Activities of Jiří MAŠTÁLKA related to 2017/0002(COD)
Shadow opinions (1)
OPINION on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC
Amendments (38)
Amendment 18 #
Proposal for a regulation
Recital 18
Recital 18
(18) The Union law including the internal rules referred to in this Regulation should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case-law of the Court of Justice of the European Union and the European Court of Human Rights.
Amendment 20 #
Proposal for a regulation
Recital 22
Recital 22
(22) When recipients established in the Union and subject to Regulation (EU) 2016/679 or Directive (EU) 2016/680, would like to have personal data transmitted to them by Union institutions and bodies, those recipients should demprovide the constrate that theoller with a reasoned request for transmission which should serve as a basis for the controller to assess whether that transmission is necessary for the attainment of their objective, is proportionate and does not go beyond what is necessary to attain that objective. Union institutions and bodies should demonstrate such necessity when they themselves initiate the transmission, in compliance with the principle of transparency.
Amendment 22 #
Proposal for a regulation
Recital 23
Recital 23
(23) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Such personal data should not be processed unless processing is allowed in specific cases as set out in this Regulation. Those personal data should include personal data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races. The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person. In addition to the specific requirements for processing of sensitive data, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.
Amendment 23 #
Proposal for a regulation
Recital 23 a (new)
Recital 23 a (new)
(23a) Special categories of personal data which merit higher protection should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social care services and systems. Therefore, this Regulation should provide for harmonised conditions for the processing of special categories of personal data concerning health, in respect of specific needs, in particular where the processing of such data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy. Union law should provide for specific and suitable measures so as to protect the fundamental rights and the personal data of natural persons.
Amendment 25 #
Proposal for a regulation
Recital 24
Recital 24
(24) The processing of special categories of personal data may be necessary for reasons of public interest in the areas of public health without consent of the data subject. Such processing should be subject to suitable and specific measures so as to protect the rights and freedoms of natural persons. In that context, ‘public health’ should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council15, namely all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality. Such processing of data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties. _________________ 15 Regulation (EC) No 1338/2008 of the European Parliament and of the Council of 16 December 2008 on Community statistics on public health and health and safety at work (OJ L 354, 31.12.2008, p. 70).
Amendment 28 #
Proposal for a regulation
Recital 37 – paragraph 1
Recital 37 – paragraph 1
Legal acts adopted on the basis of the Treaties or internal rules of Union institutions and bodies may impose restrictions concerning specific principles and the rights of information, access to and rectification or erasure of personal data, the right to data portability, confidentiality of electronic communications as well as the communication of a personal data breach to a data subject and certain related obligations of the controllers, as far as necessary and proportionate in a democratic society to safeguard public security, the prevention, investigation and prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, including the protection of human life especially in response to natural or manmade disasters, internal security of Union institutions and bodies, other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, the keeping of public registers kept for reasons of general public interest or the protection of the data subject or the rights and freedoms of others, including social protection, public health and humanitarian purposes.
Amendment 30 #
Proposal for a regulation
Recital 37 – paragraph 2
Recital 37 – paragraph 2
Amendment 31 #
Proposal for a regulation
Recital 42
Recital 42
(42) In order to demonstrate compliance with this Regulation, controllers should maintain records of processing activities under their responsibility and processors should maintain records of categories of processing activities under their responsibility. Union institutions and bodies should be obliged to cooperate with the European Data Protection Supervisor and make their records, on request, available to it, so that they might serve for monitoring those processing operations. Union institutions and bodies should be able to establish a central register of records of their processing activities. For reasons of transparency, they should also be able to make such a register public. Data subjects should have the possibility to consult that register through the data protection officer of the controller.
Amendment 34 #
Proposal for a regulation
Recital 44
Recital 44
(44) Union institutions and bodies should ensure the confidentiality of electronic communications as provided for by Article 7 of the Charter. In particular, Union institutions and bodies should ensure the security of their electronic communication networks, protect the information related to end-users’ terminal equipment accessing their publicly available websites and mobile applications in accordance with Regulation (EU) XXXX/XX [new ePrivacy Regulation] and protect the personal data in directories of users.
