Activities of Lidia Joanna GERINGER DE OEDENBERG related to 2012/0011(COD)
Plenary speeches (1)
Protection of individuals with regard to the processing of personal data - Processing of personal data for the purposes of crime prevention (debate)
Legal basis opinions (0)
Amendments (26)
Amendment 92 #
Proposal for a regulation
Recital 67
Recital 67
(67) A personal data breach may, if not addressed in an adequate and timely manner, result in substantial economic loss and social harm, including identity fraud, to the individual concerned. Therefore, as soon as the controller becomes aware that such a breach has occurred, the controller should notify the breach to the supervisory authority without undue delay and, where feasible, within 724 hours. Where this cannot achieved within 724 hours, an explanation of the reasons for the delay should accompany the notification. The individuals whose personal data could be adversely affected by the breach should be notified without undue delay in order to allow them to take the necessary precautions. A breach should be considered as adversely affecting the personal data or privacy of a data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation. The notification should describe the nature of the personal data breach as well as recommendations as well as recommendations for the individual concerned to mitigate potential adverse effects. Notifications to data subjects should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities (e.g. law enforcement authorities). For example, the chance for data subjects to mitigate an immediate risk of harm would call for a prompt notification of data subjects whereas the need to implement appropriate measures against continuing or similar data breaches may justify a longer delay.
Amendment 106 #
Proposal for a regulation
Article 4 – point 1
Article 4 – point 1
(1) 'data subject' means an identified natural person or a naturallegal person; an identified person is a person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that persoperson, where the use of such means does not entail excessive costs, is not overly time-consuming and does not require that disproportionate actions be taken;
Amendment 115 #
Proposal for a regulation
Article 4 – point 8
Article 4 – point 8
(8) 'the data subject's consent' means any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;(Does not affect English version)
Amendment 138 #
Proposal for a regulation
Article 6 – paragraph 1 – point f
Article 6 – paragraph 1 – point f
f) processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks. This provision should also not apply to processing on the basis of one or several of the remaining grounds set out in this paragraph.
Amendment 143 #
Proposal for a regulation
Article 6 – paragraph 3 – subparagraph 2 a (new)
Article 6 – paragraph 3 – subparagraph 2 a (new)
In the case referred to in paragraph 1(f), the data controller shall clearly and separately notify the data subject of such processing. The data controller shall also indicate and publish the reasons which led him to believe that his legitimate interest took precedence over the primacy of the data subject's fundamental rights and freedoms.
Amendment 148 #
Proposal for a regulation
Article 7 – paragraph 2
Article 7 – paragraph 2
2. If the data subject's consent is to be given in the context of a written declaration which also concerns another matter, the requirement to give consent must be presented distinguishable in its appearance from this other matter. The permission of the data subject may be sought electronically, particularly in the context of information society services.
Amendment 199 #
Proposal for a regulation
Article 17 – paragraph 1 – point d a (new)
Article 17 – paragraph 1 – point d a (new)
da) there shall be no legal basis for the processing of data other than the consent of the data subject.
Amendment 246 #
Proposal for a regulation
Article 23 – paragraph 1
Article 23 – paragraph 1
1. Having regard to the state of the art, current technical knowledge and the cost of implementation, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
Amendment 287 #
Proposal for a regulation
Article 31 – paragraph 1 – subparagraph 1 a (new)
Article 31 – paragraph 1 – subparagraph 1 a (new)
Cases in which it is probable that a breach of personal data protection will have a negative impact on the data subject’s privacy shall be deemed serious breaches.
Amendment 289 #
Proposal for a regulation
Article 31 – paragraph 2 – subparagraph 1 a (new)
Article 31 – paragraph 2 – subparagraph 1 a (new)
The communication of a personal data breach to the data subject shall not be required if the controller has implemented appropriate protection measures, and if those measures were applied to the data concerned by the personal data breach. Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it.
Amendment 292 #
Proposal for a regulation
Article 31 – paragraph 4 – subparagraph 1 a (new)
Article 31 – paragraph 4 – subparagraph 1 a (new)
The supervisory authority shall maintain a public register of reported breaches.
Amendment 405 #
Proposal for a regulation
Article 79 – paragraph 1
Article 79 – paragraph 1
1. EachThe supervisory authority competent under Article 51 shall be empowered to impose administrative sanctions in accordance with this Article.
