BETA

83 Amendments of Sophia IN 'T VELD related to 2012/0010(COD)

Sophia IN 'T VELD

Proposal for a directive
Recital 27

(27) Every natural person should have the right not to be subject to a measure which is based ~~solely on~~on partially or fully automated processing if it produces an adverse legal effect for that person, or significantly affects them, unless authorised by law and subject to suitable measures to safeguard the data subject's legitimate interests.

2013/03/06
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Recital 30

(30) The principle of fair and transparent processing requires that the data subjects should be informed in particular of the existence of the processing operation and its purposes, its legal ground, how long the data will be stored, on the existence of the right of access, rectification or erasure and on the right to lodge a complaint. Where the data are collected from the data subject, the data subject should also be informed whether they are obliged to provide the data and of the consequences, in cases they do not provide such data.

2013/03/06
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Recital 40 a (new)

(40a) A data protection impact assessment should be carried out by the controller or processor, where the processing operations are likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, which should include in particular the envisaged measures, safeguards and mechanisms to ensure the protection of personal data and for demonstrating compliance with this Directive.

2013/03/06
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Recital 41

(41) In order to ensure effective protection of the rights and freedoms of data subjects by way of preventive actions, the controller or processor should consult with the supervisory authority in certain cases prior to the processing. Moreover, where a data protection impact assessment indicates that processing operations are likely to present a high degree of specific risks to the rights and freedoms of data subjects, the supervisory authority should be in a position to prevent, prior to the start of operations, a risky processing which is not in compliance with this Directive.

2013/03/06
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Recital 65 a (new)

(65a) Transmission of personal data to other authorities or private parties in the Union is prohibited unless the transmission is in compliance with law, and the recipient is established in a Member State, and no legitimate specific interests of the data subject prevent transmission, and the transmission is necessary in a specific case for the controller transmitting the data for either the performance of a task lawfully assigned to it, or the prevention of an immediate and serious danger to public security, or the prevention of serious harm to the rights of individuals. The controller should inform the recipient of the purpose of the processing. The recipient should also be informed of processing restrictions and ensure that they are met.

2013/03/06
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 2 – paragraph 3 – point b

~~(b) by the Union institutions, bodies, offices and agencies.~~deleted

2013/03/06
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 3 – paragraph 1 – point 1

(1) ‘'data subject’' means an identified natural person or a natural person who can be identified or singled out, directly or indirectly, alone or in combination with associated data, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to a unique identifier, an identification ~~number~~code, location data, online identifiers or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or, social ~~identity~~or gender identity or sexual orientation of that person;

2013/03/06
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 4 – paragraph 1 – point a

(a) processed lawfully, fairly and ~~lawfully~~in a transparent manner in relation to the data subject;

2013/03/06
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 4 – paragraph 1 – point c

(c) adequate, relevant, and ~~not ex~~limited to the minimum necess~~ive~~ary in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purpose could not be achieved by less intrusive means;

2013/03/06
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 4 – paragraph 1 – point d

(d) accurate and~~, where necessary,~~ kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

2013/03/06
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 4 – paragraph 1 – point e

(e) kept in a form which permits identification, or the singling out, of data subjects for no longer than it is necessary for the purposes for which the personal data are processed;

2013/03/06
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 4 – paragraph 1 – point f – introductory part

(f) processed under the responsibility and liability of the controller, who shall ensure and be able to demonstrate, for each processing operation, compliance with the provisions adopted pursuant to this Directive.

2013/03/06
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 4 – subparagraph 1 a (new)

Member States shall provide that competent authorities may only have access to personal data initially processed for purposes other than those referred to in Article 1(1) if they are specifically authorised by Union or national law which must meet the requirements set out in Article 7(1a) and must provide that: (a) access is allowed only by duly authorised staff of the competent authorities in the performance of their tasks where, in a specific case, the competent authority can demonstrate that the processing of the personal data is necessary and proportionate for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties; (b) requests for access must be in writing, reasoned and refer to the legal ground for the request; and (c) the written request must documented; and (d) appropriate safeguards are implemented to ensure the protection of fundamental rights and freedoms in relation to the processing of personal data. Those safeguards shall be without prejudice to and complementary to specific conditions of access to personal data such as judicial authorisation in accordance with national law.

