67 Amendments of Andreas SCHWAB related to 2012/0011(COD)

Proposal for a regulation
Recital 24

(24) When using online services, individuals may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses or cookie identifiers. This may leave traces which, combined with unique identifiers and other information received by the servers, may be used to create profiles of the individuals and identify them. It follows that a study should be conducted, on a case-by-case basis and in accordance with technological developments, into whether identification numbers, location data, online identifiers or other specific factors as such ~~need no~~must necessarily be considered as personal data ~~in all circumstances~~.

2012/11/08
Committee: IMCO

Proposal for a regulation
Recital 25

(25) Consent should be given explicitly by any method appropriate ~~metho~~to the media used enabling a freely given specific and informed indication of the data subject's wishes, either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data. Silence or inactivity should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject's consent is to be given following an electronic request, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

2012/11/08
Committee: IMCO

Proposal for a regulation
Recital 27

(27) The main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes, conditions and means of processing through stable arrangements. This criterion should not depend whether the processing of personal data is actually carried out at that location; the presence and use of technical means and technologies for processing personal data or processing activities do not, in themselves, constitute such main establishment and are therefore no determining criteria for a main establishment. ‘Main establishment of the controller’ means the place in the EU where personal data protection policy is determined, taking into account the dominant influence of that establishment over others, particularly in the case of a group of companies, as regards the implementation of rules on personal data protection and rules which have a bearing on data protection. The main establishment of the processor should be the place of its central administration in the Union.

2012/11/08
Committee: IMCO

Andreas SCHWAB, Lara COMI, Rafał TRZASKOWSKI, Pablo ARIAS ECHEVERRÍA

Proposal for a regulation
Recital 38

(38) The legitimate interests of a ~~controller~~data subject may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding. This would need careful assessment in particular where the data subject is a child, given that children deserve specific protection. The data subject should have the right to object the processing, on grounds relating to their particular situation and free of charge. To ensure transparency, the controller or the third parties to whom the data are sent should be obliged to explicitly inform the data subject on the legitimate interests pursued and on the right to object, and also be obliged to document these legitimate interests. Given that it is for the legislator to provide by law the legal basis for public authorities to process data, this legal ground should not apply for the processing by public authorities in the performance of their tasks.

2012/11/08
Committee: IMCO

Proposal for a regulation
Recital 48

(48) The principles of fair and transparent processing require that the data subject should be informed in particular of the existence of the processing operation and its purposes, the criteria which may be used to determine how long the data will be stored for each purpose, on the existence of the right of access, rectification or erasure and on the right to lodge a complaint. Where the data are collected from the data subject, the data subject should also be informed whether they are obliged to provide the data and of the consequences, in cases they do not provide such data.

2012/11/08
Committee: IMCO

Andreas SCHWAB, Lara COMI, Rafał TRZASKOWSKI, Pablo ARIAS ECHEVERRÍA

Proposal for a regulation
Recital 51

(51) Any person should have the right of access to data which has been collected concerning them, and to exercise this right easily, in order to be aware and verify the lawfulness of the processing. Every data subject should therefore have the right to know and obtain communication in particular for what purposes the data are processed, ~~for what period~~the criteria which may be used to determine for how long the data will be stored for each purpose, which recipients receive the data, what is the logic of the data that are undergoing the processing and what might be, at least when based on profiling, the consequences of such processing. This right should not adversely affect the rights and freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of these considerations should not be that all information is refused to the data subject.

2012/11/08
Committee: IMCO

Proposal for a regulation
Recital 55

(55) To further strengthen the control over their own data and their right of access, data subjects should have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain a copy of the data concerning them also in commonly used electronic format. The data subject should also be allowed to transmit those data, which they have provided, from one automated application, such as a social network, into another one. This should apply where the data subject provided the data to the automated processing system, based on their consent or in the performance of a contract.deleted

2012/11/08
Committee: IMCO

Andreas SCHWAB, Lara COMI, Rafał TRZASKOWSKI, Pablo ARIAS ECHEVERRÍA

Proposal for a regulation
Recital 60

(60) ~~Comprehensive~~Overall responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller's behalf should be established. In particular, the controller should ensure and be obliged to demonstrate the compliance of each processing operation with this Regulation.

