Activities of Eva LICHTENBERGER related to 2012/0010(COD)
Legal basis opinions (0)
Amendments (46)
Amendment 132 #
Proposal for a directive
Article 2 – paragraph 3 – point a
(a) in the course of an activity which falls outside the scope of Union law, in particular concerning national security;
Amendment 134 #
Proposal for a directive
Article 3 – point 1
(1) 'data subject' means an identified natural person or a natural person who can be identified or singled out, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number or other unique identifier, location data, online identifiers or to one or more factors specific to the gender, physical, physiological, genetic, mental, economic, cultural or social identity or sexual orientation of that person;
Amendment 135 #
Proposal for a directive
Article 3 – point 4 a (new)
(4a) 'profiling' means any form of automated processing intended to evaluate, or generate data about, aspects relating to natural persons or to analyse or predict a natural person's performance at work, economic situation, location, health, preferences, reliability, behaviour or personality;
Amendment 136 #
Proposal for a directive
Article 3 – point 9
(9) ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
Amendment 139 #
Proposal for a directive
Article 4 – point a
(a) processed fairly and lawfully and in a transparent manner in relation to the data subject;
Amendment 140 #
Proposal for a directive
Article 4 – point c
(c) adequate, relevant, and limited to the minimum necessary in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data; data held by private parties shall only be accessed to investigate or prosecute criminal offences in accordance with necessity and proportionality requirements to be defined by each Member State in its national law, subject to the relevant provisions of European Union law or public international law, and in particular the ECHR as interpreted by the European Court of Human Rights.
Amendment 144 #
Proposal for a directive
Article 4 – point d
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
Amendment 146 #
Proposal for a directive
Article 5 – paragraph 1 – introductory part
1. Member States shall provide that, as far as possible, the controller makes a clear distinction between personal data of different categories of data subjects, such as:
Amendment 147 #
Proposal for a directive
Article 5 – paragraph 1 a (new)
1 a. Member States shall provide specific rules on the consequences of this categorisation, taking into account the different purposes for which data are collected. These specific rules shall include conditions for collecting data, time limits for retention, possible limitations to data subject's rights of access and information and the modalities of access to data by competent authorities.
Amendment 148 #
Proposal for a directive
Article 6 – paragraph 1
1. Member States shall ensure that, as far as possible, the different categories of personal data undergoing processing are distinguished in accordance with their degree of accuracy and reliability personal data are factually accurate, complete and, if necessary, up to date.
Amendment 149 #
Proposal for a directive
Article 6 – paragraph 2
2. Member States shall ensure that personal data which are inaccurate, incomplete or no longer up to date are not transmitted or made available, and, as far as possible, ensure that personal data based on facts are distinguished from personal data based on personal assessments. To this end, the competent authorities shall verify the quality of personal data before they are transmitted or made available. As far as possible, in all transmissions of data, available information shall be added which enables the receiving Member State to assess the degree of accuracy, completeness, up-to-dateness and reliability. Personal data shall not be transmitted without request from a competent authority, in particular data originally held by private parties. 3. If it emerges that incorrect data have been transmitted or data have been unlawfully transmitted, the recipient must be notified without delay, in particular in cases where data has originally been held by private parties. The recipient shall be obliged to rectify the data without delay in accordance with paragraph 1 and Article 15 or to erase them in accordance with Article 16. 4. Personal data originally collected by private parties can be processed by a competent authority in so far as the provisions of Article 4, a), c), d), e) and f) are complied with.
Amendment 150 #
Proposal for a directive
Article 7
Member States shall provide that the processing of personal data is lawful only if and to the extent that processing is necessary: (a) for the performance of a task carried out by a competent authority, based on law for the purposes set out in Article 1(1); or (b) for compliance with a legal obligation to which the controller is subject; or (c) in order to protect the vital interests of the data subject or of another person; or (d) for the prevention of an immediate and serious threat to public security and not further processed in a way that is incompatible with these purposes.
