, regulations and other legislative instruments may be in breach of international law and may impede the attainment of the protection of individualnatural and legal persons guaranteed in the Union by this Regulation. Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may inter alia be the case where the disclosure is necessary for an important ground of public interest recognised in Union law or in a Member State law to which the controller is subject. The conditions under which an important ground of public interest exists should be further specified by the Commission in a delegated act.
Amendment 283 #
Proposal for a regulation
Recital 96
Recital 96
(96) The supervisory authorities should monitor the application of the provisions pursuant to this Regulation and contribute to its consistent application throughout the Union, in order to protect natural and legal persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the internal market. For these purposes, the supervisory authorities shall co-operate with each other and the Commission.
Amendment 298 #
Proposal for a regulation
Recital 129
Recital 129
(129) In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural and legal persons and in particular their right to the protection of personal data and to ensure the free movement of personal data within the Union, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission. In particular, delegated acts should be adopted in respect of lawfulness of processing; specifying the criteria and conditions in relation to the consent of a child; processing of special categories of data; specifying the criteria and conditions for manifestly excessive requests and fees for exercising the rights of the data subject; criteria and requirements for the information to the data subject and in relation to the right of access; the right to be forgotten and to erasure; measures based on profiling; criteria and requirements in relation to the responsibility of the controller and to data protection by design and by default; a processor; criteria and requirements for the documentation and the security of processing; criteria and requirements for establishing a personal data breach and for its notification to the supervisory authority, and on the circumstances where a personal data breach is likely to adversely affect the data subject; the criteria and conditions for processing operations requiring a data protection impact assessment; the criteria and requirements for determining a high degree of specific risks which require prior consultation; designation and tasks of the data protection officer; codes of conduct; criteria and requirements for certification mechanisms; criteria and requirements for transfers by way of binding corporate rules; transfer derogations; administrative sanctions; processing for health purposes; processing in the employment context and processing for historical, statistical and scientific research purposes. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. The Commission, when preparing and drawing-up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and Council.
Amendment 304 #
Proposal for a regulation
Article 1 – paragraph 1
Article 1 – paragraph 1
1. This Regulation lays down rules relating to the protection of individualnatural and legal persons with regard to the processing of personal data and rules relating to the free movement of personal data.
Amendment 305 #
Proposal for a regulation
Article 1 – paragraph 2
Article 1 – paragraph 2
2. This Regulation protects the fundamental rights and freedoms of natural and legal persons, and in particular their right to the protection of personal data.
Amendment 306 #
Proposal for a regulation
Article 1 – paragraph 3
Article 1 – paragraph 3
3. The free movement of personal data within the Union shall neither be restricted nor prohibited for reasons connected with the protection of individualnatural and legal persons with regard to the processing of personal data.
Amendment 325 #
Proposal for a regulation
Article 4 – paragraph 1 – point 1
Article 4 – paragraph 1 – point 1
(1) 'data subject' means an identified natural or legal person or a natural or legal person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;
Amendment 395 #
Proposal for a regulation
Article 7 – paragraph 1 a (new)
Article 7 – paragraph 1 a (new)
1a. Unless another form of consent is determined to be proportionate by such an impact assessment, consent shall be captured in a specific, informed and explicit statement or other clear affirmative action.
Amendment 401 #
Proposal for a regulation
Article 7 – paragraph 4
Article 7 – paragraph 4
4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controllern it has not been given freely.
Amendment 430 #
Proposal for a regulation
Article 10 – paragraph 1
Article 10 – paragraph 1
If the data processed by a controller do not permit the controller to identify a natural or legal person, the controller shall not be obliged to acquire additional information in order to identify the data subject for the sole purpose of complying with any provision of this Regulation.
Amendment 522 #
Proposal for a regulation
Article 20 – paragraph 1
Article 20 – paragraph 1
Amendment 534 #
Proposal for a regulation
Article 20 – paragraph 2 – introductory part
Article 20 – paragraph 2 – introductory part
2. Subject to the other provisions of this Regulation, a person may be subjected to a measure of the kind referred to in paragraph 1 onlymeasure which produces legal effects concerning a person or significantly affects this person, and which is intended to evaluate certain personal aspects relating to this person or to analyse or predict in particular the person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour shall only be lawful if the processing:
Amendment 546 #
Proposal for a regulation
Article 20 – paragraph 2 – point c
Article 20 – paragraph 2 – point c
(c) is based on the data subject's consent, subject to the conditions laid down in Article 7 and to suitable safeguards, Article 15 and Article 16.