2012/11/08
Committee: IMCO

Proposal for a regulation
Recital 62

(62) The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processor, also in relation to the monitoring by and measures of supervisory authorities, requires a clear attribution of the responsibilities under this Regulation, including where a controller determines the purposes, conditions and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller. Where joint and several liability applies, a processor which has made amends for damage done to the data subject concerned may bring an action against the controller for reimbursement if it has acted in conformity with the legal act binding it to the controller.

2012/11/08
Committee: IMCO

Andreas SCHWAB, Lara COMI, Rafał TRZASKOWSKI, Pablo ARIAS ECHEVERRÍA

Proposal for a regulation
Recital 65

(65) In order to demonstrate compliance with this Regulation, the controller or processor should keep a document ~~each processing operation~~ary record of all the processing systems and procedures for which they are responsible. Each controller and processor should be obliged to co-operate with the supervisory authority and make this documentation, on request, available to it, so that it might serve for monitoring those processing operations.

2012/11/08
Committee: IMCO

Proposal for a regulation
Recital 67

(67) A personal data breach may, if not addressed in an adequate and timely manner, result in substantial economic loss and social harm, including identity fraud, to the individual concerned. Therefore, as soon as the controller becomes aware that ~~such~~ a breach which would have a significant impact on the data subject has occurred, the controller should notify the breach to the supervisory authority without undue delay ~~and, where feasible, within 24 hours. Where this cannot achieved within 24 hours, an explanation of the reasons for the delay should accompany the notification~~. The individuals whose personal data could be significantly adversely affected by the breach should be notified without undue delay in order to allow them to take the necessary precautions. A breach should be considered as significantly adversely affecting the personal data or privacy of a data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation. The notification should describe the nature of the personal data breach as well as recommendations as well as recommendations for the individual concerned to mitigate potential adverse effects. Notifications to data subjects should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities (e.g. law enforcement authorities). For example, the chance for data subjects to mitigate an immediate risk of harm would call for a prompt notification of data subjects whereas the need to implement appropriate measures against continuing or similar data breaches may justify a longer delay.

2012/11/08
Committee: IMCO

Andreas SCHWAB, Lara COMI, Rafał TRZASKOWSKI, Pablo ARIAS ECHEVERRÍA

Proposal for a regulation
Recital 115

(115) In situations where the competent supervisory authority established in another Member State does not act or has taken insufficient measures in relation to a complaint, the data subject may request the supervisory authority in the Member State of his or her habitual residence to bring proceedings against that supervisory authority to the competent court in the other Member State. The requested supervisory authority may decide, subject to judicial review, whether it is appropriate to follow the request or not.deleted

2012/11/08
Committee: IMCO

Proposal for a regulation
Recital 118

(118) Any damage which a person may suffer as a result of unlawful processing should be compensated by the controller or processor, who may be exempted from liability if they prove that they are not responsible for the damage, in particular where he establishes fault on the part of the data subject or in case of force majeure. Where joint and several liability applies, a processor which has made amends for damage done to the data subject concerned may bring an action against the controller for reimbursement if it has acted in conformity with the legal act binding it to the controller.

2012/11/08
Committee: IMCO

Andreas SCHWAB, Lara COMI, Rafał TRZASKOWSKI, Pablo ARIAS ECHEVERRÍA

Proposal for a regulation
Recital 129

(129) In order to fulfil the objectives of this Regulation, namely to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data and to ensure the free movement of personal data within the Union, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission. In particular, delegated acts should be adopted in respect of lawfulness of processing; specifying the criteria and conditions in relation to the consent of a child; processing of special categories of data; ~~specifying the criteria and conditions for manifestly excessive requests and fees for exercising the rights of the data subject;~~ criteria and requirements for the information to the data subject and in relation to the right of access; the right to be forgotten and to erasure; measures based on profiling; criteria and requirements in relation to the responsibility of the controller ~~and to data protection by design and by default~~; a processor; criteria and requirements for the documentation ~~and the security of processing~~; criteria and requirements for establishing a personal data breach and for its notification to the supervisory authority, and on the circumstances where a personal data breach is likely to adversely affect the data subject; the criteria and conditions for processing operations requiring a data protection impact assessment; the criteria and requirements for determining a high degree of specific risks which require prior consultation; designation and tasks of the data protection officer; codes of conduct; criteria and requirements for certification mechanisms; criteria and requirements for transfers by way of binding corporate rules; transfer derogations; ~~administrative sanctions;~~ processing for health purposes; processing in the employment context and processing for historical, statistical and scientific research purposes. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level. The Commission, when preparing and drawing-up delegated acts, should ensure a simultaneous, timely and appropriate transmission of relevant documents to the European Parliament and Council.

