BETA

Activities of Antonio LÓPEZ-ISTÚRIZ WHITE related to 2012/0011(COD)

Legal basis opinions (0)

Amendments (180)

Amendment 100 #
Proposal for a regulation
Article 2 – paragraph 2 – point b
(b) by the Union institutions, bodies, offices and agencies;deleted
2012/11/29
Committee: JURI
Amendment 101 #
Proposal for a regulation
Article 2 – paragraph 2 – point e a (new)
(ea) by competent authorities for the purposes of producing and disseminating official statistics entrusted to them;
2012/11/29
Committee: JURI
Amendment 103 #
Proposal for a regulation
Article 2 – paragraph 2 – point e b (new)
(eb) by competent authorities for the purposes of drawing up electoral rolls.
2012/11/29
Committee: JURI
Amendment 122 #
Proposal for a regulation
Article 4 – point 13
(13) ‘main establishment’ means as regards the controller, and the place of its establishment in the Union where the main decisions as to the purposes, conditions and means of the processing of personal data are taken; if no decisions as to the purposes, conditions and means of the processing of personal data are taken in the Union, the main establishment is the place where the main processing activities in the context of the activities of an establishment of a controller in the Union take place. As regards the processor, ‘main establishment’ means the place of its central administration in the Unionrocessor, the one constituting the official seat or registered office in the Union, if that is the place where the main decisions of the institution, enterprise, or group are taken, or the latter place, if different;
2012/11/29
Committee: JURI
Amendment 123 #
Proposal for a regulation
Article 4 – point 19 a (new)
(19a) ‘official statistics’ means representative aggregate quantitative and qualitative information characterising a collective phenomenon within a given population;
2012/11/29
Committee: JURI
Amendment 125 #
Proposal for a regulation
Article 4 – point 19 b (new)
(19b) ‘electoral rolls’ means personal data, and data relating to the place of residence, of persons entitled to vote;
2012/11/29
Committee: JURI
Amendment 126 #
Proposal for a regulation
Article 4 – point 19 c (new)
(19c) ‘information society services’ means services provided at the recipient’s individual request, at a distance, and by electronic means, that is to say, the service is sent initially and received at its destination by means of electronic equipment for the processing, including digital compression, and storage of data and is transmitted, conveyed, and received entirely by wire, by radio, by optical means, or by any other electromagnetic means.
2012/11/29
Committee: JURI
Amendment 128 #
Proposal for a regulation
Article 5 – point c
(c) adequate, relevant, and limited to the minimum nenot excessaryive in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data;
2012/11/29
Committee: JURI
Amendment 129 #
Proposal for a regulation
Article 5 – point d
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
2012/11/29
Committee: JURI
Amendment 132 #
Proposal for a regulation
Article 5 – point e
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for historical, statistical or scientific research purposes in accordance with the rules and conditions of Article 83 and if a periodic review is carried out to assess the necessity to continue the storage, without prejudice to Article 83;
2012/11/29
Committee: JURI
Amendment 133 #
Proposal for a regulation
Article 5 – point f
(f) processed under the responsibility and liability of the controller, who shall ensure and demonstrate for each processing operation the compliance with the provisions of this Regulation.deleted
2012/11/29
Committee: JURI
Amendment 137 #
Proposal for a regulation
Article 6 – paragraph 1 – point f
(f) processing is necessary for the purposes of the legitimate interests pursued by a controller or by a third party to whom the data are to be communicated, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
2012/11/29
Committee: JURI
Amendment 142 #
Proposal for a regulation
Article 6 – paragraph 3 – subparagraph 2
TUnion law and the law of the Member State must meet an objective of public interest or must be necessary to protect the rights and freedoms of others, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued.
2012/11/29
Committee: JURI
Amendment 145 #
Proposal for a regulation
Article 6 – paragraph 5
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the conditions referred to in point (f) of paragraph 1 for various sectors and data processing situations, including as regards the processing of personal data related to a child.
