BETA

Activities of Jiří MAŠTÁLKA related to 2017/0002(COD)

Shadow opinions (1)

OPINION on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC
2016/11/22
Committee: JURI
Dossiers: 2017/0002(COD)
Documents: PDF(254 KB) DOC(136 KB)

Amendments (38)

Amendment 18 #
Proposal for a regulation
Recital 18
(18) The Union law including the internal rules referred to in this Regulation should be clear and precise and its application should be foreseeable to persons subject to it, in accordance with the case-law of the Court of Justice of the European Union and the European Court of Human Rights.
2017/07/18
Committee: JURI
Amendment 20 #
Proposal for a regulation
Recital 22
(22) When recipients established in the Union and subject to Regulation (EU) 2016/679 or Directive (EU) 2016/680, would like to have personal data transmitted to them by Union institutions and bodies, those recipients should demprovide the constrate that theoller with a reasoned request for transmission which should serve as a basis for the controller to assess whether that transmission is necessary for the attainment of their objective, is proportionate and does not go beyond what is necessary to attain that objective. Union institutions and bodies should demonstrate such necessity when they themselves initiate the transmission, in compliance with the principle of transparency.
2017/07/18
Committee: JURI
Amendment 22 #
Proposal for a regulation
Recital 23
(23) Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms. Such personal data should not be processed unless processing is allowed in specific cases as set out in this Regulation. Those personal data should include personal data revealing racial or ethnic origin, whereby the use of the term ‘racial origin’ in this Regulation does not imply an acceptance by the Union of theories which attempt to determine the existence of separate human races. The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person. In addition to the specific requirements for processing of sensitive data, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.
2017/07/18
Committee: JURI
Amendment 23 #
Proposal for a regulation
Recital 23 a (new)
(23a) Special categories of personal data which merit higher protection should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole, in particular in the context of the management of health or social care services and systems. Therefore, this Regulation should provide for harmonised conditions for the processing of special categories of personal data concerning health, in respect of specific needs, in particular where the processing of such data is carried out for certain health-related purposes by persons subject to a legal obligation of professional secrecy. Union law should provide for specific and suitable measures so as to protect the fundamental rights and the personal data of natural persons.
2017/07/18
Committee: JURI
Amendment 25 #
Proposal for a regulation
Recital 24
(24) The processing of special categories of personal data may be necessary for reasons of public interest in the areas of public health without consent of the data subject. Such processing should be subject to suitable and specific measures so as to protect the rights and freedoms of natural persons. In that context, ‘public health’ should be interpreted as defined in Regulation (EC) No 1338/2008 of the European Parliament and of the Council15, namely all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality. Such processing of data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties. _________________ 15 Regulation (EC) No 1338/2008 of the European Parliament and of the Council of 16 December 2008 on Community statistics on public health and health and safety at work (OJ L 354, 31.12.2008, p. 70).
2017/07/18
Committee: JURI
Amendment 28 #
Proposal for a regulation
Recital 37 – paragraph 1
Legal acts adopted on the basis of the Treaties or internal rules of Union institutions and bodies may impose restrictions concerning specific principles and the rights of information, access to and rectification or erasure of personal data, the right to data portability, confidentiality of electronic communications as well as the communication of a personal data breach to a data subject and certain related obligations of the controllers, as far as necessary and proportionate in a democratic society to safeguard public security, the prevention, investigation and prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, including the protection of human life especially in response to natural or manmade disasters, internal security of Union institutions and bodies, other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, the keeping of public registers kept for reasons of general public interest or the protection of the data subject or the rights and freedoms of others, including social protection, public health and humanitarian purposes.