2012/11/08
Committee: IMCO

Andreas SCHWAB, Lara COMI, Rafał TRZASKOWSKI, Pablo ARIAS ECHEVERRÍA

Proposal for a regulation
Recital 130

(130) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission for: specifying standard forms in relation to the processing of personal data of a child; ~~standard procedures and forms for exercising the rights of data subjects;~~ standard forms for the information to the data subject; standard forms and procedures in relation to the right of access; ~~the right to data portability;~~ standard forms in relation to the responsibility of the controller ~~to data protection by design and by default and to~~in respect of the documentation; specific requirements for the security of processing; the standard format and the procedures for the notification of a personal data breach to the supervisory authority and the communication of a personal data breach to the data subject; standards and procedures for a data protection impact assessment; forms and procedures for prior authorisation and prior consultation; technical standards and mechanisms for certification; the adequate level of protection afforded by a third country or a territory or a processing sector within that third country or an international organisation; disclosures not authorized by Union law; mutual assistance; joint operations; decisions under the consistency mechanism. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission's exercise of implementing powers46. In this context, the Commission should consider specific measures for micro, small and medium-sized enterprises.

2012/11/08
Committee: IMCO

Andreas SCHWAB, Lara COMI, Rafał TRZASKOWSKI, Pablo ARIAS ECHEVERRÍA

Proposal for a regulation
Recital 131

(131) The examination procedure should be used for the adoption of specifying standard forms in relation to the consent of a child; standard procedures and forms for exercising the rights of data subjects; standard forms for the information to the data subject; standard forms and procedures in relation to the right of access; ~~the right to data portability;~~ standard forms in relation to the responsibility of the controller ~~to data protection by design and by default and to~~in respect of the documentation; specific requirements for the security of processing; the standard format and the procedures for the notification of a personal data breach to the supervisory authority and the communication of a personal data breach to the data subject; standards and procedures for a data protection impact assessment; forms and procedures for prior authorisation and prior consultation; technical standards and mechanisms for certification; ~~the adequate level of protection afforded by a third country or a territory or a processing sector within that third country or an international organisation;~~ disclosures not authorized by Union law; mutual assistance; joint operations; decisions under the consistency mechanism, given that those acts are of general scope.

2012/11/08
Committee: IMCO

Proposal for a regulation
Recital 139

(139) In view of the fact that, as underlined by the Court of Justice of the European Union, the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and be balanced with other frights enshrined in the Charter of Fundamental rRights of the European Union, in accordance with the principle of proportionality, this Regulation respects all fundamental rights and observes the principles recognised in the Charter of Fundamental Rights of the European Union as enshrined in the Treaties, notably the right to respect for private and family life, home and communications, the right to the protection of personal data, the freedom of thought, conscience and religion, the freedom of expression and information, the freedom to conduct a business, the right to an effective remedy and to a fair trial as well as cultural, religious and linguistic diversity.

2012/11/08
Committee: IMCO

Andreas SCHWAB, Lara COMI, Rafał TRZASKOWSKI, Pablo ARIAS ECHEVERRÍA

Proposal for a regulation
Article 2 – paragraph 2 – point d

d) by a natural person without any gainful interest in the course of its own exclusively personal or household activity and on condition that no personal data are made accessible to an indefinite number of people;

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 4 – paragraph 1 – point 2 a (new)

(2 a) 'Anonymous data' means any data that has been collected, altered or otherwise processed in such a way that it can no longer be attributed to a data subject or that such attribution would require a disproportionate amount of time, cost and effort; anonymous data shall not be considered personal data.