2012/11/29
Committee: JURI
Amendment 151 #
Proposal for a regulation
Article 7 – paragraph 4
4. Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.deleted
2012/11/29
Committee: JURI
Amendment 161 #
Proposal for a regulation
Article 9 – paragraph 2 – point f
(f) processing is necessary for the establishment, exercise or defence of legal claims at issue in legal or administrative proceedings of any kind; or
2012/11/29
Committee: JURI
Amendment 163 #
Proposal for a regulation
Article 9 – paragraph 2 – point i
(i) processing is necessary for historical, statistical or scientific research purposes or for preliminary official or administrative investigation to determine biological parentage, subject to the conditions and safeguards referred to in Article 83; or
2012/11/29
Committee: JURI
Amendment 164 #
Proposal for a regulation
Article 9 – paragraph 2 – point j
(j) processing of data relating to criminal convictions or related security measures is carried out either under the control of official authority or when the processing is necessary for compliance with a legal or regulatory obligation to which a controller is subject, or for the performance of a task carried out for important public interest reasons, and in so far as authorised by Union law or Member State law providing for adequate safeguards. A complete register of criminal convictions, whether complete or not, shall be kept only under the control of official authority.
2012/11/29
Committee: JURI
Amendment 165 #
Proposal for a regulation
Article 9 – paragraph 3
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria, conditions and appropriate safeguards for the processing of the special categories of personal data referred to in paragraph 1 and the exemptions laid down in paragraph 2.
2012/11/29
Committee: JURI
Amendment 167 #
Proposal for a regulation
Article 11 – paragraph 1
1. The controller shall haobserve transparentcy and easily accessible policiesility criteria with regard to the processing of personal data and for the exercise of data subjects’ rights. To that end it may disseminate those criteria by framing policies to be made known to all data subjects.
2012/11/29
Committee: JURI
Amendment 168 #
Proposal for a regulation
Article 11 – paragraph 2
2. The controller shall provide any information and any communication relating to the processing of personal data to the data subject in an intelligible form, using clear and plain language, adapted to the data subject, in particular wherever possible. This last point shall be taken particularly into account for any information addressed specifically to a child.
2012/11/29
Committee: JURI
Amendment 169 #
Proposal for a regulation
Article 12 – paragraph 1
1. The controller shall establish procedures for providinge the information referred to in Article 14 and for the exercise of the rights of data subjects referred to in Article 13 and Articles 15 to 19. The controller shall provide in particular mechanisms for facilitating the request for the actions referred to in Article 13 and Articles 15 to 19. Where personal data are processed by automated means, the controller shall also provide means for requests to be made electronicallythis is deemed appropriate, the above information as a whole may be presented in the form of policies and manuals of procedures to facilitate understanding and the use of such information.
2012/11/29
Committee: JURI
Amendment 172 #
Proposal for a regulation
Article 14 – paragraph 1 – point a
(a) the identity and the contact details of the controller and, if any, of the controller’s representative and of the data protection officer;
2012/11/29
Committee: JURI
Amendment 174 #
Proposal for a regulation
Article 14 – paragraph 1 – point b
(b) the purposes of the processing for which the personal data are intended, including the contract terms and general conditions where the processing is based on point (b) of Article 6(1) and the legitimate interests pursued by the controller where the processing is based on point (f) of Article 6(1);
2012/11/29
Committee: JURI
Amendment 176 #
Proposal for a regulation
Article 14 – paragraph 1 – point c
(c) where possible, the period for which the personal data will be stored;
2012/11/29
Committee: JURI
Amendment 179 #
Proposal for a regulation
Article 14 – paragraph 1 – point e
(e) the right to lodge a complaint to the supervisory authority and the contact details of the supervisory authority;
2012/11/29
Committee: JURI
Amendment 182 #
Proposal for a regulation
Article 14 – paragraph 4 – point a
(a) in general at the time when the personal data are obtained from the data subject or as soon as possible where the above is not feasible, demands undue effort, or reduces the safeguards enjoyed by the data subject; or
2012/11/29
Committee: JURI
Amendment 186 #
Proposal for a regulation
Article 14 – paragraph 7
7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria for categories of recipients referred to in point (f) of paragraph 1, the requirements for the notice of potential access referred to in point (g) of paragraph 1, the criteria for the further information necessary referred to in point (h) of paragraph 1 for specific sectors and situations, and the conditions and appropriate safeguards for the exceptions laid down in point (b) of paragraph 5. In doing so, the Commission shall take the appropriate measures for micro, small and medium-sized- enterprises.
2012/11/29
Committee: JURI
Amendment 187 #
Proposal for a regulation
Article 15 – paragraph 1 – introductory wording
1. The data subject shall have the right to obtain from the controller at any time, on request, confirmation as to whether or not personal data relating to the data subject are being processed. If the controller is processing a large number of files relating to the data subject, it may ask the data subject to specify in the necessary detail, before the information is supplied, which file or files, or what particular fields of activity, are covered by the data subject’s request. Where such personal data are being processed, the controller shall provide the following information:
2012/11/29
Committee: JURI
Amendment 189 #
Proposal for a regulation
Article 15 – paragraph 1 – point h
(h) the significance and envisaged consequences of such processing, at least in the case of measures referred to in Article 20.