Amendment 152 #
Proposal for a directive
Article 7 a (new)
Article 7a Lawfulness of further processing 1. The further processing of personal data is only lawful if it is strictly necessary and if carried out in accordance with the principles set out in this Article. 2. Personal data may be collected by the competent authorities as part of their work for specified, explicit and legitimate purposes. Legitimate purposes are served by data collection if it is (a) for the performance of a task carried out by a competent authority, based on law for the purposes set out in Article 1(1); or (b) for compliance with a legal obligation to which the controller is subject; or (c) in order to protect the vital interests of the data subject; or (d) in order to safeguard the vital interests of another person, unless it is clearly in the legitimate interest of the data subject that the data processing does not take place; (e) for the prevention of an immediate and serious threat to public security. 3. The processing of personal data must fulfil the purpose for which they were collected. Further processing for another purpose shall be permitted in so far as it (a) serves lawful purposes (paragraph 2); (b) is necessary for this other purpose; (c) is not incompatible with the purpose for which the data were collected. 4. Personal data may be further processed for historical, statistical or scientific purposes, by way of derogation from paragraph 3, if the Member States provide for appropriate safeguards.
Amendment 154 #
Proposal for a directive
Article 8 – paragraph 2 – point a
(a) the processing is specifically authorised by a law providing appropriate safeguards for the fundamental rights and the legitimate interests of the data subject; or
Amendment 156 #
Proposal for a directive
Article 9 – paragraph 2
2. Automated processing of personal data intended to evaluate certain personal aspects relating to the data subject shall not include or generate special categories of personal data referred to in Article 8.
Amendment 158 #
Proposal for a directive
Article 9 – paragraph 2 a (new)
2a. Profiling that (whether intentionally or otherwise) has the effect of discriminating against individuals on the basis of race or ethnic origin, political opinions, religion or beliefs, trade union membership, or sexual orientation, or that (whether intentionally or otherwise) result in measures which have such effect, shall be prohibited in all cases.
Amendment 161 #
Proposal for a directive
Article 11 – paragraph 1 – point f a (new)
(fa) where the controller processes personal data as described in Article 9(1), information about the existence of processing for a measure of the kind referred to in Article 9(1) and the intended effects of such processing on the data subject;
Amendment 162 #
Proposal for a directive
Article 11 – paragraph 1 – point f b (new)
(fb) information regarding specific security measures taken to protect personal data;
Amendment 164 #
Proposal for a directive
Article 11 – paragraph 2 a (new)
2a. Where the personal data are not collected from the data subject, the controller shall inform the data subject, in addition to the information referred to in paragraph 1, from which source the data originate.
Amendment 166 #
Proposal for a directive
Article 11 – paragraph 4 – introductory part
4. Member States may adopt legislative measures delaying, or restricting or omitting the provision of the information to the data subject to the extent that, and as long as, such partial or complete restriction constitutes a necessary and proportionate measure in a democratic society with due regard for the legitimate interests of the person concerned, based on a concrete and individual examination of each specific case:
Amendment 167 #
Proposal for a directive
Article 11 a (new)
Amendment 171 #
Proposal for a directive
Article 13 – paragraph 1 – introductory part
1. Member States may adopt legislative measures restricting, wholly or partly, the data subject's right of access to the extent and for the period that such partial or complete restriction constitutes a necessary and proportionate measure in a democratic society with due regard for the legitimate interests of the person concerned, based on a concrete and individual examination of each specific case:
Amendment 173 #
Proposal for a directive
Article 13 – paragraph 1 a (new)
1a. The legislative measures referred to in paragraph 1 must be in compliance with the Charter of Fundamental Rights of the European Union and the Convention for the Protection of Human Rights and Fundamental Freedoms, and in line with the case law of the Court of Justice of the European Union and the European Court of Human Rights.
Amendment 175 #
Proposal for a directive
Article 16 – paragraph 3 – introductory part
3. Instead of erasure, the controller shall restrict the processing of the personal data where:
Amendment 177 #
Proposal for a directive
Article 16 – paragraph 3 a (new)
3a. Personal data referred to in paragraph 3 may, with the exception of storage, only be processed when necessary for purposes of proof, or the protection of vital interests of the data subject or another person.