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 4 – paragraph 1 – point 13

(13) ‘main establishment’ means ~~as regards~~ the location as designated by the undertaking or group of undertakings, whether controller~~, the place of its establishment in the Union where the main decisions as to~~ or processor, on the basis of, but not limited to, the following optional objective criteria: (1) the location of the pEur~~poses, conditions and means of the processing of personal data are taken; if no decisions as to the purposes, conditions and means of~~opean headquarters of a group of undertakings; (2) the location of the entity within a group of undertakings with delegated data protection responsibilities; (3) the location of the entity within the pgrocessing of personal data are taken in the Union, the main establishment is the place where the main processing activities in the context of the activities of an establishment of a controller in the Union take place. As regards the processor, ‘main establishment’ means the place of its central administrup which is best placed in terms of management functions and administrative responsibilities to deal with and enforce the rules as set out in this Regulation; or (4) the location where effective and real management activities are exercised determining the data processing through stable arrangements. The competent authority shall be informed by the undertaking or group of undertakings of the designation inof the ~~Union~~main establishment;

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 6 – paragraph 1 – point f

f) processing is necessary for the purposes of the legitimate interests pursued by a controller or by a third party or third parties to whom the data are communicated, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 6 – paragraph 5

~~5. The Commission shall be empowered to adopt~~ delegated acts in accordance with Article 86 for the purpose of further specifying the conditions referred to in point (f) of paragraph 1 for various sectors and data processing situations, including as regards the processing of personal data related to a child.

2012/11/08
Committee: IMCO

Andreas SCHWAB, Lara COMI, Rafał TRZASKOWSKI, Pablo ARIAS ECHEVERRÍA

Proposal for a regulation
Article 7 – paragraph 4 a (new)

4a. The legislation of the Member State in which a person lacking the legal capacity to act resides shall apply when determining the conditions under which consent is given or authorised by that person.

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 8 – paragraph 1

1. For the purposes of this Regulation, in relation to the offering of ~~information society~~goods or services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child'’s parent or ~~custodian~~legal representative. The controller shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology.

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 11 – paragraph 2

2. The controller shall provide any information and any communication relating to the processing of personal data to the data subject in an intelligible form, using clear and plain language, ~~adapted to the data subject,~~ in particular for any information addressed specifically to a child.

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 12 – paragraph 5

~~5. The Commission shall be empowered to adopt~~ delegated ~~acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the manifestly excessive requests and the fees referred to in paragraph 4.~~

2012/11/08
Committee: IMCO

Andreas SCHWAB, Lara COMI, Rafał TRZASKOWSKI, Pablo ARIAS ECHEVERRÍA

Proposal for a regulation
Article 12 – paragraph 6

6. The Commission may lay down standard forms and specifying standard procedures for the communication referred to in paragraph 2, including the electronic format. In doing so, the Commission shall take the appropriate measures for micro, small and medium- sized-enterprises. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).deleted

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 14 – paragraph 1 – point c

c) the criteria for determining the period for which the personal data will be stored for each purpose;

2012/11/08
Committee: IMCO

Andreas SCHWAB, Lara COMI, Rafał TRZASKOWSKI, Pablo ARIAS ECHEVERRÍA

Proposal for a regulation
Article 14 – paragraph 1 – point g

g) where applicable, that the controller intends to transfer to a third country or international organisation and on the ~~level of protection afforded by that third country or international organisation by refer~~existence or absence tof an adequacy decision by the Commission;

2012/11/08
Committee: IMCO

Andreas SCHWAB, Lara COMI, Rafał TRZASKOWSKI, Pablo ARIAS ECHEVERRÍA

Proposal for a regulation
Article 14 – paragraph 1 – point h

h) any further information which the controller considers necessary to guarantee fair processing in respect of the data subject, having regard to the specific circumstances in which the personal data are collected.

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 15 – paragraph 2

2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject. The controller shall use all reasonable measures to verify the identity of a data subject requesting access to data.

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 17 – paragraph 2 a (new)

2a. The controller referred to in paragraph 1 shall inform the data subject of the action taken in response to their request by the third parties referred to in paragraph 2.

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 18

Article 18 Right to data portability 1. The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject. 2. Where the data subject has provided the personal data and the processing is based on consent or on a contract, the data subject shall have the right to transmit those personal data and any other information provided by the data subject and retained by an automated processing system, into another one, in an electronic format which is commonly used, without hindrance from the controller from whom the personal data are withdrawn. 3. The Commission may specify the electronic format referred to in paragraph 1 and the technical standards, modalities and procedures for the transmission of personal data pursuant to paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).deleted

2012/11/08
Committee: IMCO

Andreas SCHWAB, Lara COMI, Rafał TRZASKOWSKI, Pablo ARIAS ECHEVERRÍA

Proposal for a regulation
Article 21 – paragraph 2

2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least as to the aim of the processing, the objectives to be pursued by the processing and the determination of the controller.

