39 Amendments of Françoise CASTEX related to 2012/0011(COD)
Amendment 86
Proposal for a regulation
Recital 55
(55) To further strengthen the control over their own data and their right of access, data subjects should have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain a copy ofto obtain the data concerning them also in commonly used electronic format. The data subject should also be allowed to transmit those data, which they have provided, from one automated application, such as a social network, into another one. This should apply where the data subject provided the data to the automated processing system, based on their consent or in the performance of a contract.
Amendment 93
Proposal for a regulation
Recital 67
(67) A personal data breach may, if not addressed in an adequate and timely manner, result in substantial economic loss and social harm, including identity fraud, to the individual concerned. Therefore, as soon as the controller becomes aware that such a breach has occurred, the controller should notify the breach to the supervisory authority without undue delay and, where feasible, within 724 hours. Where this cannot be achieved within 724 hours, an explanation of the reasons for the delay should accompany the notification. The individuals whose personal data could be adversely affected by the breach should be notified without undue delay in order to allow them to take the necessary precautions. A breach should be considered as adversely affecting the personal data or privacy of a data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation. The notification should describe the nature of the personal data breach as well as recommendations for the individual concerned to mitigate potential adverse effects. Notifications to data subjects should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities (e.g. law enforcement authorities). For example, the chance for data subjects to mitigate an immediate risk of harm would call for a prompt notification of data subjects whereas the need to implement appropriate measures against continuing or similar data breaches may justify a longer delay.
Amendment 94
Proposal for a regulation
Recital 82
(82) The Commission may equally recognise that a third country, or a territory or a processing sector within a third country, or an international organisation offers no adequate level of data protection. Consequently the transfer of personal data to that third country should be prohibited. The prohibition shall also apply to those countries for which the European Commission has already judged the lack of adequacy. In that case, provision should be made for consultations between the Commission and such third countries or international organisations.
Amendment 98
Proposal for a regulation
Recital 129
(129) In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data and to ensure the free movement of personal data within the Union, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission. In particular, delegated acts should be adopted in respect of lawfulness of processing; specifying the criteria and conditions in relation to the consent of a child; processing of special categories of data; specifying the criteria and conditions for manifestly excessive requests and fees for exercising the rights of the data subject; criteria and requirements for the information to the data subject and in relation to the right of access; the right to be forgotten and to erasure; measures based on profiling; criteria and requirements in relation to the responsibility of the controller and to data protection by design and by default; a processor; criteria and requirements for the documentation and the security of processing; criteria and requirements for establishing a personal data breach and for its notification to the supervisory authority, and on the circumstances where a personal data breach is likely to adversely affect the data subject; the criteria and conditions for processing operations requiring a data protection impact assessment; the criteria and requirements for determining a high degree of specific risks which require prior consultation; designation and tasks of the data protection officer; codes of conduct; criteria and requirements for certification mechanisms; criteria and requirements for transfers by way of binding corporate rules; transfer derogations; administrative sanctions; processing for health purposes; processing in the employment context and processing for historical, statistical and scientific research purposes. 
It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. The Commission, when preparing and drawing-up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and Council.
Amendment 99
Proposal for a regulation
Recital 130
(130) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission for: specifying standard forms in relation to the processing of personal data of a child; standard procedures and forms for exercising the rights of data subjects; standard forms for the information to the data subject; standard forms and procedures in relation to the right of access; the right to data portability; standard forms in relation to the responsibility of the controller to data protection by design and by default and to the documentation; specific requirements for the security of processing; the standard format and the procedures for the notification of a personal data breach to the supervisory authority and the communication of a personal data breach to the data subject; standards and procedures for a data protection impact assessment; forms and procedures for prior authorisation and prior consultation; technical standards and mechanisms for certification; the adequate level of protection afforded by a third country or a territory or a processing sector within that third country or an international organisation; disclosures not authorized by Union law; mutual assistance; joint operations; decisions under the consistency mechanism. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission's exercise of implementing powers. In this context, the Commission should consider specific measures for micro, small and medium-sized enterprises.
Amendment 104
Proposal for a regulation
Article 3 a (new)
Article 3a This Regulation applies to the processing of personal data of data subjects not residing in the Union by a controller or processor established in the Union, through their economic activities in a third country(ies).
Amendment 136
Proposal for a regulation
Article 6 – paragraph 1 – point f
(f) processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks. It shall also not apply to processing that can be based on one or several of the other grounds in this paragraph.