2013/03/06
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 5 – paragraph 1 – introductory part

1. Member States shall provide that~~, as far as possible,~~ the controller makes a clear distinction between personal data of different categories of data subjects, such as:

2013/03/06
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 5 – paragraph 1 – point d

(d) third parties to the criminal offence, such as persons who might be called on to testify in investigations in connection with criminal offences or subsequent criminal proceedings, or a person who can provide information on criminal offences, or a contact or associate to one of the persons mentioned in (a) and (b); ~~and~~

2013/03/06
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 5 – paragraph 1 – point e

~~(e) persons who do not fall within any of the categories referred to above.~~deleted

2013/03/06
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 7 a (new)

Article 7a Member States shall prohibit the processing of personal data of other persons than those referred to in paragraph 1 when such processing is done for preventive purposes or in order to have data available for possible further use, unless: (a) the purpose is indispensable for a legitimate, well-defined and specific purpose; (b) the processing is strictly limited to a period not exceeding the time needed for the specific data processing operation; (c) any further use for other purposes is prohibited; (d) the controller is able to demonstrate the fulfilment of the requirements set out in (a) and (b) of this paragraph; and (e) the purpose cannot be achieved by less intrusive means.

2013/03/06
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 9 – paragraph 1

1. Member States shall provide that every data subject has the right not to be subject to a measures which produces a~~n adverse~~ legal effect ~~for the data subject~~concerning this natural person, or significantly affects themis natural person, and which ~~are~~is based ~~solely on~~on partially or fully automated processing of personal data intended to evaluate certain personal aspects relating to th~~e data subject shall be prohibited unless authorised by a law which also lays down measures to safeguard the data subject's legitimate interests~~is natural person.

2013/03/06
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 9 – paragraph 1 a (new)

1a. Subject to the other provisions of this Directive, a natural person may be subjected to a measure of the kind referred to in paragraph 1 only if the processing is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interest.

2013/03/06
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 11 – paragraph 5

5. Member States ~~may determine categories of data processing which may wholly or partly fall under the exemptions of~~shall provide that the controller shall assess, in each specific case, by means of a concrete and individual examination, whether a partial or complete restriction for one of the reasons referred to in paragraph 4 applies.

2013/03/06
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 12 – paragraph 1 – point g a (new)

(ga) the significance and envisaged consequences of such processing, at least in the case of the measures referred to in Article 9.

2013/03/06
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 13 – paragraph 1 – introductory part

1. Member States may adopt legislative measures restricting, wholly or partly, the data subject's right of access to the extent that such partial or complete restriction constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and legitimate interests of the person concerned:

2013/03/06
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 13 – paragraph 2 a (new)

2a. Member States shall apply the exemptions of paragraphs 1 and 2 in a restrictive way, allowing the right of access to be applied to the fullest in each specific restrictive measure. The exceptions set out in paragraph 1 shall not be applied in a general way, but shall be invoked specifically and accompanied by a reasoned justification.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 13 – paragraph 2 b (new)

2b. Member States shall provide that the controller assesses, in each specific case, by means of an individual, concrete and reasoned examination whether a partial or complete restriction on the basis of paragraph 1 or 2 applies.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 14 – paragraph 1

1. Member States shall provide for the right of the data subject to request, at all times, in particular in cases referred to in Article 13, that the supervisory authority checks the lawfulness of the processing.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 14 – paragraph 3

3. When the right referred to in paragraph 1 is exercised, the supervisory authority shall inform the data subject at least that all necessary verifications by the supervisory authority have taken place, and of the result as regards the lawfulness of the processing in question. The supervisory authority shall also inform the data subject of the conditions of his or her right to seek a judicial remedy.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 15 – paragraph 1

1. Member States shall provide for the right of the data subject to obtain from the controller the rectification or completion of personal data relating to them which are inaccurate or incomplete. The data subject shall have the right to obtain ~~completion of~~rectification or completion of inaccurate or incomplete personal data, in particular by way of a corrective or completing statement.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 15 – paragraph 1 a (new)

1a. Member States shall ensure that if a controller refuses the rectification or completion of personal data, the burden of proof of the necessity and proportionality of this refusal lies with the controller.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 16 – paragraph 1

1. Member States shall provide for the right of the data subject to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data where the processing does not comply with the provisions adopted pursuant to Articles 4 (a) to (e), 7 and 8 of this Directive.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 16 – paragraph 3 – introductory part

3. Instead of erasure, the controller shall mark and restrict the processing of the personal data where:

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 16 – paragraph 3 a (new)