2012/11/29
Committee: JURI
Amendment 192 #
Proposal for a regulation
Article 15 – paragraph 2
2. The data subject shall have the right to obtain from the controller communication of the personal data undergoing processing. Where the data subject makes the request in electronic form, the information shall be provided in electronic form, unless otherwise requested by the data subject.deleted
2012/11/29
Committee: JURI
Amendment 204 #
Proposal for a regulation
Article 17 – paragraph 2
2. Where the controller referred to in paragraph 1 has made theexplicitly or tacitly allowed third-party access to personal data public, it shall take all reasonable steps in proportion to its capacity, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller who has authorised a third party publication of personal data, the controller shall be considered responsible for that publicationllowed access to personal data has disappeared, has ceased to exist or for other reasons cannot be contacted by the data subject, the data subject shall have the right to obtain from third-party controllers the erasure of any links to, or copy or replication of the personal data.
2012/11/29
Committee: JURI
Amendment 207 #
Proposal for a regulation
Article 17 – paragraph 3 – point d
(d) for compliance with a legal obligation to retain the personal data by Union or Member State law to which the controller is subject under Union law; Member State laws shall meet an objective of public interest, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued;
2012/11/29
Committee: JURI
Amendment 208 #
Proposal for a regulation
Article 17 – paragraph 3 – point e
(e) in the cases referred to in paragraph 4. In the cases referred to in points (a) to (d), the data subject may exercise the right to object to the establishment of links or creation of copies or replications of their personal data. The viability of this right shall be resolved in the light of all the circumstances involved in the case, whilst making efforts not to frustrate the specific basis for the retention of data.
2012/11/29
Committee: JURI
Amendment 209 #
Proposal for a regulation
Article 17 – paragraph 9
9. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying: (a) the criteria and requirements for the application of paragraph 1 for specific sectors and in specific data processing situations; (b) the conditions for deleting links, copies or replications of personal data from publicly available communication services as referred to in paragraph 2; (c) the criteria and conditions for restricting the processing of personal data referred to in paragraph 4.
2012/11/29
Committee: JURI
Amendment 210 #
Proposal for a regulation
Article 18 – paragraph 1
1. The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject. Where the format requested by the data subject differs from the processing format, the controller may impose a charge for conversion at a level which may not exceed the cost of the service provided at market prices.
2012/11/29
Committee: JURI
Amendment 212 #
Proposal for a regulation
Article 18 – paragraph 2 – subparagraph 1 a
The controller from whom the personal data are withdrawn shall delete those data, unless their continued processing is covered by another legal provision in force. Union and Member State laws may regulate cases where there is a legal obligation to store data, based on objectives of public interest proportionate to the aim pursued, and respecting the essence of the right to the protection of personal data.
2012/11/29
Committee: JURI
Amendment 216 #
Proposal for a regulation
Article 19 – paragraph 3
3. Where an objection is upheld pursuant to paragraphs 1 and 1, the controller shall inform the data subject of the compelling legitimate grounds which apply in accordance with paragraph 1 or, if he does not do so, he shall no longer use or otherwise process the personal data concerned; where the objection is upheld pursuant to paragraph 2, the controller shall no longer use or otherwise process the personal data concerned.
2012/11/29
Committee: JURI
Amendment 236 #
Proposal for a regulation
Article 20 – paragraph 5
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for suitable measures to safeguard the data subject's legitimate interests referred to in paragraph 2.
2012/11/29
Committee: JURI
Amendment 239 #
Proposal for a regulation
Article 22 – paragraph 1
1. The controller shallmay adopt policies and implement appropriate measures to ensure and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation.
2012/11/29
Committee: JURI
Amendment 240 #
Proposal for a regulation
Article 22 – paragraph 2 – introductory wording
2. The measures provided for in paragraph 1 shall in particular includeclude, in the cases and in accordance with the rules set out in this chapter:
2012/11/29
Committee: JURI
Amendment 242 #
Proposal for a regulation
Article 22 – paragraph 2 – point e
(e) designating a data protection officer pursuant to Article 35(1), or the obligation and maintenance of certification in accordance with the certification policies defined by the Commission.