Amendment 539 #
Proposal for a regulation
Recital 67
Recital 67
(67) A personal data breach may, if not addressed in an adequate and timely manner, result in substantial economic loss and social harm, including identity fraud, to the individual concerned. Therefore, as soon as the controller becomes aware that such a breach has occurredof a breach adversely affecting the personal data or privacy of a data subject, the controller should notify theat breach to the supervisory authority without undue delay and, where feasible, within 724 hours. Where this cannot achievedsuch notification is not possible within 724 hours, an explanation of the reasons for the delay should accompany the notification. The individuals whose personal data could be adversely affected by thesimilar breaches should be notified thereof without undue delay in order to allow themfor them to be able to take the necessary precautions. A breach should be considered as adversely affecting the personal data or privacy of a data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation. The notification should describe the nature of the personal data breach as well as recommendations as well as recommendations for the individual concerned to mitigate potential adverse effects. Notifications to data subjects should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities (e.g. law enforcement authorities). For example, the chancepossibility for data subjects to mitigate an immediate risk of harm would call for a prompt notification of data subjects whereas the need to implement appropriate measures against continuing or similar data breaches may be an argument to justify a longer delay.
Amendment 718 #
Proposal for a regulation
Article 4 – paragraph 1 – point 1
Article 4 – paragraph 1 – point 1
(1) ‘data subject’ means an identified natural person or aor identifiable natural person who can be identified, directly or indirectly, by technically available means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that persowhere the use of such means does not entail excessive costs, is not overly time-consuming and does not require complex actions to be taken;
Amendment 760 #
Proposal for a regulation
Article 4 – paragraph 1 – point 8
Article 4 – paragraph 1 – point 8
(8) ‘the data subject’s consent’ means any freely given specific, and informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed. The permission of the data subject may also be sought electronically, particularly in the context of information society services;
Amendment 885 #
Proposal for a regulation
Article 6 – paragraph 1 – point f
Article 6 – paragraph 1 – point f
(f) processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data,personal data require particular safeguarding by virtue of the overriding interests of protecting data subjects in connection with their fundamental rights and freedoms. This shall apply in particular where the data subject is a child. ThisIt shall not apply to processing carried out by public authorities in the performance of their tasks. Exemption from the scope of this provision may also be based on one or more of the other grounds set out in this paragraph.
Amendment 926 #
Proposal for a regulation
Article 6 – paragraph 3 – subparagraph 1 – point b a (new)
Article 6 – paragraph 3 – subparagraph 1 – point b a (new)
(ba) In the case referred to in paragraph 1(f), the data controller should clearly and separately notify the data subject of such processing. Upon an express request from the data subject, the data controller should also justify the reasons why he decided that the legitimate interest pursued outweighs the overriding interest of protecting the data subject's fundamental rights and freedoms.
Amendment 973 #
Proposal for a regulation
Article 7 – paragraph 2
Article 7 – paragraph 2
2. If the data subject's consent is to be given in the context of a written declaration which also concerns another matter, the requirement to give consent must be presented distinguishable in its appearance from this other matter. The permission of the data subject may be sought electronically, particularly in the context of information society services.
Amendment 1398 #
Proposal for a regulation
Article 17 – paragraph 1 – point c
Article 17 – paragraph 1 – point c
(c) the data subject has effectively objectsed to the processing of personal data pursuant to Article 19;
Amendment 1402 #
Proposal for a regulation
Article 17 – paragraph 1 – point d a (new)
Article 17 – paragraph 1 – point d a (new)
(da) there is no legal basis for the processing of the data other than the consent of the data subject.
Amendment 1421 #
Proposal for a regulation
Article 17 – paragraph 2
Article 17 – paragraph 2
2. Where the controller referred to in paragraph 1 has made the personal data public, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data,. Third parties shall be considered to be subjects who, at the time the request is submitted, the controller is reasonably likely to be able identify and inform that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication.
Amendment 1423 #
Proposal for a regulation
Article 17 – paragraph 2 a (new)
Article 17 – paragraph 2 a (new)
2a. The obligation to inform referred to in paragraph 2 should be considered to have been exercised as soon as the controller has informed the third parties which he has identified of a request for the erasure of the data of the relevant subject in a form corresponding to the original publication of that data, or in some other form ensuring the effective receipt of such information.
Amendment 1551 #
Proposal for a regulation
Article 20 – paragraph 1
Article 20 – paragraph 1
1. Every natural person shall have the right not to be subject to a measure which produces legal effects concerning this natural person or significantly adversely affects this natural person, and which is based solely on automated processing intended to evaluate certain personal aspects relating to this natural person or to analyse or predict in particular the natural person's performance at work, economic situation, location, health, personal preferences, reliability or behaviour.
Amendment 1576 #
Proposal for a regulation
Article 20 – paragraph 2 – point b
Article 20 – paragraph 2 – point b
(b) is expressly authorized by a Union or Member State law which also lays down suitable measures to safeguard the data subject's legitimate interests; or
Amendment 1718 #
Proposal for a regulation
Article 23 – paragraph 1
Article 23 – paragraph 1
1. Having regard to the stlate of the art andst technological developments, the cost of their implementation and the current state of the art, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
Amendment 2852 #
Proposal for a regulation
Article 79 – paragraph 1
Article 79 – paragraph 1
1. EachThe competent supervisory authority in accordance with Article 51 shall be empowered to impose administrative sanctions in accordance with this Article.