Amendment 43 #
Proposal for a regulation
Article 2 – paragraph 1
Article 2 – paragraph 1
1. This Regulation applies to the processing of personal data by all Union institutions and bodies insofar as such processing is carried out in the exercise of activities which fall, wholly or partially within the scope of Union law.
Amendment 50 #
Proposal for a regulation
Article 4 – paragraph 1 – point d
Article 4 – paragraph 1 – point d
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are furtherare processed, are erased or rectified without delay (‘accuracy’);
Amendment 51 #
Proposal for a regulation
Article 5 – paragraph 2
Article 5 – paragraph 2
2. The tasks referred to in point (a) of paragraph 1 shall be laid down in Union law. The basis for the processing referred to in point (b) of paragraph 1 shall be laid down in Union or Member State law to which the controller is subject.
Amendment 56 #
Proposal for a regulation
Article 8 a (new)
Article 8 a (new)
Amendment 59 #
Proposal for a regulation
Article 9 – paragraph 1 – point b
Article 9 – paragraph 1 – point b
(b) that it is necessary to have the data transmitted, it is proportionate to the purposes of the transmission and if there is no reason to assume that the data subject's rights and freedoms and legitimate interests might be prejudicedn particular where the transmission serves a public interest such as transparency or good administration, and it is proportionate to the purposes of the transmission.
Amendment 60 #
Proposal for a regulation
Article 10 – paragraph 3
Article 10 – paragraph 3
3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union lawor Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.
Amendment 65 #
Proposal for a regulation
Article 25 – paragraph 1 – introductory part
Article 25 – paragraph 1 – introductory part
1. Legal acts adopted on the basis of the Treaties or, in matters relating to the operation of the Union institutions and bodies, internal rules laid down by the latter may restrict the application of Articles 14 to 22, 34 and 38, as well as Article 4 in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
Amendment 66 #
Proposal for a regulation
Article 25 – paragraph 1 a (new)
Article 25 – paragraph 1 a (new)
1a. In particular, any legal act referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to : (a) the purposes of the processing or categories of processing; (b) the categories of personal data; (c) the scope of the restriction introduced; (d) the safeguards to prevent abuse or unlawful access or transfer; (e) the specification of the controller or categories of controllers; (f) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing; (g) the risks to the rights and freedoms of data subjects; and (h) the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.
Amendment 68 #
Proposal for a regulation
Article 25 – paragraph 2
Article 25 – paragraph 2
Amendment 70 #
Proposal for a regulation
Article 25 – paragraph 3
Article 25 – paragraph 3
3. Where personal data are processed for scientific or historical research purposes or statistical purposes, Union law, which may include internal rules, may provide for derogations from the rights referred to in Articles 17, 18, 20 and 23 subject to the conditions and safeguards referred to in Article 13 in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.
Amendment 71 #
Proposal for a regulation
Article 25 – paragraph 4
Article 25 – paragraph 4
4. Where personal data are processed for archiving purposes in the public interest, Union law, which may include internal rules, may provide for derogations from the rights referred to in Articles 17, 18, 20, 21, 22 and 23 subject to the conditions and safeguards referred to in Article 13 in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.
Amendment 73 #
Proposal for a regulation
Article 25 – paragraph 5
Article 25 – paragraph 5
Amendment 74 #
Proposal for a regulation
Article 25 – paragraph 6
Article 25 – paragraph 6
6. If a restriction is imposed pursuant to paragraphs 1 or 2, the data subject shall be informed, in accordance with Union law, of the principal reasons on which the application of the restriction is based and of his or her right to lodge a complaint with the European Data Protection Supervisor.
Amendment 75 #
Proposal for a regulation
Article 25 – paragraph 7
Article 25 – paragraph 7
7. If a restriction imposed pursuant to paragraphs 1 or 2 is relied upon to deny access to the data subject, the European Data Protection Supervisor shall, when investigating the complaint, only inform him or her of whether the data have been processed correctly and, if not, whether any necessary corrections have been made.
Amendment 76 #
Proposal for a regulation
Article 25 – paragraph 8
Article 25 – paragraph 8
8. Provision of the information referred to in paragraphs 6 and 7 and in Article 46(2) may be deferred, omitted or denied if it would cancel the effect of the restriction imposed pursuant to paragraph 1 or 2.