2012/11/29
Committee: JURI
Amendment 243 #
Proposal for a regulation
Article 22 – paragraph 4
4. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of specifying any further criteria and requirements for appropriate measures referred to in paragraph 1 other than those already referred to in paragraph 2, the conditions for the verification and auditing mechanisms referred to in paragraph 3 and as regards the criteria for proportionality under paragraph 3, and considering specific measures for micro, small and medium-sized-enterprises.
2012/11/29
Committee: JURI
Amendment 244 #
Proposal for a regulation
Article 23 – paragraph 1
1. Having regard to the state of the art and the cost of implementation, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures and procedures appropriate to the activities and their purposes, in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
2012/11/29
Committee: JURI
Amendment 247 #
Proposal for a regulation
Article 23 – paragraph 2
2. The controller shall implement mechanisms for ensuring that, by default, only those personal data are processed which are neot excessaryive for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary forin proportion to those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals.
2012/11/29
Committee: JURI
Amendment 249 #
Proposal for a regulation
Article 23 – paragraph 3
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of specifying any further criteria and requirements for appropriate measures and mechanisms referred to in paragraph 1 and 2, in particular for data protection by design requirements applicable across sectors, products and services.
2012/11/29
Committee: JURI
Amendment 251 #
Proposal for a regulation
Article 23 – paragraph 4
4. The Commission may lay down technical standards for the requirements laid down in paragraph 1 and 2. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).deleted
2012/11/29
Committee: JURI
Amendment 253 #
Proposal for a regulation
Article 24
Where a controller determines the purposes, conditions and means of the processing of personal data jointly with others, the joint controllers shall determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the procedures and mechanisms for exercising the rights of the data subject, by means of an arrangement between them. To ensure that data subjects may exercise their right to object to this arrangement, it must be documented and data subjects must have been notified in advance; otherwise, the above rights may be exercised in full in relation to any of the controllers, who shall be responsible for ensuring that the conditions laid down by law are fully complied with.
2012/11/29
Committee: JURI
Amendment 257 #
Proposal for a regulation
Article 25 – paragraph 2 – point b
(b) an enterprise employing fewer than 250 persons, unless the processing carried out by that enterprise is considered high risk by the supervisory authorities, taking account of its characteristics, the type of data or the number of people affected; or
2012/11/29
Committee: JURI
Amendment 260 #
Proposal for a regulation
Article 26 – paragraph 2 – introductory wording
2. The carrying out of processing by a processor shall be governed by a contract or other legal act binding the processor to the controller, which shall be documented in a form of which a record can be kept, and stipulating in particular that the processor shall:
2012/11/29
Committee: JURI
Amendment 262 #
Proposal for a regulation
Article 26 – paragraph 3
3. The controller and the processor shall document in writing the controller's instructions and the processor's obligations referred to in paragraph 2.deleted
2012/11/29
Committee: JURI
Amendment 264 #
Proposal for a regulation
Article 26 – paragraph 4
4. If a processor processes personal data other than as instructed by the controller, the processor shall be considered to be a controller in respect of that processing and shall be subject to the rules on joint controllers laid down in Article 24, without prejudice to the responsibility which the controller may have occurred in relation to compliance with their obligations.
2012/11/29
Committee: JURI
Amendment 265 #
Proposal for a regulation
Article 26 – paragraph 5
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the responsibilities, duties and tasks in relation to a processor in line with paragraph 1, and conditions which allow facilitating the processing of personal data within a group of undertakings, in particular for the purposes of control and reporting.
2012/11/29
Committee: JURI
Amendment 266 #
Proposal for a regulation
Article 28 – paragraph 1
1. Each controller and processor and, if any, the controller's representative, shall maintain documentationensure that they are in a position duly to inform the authorities which so request of all processing operations under its responsibility.