3a. The personal data referred to in paragraph 3 may only be processed for purposes of proof. The processing of contested personal data for the purposes of proof is only allowed on the condition that the markation is maintained as long as the accuracy of the personal data is contested.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 16 – paragraph 3 b (new)

3b. Where processing of personal data is marked and restricted pursuant to paragraph 3, the controller shall inform the data subject before lifting the markation of, and restriction on, the processing of this personal data.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 16 – paragraph 4 a (new)

4a. The controller shall communicate any erasure or markation carried out to each recipient to whom the data have been disclosed.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 18 – paragraph 1

1. Member States shall provide that the controller adopts policies and implements appropriate measures to ensure and be able to demonstrate, for each processing operation, that the processing of personal data is performed in compliance with the provisions adopted pursuant to this Directive.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 19 – paragraph 1

1. Member States shall provide that, having regard to the state of the art and the cost of implementation, the controller shall implement, both at the time of the determination of the means for processing and at the time of the processing itself, appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of provisions adopted pursuant to this Directive and ensure the protection of the rights of the data subject.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 19 – paragraph 2

2. The controller shall implement mechanisms for ensuring that, by default, only those personal data which are necessary for ~~the~~each specific purposes of the processing are processed.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 19 – paragraph 2 a (new)

2a. The controller shall implement mechanisms for ensuring that personal data are not collected or retained beyond the minimum necessary for those purposes, both in terms of the volume of the data and the time during which they are stored. Those mechanisms shall, by default, ensure that the access to personal data is limited.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 20 – paragraph 1

Member States shall provide that where a controller determines the purposes, conditions and means of the processing of personal data jointly with others, the joint controllers must determine the respective responsibilities for compliance with the provisions adopted pursuant to this Directive, in particular as regards the procedures and mechanisms for exercising the rights of the data subject, by means of a written arrangement ~~between them~~or a legal act.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 20 – paragraph 1 a (new)

Member States shall provide that the data subject may exercise his or her rights in respect of, and against, each of the joint controllers.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 21 – paragraph 1

1. Member States shall provide that where a processing operation is carried out on behalf of a controller, the controller ~~must~~shall choose a processor providing sufficient guarantees to implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of the provisions adopted pursuant to this Directive and ensure the protection of the rights of the data subject, in particular in respect of the technical security measures and organizational measures governing the processing to be carried out and to ensure compliance with those measures.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 21 – paragraph 2

2. Member States shall provide that the carrying out of processing by a processor must be governed by a legal act binding the processor to the controller and stipulating in particular that the processor shall: (a) act only on instructions from the controller~~, in particular, where the transfer of the personal data used is prohibited.~~ s; (b) employ only staff who have agreed to be bound by an obligation of confidentiality or are under a statutory obligation of confidentiality; (c) take all required measures pursuant to Article 28; (d) engage another processor only with the permission of the controller and therefore inform the controller of the intention to engage another processor in such a timely fashion that the controller has the possibility to object; (e) insofar as it is possible given the nature of the processing, adopt in agreement with controller the necessary technical and organisational requirements for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III; (f) assist the controller in ensuring compliance with the obligations pursuant to Articles 28 to 32; (g) hand all results over to the controller after the end of the processing and not otherwise process the personal data; (h) make available to the controller and the supervisory authority all the information necessary to verify compliance with the obligations laid down in this Article; (i) take into account the principle of data protection by design and default.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 21 – paragraph 2 a (new)

2a. The controller and the processor need to be able to demonstrate compliance with the obligations as referred to in paragraph 2.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 21 – paragraph 3

3. If a processor ~~processes personal data other than as instructed by the controller~~is instructed by the controller to make certain independent decisions regarding the personal data, the processor shall be considered to be a controller in respect of that processing and shall be subject to the rules on joint controllers laid down in Article 20.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 22 – paragraph 1 a (new)

Where the processor is or becomes the determining part in relation to the purposes, means, or methods of data processing or does not act exclusively on the instructions, it shall be considered as a joint controller pursuant to Article 20.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 23 – paragraph 2 – point a

(a) the name and contact details of the controller~~, or~~ and its data protection officer, and those of any joint controller or processor;

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 23 – paragraph 2 – point d

(d) transfers of data to a third country or an international organisation, including the identification of the requesting competent authority of at third country or international organisation. and the legal grounds on which the data are transferred;

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 23 – paragraph 2 – point d a (new)

(da) the time limits for erasure of the different categories of data;