Amendment 601 #
Proposal for a regulation
Article 23 – paragraph 2
Article 23 – paragraph 2
2. The controller shall implement mechanisms for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individualnatural persons.
Amendment 699 #
Proposal for a regulation
Article 33 – paragraph 2 – point a
Article 33 – paragraph 2 – point a
(a) a systematic and extensive evaluation of personal aspects relating to a natural or legal person or for analysing or predicting in particular the natural person's economic situation, location, health, personal preferences, reliability or behaviour, which is based on automated processing and on which measures are based that produce legal effects concerning the individual or significantly affect the individual;
Amendment 772 #
Proposal for a regulation
Article 41 – paragraph 5
Article 41 – paragraph 5
5. The Commission may decide that a third country, or a territory or a processing sector within that third country, or an international organisation does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article, in particular in cases where the relevant legislation, both general and sectoral, in force in the third country or international organisation, does not guarantee effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2), or, in cases of extreme urgency for individualnatural or legal persons with respect to their right to personal data protection, in accordance with the procedure referred to in Article 87(3).
Amendment 805 #
Proposal for a regulation
Article 46 – paragraph 1
Article 46 – paragraph 1
1. Each Member State shall provide that one or more public authorities are responsible for monitoring the application of this Regulation and for contributing to its consistent application throughout the Union, in order to protect the fundamental rights and freedoms of natural and legal persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the Union. For these purposes, the supervisory authorities shall co-operate with each other and the Commission.
Amendment 812 #
Proposal for a regulation
Article 52 – paragraph 1 – point f
Article 52 – paragraph 1 – point f
(f) be consulted by Member State institutions and bodies on legislative and administrative measures relating to the protection of individualnatural and legal persons' rights and freedoms with regard to the processing of personal data;
Amendment 850 #
Proposal for a regulation
Article 67 – paragraph 1 – subparagraph 1
Article 67 – paragraph 1 – subparagraph 1
The European Data Protection Board shall regularly and timely inform the Commission about the outcome of its activities. It shall draw up an annual report on the situation regarding the protection of natural and legal persons with regard to the processing of personal data in the Union and in third countries.
Amendment 852 #
Proposal for a regulation
Article 73 – paragraph 2
Article 73 – paragraph 2
2. Any body, organisation or association which aims to protect data subjects’ rights and interests concerning the protection of their personal data and has been properly constituted according to the law of a Member State shall have the right to lodge a complaint with a supervisory authority in any Member State on behalf of one or more data subjects from among its membership if it considers that a data subject’s rights under this Regulation have been infringed as a result of the processing of personal data and it has minimum funding of EUR 80 000 and representative membership with a corresponding membership structure.
Amendment 854 #
Proposal for a regulation
Article 75 – paragraph 1
Article 75 – paragraph 1
1. Without prejudice to any available administrative remedy, including the right to lodge a complaint with a supervisory authority as referred to in Article 73, every natural and legal person shall have the right to a judicial remedy if they consider that their rights under this Regulation have been infringed as a result of the processing of their personal data in non-compliance with this Regulation.
Amendment 858 #
Proposal for a regulation
Article 76 – paragraph 1
Article 76 – paragraph 1
1. Any body, organisation or association referred to in Article 73(2) shall have the right to exercise the rights referred to in Articles 74 and 75 on behalf of one or more data subjects from among its membership.
Amendment 911 #
Proposal for a regulation
Article 85 – paragraph 1
Article 85 – paragraph 1
1. Where in a Member State, churches and religious associations or communities apply, at the time of entry into force of this Regulation, comprehensive rules relating to the protection of individualnatural and legal persons with regard to the processing of personal data, such rules may continue to apply, provided that they are brought in line with the provisions of this Regulation.