2012/11/29
Committee: JURI
Amendment 269 #
Proposal for a regulation
Article 28 – paragraph 2 – introductory wording
2. TheEnterprises or organisations which do not have a data protection officer or sufficient valid certification shall hold the statutory model documentation for all processing operations under their responsibility. This documentation shall contain at least the following information:
2012/11/29
Committee: JURI
Amendment 271 #
Proposal for a regulation
Article 28 – paragraph 2 – point b
(b) the name and contact details of the data protection officer, if any;deleted
2012/11/29
Committee: JURI
Amendment 274 #
Proposal for a regulation
Article 28 – paragraph 2 – point g
(g) a general indication of the time limits for erasure of the different categories of data, wherever possible;
2012/11/29
Committee: JURI
Amendment 276 #
Proposal for a regulation
Article 28 – paragraph 4 – introductory wording
4. The obligations referred to in paragraphs 1 and 2 shall not apply to the following controllers and processors:
2012/11/29
Committee: JURI
Amendment 277 #
Proposal for a regulation
Article 28 – paragraph 5
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the documentation referred to in paragraph 1, to take account of in particular the responsibilities of the controller and the processor and, if any, the controller's representative.
2012/11/29
Committee: JURI
Amendment 278 #
Proposal for a regulation
Article 28 – paragraph 6
6. The Commission mayshall lay down standard forms for the documentation referred to in paragraph 12. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).
2012/11/29
Committee: JURI
Amendment 279 #
Proposal for a regulation
Article 29 – paragraph 1
1. The controller and, where appropriate, the processor and, if any, the representative of the controller, shall co-operate, on request, with the supervisory authority in the performance of its duties, in particular by providing the information referred to in point (a) of Article 53(2) and by granting access as provided in point (b) of that paragraph.
2012/11/29
Committee: JURI
Amendment 280 #
Proposal for a regulation
Article 29 – paragraph 2
2. In response to the supervisory authority's exercise of its powers under Article 53(2), the controller, either in person or through his representative and the processor shall reply to the supervisory authority within a reasonable period to be specified by the supervisory authority. The reply shall include a description of the measures taken and the results achieved, in response to the remarks of the supervisory authority.
2012/11/29
Committee: JURI
Amendment 281 #
Proposal for a regulation
Article 30 – paragraph 3
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the technical and organisational measures referred to in paragraphs 1 and 2, including the determinations of what constitutes the state of the art, for specific sectors and in specific data processing situations, in particular taking account of developments in technology and solutions for privacy by design and data protection by default, unless paragraph 4 applies.
2012/11/29
Committee: JURI
Amendment 282 #
Proposal for a regulation
Article 30 – paragraph 4 – subparagraph 1
The Commission may adopt, where necessary, implementing acts for specifying the requirements laid down in paragraphs 1 and 2 to various situations, in particular to: (a) prevent any unauthorised access to personal data; (b) prevent any unauthorised disclosure, reading, copying, modification, erasure or removal of personal data; (c) ensure the verification of the lawfulness of processing operations.deleted
2012/11/29
Committee: JURI
Amendment 283 #
Proposal for a regulation
Article 31 – paragraph 1
1. In the case of a personal data breach, the controller shall without undue delay and such as to constitute a serious risk to personal data privacy, wthere feasible, not lat controller tshan 24 hours after having become aware of it,ll without undue delay notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours.
2012/11/29
Committee: JURI
Amendment 288 #
Proposal for a regulation
Article 31 – paragraph 2
2. Pursuant to point (f) of Article 26(2), the processor shall alert and inform the controller immediately after the establishment of a personal data breach referred to in paragraph 1.
2012/11/29
Committee: JURI
Amendment 290 #
Proposal for a regulation
Article 31 – paragraph 3 – introductory wording
3. The notification referred to in paragraph 1 must at least: must contain the details necessary to enable the supervisory authority to assess the gravity of the incidents and their consequences and, if necessary recommend that action be taken, that is to say:
2012/11/29
Committee: JURI
Amendment 291 #
Proposal for a regulation
Article 31 – paragraph 4
4. The controller shall document any personal data breaches referred to in paragraph 1 of this article, comprising the facts surrounding the breach, its effects and the remedial action taken. This documentation must enable the supervisory authority to verify compliance with this Article. The documentation shall only include the information necessary for that purposeWithout prejudice to the above, the controller or, where appropriate the processor, shall keep records of previous breaches and their consequences not referred to in paragraph 1 but relating to the use of personal data, and make them available to the supervisory authorities, who may wish to receive copies thereof on a regular basis.
2012/11/29
Committee: JURI
Amendment 293 #
Proposal for a regulation
Article 31 – paragraph 5
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for establishing the data breach referred to in paragraphs 1 and 2 and for the particular circumstances in which a controller and a processor is required to notify the personal data breach.