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 24 – paragraph 1

1. Member States shall ensure that records are kept of at least the following processing operations: collection, alteration, consultation, disclosure, combination or erasure. The records of consultation and disclosure shall show in particular the purpose, date and time of such operations and as far as possible the identification of the person who consulted or disclosed personal data, and the identity of the recipients of such data.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 24 – paragraph 1 a (new)

1a. The controller and the processor shall make the records available to the supervisory authority upon request.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 25 a (new)

Article 25a Data protection impact assessment 1. Member States shall ensure that, where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller or the processor acting on the controller's behalf shall carry out an assessment of the impact of the envisaged or current processing operations on the protection of personal data, prior to new processing operations or the earliest as possible in case of existing processing operations. 2. In particular the following processing operations are likely to present such specific risks as referred to in paragraph 1: (a) processing of personal data in large scale filing systems for the purposes of the prevention, detection, investigation or prosecution of criminal offences and the execution of criminal penalties; (b) processing of special categories of personal data within the meaning of Article 8, of personal data related to children and of biometric data for the purposes of the prevention, detection, investigation or prosecution of criminal offences and the execution of criminal penalties. (c) an evaluation of personal aspects relating to a natural person or for analysing or predicting in particular the natural person's behaviour, which is based on automated processing and potentially resulting in measures that produce legal effects concerning the individual or significantly affects the individual; (d) monitoring publicly accessible areas, especially when using optic-electronic devices (video surveillance); or (e) other processing operations for which the consultation of the supervisory authority is required pursuant to Article 26(1). 3. The assessment shall contain at least a general description of the envisaged processing operations, an assessment of the risks to the rights and freedoms of data subjects, the measures envisaged to address those risks, safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate the compliance with the provisions adopted pursuant to this Directive, taking into account the rights and legitimate interests of the data subjects and other persons concerned. 4. Member States shall provide that the controller consults the public on the intended processing, without prejudice to the protection of the public interests or the security of the processing operations. 5. Without prejudice to the protection of the public interests or the security of the processing operations, the assessment shall be made easily accessible to the public. 6. The Commission shall be empowered to adopt, in consultation with the European Data Protection Board, delegated acts in accordance with Article 56 for the purpose of specifying further the criteria and conditions for the processing operations likely to present specific risks referred to in paragraphs 1 and 2 and the requirements for the assessment referred to in paragraph 3, including conditions for scalability, verification and audit ability.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 26 – paragraph 2

2. Member States may provide that the supervisory authority shall establishes a list of the processing operations which are subject to prior consultation pursuant to p~~aragraph 1~~oint (b) of paragraph 1. The supervisory authority shall publicly communicate that list and forward it to the European Data Protection Board. The European Data Protection Board shall work on the convergence of those lists.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 26 – paragraph 2 a (new)

2a. Member States ensure that the controller or processor shall provide the supervisory authority with the data protection impact assessment provided for in Article 25a and, on request, with any other information to allow the supervisory authority to make an assessment of the compliance of the processing and in particular of the risks for the protection of personal data of the data subject and of the related safeguards.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 26 – paragraph 2 b (new)

2b. Member States shall consult the supervisory authority in the preparation of a legislative measure to be adopted by the national parliament or of a measure based on such a legislative measure, which defines the nature of the processing, in order to ensure the compliance of the intended processing under this Directive, and in particular to mitigate the risks involved for the data subjects.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 27 – paragraph 1

1. Member States shall provide that the controller and the processor implements appropriate technical and organisational measures and procedures to ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected, having regard to the state of the art and the cost of their implementation.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 27 – paragraph 2 a (new)

2a. Member States shall provide that processors may be appointed only if they guarantee and are able to demonstrate that they observe the requisite technical and organisational measures under paragraph 1 and comply with the instructions under Article 21(2)(a). The competent authority shall monitor the processor in those respects.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 28 – paragraph 5

5. The Commission shall be empowered to adopt, after requesting an opinion of the European Data Protection Board, delegated acts in accordance with Article 56 for the purpose of specifying further the criteria and requirements for establishing the data breach referred to in paragraphs 1 and 2 and for the particular circumstances in which a controller and a processor is required to notify the personal data breach.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 28 a (new)

Article 28a The supervisory authority shall keep a public register of the types, scope and numbers of the breaches notified.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 29 – paragraph 3 a (new)

3a. Without prejudice to the controller's obligation to notify the personal data breach to the data subject, if the controller has not already communicated the personal data breach to the data subject, the supervisory authority, having considered the likely adverse effects of the breach, may require it to do so.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 30 – paragraph 2 a (new)

