30 Amendments of Adam BIELAN related to 2012/0011(COD)
Amendment 163 #
Proposal for a regulation
Article 4 – paragraph 1 – point 1
Article 4 – paragraph 1 – point 1
(1) ‘data subject’ means an identified natural person or an identifiable natural person who can be identifieduniquely, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. If identification requires a disproportionate amount of time, effort or material resources, the natural living person shall not be considered identifiable;
Amendment 168 #
Proposal for a regulation
Article 4 – paragraph 1 – point 3 – point a (new)
Article 4 – paragraph 1 – point 3 – point a (new)
a) 'anonymous data' shall mean information that has never related to a data subject or has been collected, altered or otherwise processed so that it cannot be attributed to a data subject.
Amendment 171 #
Proposal for a regulation
Article 4 – paragraph 1 – point 3 a (new)
Article 4 – paragraph 1 – point 3 a (new)
(3 a) 'pseudonymous data' means any personal data that has been collected, altered or otherwise processed so that it of itself cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls to ensure such non attribution, or that such attribution would require a disproportionate amount of time, expense and effort
Amendment 175 #
Proposal for a regulation
Article 4 – paragraph 1 – point 8
Article 4 – paragraph 1 – point 8
(8) ‘the data subject's consent’ means any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processedorm of statement or conduct by the data subject indicating assent to the data processing proposed. Silence or inactivity does not in itself indicate acceptance;
Amendment 178 #
Proposal for a regulation
Article 4 – paragraph 1 – point 9
Article 4 – paragraph 1 – point 9
(9) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;, which is likely to adversely affect the protection of the personal data or privacy of the data subject.
Amendment 180 #
Proposal for a regulation
Article 4 – paragraph 1 – point 13
Article 4 – paragraph 1 – point 13
(13) ‘'main establishment’' means as regards the location as designated by the undertaking or group of undertakings, whether controller, the place of its establishment in the Union where the main decisions as or processor, subject to the consistency mechanism set out in Article 57, on the basis of, but not limited to, the purposes, conditions and means of the processing of personal data are taken; if no decisions as to the purposes, conditions and means of the processing of personal data are taken in the Union, the main establishment is the place where the main processing activities in the context of the activities of an establishment of a controller in the Union take place. As regards the processor, ‘main establishment’ means the place of its central administrfollowing optional objective criteria: (1) the location of the European headquarters of a group of undertakings; (2) the location of the entity within a group of undertakings with delegated data protection responsibilities; (3) the location of the entity within the group which is best placed in terms of management functions and administrative responsibilities to deal with and enforce the rules as set out in this Regulation; or (4) the location where effective and real management activities are exercised determining the data processing through stable arrangements. The competent authority shall be informed by the undertaking or group of undertakings of the designation inof the Union;main establishment.
Amendment 196 #
Proposal for a regulation
Article 6 – paragraph 1 – point f a (new)
Article 6 – paragraph 1 – point f a (new)
(f a) processing is necessary for fraud detection and prevention purposes according to applicable financial regulation or established industry, or professional body, codes of practice.
Amendment 198 #
Proposal for a regulation
Article 6 – paragraph 1 – point f b (new)
Article 6 – paragraph 1 – point f b (new)
(f b) only pseudonymous data is processed.
Amendment 255 #
Proposal for a regulation
Article 14 – paragraph 5 – point b
Article 14 – paragraph 5 – point b
(b) the data are not collected from the data subject and the provision of such information proves impossible or would involve a disproportionate effort and generate excessive administrative burden, especially when the processing is carried out by a SME as defined in EU recommendation 2003/361; or
Amendment 264 #
Proposal for a regulation
Article 17 – title
Article 17 – title
Right to be forgotten and to erasure
Amendment 266 #
Proposal for a regulation
Article 17 – paragraph 1 a (new)
Article 17 – paragraph 1 a (new)
1 a. The right to erasure shall not apply when the retention of personal data is necessary for the performance of a contract between an organisation and the data subject, or when there is a regulatory requirement to retain this data, or for fraud prevention purposes;
Amendment 267 #
Proposal for a regulation
Article 17 – paragraph 1 – point a
Article 17 – paragraph 1 – point a
Amendment 270 #
Proposal for a regulation
Article 17 – paragraph 1 – point b
Article 17 – paragraph 1 – point b
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or when the storage period consented to has expired, and where there is no other legal ground for the processing of the data;
Amendment 272 #
Proposal for a regulation
Article 17 – paragraph 1 – point d
Article 17 – paragraph 1 – point d
Amendment 289 #
Proposal for a regulation
Article 19 – paragraph 3 a (new)
Article 19 – paragraph 3 a (new)
3 a. Where pseudonymous data are processed based on Article 6(1)(g), the data subject shall have the right to object free of charge to the processing. This right shall be explicitly offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information.
