BETA

52 Amendments of Kinga GÁL related to 2012/0011(COD)

Amendment 413 #
Proposal for a regulation
Recital 25
(25) Consent should be given explicitunambiguously by any appropriate method enabling a freely given specific and informed indication of the data subject’s wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data. Silence or inactivity should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject’s consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided. The information provided in order for children to express the consent should be given in a clear and age-appropriate language, in a way that it would be easy to understand for a child above the age of 13.
2013/03/04
Committee: LIBE
Amendment 425 #
Proposal for a regulation
Recital 29
(29) Children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data and they are also vulnerable consumers. To determine when an individual is a child, this Regulation should take over the definition laid down by the UN Convention on the Rights of the Child. In particular, child-friendly language should be used to ensure the right of consent for children above the age of 13.
2013/03/04
Committee: LIBE
Amendment 427 #
Proposal for a regulation
Recital 29
(29) Children deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data. To determine when an individual isSuch protection is particularly important in the context of social networks. For the purpose of this regulation a child should be defined as an individual under the age of 18. Where data processing is based on the data subject’s consent in relation to the offering of information society services directly to a child, this Re regulation should take differentiate between children abover the definition laid down by the UN Convention on the Rights ofage of 13 and children under the age of 13 who require a higher level of protection to the extent that consent is given or authorised by the Cchild’s parent or custodian.
2013/03/04
Committee: LIBE
Amendment 458 #
Proposal for a regulation
Recital 38
(38) The legitimate interests of a controller or the third party to which the data have been transferred may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding. This would need careful assessment in particular where the data subject is a child, given that children deserve specific protection. The data subject should have the right to object the processing, on grounds relating to their particular situation and free of charge. To ensure transparency, the controller should be obliged to explicitly inform the data subject on the legitimate interests pursued and on the right to object, and also be obliged to document these legitimate interests. Given that it is for the legislator to provide by law the legal basis for public authorities to process data, this legal ground should not apply for the processing by public authorities in the performance of their tasks.
2013/03/04
Committee: LIBE
Amendment 496 #
Proposal for a regulation
Recital 53
(53) Any person should have the right to have personal data concerning them rectified and a ‘the right to be forgotten’have such personal data erased where the retention of such data is not in compliance with this Regulation. In particular, data subjects should have the right that their personal data are erased and no longer processed, where the data are no longer necessary in relation to the purposes for which the data are collected or otherwise processed, where data subjects have withdrawn their consent for processing or where they object to the processing of personal data concerning them or where the processing of their personal data otherwise does not comply with this Regulation. This right is particularly relevant, when the data subject has given their consent as a child, when not being fully aware of the risks involved by the processing, and later wants to remove such personal data especially on the Internet. However, the further retention of the data should be allowed where it is necessary for historical, statistical and scientific research purposes, for rheasons of public interlth purposest in the area of public healthaccordance with Article 81, for exercising the right of freedom of expression, when required by law or where there is a reason to restrict the processing of the data instead of erasing them. Also, the right to erasure should not apply when the retention of personal data is necessary for the performance of a contract with the data subject, or when there is a regulatory requirement to retain this data, or for the prevention of financial crime.
2013/03/04
Committee: LIBE
Amendment 524 #
Proposal for a regulation
Recital 62
(62) The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processor, also in relation to the monitoring by and measures of supervisory authorities, requires a clear attribution of the responsibilities under this Regulation, including where a controller determines the purposes, conditions and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller.
2013/03/04
Committee: LIBE
Amendment 532 #
Proposal for a regulation
Recital 65
(65) In order to demonstrate compliance with this Regulation, the controller or processor should document each processing operation under its responsibility. Each controller and processor should be obliged to co-operate with the supervisory authority and make this documentation, on request, available to it, so that it might serve for monitoring those processing operations.
2013/03/04
Committee: LIBE
Amendment 601 #
Proposal for a regulation
Recital 99
(99) While this Regulation applies also to the activities of national courts, the competence of the supervisory authorities should not cover the processing of personal data when courts are acting in their judicial capacity, in order to safeguard the independence of judges in the performance of their judicial tasks. However, this exemption should be strictly limited to genuine judicial activities in court cases and not apply to other activities where judges might be involved in, in accordance with national law.deleted
2013/03/04
Committee: LIBE
Amendment 611 #
Proposal for a regulation
Recital 112
(112) Any body, organisation or association which aims to protects the rights and interests of data subjects in relation to the protection of their data and is constituted according to the law of a Member State should have the right to lodge a complaint with a supervisory authority or exercise the right to a judicial remedy on behalf of data subjects, or. Every person has the right to lodge, independently of a data subject's complaint, an own complaint where it considers that a personal data breach has occurred.