Amendment 178 #
Proposal for a directive
Article 16 – paragraph 3 b (new)
3b. Where processing of personal data is restricted pursuant to paragraph 3, the controller shall inform the data subject before lifting the restriction.
Amendment 179 #
Proposal for a directive
Article 16 – paragraph 4
4. Member States shall provide that the controller informs the data subject in writing of any refusal of erasure or restriction of the processing, the reasons for the refusal and the possibilities of lodging a complaint to the supervisory authority and seeking a judicial remedy.
Amendment 184 #
Proposal for a directive
Article 19 – paragraph 2
2. The controller shall implement mechanisms for ensuring that, by default, only those personal data which are necessary for the purposes of the processing are processed and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals.
Amendment 185 #
Proposal for a directive
Article 23 – paragraph 1
1. All competent authorities shall maintain detailed documentation of all processing systems and procedures under their responsibility. 1 a. Transmissions of personal data are to be logged or documented for the purposes of verification of the lawfulness of the data processing, self-monitoring and ensuring proper data integrity and security. 1 b. The logs and documents so produced must be made available to the supervisory authority upon request. The supervisory authority shall use this information only for the purpose of checking the lawfulness of the data processing and ensuring proper data integrity and security.
Amendment 186 #
Proposal for a directive
Article 23 – paragraph 2 – point d
(d) transfers of data to a third country or an international organisation, including the identification of that third country or international organisation and the legal basis for these transfers, including a substantive explanation in the cases referred to in Article 35 or 36 of this Directive;
Amendment 188 #
Proposal for a directive
Article 28 – paragraph 4 a (new)
4a. The supervisory authority shall keep a public register of the types of breaches notified.
Amendment 189 #
Proposal for a directive
Article 33 – introductory part
Member States shall provide that any transfer of personal data by competent authorities that is undergoing processing or is intended for processing after transfer to a public competent authority in a third country, or to an international organisation, including further onward transfer to another public competent authority in a third country or international organisation, may take place only if:
Amendment 190 #
Proposal for a directive
Article 33 – paragraph 1 a (new)
Member States shall provide that further onward transfers referred to in paragraph 1 of this Article may only take place if, in addition to the conditions laid out in that paragraph: (a) the onward transfer is necessary for the same specific purpose as the original transfer; and (b) the competent authority that carried out the original transfer authorises the onward transfer.
Amendment 191 #
Proposal for a directive
Article 33 a (new)
Article 33a Transfers to recipients not subject to the provisions implementing this Directive Member States shall provide that transfers of personal data by competent authorities to recipients that are not subject to the provisions implementing this Directive may only take place if such transfers are: (a) provided for in national law; such laws must be in compliance with the Charter of Fundamental Rights of the European Union and the Convention for the Protection of Human Rights and Fundamental Freedoms, and be in line with the case law of the Court of Justice of the European Union and the European Court of Human Rights; or (b) necessary for the protection of the vital interests of the data subject or another person; or (c) carried out upon request of the data subject.
Amendment 193 #
Proposal for a directive
Article 35 – paragraph 1
1. Where the Commission has taken no decision pursuant to Article 34, Member States shall provide that a transfer of personal data to a competent public authority in a third country or an international organisation may take place where: (a) appropriate safeguards with respect to the protection of personal data have been adduced in a legally binding instrument; or (b) the controller or processor has assessed all the circumstances surrounding the transfer of personal data and concludes that appropriate safeguards exist with respect to the protection of personal data.
Amendment 194 #
Proposal for a directive
Article 35 a (new)
Article 35a Transfers with appropriate safeguards Where the Commission has taken no decision pursuant to Article 34, a transfer of personal data to a competent authority in a third country or an international organisation may take place where: (a) appropriate safeguards with respect to the protection of personal data have been adduced in a legally binding instrument; (b) the EDPB has assessed that the relevant controller or processor meets all legal requirements and best practices generally surrounding the transfer of personal data stipulated in this Directive, in particular regarding personal data originally collected by private parties, and has concluded that appropriate safeguards exist with respect to the protection of personal data, or (c) a specific transfer of personal data may take place in accordance with necessity and proportionality requirements defined by each Member State in its national law, subject to the relevant provisions of European Union law or public international law, and in particular the ECHR as interpreted by the European Court of Human Rights. These transfers must be documented and the documentation must be made available to the supervisory authority on request.