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 22 – title

ROverall principle of responsibility of the controller.

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 23 – paragraph 2

2. The controller shall implement mechanisms for ensuring that, by default, only those personal data are collected for purposes which are defined, explicit and legitimate and only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals.

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 23 – paragraph 3

~~3. The Commission shall be empowered to adopt~~ delegated acts in accordance with Article 86 for the purpose of specifying any further criteria and requirements for appropriate measures and mechanisms referred to in paragraph 1 and 2, in particular for data protection by design requirements applicable across sectors, products and services.

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 23 – paragraph 4

4. The Commission may lay down technical standards for the requirements laid down in paragraph 1 and 2. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).deleted

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 28 – paragraph 1

1. Each controller and processor and, if any, the controller's representative, shall maintain documentation of all processing ~~operation~~systems and procedures under its responsibility.

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 28 – paragraph 2 – introductory part

2. The documentation shall contain ~~at least~~ the following information:

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 28 – paragraph 2 – point d

d~~) a description of categories of data subjects and of the categories of personal data relating to them;~~eleted

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 28 – paragraph 2 – point e

~~e) the recipients or categories of recipients of the personal data, including the controllers to whom personal data are disclosed for the legitimate interest pursued by them;~~deleted

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 28 – paragraph 2 – point g

~~g) a general indication of the time limits for erasure of the different categories of data;~~deleted

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 30 – paragraph 3

~~3. The Commission shall be empowered to adopt~~ delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the technical and organisational measures referred to in paragraphs 1 and 2, including the determinations of what constitutes the state of the art, for specific sectors and in specific data processing situations, in particular taking account of developments in technology and solutions for privacy by design and data protection by default, unless paragraph 4 applies.

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 31 – paragraph 1

1. In the case of a personal data breach which significantly affects the data subject, the controller shall, without undue delay ~~and, where feasible, not later than 24 hours~~ after having become aware of it, notify the personal data breach to the supervisory authority. ~~The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.~~

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 33 – paragraph 2 – introductory part

2. The following processing operations ~~in particular~~ present specific risks referred to in paragraph 1:

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 33 – paragraph 4

4. The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations.deleted

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 51 – paragraph 1 a (new)

1a. In the event of a complaint by a data subject or a body, organisation or association referred to in Article 73(2), the supervisory authority responsible shall be that of the Member State in which the complaint was made. That authority shall be competent to take action on the complaint. It shall also be competent to supervise the controller’s processing activities or those of a processor, without prejudice to paragraph 2.

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 51 – paragraph 2

2. ~~Where the processing of personal data takes place i~~In the context of the activities of ~~an establishment of~~ a controller or a processor ~~in the Union, and the controller or processor is~~ established in more than one Member State, the supervisory authority of the Member State where the main establishment of the controller or processor is situated shall be competent for the supervision of the processing activities of the controller or the processor in all Member States~~, without prejudice~~. This supervisory authority shall be obliged to cooperate with the other supervisory authorities and with the Commission, pursuant to the provisions of Chapter VII of this Regulation.

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 59 – paragraph 4

4. Where the supervisory authority concerned intends not to follow the opinion of the Commission, it shall inform the Commission and the European Data Protection Board thereof within the period referred to in paragraph 1 and provide a justification. ~~In this case the draft measure shall not be adopted for one further month.~~

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 62 – paragraph 2

2. On duly justified imperative grounds of urgency relating to the interests of data subjects in the cases referred to in point (a) of paragraph 1, the Commission shall adopt immediately applicable implementing acts in accordance with the procedure referred to in Article 87(3). Those acts shall remain in force for a period not exceeding 12 months.deleted

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 73 – paragraph 2

2. Any body, organisation or association which aims to protect data subjects’ rights and interests concerning the protection of their personal data and has been properly constituted according to the law of a Member State shall have the right to lodge a complaint with a supervisory authority in any Member State on behalf of one or more data subjects if it considers that a data subject’s rights under this Regulation have been infringed as a result of the processing of personal data.deleted

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 74 – paragraph 4

4. A data subject which is concerned by a decision of a supervisory authority in another Member State than where the data subject has its habitual residence, may request the supervisory authority of the Member State where it has its habitual residence to bring proceedings on its behalf against the competent supervisory authority in the other Member State.deleted