2013/03/04
Committee: LIBE
Amendment 618 #
Proposal for a regulation
Recital 115
(115) In situations where the competent supervisory authority established in another Member State does not act or has taken insufficient measures in relation to a complaint, the data subject may request the supervisory authority in the Member State of his or her habitual residence to bring proceedings against that supervisory authority to the competent court in the other Member State. The requested supervisory authority may decide, subject to judicial review, whether it is appropriate to follow the request or not.deleted
2013/03/04
Committee: LIBE
Amendment 748 #
Proposal for a regulation
Article 4 – paragraph 1 – point 5
(5) ‘controller’ means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes, conditions and means of the processing of personal data; where the purposes, conditions and means of processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by Union law or by Member State law;
2013/03/04
Committee: LIBE
Amendment 1013 #
Proposal for a regulation
Article 8 – paragraph 1
1. For the purposes of this Regulation, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodian, without prejudice of Article 6(1). The controller shall make reasonable efforts to obtain verifiable consentprovide notice and obtain meaningful, verifiable consent (e.g. by obtaining the consent from the email address of the parent or the custodian), taking into consideration available technology.
2013/03/04
Committee: LIBE
Amendment 1015 #
Proposal for a regulation
Article 8 – paragraph 1 a (new)
1a. The information provided in order to express the consent should be given in a clear and age-appropriate language, in a way that would be easy to understand for the child above the age of 13 years.
2013/03/04
Committee: LIBE
Amendment 1018 #
Proposal for a regulation
Article 8 – paragraph 1 b (new)
1b. The methods to obtain meaningful consent shall not lead to additional processing of personal data of the child concerned.
2013/03/04
Committee: LIBE
Amendment 1176 #
Proposal for a regulation
Article 14 – paragraph 1 – introductory part
1. Where personal data relating to a data subject are collected, the controller shall provide the data subject with at least the following information:. The following paragraphs do not apply to small enterprises in the course of their own activity and for data which is strictly and exclusively for their internal use.
2013/03/04
Committee: LIBE
Amendment 1180 #
Proposal for a regulation
Article 14 – paragraph 1 – point a
(a) the identity and the contact details of the controller and, if any, of the controller's representative and of the data protection officer;
2013/03/04
Committee: LIBE
Amendment 1189 #
Proposal for a regulation
Article 14 – paragraph 1 – point b
(b) the purposes of the processing for which the personal data are intended, including the contract terms and general conditions where the processing is based on point (b) of Article 6(1) and the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);
2013/03/06
Committee: LIBE
Amendment 1193 #
Proposal for a regulation
Article 14 – paragraph 1 – point c
(c) the period for which the personal data will be stordeleted;
2013/03/06
Committee: LIBE
Amendment 1201 #
Proposal for a regulation
Article 14 – paragraph 1 – point d
(d) the existence of the right to request from the controller access to and rectification or erasure of the personal data concerning the data subject orand to object to the processing of such personal data;
2013/03/06
Committee: LIBE
Amendment 1203 #
Proposal for a regulation
Article 14 – paragraph 1 – point e
(e) the right to lodge a complaint to the supervisory authority and the contact details of the supervisory authority;deleted
2013/03/06
Committee: LIBE
Amendment 1215 #
Proposal for a regulation
Article 14 – paragraph 1 – point h
(h) any further information necessary to guarantee fair processing in respect of the data subject, having regard to the specific circumstances in which the personal data are collecdeleted.
2013/03/06
Committee: LIBE
Amendment 1222 #
Proposal for a regulation
Article 14 – paragraph 2
2. Where the personal data are collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, whether the provision of personal data is obligatory or voluntary, as well as the possible consequences of failure to provide such data.
2013/03/06
Committee: LIBE
Amendment 1238 #
Proposal for a regulation
Article 14 – paragraph 4 – point b
(b) where the personal data are not collected from the data subject, at the time of the recording or within a reasonable period after the collection, having regard to the specific circumstances in which the data are collected or otherwise processed, or, if a disclosure to another recipient is envisaged, and at the latest when the data are first disclosed; or, if the data shall be used for communication with the person concerned, at the latest at the time of the first communication to that person.