2012/11/29
Committee: JURI
Amendment 294 #
Proposal for a regulation
Article 31 – paragraph 6
6. The Commission may lay down the standard format of such notifications to the supervisory authority, the procedures applicable to the notification requirement and the form and the modalities for the documentation referred to inin accordance with paragraph 43, including the time limits for erasure of the information contained thereinand of the register of breaches and their consequences. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).
2012/11/29
Committee: JURI
Amendment 295 #
Proposal for a regulation
Article 32 – paragraph 4 – subparagraph 1 a
Those concerned shall not be notified in cases where this could clearly obstruct current investigations or hinder or delay measures to resolve the security breach. More detailed provision for such eventualities may be made under EU law and Member State legislation, the objective being at all times to uphold the public interest and comply with the spirit of data protection law.
2012/11/29
Committee: JURI
Amendment 296 #
Proposal for a regulation
Article 32 – paragraph 5
5. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements as to the circumstances in which a personal data breach is likely to adversely affect the personal data referred to in paragraph 1.
2012/11/29
Committee: JURI
Amendment 297 #
Proposal for a regulation
Article 33 – paragraph 1
1. Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller or the processor acting on the controller's behalf, if they have not recruited a data protection officer for their organisation or obtained adequate and valid certification for the processing of high- risk data, shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
2012/11/29
Committee: JURI
Amendment 300 #
Proposal for a regulation
Article 33 – paragraph 6
6. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the processing operations likely to present specific risks referred to in paragraphs 1 and 2 and the requirements for the assessment referred to in paragraph 3, including conditions for scalability, verification and auditability. In doing so, the Commission shall consider specific measures for micro, small and medium- sized enterprises.
2012/11/29
Committee: JURI
Amendment 301 #
Proposal for a regulation
Article 34 – paragraph 1
1. The controller or the processor as the case may be shall, if they have not recruited a data protection officer for their organisation or obtained or adequate and valid certification for the processing of high-risk data, obtain an authorisation from the supervisory authority prior to the processing of personal data, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where a controller or processor adopts contractual clauses as provided for in point (d) of Article 42(2) or does not provide for the appropriate safeguards in a legally binding instrument as referred to in Article 42(5) for the transfer of personal data to a third country or an international organisation.
2012/11/29
Committee: JURI
Amendment 302 #
Proposal for a regulation
Article 34 – paragraph 2 – introductory wording
2. The controller or processor acting on the controller's behalf shall, if they have not recruited a data protection officer for their organisation or obtained or adequate and valid certification for the processing of high-risk data, consult the supervisory authority prior to the processing of personal data in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects where:
2012/11/29
Committee: JURI
Amendment 303 #
Proposal for a regulation
Article 34 – paragraph 7
7. Member States shall consult the supervisory authority in the preparation of a legislative measure to be adopted by the national parliament or of a measure based on such a legislative measure, which defines the nature of the processing, in order to ensure the compliance of the intended processing with this Regulation and in particular to mitigate the risks involved for the data subjects.deleted
2012/11/29
Committee: JURI
Amendment 304 #
Proposal for a regulation
Article 35 – paragraph 1 – introductory wording
1. The controller and the processor shallmay designate a data protection officer in any case where:
2012/11/29
Committee: JURI
Amendment 307 #
Proposal for a regulation
Article 35 – paragraph 1 – point a
(a) the processing is carried out by a public authority or body; ordeleted
2012/11/29
Committee: JURI
Amendment 309 #
Proposal for a regulation
Article 35 – paragraph 1 – point b
(b) the processing is carried out by an enterprise employing 250 persons or more; ordeleted
2012/11/29
Committee: JURI
Amendment 312 #
Proposal for a regulation
Article 35 – paragraph 1 – point c
(c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects.deleted
2012/11/29
Committee: JURI
Amendment 314 #
Proposal for a regulation
Article 35 – paragraph 2
2. In the case referred to in point (b) of paragraph 1, aA group of undertakings may appoint a single data protection officer.
2012/11/29
Committee: JURI
Amendment 316 #
Proposal for a regulation
Article 35 – paragraph 4
4. In cases other than those referred to in paragraph 1, tThe controller or processor or associations and other bodies representing categories of controllers or processors may designate a data protection officer.
2012/11/29
Committee: JURI
Amendment 317 #
Proposal for a regulation
Article 35 – paragraph 5
5. The controller or processor shall designate the data protection officer on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil the tasks referred to in Article 37, in accordance with strict professional standards. The necessary level of expert knowledge shall be determined in particular according to the data processing carried out and the protection required for the personal data processed by the controller or the processor.