2a. Member States shall provide that the controller or the processor ensures that any other professional duties of the data protection officer are compatible with that person's tasks and duties as data protection officer and do not result in a conflict of interests.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 30 – paragraph 2 b (new)

2b. The data protection officer shall be appointed for a period of at least four years. The data protection officer may be reappointed for further terms. During the term of office, the data protection officer may only be dismissed from that function, if he or she no longer fulfils the conditions required for the performance of his or her duties, in particular ensuring the compliance with the provisions of this Directive.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 31 – paragraph 2

2. The controller or processor shall ensure that the data protection officer ~~is provided with the means to perform duties and tasks referred to under Article 32 effectively and~~performs the duties and tasks independently, and does not receive any instructions as regards the exercise of the function. The data protection officer shall directly report to the management of the controller or the processor.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 31 – paragraph 2 a (new)

2a. The controller or the processor shall support the data protection officer in performing the tasks and shall provide all means, including staff, premises, equipment and any other resources necessary to carry out the duties and referred to in Article 32, and to maintain his or her professional knowledge.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 32 – paragraph 1 – point a

(a) to inform and advise the controller or the processor of their obligations in accordance with the provisions adopted pursuant to this Directive, in particular with regards to technical and organisational measures and procedures, and to document this activity and the responses received;

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 32 – paragraph 1 – point h a (new)

(ha) to monitor the performance of the data protection impact assessment by the controller or processor;

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 32 a (new)

Article 32a BOARD RESPONSABILITY 1. The controller and the processor shall designate a board member responsible for data protection. 2. The board member referred to in paragraph 1 shall bear the final responsibility for the compliance with the provisions of this Directive as implemented by Member State law.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 33 – paragraph 1 – point a

(a) the specific transfer is necessary for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties; and

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 33 – paragraph 1 – point a a (new)

(aa) the data are transferred to a controller in a third country or international organisation that is a public authority competent for the purposes referred in Article 1(1);

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 33 – paragraph 1 – point a b (new)

(ab) the conditions laid down in this Chapter are complied with by the controller and the processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation;

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 33 – paragraph 1 – point b

(b) the ~~conditions laid down in this Chapter~~other provisions adopted pursuant to this Directive are complied with by the controller and processor.; and

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 33 – paragraph 1 – point b a (new)

(ba) the level of protection of the personal data guaranteed by this Directive is not undermined.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 34 – paragraph 2 – point b

(b) the existence and effective functioning of one or more independent supervisory authorities in the third country or international organisation in question responsible for ensuring compliance with the data protection rules, including sufficient sanctioning powers, for assisting and advising the data subject in exercising their rights and for co-operation with the supervisory authorities of the Union and of Member States; and

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 35 – paragraph 1 – introductory part

1. ~~Where~~ the Commission has taken no decision pursuant to Article 34, Member States shall provide that a transfer of personal data to a recipient in a third country or an international organisation may only take place where:

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 35 – paragraph 1 – point a

(a) appropriate safeguards with respect to the protection of personal data have been adduced in a legally binding instrument; orand

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 35 – paragraph 1 – point a a (new)

(aa) the supervisory authority gave prior authorisation for the transfer.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 35 – paragraph 1 – point b

(b) the controller or processor has assessed all the circumstances surrounding the transfer of personal data and concludes that appropriate safeguards exist with respect to the protection of personal data.deleted

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 35 – paragraph 2

1. The decision for transfers under paragraph 1(b) must be made by duly authorised staff. These transfers must be documented and the documentation must be made available to the supervisory authority on request. deleted Or. en (wrong numbering of the paragraphs in the Commission document)

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 36

~~By way of derogation from~~ Articles 34 and 35, Member States shall provide that a transfer of personal data to a third country or an international organisation may take place only on condition that: (a) the transfer is necessary in order to protect the vital interests of the data subject or another person; or (b) the transfer is necessary to safeguard legitimate interests of the data subject where the law of the Member State transferring the personal data so provides; or (c) the transfer of the data is essential for the prevention of an immediate and serious threat to public security of a Member State or a third country; or (d) the transfer is necessary in individual cases for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties; or (e) the transfer is necessary in individual cases for the establishment, exercise or defence of legal claims relating to the prevention, investigation, detection or prosecution of a specific criminal offence or the execution of a specific criminal penalty.6 deleted Derogations

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 38 a (new)