Amendment 141
Proposal for a regulation
Article 6 – paragraph 1 – subparagraph 1 a (new)
The EDPB should set up a list of common criteria to be met for further processing to be considered compatible with the one for which personal data have been originally collected.
Amendment 146
Proposal for a regulation
Article 6 a (new)
Article 6a The data will not be used against the data subject in a disciplinary hearing, or to blacklist, vet or bar him or her from employment.
Amendment 157
Proposal for a regulation
Article 8 – paragraph 1
1. For the purposes of this Regulation, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodian. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology. The methods to obtain verifiable consent shall not lead to the further processing of personal data which would otherwise not be necessary.
Amendment 160
Proposal for a regulation
Article 9 – paragraph 1
1. The processing of personal data, revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership and activities, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures shall be prohibited. In particular, this would include safeguards to prevent the blacklisting of workers, for example in relation to their trade union activities or health and safety representative roles.
Amendment 181
Proposal for a regulation
Article 14 – paragraph 3
3. Where the personal data are not collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, from which source the personal data originate. This would include data sourced from a third party illegally and passed on to the controller.
Amendment 184
Proposal for a regulation
Article 14 – paragraph 5 – point b
Amendment 193
Proposal for a regulation
Article 15 – paragraph 2
2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject. The controller shall verify the identity of a data subject requesting access to data within the limits of Articles 5 to 10 of this Regulation.
Amendment 286
Proposal for a regulation
Article 31 – paragraph 1
1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 724 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 724 hours.
Amendment 366
Proposal for a regulation
Article 51 – paragraph 1 – subparagraph 1 a (new)
Each authority shall be competent within its territory for the processing activities taking place in the context of the activities of an establishment of the controller or processor, or affecting its residents;
Amendment 367
Proposal for a regulation
Recital 15
(15) This Regulation should not apply to processing of personal data by a natural person, which are exclusively personal or domestic, such as correspondence and the holding of addresses, and without any gainful interest and thus without any connection with a professional or commercial activity. This exemption should not apply to such personal or domestic activities, where the natural person makes personal data of other natural persons accessible to an indefinite number of individuals. The exemption should also not apply to controllers or processors which provide the means for processing personal data for such personal or domestic activities.
Amendment 386
Proposal for a regulation
Recital 23
(23) The principles of protection should apply to any information concerning an identified or identifiable person, including after their death. To determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the individual. The principles of data protection should not apply to data rendered anonymous in such a way that the data subject is no longer identifiable.
Amendment 400
Proposal for a regulation
Article 77 – paragraph 1
1. Any person who has suffered material or immaterial damage as a result of an unlawful processing operation, including blacklisting, or of an action incompatible with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered and for any injury to feeling.
Amendment 403
Proposal for a regulation
Article 78 – paragraph 2 a (new)
2a. Any person or enterprise that is known to have infringed the provisions of this Regulation, for example by illegally accessing employees' personal data to blacklist them or bar them from employment, should be excluded from receiving Union grants and funding and from taking part in calls for tender for other public procurement contracts at Union, national or public authority level until all legal proceedings are proven to be completed and all compensation has been paid in full to any victims.
Amendment 423
Proposal for a regulation
Article 79 – paragraph 6 – point a a (new)
(aa) uses employees' or potential employees' personal data to blacklist them, vet them or bar them from access to future employment;
Amendment 459
Proposal for a regulation
Recital 39 a (new)
(39a) The prevention or limitation of damages on the side of the data controller, such as civil damages and remedies, should constitute a legitimate interest. Direct marketing should not constitute a legitimate interest.
Amendment 490
Proposal for a regulation
Recital 53
(53) Any person should have the right to have personal data concerning them rectified and a ‘right to be forgottenerasure’ where the retention of such data is not in compliance with this Regulation. In particular, data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed, where data subjects have withdrawn their consent for processing or where they object to the processing of personal data concerning them or where the processing of their personal data otherwise does not comply with this Regulation. This right is particularly relevant, when the data subject has given their consent as a child, when not being fully aware of the risks involved by the processing, and later wants to remove such personal data especially on the Internet. However, the further retention of the data should be allowed where it is necessary for historical, statistical and scientific research purposes, for reasons of public interest in the area of public health, for exercising the right of freedom of expression, when required by law or where there is a reason to restrict the processing of the data instead of erasing them.