2013/03/06
Committee: LIBE
Amendment 1248 #
Proposal for a regulation
Article 14 – paragraph 5 – point b
(b) the data are not collected from the data subject or the data processes do not allow the verification of identity and the provision of such information proves impossible or would involve a disproportionate effort such as by generating excessive administrative burden, especially when the processing is carried out by a SME; or
2013/03/06
Committee: LIBE
Amendment 1250 #
Proposal for a regulation
Article 14 – paragraph 5 – point c
(c) the data are not collected from the data subject and recording or disclosure is expressly laid down by law; or
2013/03/06
Committee: LIBE
Amendment 1253 #
Proposal for a regulation
Article 14 – paragraph 5 – point d
(d) the data are not collected from the data subject and the provision of such information will impair the rights and freedoms of others, as defined in Union law or Member State law in accordance with Article 21.; or
2013/03/06
Committee: LIBE
Amendment 1262 #
Proposal for a regulation
Article 14 – paragraph 5 – point d a (new)
(da) the data originates from publicly available sources; or
2013/03/06
Committee: LIBE
Amendment 1266 #
Proposal for a regulation
Article 14 – paragraph 5 – point d b (new)
(db) the data must be kept secret in accordance with legislation or by virtue of their nature, particularly because of a legitimate overriding interest of a third party.
2013/03/06
Committee: LIBE
Amendment 1268 #
Proposal for a regulation
Article 14 – paragraph 5 – point d c (new)
(dc) the data are processed in the exercise of his profession by, or are entrusted or become known to, a person who is subject to an obligation of professional secrecy regulated by the State or to a statutory obligation of secrecy.
2013/03/06
Committee: LIBE
Amendment 1279 #
Proposal for a regulation
Article 14 – paragraph 7
7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria for categories of recipients referred to in point (f) of paragraph 1, the requirements for the notice of potential access referred to in point (g) of paragraph 1, the criteria for the further information necessary referred to in point (h) of paragraph 1 for specific sectors and situations, and the conditions and appropriate safeguards for the exceptions laid down in point (b) of paragraph 5. In doing so, the Commission shall take the appropriate measures for micro, small and medium-sized- enterprises.
2013/03/06
Committee: LIBE
Amendment 1296 #
Proposal for a regulation
Article 15 – paragraph 1 – introductory part
1. TOnly the data subject shall have the right to obtain from the controller at any time, on request, confirmation as to whether or not personal data relating to the data subject are being processed unless this request is manifestly excessive according to 12 (4). Where such personal data are being processed, the controller shall - so far as the data subject has not received - provide the following information:
2013/03/06
Committee: LIBE
Amendment 1311 #
Proposal for a regulation
Article 15 – paragraph 1 – point d
(d) if known the period for which the personal data will be stored;
2013/03/06
Committee: LIBE
Amendment 1324 #
Proposal for a regulation
Article 15 – paragraph 2
2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject.deleted
2013/03/06
Committee: LIBE
Amendment 1357 #
Proposal for a regulation
Article 15 – paragraph 3
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the communication to the data subject of the contentdata subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data which were provided by the data subject itself and that undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject. This right shall not restrict rights of others as trade secrets or intellectual property rights. This does not apply on the processing of anonymised and pseudonymised data, insofar as the data subject is not sufficiently identifiable ofn the personal data referbasis of such data or identification would required to in point (g) of paragraph 1he controller to undo the process of pseudonymisation.
2013/03/06
Committee: LIBE
Amendment 1358 #
Proposal for a regulation
Article 15 – paragraph 3 a (new)
3a. There shall be no right to information where: (a) data are involved which a person bound by professional secrecy is required to protect; (b) data must be kept secret in accordance with legislation or by virtue of their nature, particularly because of the overriding interest of a third party; (c) the public entity responsible has ascertained in relation to the entity responsible that disclosure of the data would endanger public safety or order; (d) data comprise trade secrets.
2013/03/06
Committee: LIBE
Amendment 1376 #
Proposal for a regulation
Article 16 – paragraph 1 a (new)
Paragraph 1 shall not apply to pseudonymous data.