Amendment 195 #
Proposal for a directive
Article 35 b (new)
Article 35b Transfer of personal data originating in other Member States 1. Member States shall provide that any transfer by competent authorities of personal data transmitted or provided by the responsible authorities of another Member State, including further onward transfer to a third country or international organisation, may take place only if: (a) the recipient in the third country or the receiving international body is responsible for the prevention of risk or the investigation, detection or prosecution of criminal offences or the execution of criminal penalties; (b) the Member State from which the data were transferred has given its consent to transfer in compliance with its national law, and (c) in cases covered by paragraph 3 of Article 34(a) and Article 35(b) and (c), the Member State from which the data were transferred also considers that, in compliance with its national law, appropriate safeguards exist in respect of the protection of the data transferred. 2. Onward transfer without prior consent in accordance with paragraph 1(b) shall be permitted only if transfer of the data is essential for the prevention of an immediate and serious threat to public security of a Member State or a third State or to essential interests of a Member State and the prior consent cannot be obtained in good time. The authority responsible for giving consent shall be informed without delay. 3. By way of derogation from point (c) of paragraph 1, onward transfer of personal data may take place if the national law of the Member State transferring the data so provides on the grounds of: (a) the compelling and legitimate interests of the data subject; or (b) important public interests. 4. Personal data may be forwarded to private parties only under the conditions set out in paragraph 1 of Article 7(b)
Amendment 196 #
Proposal for a directive
Article 36 – introductory part
By way of derogation from Articles 34 and 35, Member States shall provide that a transfer of personal data to a competent public authority in a third country or an international organisation may take place only on condition that the controller has obtained prior authorisation in accordance with paragraph 1a and:
Amendment 197 #
Proposal for a directive
Article 36 – paragraph 1 a (new)
Member States shall provide that prior to carrying out a transfer based on paragraph 1, the controller shall obtain prior authorisation from the supervisory authority, in order to ensure the compliance of the transfer with the provisions adopted pursuant to this Directive and in particular to mitigate the risk involved for the data subject.
Amendment 198 #
Proposal for a directive
Article 36 – paragraph 1 b (new)
Member States shall provide that when any of the derogations in paragraph 1 is invoked, the controller shall: (a) only transfer the amount of personal data strictly necessary to achieve the aim of the transfer; and (b) document these transfers, including the date and time of the transfer, information about the recipient authority, the justification for the transfer and the data transferred. This documentation shall be made available to the supervisory authority on request.
Amendment 199 #
Proposal for a directive
Article 36 a (new)
Amendment 200 #
Proposal for a directive
Article 41 – paragraph 1
1. Member States shall provide that the members of the supervisory authority must be appointed either by the parliament or the government of the Member State concerned.
Amendment 201 #
Proposal for a directive
Article 46 – paragraph 1 a (new)
Member States shall provide that each supervisory authority shall have the investigative power to obtain from the controller or the processor: (a) access to all personal data and to all information necessary for the performance of its duties; (b) access to any of its premises, including to any data processing equipment and means, where there are reasonable grounds for presuming that an activity in violation of this Directive is being carried out there. The powers referred to in point (b) shall be exercised in conformity with Union law and Member State law.
Amendment 202 #
Proposal for a directive
Article 46 – paragraph 1 b (new)
Member States shall provide that each supervisory authority shall have the power to bring violations of this Regulation to the attention of the judicial authorities and to engage in legal proceedings.
Amendment 203 #
Proposal for a directive
Article 47
Member States shall provide that each supervisory authority draws up an annual report on its activities. The report shall be presented to the national parliament, and be made available to the Commission, the European Data Protection Board, and the public. It shall include information on the extent to which competent authorities in their jurisdiction have accessed data held by private parties to investigate or prosecute criminal offences.
Amendment 204 #
Proposal for a directive
Article 49 – paragraph 1 – point a
(a) advise the European Institutions on any issue related to the protection of personal data in the Union, including on any proposed amendment of this Directive;