Amendment 290 #
Proposal for a regulation
Article 20 – title
Article 20 – title
Measures based on profilautomated processing
Amendment 294 #
Proposal for a regulation
Article 20 – paragraph 1
Article 20 – paragraph 1
1. Every natural person shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significantly affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviourA data subject shall not be subject to a decision which is unfair or discriminatory, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this data subject.
Amendment 295 #
Proposal for a regulation
Article 20 – paragraph 2
Article 20 – paragraph 2
Amendment 309 #
Proposal for a regulation
Article 20 – paragraph 3
Article 20 – paragraph 3
Amendment 314 #
Proposal for a regulation
Article 20 – paragraph 4
Article 20 – paragraph 4
Amendment 317 #
Proposal for a regulation
Article 20 – paragraph 5
Article 20 – paragraph 5
Amendment 324 #
Proposal for a regulation
Article 23 – paragraph 1
Article 23 – paragraph 1
1. Having regard to the state of the art and the cost of implementation, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures in such a way that the processing will Where required, mandatory measures may be adopted to ensure that categories of goods or services are designed and have default settings meeting the requirements of this Regulation relating to the protection of individuals with regard to the processing of personal data. Such measures shall be based on standardisation pursuant to [Regulation .../2012 of the European Parliameent the requirements of this Reguland of the Council on European standardisation, and ensure the protection of the rights of the data subjectmending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Decision 87/95/EEC and Decision No 1673/2006/EC].
Amendment 328 #
Proposal for a regulation
Article 23 – paragraph 2
Article 23 – paragraph 2
2. The controller shall implement mechanisms for ensuring that, by default, only thoseUntil such time as mandatory measures have been adopted peursonal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both uant to paragraph 1, Member States shall ensure that no mandatory design or default requirements are imposed on goods or services relating terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to ao the protection of individuals with regard to the processing of personal data which could impede the placing of equipment on the market and the free circulation of such goods and services in iandefinite number of individual between Member States.
Amendment 330 #
Proposal for a regulation
Article 23 – paragraph 3
Article 23 – paragraph 3
Amendment 332 #
Proposal for a regulation
Article 23 – paragraph 4
Article 23 – paragraph 4
Amendment 338 #
Proposal for a regulation
Article 28 – paragraph 1
Article 28 – paragraph 1
1. Each controller and processor and, if any, the controller's representative, shall maintain documentation of all processing operationsthe main categories of processing under its responsibility.
Amendment 340 #
Proposal for a regulation
Article 28 – paragraph 2 – introductory part
Article 28 – paragraph 2 – introductory part
2. The core documentation shall contain at least the following information:
Amendment 341 #
Proposal for a regulation
Article 28 – paragraph 2 – point c
Article 28 – paragraph 2 – point c
(c) the purposes of the processing, including the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);generic purposes of processing.
Amendment 344 #
Proposal for a regulation
Article 28 – paragraph 2 – point f
Article 28 – paragraph 2 – point f
(f) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or an international organisation and, in case of transfers referred to in point (h) of Article 44(1), the documentation of appropriata reference to the safeguards employed;
Amendment 360 #
Proposal for a regulation
Article 31 – paragraph 1
Article 31 – paragraph 1
1. In the case of a personal data breach, the controller shall, without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours, notify the personal data breach to the supervisory authority.