2017/07/18
Committee: JURI
Amendment 30 #
Proposal for a regulation
Recital 37 – paragraph 2
Where a restriction is not provided for in legal acts adopted on the basis of the Treaties or their internal rules, Union institutions and bodies may in a specific case impose an ad hoc restriction concerning specific principles and the rights of data subject if such a restriction respects the essence of the fundamental rights and freedoms and, in relation to a specific processing operation, is necessary and proportionate in a democratic society to safeguard one or more of the objectives mentioned in paragraph 1. The restriction should be notified to the data protection officer. All restrictions should be in accordance with the requirements set out in the Charter and in the European Convention for the Protection of Human Rights and Fundamental Freedoms.deleted
2017/07/18
Committee: JURI
Amendment 31 #
Proposal for a regulation
Recital 42
(42) In order to demonstrate compliance with this Regulation, controllers should maintain records of processing activities under their responsibility and processors should maintain records of categories of processing activities under their responsibility. Union institutions and bodies should be obliged to cooperate with the European Data Protection Supervisor and make their records, on request, available to it, so that they might serve for monitoring those processing operations. Union institutions and bodies should be able to establish a central register of records of their processing activities. For reasons of transparency, they should also be able to make such a register public. Data subjects should have the possibility to consult that register through the data protection officer of the controller.
2017/07/18
Committee: JURI
Amendment 34 #
Proposal for a regulation
Recital 44
(44) Union institutions and bodies should ensure the confidentiality of electronic communications as provided for by Article 7 of the Charter. In particular, Union institutions and bodies should ensure the security of their electronic communication networks, protect the information related to end-users’ terminal equipment accessing their publicly available websites and mobile applications in accordance with Regulation (EU) XXXX/XX [new ePrivacy Regulation] and protect the personal data in directories of users.
2017/07/18
Committee: JURI
Amendment 43 #
Proposal for a regulation
Article 2 – paragraph 1
1. This Regulation applies to the processing of personal data by all Union institutions and bodies insofar as such processing is carried out in the exercise of activities which fall, wholly or partially within the scope of Union law.
2017/07/18
Committee: JURI
Amendment 50 #
Proposal for a regulation
Article 4 – paragraph 1 – point d
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are furtherare processed, are erased or rectified without delay (‘accuracy’);
2017/07/18
Committee: JURI
Amendment 51 #
Proposal for a regulation
Article 5 – paragraph 2
2. The tasks referred to in point (a) of paragraph 1 shall be laid down in Union law. The basis for the processing referred to in point (b) of paragraph 1 shall be laid down in Union or Member State law to which the controller is subject.
2017/07/18
Committee: JURI
Amendment 56 #
Proposal for a regulation
Article 8 a (new)
Article 8a Transfer of personal data between Union institutions and bodies 1. Without prejudice to Articles 4, 5, 6 and 10, personal data shall only be transferred within or to other Union institutions or bodies if the data are necessary for the legitimate performance of tasks covered by the competence of the recipient. 2. Where the data are transferred under this Article following a request from the recipient, both the controller and the recipient shall bear the responsibility for the legitimacy of this transfer. The controller shall be required to verify the competence of the recipient and to make a provisional evaluation of the necessity for the transfer of the data. If doubts arise as to this necessity, the controller shall seek further information from the recipient. The recipient shall ensure that the necessity for the transfer of the data can be subsequently verified. 3. The recipient shall process the personal data only for the purposes for which they were transferred.
2017/07/18
Committee: JURI
Amendment 59 #
Proposal for a regulation
Article 9 – paragraph 1 – point b
(b) that it is necessary to have the data transmitted, it is proportionate to the purposes of the transmission and if there is no reason to assume that the data subject's rights and freedoms and legitimate interests might be prejudicedn particular where the transmission serves a public interest such as transparency or good administration, and it is proportionate to the purposes of the transmission.
2017/07/18
Committee: JURI
Amendment 60 #
Proposal for a regulation
Article 10 – paragraph 3
3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union lawor Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.
2017/07/18
Committee: JURI
Amendment 65 #
Proposal for a regulation
Article 25 – paragraph 1 – introductory part
1. Legal acts adopted on the basis of the Treaties or, in matters relating to the operation of the Union institutions and bodies, internal rules laid down by the latter may restrict the application of Articles 14 to 22, 34 and 38, as well as Article 4 in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
2017/07/18
Committee: JURI
Amendment 66 #
Proposal for a regulation
Article 25 – paragraph 1 a (new)
1a. In particular, any legal act referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to : (a) the purposes of the processing or categories of processing; (b) the categories of personal data; (c) the scope of the restriction introduced; (d) the safeguards to prevent abuse or unlawful access or transfer; (e) the specification of the controller or categories of controllers; (f) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing; (g) the risks to the rights and freedoms of data subjects; and (h) the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.