Amendment 78 #
Proposal for a regulation
Article 31 – paragraph 5
Article 31 – paragraph 5
5. Union institutions and bodies may decide toshall keep their records of processing activities in a central register. In this case, they may also decide toThey shall make the register publicly accessible.
Amendment 80 #
Proposal for a regulation
Article 31 – paragraph 5 a (new)
Article 31 – paragraph 5 a (new)
5a. Data subjects shall be able to consult the central register referred to in paragraph 5 through the data protection officer of the controller.
Amendment 81 #
Proposal for a regulation
Chapter IV – section 2 – title
Chapter IV – section 2 – title
SECURITY OF PERSONAL DATA AND CONFIDENTIALITY OF ELECTRONIC COMMUNICATIONS
Amendment 82 #
Proposal for a regulation
Article 34 – paragraph 1
Article 34 – paragraph 1
Amendment 84 #
Amendment 85 #
Proposal for a regulation
Article 36
Article 36
Amendment 86 #
Article 38a Confidentiality of electronic communications Union institutions and bodies shall ensure the confidentiality of electronic communications, in particular by securing their electronic communication networks.
Amendment 87 #
Proposal for a regulation
Article 38 b (new)
Article 38 b (new)
Article 38b Directories of users 1. Personal data contained in directories of users and access to such directories shall be limited to what is strictly necessary for the specific purposes of the directory. 2. Union institutions and bodies shall take all the necessary measures to prevent personal data contained in those directories, regardless of whether they are accessible to the public or not, from being used for direct marketing purposes.
Amendment 89 #
Proposal for a regulation
Article 42 – paragraph 1
Article 42 – paragraph 1
1. Following tWhen adoption ofng proposals for a legislative act and of recommendations or proposals to the Council pursuant to Article 218 TFEU and when preparing delegated acts or implementing acts, which have an impact on on legislative and administrative measures relating to the protection of individualnatural persons’ rights and freedoms with regard to the processing of personal data, the Commission shall consult the European Data Protection Supervisor.
Amendment 92 #
Proposal for a regulation
Article 44 – paragraph 4
Article 44 – paragraph 4
4. The data protection officer mayshall be a staff member of the Union institution or body, or fulfil the tasks on the basis of a service contract.
Amendment 94 #
Proposal for a regulation
Article 46 – paragraph 1 – point g a (new)
Article 46 – paragraph 1 – point g a (new)
(ga) ensure that the rights and freedoms of data subjects are not adversely affected by processing operations.
Amendment 99 #
Proposal for a regulation
Article 54 – paragraph 1
Article 54 – paragraph 1
1. The European Parliament and the Council shall appoint the European Data Protection Supervisor by common accord for a term of five years, on the basis of a list drawn up byjointly by the European Parliament, the Council and the Commission following a public call for candidates. The call for candidates shall enable all interested parties throughout the Union to submit their applications. The list of candidates drawn up by the Commission shall be public. On the ba and shall consist of the list drawn up by the Commission, tat least five candidates. The competent committee of the European Parliament may decide to hold a hearing of the listed candidates in order to enable it to express a preference.
Amendment 100 #
Proposal for a regulation
Article 54 – paragraph 2
Article 54 – paragraph 2
2. The list drawn up byjointly by the European Parliament, the Council and the Commission from which the European Data Protection Supervisor shall be chosen shall be made up of persons whose independence is beyond doubt and who are acknowledged as having expert knowledge in data protection as well as the experience and skills required to perform the duties of European Data Protection Supervisor, for example because they belong or have belonged to the supervisory authorities established under Article 41 of Regulation (EU) 2016/679.
Amendment 104 #
Proposal for a regulation
Article 72 a (new)
Article 72 a (new)
Article 72a Review of Union legal acts By 25 May 2021, the Commission shall review other legal acts adopted on the basis of the Treaties which regulate processing of personal data, in particular by agencies established under Chapters 4 and 5 of Title V of Part Three TFEU, in order to assess the need to align them with this Regulation and to make, where appropriate, the necessary proposals to amend those acts in order to ensure a consistent approach to the protection of personal data within the scope of this Regulation.