Chapter Va Article 38a 1. Member States shall ensure that the controller does not transmit personal data to a natural or legal person not subject to the provisions adopted pursuant to this Directive, unless: (a) the transmission complies with Union or national law; and (b) the recipient is established in a Member State of the European Union; and (c) no legitimate specific interests of the data subject prevent transmission; and (d) the transmission is necessary in a specific case for the controller transmitting the personal data for: (i) the performance of a task lawfully assigned to it; or (ii) the prevention of an immediate and serious danger to public security; or (iii) the prevention of serious harm to the rights of individuals. 2. The controller shall inform the recipient of the purpose for which the personal data may exclusively be processed. 3. The controller shall inform the recipient of processing restrictions and ensure that these restrictions are met.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 45 – paragraph 6

6. ~~Where requests are vexatious, in particular due to their repetitive character, t~~The supervisory authority may ~~charge a fee or not~~only refuse to take the action required by the data subject when the request is flagrantly excessive. The supervisory authority shall bear the burden of proving of the ~~vexatious~~flagrantly excessive character of the request.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 46 – paragraph 1

Member States shall provide that each supervisory authority must in particular be endowed with: (a) investigative powers, such as powers of access to data forming the subject matter of processing operations and powers to collect all the information necessary for the performance of its supervisory duties; (b) effective powers of intervention, such as the delivering of opinions before processing is carried out, and ensuring appropriate publication of such opinions, ordering the restriction, erasure or destruction of data, imposing a temporary or definitive ban on processing, warning or admonishing the controller, or referring the matter to national parliaments or other political institutions ; (c) the power to engage in legal proceedings where the provisions adopted pursuant to this Directive have been infringed or to bring this infringement to the attention of the judicial authorities.deleted

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 46 – paragraph 1 a (new)

1. Member States shall provide that each supervisory authority has the power: (a) to notify the controller or the processor of an alleged breach of the provisions governing the processing of personal data, and, where appropriate, order the controller or the processor to remedy that breach, in a specific manner, in order to improve the protection of the data subject; (b) to order the controller to comply with the data subject's requests to exercise his or her rights under this Directive, including those provided by Articles 12 to 17 where such requests have been refused in breach of those provisions; (c) to order the controller or the processor to provide information pursuant to Article 10(1) and (2) and Articles 11, 28 and 29; (d) to ensure compliance with opinions on prior consultations referred to in Article 26; (e) to warn or admonish the controller or the processor; (f) to order the rectification, erasure or destruction of all data when they have been processed in breach of the provisions adopted pursuant to this Directive and the notification of such actions to third parties to whom the data have been disclosed; (g) to impose a temporary or definitive ban on processing; (h) to suspend data flows to a recipient in a third country or to an international organisation; (i) to inform national parliaments, the government or other public institutions as well as the public on the matter. 2. Each supervisory authority shall have the investigative power to obtain from the controller or the processor: (a) access to all personal data, all documents and to all information necessary for the performance of its supervisory duties; (b) access to any of its premises, including to any data processing equipment and means, in accordance with national law, where there are reasonable grounds for presuming that an activity in violation of the provisions adopted pursuant to this Directive is being carried out there, without prejudice to a judicial authorisation if required by national law. 3. Without prejudice to Article 43, Member States shall provide that no additional secrecy requirements shall be issued to the requests of supervisory authorities. 4. Member States may provide that additional security screening in line with national law is required for access to information classified at a level similar to EU CONFIDENTIAL or higher. If no additional security screening is required under the law of the Member State of the supervisory authority, this must be recognised by all other Member States. 5. Each supervisory authority shall have the power to bring violations of the provisions adopted pursuant to this Directive to the attention of the judicial authorities and to engage in legal proceedings and bring an action to the competent court pursuant to Article 53(2). 6. Each supervisory authority shall have the power to impose penalties in respect of administrative offences.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 46 a (new)

Article 46a Whistleblower The Commission shall bring forward a legislative proposal for the purpose of specifying the conditions and criteria to guarantee the legal protection of whistleblowers, reporting non-compliance with the provisions of this Directive by a controller or a processor, within one year after the entry into force of this Directive.

2013/03/08
Committee: LIBE

Sophia IN 'T VELD

Proposal for a directive
Article 47 – paragraph 1

Member States shall provide that each supervisory authority draws up an annual report on its activities. The report shall be made available to the public, the national parliament, the Commission and the European Data Protection Board.

2013/03/08
Committee: LIBE