2017/07/18
Committee: JURI
Amendment 68 #
Proposal for a regulation
Article 25 – paragraph 2
2. Where a restriction is not provided for by a legal act adopted on the basis of the Treaties or by an internal rule in accordance with paragraph 1, the Union institutions and bodies may restrict the application of Articles 14 to 22, 34 and 38, as well as Article 4 in so far as its provisions correspond to the rights and obligations provided for in Articles 14 to 22, if such a restriction respects the essence of the fundamental rights and freedoms, in relation to a specific processing operation, and is a necessary and proportionate measure in a democratic society to safeguard one or more of the objectives referred to in paragraph 1. The restriction shall be notified to the competent data protection officer.deleted
2017/07/18
Committee: JURI
Amendment 70 #
Proposal for a regulation
Article 25 – paragraph 3
3. Where personal data are processed for scientific or historical research purposes or statistical purposes, Union law, which may include internal rules, may provide for derogations from the rights referred to in Articles 17, 18, 20 and 23 subject to the conditions and safeguards referred to in Article 13 in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.
2017/07/18
Committee: JURI
Amendment 71 #
Proposal for a regulation
Article 25 – paragraph 4
4. Where personal data are processed for archiving purposes in the public interest, Union law, which may include internal rules, may provide for derogations from the rights referred to in Articles 17, 18, 20, 21, 22 and 23 subject to the conditions and safeguards referred to in Article 13 in so far as such rights are likely to render impossible or seriously impair the achievement of the specific purposes, and such derogations are necessary for the fulfilment of those purposes.
2017/07/18
Committee: JURI
Amendment 73 #
Proposal for a regulation
Article 25 – paragraph 5
5. Internal rules referred to in paragraphs 1, 3 and 4 shall be sufficiently clear and precise and subject to appropriate publication.deleted
2017/07/18
Committee: JURI
Amendment 74 #
Proposal for a regulation
Article 25 – paragraph 6
6. If a restriction is imposed pursuant to paragraphs 1 or 2, the data subject shall be informed, in accordance with Union law, of the principal reasons on which the application of the restriction is based and of his or her right to lodge a complaint with the European Data Protection Supervisor.
2017/07/18
Committee: JURI
Amendment 75 #
Proposal for a regulation
Article 25 – paragraph 7
7. If a restriction imposed pursuant to paragraphs 1 or 2 is relied upon to deny access to the data subject, the European Data Protection Supervisor shall, when investigating the complaint, only inform him or her of whether the data have been processed correctly and, if not, whether any necessary corrections have been made.
2017/07/18
Committee: JURI
Amendment 76 #
Proposal for a regulation
Article 25 – paragraph 8
8. Provision of the information referred to in paragraphs 6 and 7 and in Article 46(2) may be deferred, omitted or denied if it would cancel the effect of the restriction imposed pursuant to paragraph 1 or 2.
2017/07/18
Committee: JURI
Amendment 78 #
Proposal for a regulation
Article 31 – paragraph 5
5. Union institutions and bodies may decide toshall keep their records of processing activities in a central register. In this case, they may also decide toThey shall make the register publicly accessible.
2017/07/18
Committee: JURI
Amendment 80 #
Proposal for a regulation
Article 31 – paragraph 5 a (new)
5a. Data subjects shall be able to consult the central register referred to in paragraph 5 through the data protection officer of the controller.