2012/11/29
Committee: JURI
Amendment 318 #
Proposal for a regulation
Article 35 – paragraph 7
7. The controller or the processor shall designate a data protection officer for a period of at least two years. The data protection officer may be reappointed for further terms. During their term of office, the data protection officer may only be dismissed, if the data protection officer no longer fulfils the conditions required for the performance of their duties or for serious failure in this connection.
2012/11/29
Committee: JURI
Amendment 319 #
Proposal for a regulation
Article 35 – paragraph 11
11. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the core activities of the controller or the processor referred to in point (c) of paragraph 1 and the criteria for the professional qualities of the data protection officer referred to in paragraph 5.
2012/11/29
Committee: JURI
Amendment 320 #
Proposal for a regulation
Article 36 – paragraph 2
2. The controller or processor shall ensure that the data protection officer performs the duties and tasks independently and does not accordance with the provisions of this Regulation, without being able to receive any instructions as regards the exercise of the functionffecting the functions specifically relating to his post. The data protection officer shall directly report to the management of the controller or the processor.
2012/11/29
Committee: JURI
Amendment 321 #
Proposal for a regulation
Article 36 – paragraph 3
3. The controller or the processor shall support the data protection officer in performing the tasks and, when necessary, shall provide staff, premises, equipment and any other resources necessary to carry out the duties and tasks referred to in Article 37.
2012/11/29
Committee: JURI
Amendment 322 #
Proposal for a regulation
Article 37 – paragraph 1 – point a
(a) to inform and advise the controller or the processor of their obligations pursuant to this Regulation and to document this activity and the responses received;
2012/11/29
Committee: JURI
Amendment 323 #
Proposal for a regulation
Article 37 – paragraph 1 – point d
(d) to ensure that the documentation referred to in Article 28 is maintaindeleted;
2012/11/29
Committee: JURI
Amendment 324 #
Proposal for a regulation
Article 37 – paragraph 1 – point f
f) to monitor the performance of the data protection impact assessment by the controller or processor and the application for prior authorisation or prior consultation, if required pursuant Articles 33 and 34;deleted
2012/11/29
Committee: JURI
Amendment 325 #
Proposal for a regulation
Article 37 – paragraph 2
2. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for tasks,he certification, status, powers and resource and status of the data protection officer referred to in paragraph 1.
2012/11/29
Committee: JURI
Amendment 326 #
Proposal for a regulation
Article 38 – paragraph 1 – introductory wording
1. The Member States, the supervisory authorities and the Commission shall encourage participation in the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various data processing sectors, in particular in relation to:
2012/11/29
Committee: JURI
Amendment 328 #
Proposal for a regulation
Article 38 – paragraph 4
4. The Commission may adopt implementing acts for deciding that the codes of conduct and amendments or extensions to existing codes of conduct submitted to it pursuant to paragraph 3 have general validity within the Union. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).deleted
2012/11/29
Committee: JURI
Amendment 329 #
Proposal for a regulation
Article 38 – paragraph 5
5. The Commission shall ensure appropriate publicity for the codes which have been decided as having general validity in accordance with paragraph 4.deleted
2012/11/29
Committee: JURI
Amendment 330 #
Proposal for a regulation
Article 39 – paragraph 1
1. The Member States and the Commission shall encourage, in particular at European level, the establishment of data protection certification mechanismpolicies and of data protection seals and marks, allowing data subjects to quickly assess the level of data protection provided by controllers and processors. The data protection certifications mechanism policies shall contribute to the proper application of this Regulation, and to achieving the actions and benefits mentioned therein, taking account of the specific features of the various sectors and different processing operations. Certification policies at Union level shall be designed by the European Data Protection Board with the involvement of other stakeholders, and shall be officially approved by the Commission. These policies shall not just be aimed at the institutions but especially at operators in the field. The certification policies shall address the specific needs of actors in different sectors of activity, with particular regard to the needs of micro, small and medium- sized enterprises, and to the key aspect of cost containment so that they can become an effective instrument. The acquisition, renewal and loss of certificates will involve the consequences laid down throughout this Directive.
2012/11/29
Committee: JURI
Amendment 331 #
Proposal for a regulation
Article 41 – paragraph 1
1. A transfer may take place where the Commission has decided that the third country, or a territory or a processing sector within that third country, or the international organisation in question ensures an adequate level of protection. Such transfer shall not require any furtherspecific authorisation.