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 76 – paragraph 1

~~1. Any body, organisation or association referred to in Article 73(2) shall have the right to exercise the rights referred to in Articles 74 and 75 on behalf of one or more data subjects.~~deleted

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 79 – paragraph 2

2. The administrative sanction shall be in each individual case effective, proportionate and dissuasive. The amount of the administrative fine shall be fixed with due regard to the nature, gravity and duration of the breach, the intentional or negligent character of the infringement, the particular categories of personal data, the degree of responsibility of the natural or legal person and of previous breaches by this person, the technical and organisational measures and procedures implemented pursuant to Article 23 and the degree of co-operation with the supervisory authority in order to remedy the breach.

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 79 – paragraph 3 – introductory part

3. ~~In case of a first and non-intentional non-compliance with this Regulation, a warning in writing may be given and no sanction imposed, where:~~The supervisory authority may give a written warning without imposing a sanction. The supervisory authority may impose a fine of up to EUR 1 000 000 for repeated, deliberate breaches or, in the case of a company, of up to 2 % of its annual worldwide turnover.

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 79 – paragraph 3 – point a

~~a) a natural person is processing personal data without a commercial interest; or~~deleted

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 79 – paragraph 3 – point b

~~b) an enterprise or an organisation employing fewer than 250 persons is processing personal data only as an activity ancillary to its main activities.~~deleted

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 79 – paragraph 4

4. The supervisory authority shall impose a fine up to 250 000 EUR, or in case of an enterprise up to 0,5 % of its annual worldwide turnover, to anyone who, intentionally or negligently: a) does not provide the mechanisms for requests by data subjects or does not respond promptly or not in the required format to data subjects pursuant to Articles 12(1) and (2); b) charges a fee for the information or for responses to the requests of data subjects in violation of Article 12(4).deleted

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 79 – paragraph 5

~~5. [...]~~deleted

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 79 – paragraph 6

~~6. [...]~~deleted

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 79 – paragraph 7

~~7. The Commission shall be empowered to adopt~~ delegated acts in accordance with Article 86 for the purpose of updating the amounts of the administrative fines referred to in paragraphs 4, 5 and 6, taking into account the criteria referred to in paragraph 2.

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 86 – paragraph 2

2. The ~~delegation of power~~power to adopt delegated acts referred to in ~~Article 6(5),~~ Article 8(3), Article 9(3), ~~Article 12(5),~~ Article 14(7), Article 15(3), Article 17(9), Article 20(6), Article 22(4), Article 23(3), Article 26(5), Article 28(5), ~~Article 30(3),~~ Article 31(5), Article 32(5), Article 33(6), Article 34(8), Article 35(11), Article 37(2), Article 39(2), Article 43(3), Article 44(7), ~~Article 79(6),~~ Article 81(3), Article 82(3) and Article 83(3) shall be conferred on the Commission for an indeterminate period of time from the date of entry into force of this Regulation.

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 86 – paragraph 3

3. The delegation of power referred to in ~~Article 6(5),~~ Article 8(3), Article 9(3), ~~Article 12(5),~~ Article 14(7), Article 15(3), Article 17(9), Article 20(6), Article 22(4), Article 23(3), Article 26(5), Article 28(5), ~~Article 30(3),~~ Article 31(5), Article 32(5), Article 33(6), Article 34(8), Article 35(11), Article 37(2), Article 39(2), Article 43(3), Article 44(7), ~~Article 79(6),~~ Article 81(3), Article 82(3) and Article 83(3) may be revoked at any time by the European Parliament or by the Council. A decision of revocation shall put an end to the delegation of power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

2012/11/08
Committee: IMCO

Proposal for a regulation
Article 86 – paragraph 5

5. A delegated act adopted pursuant to ~~Article 6(5),~~ Article 8(3), Article 9(3), ~~Article 12(5),~~ Article 14(7), Article 15(3), Article 17(9), Article 20(6), Article 22(4), Article 23(3), Article 26(5), Article 28(5), ~~Article 30(3),~~ Article 31(5), Article 32(5), Article 33(6), Article 34(8), Article 35(11), Article 37(2), Article 39(2), Article 43(3), Article 44(7), ~~Article 79(6),~~ Article 81(3), Article 82(3) and Article 83(3) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or the Council.

2012/11/08
Committee: IMCO