2017/07/18
Committee: JURI
Amendment 81 #
Proposal for a regulation
Chapter IV – section 2 – title
SECURITY OF PERSONAL DATA AND CONFIDENTIALITY OF ELECTRONIC COMMUNICATIONS
2017/07/18
Committee: JURI
Amendment 82 #
Proposal for a regulation
Article 34 – paragraph 1
Union institutions and bodies shall ensure the confidentiality of electronic communications, in particular by securing their electronic communication networks.deleted
2017/07/18
Committee: JURI
Amendment 84 #
Union institutions and bodies shall protect the information related to end–users’ terminal equipment accessing their publicly available websites and mobile applications in accordance with Regulation (EU) XX/XXXX [new ePrivacy Regulation], in particular Article 8 thereof.deleted
2017/07/18
Committee: JURI
Amendment 85 #
Proposal for a regulation
Article 36
Article 36 Directories of users 1. directories of users and access to such directories shall be limited to what is strictly necessary for the specific purposes of the directory. 2. take all the necessary measures to prevent personal data contained in those directories, regardless of whether they are accessible to the public or not, from being used for direct marketing purposes.deleted Personal data contained in Union institutions and bodies shall
2017/07/18
Committee: JURI
Amendment 86 #
Article 38a Confidentiality of electronic communications Union institutions and bodies shall ensure the confidentiality of electronic communications, in particular by securing their electronic communication networks.
2017/07/18
Committee: JURI
Amendment 87 #
Proposal for a regulation
Article 38 b (new)
Article 38b Directories of users 1. Personal data contained in directories of users and access to such directories shall be limited to what is strictly necessary for the specific purposes of the directory. 2. Union institutions and bodies shall take all the necessary measures to prevent personal data contained in those directories, regardless of whether they are accessible to the public or not, from being used for direct marketing purposes.
2017/07/18
Committee: JURI
Amendment 89 #
Proposal for a regulation
Article 42 – paragraph 1
1. Following tWhen adoption ofng proposals for a legislative act and of recommendations or proposals to the Council pursuant to Article 218 TFEU and when preparing delegated acts or implementing acts, which have an impact on on legislative and administrative measures relating to the protection of individualnatural persons’ rights and freedoms with regard to the processing of personal data, the Commission shall consult the European Data Protection Supervisor.
2017/07/18
Committee: JURI
Amendment 92 #
Proposal for a regulation
Article 44 – paragraph 4
4. The data protection officer mayshall be a staff member of the Union institution or body, or fulfil the tasks on the basis of a service contract.
2017/07/18
Committee: JURI
Amendment 94 #
Proposal for a regulation
Article 46 – paragraph 1 – point g a (new)
(ga) ensure that the rights and freedoms of data subjects are not adversely affected by processing operations.
2017/07/18
Committee: JURI
Amendment 99 #
Proposal for a regulation
Article 54 – paragraph 1
1. The European Parliament and the Council shall appoint the European Data Protection Supervisor by common accord for a term of five years, on the basis of a list drawn up byjointly by the European Parliament, the Council and the Commission following a public call for candidates. The call for candidates shall enable all interested parties throughout the Union to submit their applications. The list of candidates drawn up by the Commission shall be public. On the ba and shall consist of the list drawn up by the Commission, tat least five candidates. The competent committee of the European Parliament may decide to hold a hearing of the listed candidates in order to enable it to express a preference.
2017/07/18
Committee: JURI
Amendment 100 #
Proposal for a regulation
Article 54 – paragraph 2
2. The list drawn up byjointly by the European Parliament, the Council and the Commission from which the European Data Protection Supervisor shall be chosen shall be made up of persons whose independence is beyond doubt and who are acknowledged as having expert knowledge in data protection as well as the experience and skills required to perform the duties of European Data Protection Supervisor, for example because they belong or have belonged to the supervisory authorities established under Article 41 of Regulation (EU) 2016/679.
2017/07/18
Committee: JURI
Amendment 104 #
Proposal for a regulation
Article 72 a (new)
Article 72a Review of Union legal acts By 25 May 2021, the Commission shall review other legal acts adopted on the basis of the Treaties which regulate processing of personal data, in particular by agencies established under Chapters 4 and 5 of Title V of Part Three TFEU, in order to assess the need to align them with this Regulation and to make, where appropriate, the necessary proposals to amend those acts in order to ensure a consistent approach to the protection of personal data within the scope of this Regulation.
2017/07/18
Committee: JURI