2013/03/06
Committee: LIBE
Amendment 1603 #
Proposal for a regulation
Article 20 – paragraph 3 a (new)
3a. In any case, children should not be subject to measures of profiling, as referred to in paragraph 1.
2013/03/06
Committee: LIBE
Amendment 1750 #
Proposal for a regulation
Article 24 – paragraph 1
Where a controller determines the purposes, conditions and means of the processing of personal data jointly with others, the joint controllers shall determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the procedures and mechanisms for exercising the rights of the data subject, by means of an arrangement between them.
2013/03/06
Committee: LIBE
Amendment 1778 #
Proposal for a regulation
Article 26 – paragraph 2 – introductory part
2. The carrying out of processing by a processor shall be governed by a contract or other legal act binding the processor to the controller and stipulating in particular that the processor shall. The controller and the processor shall be free to determine respective roles and responsibilities with respect to the requirements of this Regulation and shall provide for the following:
2013/03/06
Committee: LIBE
Amendment 1784 #
Proposal for a regulation
Article 26 – paragraph 2 – point d
(d) enlist another processor only with the prior permission of the controller;deleted
2013/03/06
Committee: LIBE
Amendment 1788 #
Proposal for a regulation
Article 26 – paragraph 2 – point e
(e) insofar as this is possible given the nature of the processing, create in agreement with the controller the necessary technical and organisational requirements for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III;deleted
2013/03/06
Committee: LIBE
Amendment 1792 #
Proposal for a regulation
Article 26 – paragraph 2 – point f
(f) assist the controller in ensuring compliance with the obligations pursuant to Articles 30 to 34;deleted
2013/03/06
Committee: LIBE
Amendment 1796 #
Proposal for a regulation
Article 26 – paragraph 2 – point g
(g) hand over all results to the controller after the end of the processing and not process the personal data otherwise;deleted
2013/03/06
Committee: LIBE
Amendment 1804 #
Proposal for a regulation
Article 26 – paragraph 2 – point h
(h) make available to the controller and the supervisory authority on request all information necessary to control compliance with the obligations laid down in this Article.
2013/03/06
Committee: LIBE
Amendment 2593 #
Proposal for a regulation
Article 51 – paragraph 3
3. The supervisory authority shall not be competent to supervise processing operations of courts acting in their judicial capacity.deleted
2013/03/06
Committee: LIBE
Amendment 2632 #
Proposal for a regulation
Article 53 – paragraph 3
3. Each supervisory authority shall have the power to bring violations of this Regulation to the attention of the judicial authorities and to engage in legal proceedings, in particular pursuant to Article 74(4) and Article 75(2).
2013/03/06
Committee: LIBE
Amendment 2790 #
Proposal for a regulation
Article 73 – paragraph 3
3. Independently of a data subject's complaint, any body, organisation or association referred to in paragraph 2person shall have the right to lodge a complaint with a supervisory authority in any Member State, if it considers that a personal data breach has occurred.
2013/03/06
Committee: LIBE
Amendment 2800 #
Proposal for a regulation
Article 74 – paragraph 4
(4) A data subject which is concerned by a decision of a supervisory authority in another Member State than where the data subject has its habitual residence, may request the supervisory authority of the Member State where it has its habitual residence to bring proceedings on its behalf against the competent supervisory authority in the other Member State.deleted
2013/03/06
Committee: LIBE
Amendment 2813 #
Proposal for a regulation
Article 76 – paragraph 1
1. Any body, organisation or association referred to in Article 73(2) shall have the right to exercise the rights referred to in Articles 74 and 75 on behalf of one or more data subjects.deleted
2013/03/06
Committee: LIBE
Amendment 2825 #
Proposal for a regulation
Article 77 – paragraph 1
1. Any person who has suffered damage as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered.
2013/03/06
Committee: LIBE
Amendment 2830 #
Proposal for a regulation
Article 77 – paragraph 2
2. Where more than one controller or processor is involved in the processing, each controller or processor shall be jointly and severally liable for the entire amount of the damage, notwithstanding the contractual agreement they might have concluded according to Article 24.
2013/03/06
Committee: LIBE
Amendment 2837 #
Proposal for a regulation
Article 77 – paragraph 3
3. The controller or the processor may be exempted from this liability, in whole or in part, if the controller or the processor proves that they are not responsible for the event giving rise to the damage.
2013/03/06
Committee: LIBE