Amendment 501
Proposal for a regulation
Recital 54
(54) To strengthen the ‘right to be forgottenerasure’ in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform third parties which are processing such data that a data subject requests them to erase any links to, or copies or replications of that personal data. To ensure this information, the controller should take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible. In relation to a third party publication of personal data, the controller should be considered responsible for the publication, where the controller has authorised the publication by the third party.
Amendment 507
Proposal for a regulation
Recital 56
(56) In cases where personal data might lawfully be processed to protect the vital interests of the data subject, or on grounds of public interest, or official authority or the legitimate interests of a controller, any data subject should nevertheless be entitled to object to the processing of any data relating to them. The burden of proof should be on the controller to demonstrate that their legitimate interests may override the interests or the fundamental rights and freedoms of the data subject.
Amendment 509
Proposal for a regulation
Recital 57
(57) Where personal data are processed for the purposes of direct marketingbased on the legitimate interests of the data controller, the data subject should have the right to object to such processing in advance, free of charge and in a manner that can be easily and effectively invoked.
Amendment 676
Proposal for a regulation
Article 2 – paragraph 2 – point d
(d) by a natural person without any gainful interest in the course of its own exclusively personal or household activity, unless personal data of other natural persons is made accessible to an indefinite number of individuals;
Amendment 1004
Proposal for a regulation
Article 7 a (new)
Article 7a Consent should only be obtainable for processing which is lawful and, therefore, not disproportionate to its purpose. Consent shall not constitute a valid legal basis when it is intended to enable the controller to scan the list of contacts of the person concerned for the purpose of collecting the personal data of third persons.
Amendment 1245
Proposal for a regulation
Article 14 – paragraph 5 – point b
Amendment 1382
Proposal for a regulation
Article 17 – title
Right to be forgotten and to erasure
Amendment 1404
Proposal for a regulation
Article 17 – paragraph 1 a (new)
1a. The heirs of a deceased person are entitled to have the data processor put an end to the publication of their data.
Amendment 1501
Proposal for a regulation
Article 18 – paragraph 1
1. The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic, interoperable and structured format which is commonly used and allows for further use by the data subject.
Amendment 1515
Proposal for a regulation
Article 18 – paragraph 2 a (new)
2a. In exercising his or her right to portability, the data subject must inform the controller from whom the data are withdrawn that he or she also wants the data to be erased, in accordance with the provisions of Article 17.
Amendment 1562
Proposal for a regulation
Article 20 – paragraph 2 – point a
(a) is carried out in the course of thenecessary for entering into, or performance of, a contract, where the request for the entering into or the performance of the contract, lodged by the data subject, has been satisfied or where suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the right to obtain human intervention; or
Amendment 1593
Proposal for a regulation
Article 20 – paragraph 2 a (new)
2a. In the employment sphere, the processing or use of data for the purposes of the permanent surveillance or profiling of employees, the drawing-up and dissemination of black lists of employees, the monitoring of performance or conduct or the preparation of a dismissal on grounds of illness shall be prohibited; job applicants’ data shall enjoy the same protection.
Amendment 1758
Proposal for a regulation
Article 25 – paragraph 2 – point b
(b) an enterprise employing fewer than 250 persons that is processing personal data only as an activity ancillary to its main activities and if processing is not carried out on special categories of personal data as referred to in Article 9(1); or
Amendment 2167
Proposal for a regulation
Article 35 – paragraph 1 – point b
(b) the processing is carried out by an enterprise employing 250 persons or more; or , or an enterprise processes personal data as its main activity or processing is carried out on special categories of personal data as referred to in Article 9 (1);
Amendment 2841
Proposal for a regulation
Article 78 – paragraph 2 a (new)
2a. Member States shall lay down rules on penalties that are effective and dissuasive in preventing any abuse of the fundamental right to the protection of personal data as enshrined in the Charter of Fundamental Rights, including legal provisions outlawing as a criminal offence the use of personal data to blacklist workers, vet them or bar them from future employment.
Amendment 2843
Proposal for a regulation
Article 78 – paragraph 2 b (new)
2b. Member States shall ensure that persons or companies found to be taking part in blacklisting will be excluded from receiving EU grants and funding and from taking part in calls for tender for other public procurement contracts at EU, national or public authority level until all legal proceedings are proven to be completed, all compensation has been paid in full to any victims and there is reliable proof that this criminal culture has been removed from the organisation.