2012/11/29
Committee: JURI
Amendment 332 #
Proposal for a regulation
Article 41 – paragraph 2 – point a
a) the level of penetration and consolidation of the rule of law, relevant legislation in force, both general and sectoral, including concerning public security, defence, national security and criminal law, the professional rules and security measures which are complied with in the field of the protection of personal data in that country or by that international organisation, as well as access to justice and the effectiveness and enforceableility of rights, including effectivethe right to action and redress in both administrative and judicial redress for data subjectmatters, in particular for those data subjects residing in the Union whose personal data are being transferred;
2012/11/29
Committee: JURI
Amendment 333 #
Proposal for a regulation
Article 41 – paragraph 6
6. Where the Commission decides pursuant to paragraph 5, any transfer of personal data to the third country, or a territory or a processing sector within that third country, or the international organisation in question shall be prohibited, without prejudice torestricted under the terms of Articles 42 to 44. At the appropriate time, the Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation resulting from the Decision made pursuant to paragraph 5 of this Article.
2012/11/29
Committee: JURI
Amendment 336 #
Proposal for a regulation
Article 42 – paragraph 2 – point d
d) contractual clauses between the controller or processor and the recipient of the data authorised by a supervisory authority in accordance with paragraph 4.
2012/11/29
Committee: JURI
Amendment 337 #
Proposal for a regulation
Article 42 – paragraph 4
4. Where a transfer is based on contractual clauses as referred to in point (d) of paragraph 2 of this Article and no data protection officer has been designated and no sufficient or applicable official certification is available, the controller or processor shall obtain prior authorisation of the contractual clauses according to point (a) of Article 34(1) from the supervisory authority. If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57.
2012/11/29
Committee: JURI
Amendment 338 #
Proposal for a regulation
Article 42 – paragraph 5
5. Where the appropriate safeguards with respect to the protection of personal data are not provided for in a legally binding instrument and no data protection officer has been designated and no sufficient or applicable official certification is available, the controller or processor shall obtain prior authorisation for the transfer, or a set of transfers, or for provisions to be inserted into administrative arrangements providing the basis for such transfer. Such authorisation by the supervisory authority shall be in accordance with point (a) of Article 34(1). If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57. Authorisations by a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid, until amended, replaced or repealed by that supervisory authority.
2012/11/29
Committee: JURI
Amendment 340 #
Proposal for a regulation
Article 43 – paragraph 4
4. The Commission may specify the format and procedures for the exchange of information by electronic means between controllers, processors and supervisory authorities for binding corporate rules within the meaning of this Article. Those implementing acts shall be adopted in accordance with the examination procedure set out in Article 87(2).
2012/11/29
Committee: JURI
Amendment 342 #
Proposal for a regulation
Article 44 – paragraph 1 – point e
e) the transfer is necessary for the establishment, exercise or defence of legal or administrative claims; or
2012/11/29
Committee: JURI
Amendment 343 #
Proposal for a regulation
Article 44 – paragraph 6
6. The controller or processor shall document the assessment as well as the appropriate safeguards adduced referred to in point (h) of paragraph 1 of this Article in the documentation referred to in Article 28, and where appropriate in accordance with that rule, and shall inform the supervisory authority of the transfer.
2012/11/29
Committee: JURI
Amendment 344 #
Proposal for a regulation
Article 44 – paragraph 7
7. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying 'important grounds of public interest' within the meaning of point (d) of paragraph 1 as well as the criteria and requirements for appropriate safeguards referred to in point (h) of paragraph 1.
2012/11/29
Committee: JURI
Amendment 346 #
Proposal for a regulation
Article 45 – paragraph 2 – subparagraph 1 a (new)
For the purposes of paragraph 1(a) and (b), the supervisory authorities shall be able to exchange information and cooperate in activities related to the exercise of their powers and defence of the rights regulated in this Regulation.
2012/11/29
Committee: JURI
Amendment 347 #
Proposal for a regulation
Article 45 – paragraph 2 a (new)
2a. Cooperation may take place provided that: (a) the competent authorities of third countries have competence for the protection of personal data in the context of matters of which they possess knowledge in accordance with existing legislation, (b) there are working arrangements on the basis of reciprocity agreed between the competent authorities concerned, (c) the transfer of personal data to the third country is in accordance with Chapter V of this Directive.
2012/11/29
Committee: JURI
Amendment 348 #
Proposal for a regulation
Article 45 – paragraph 2 b (new)
2b. The working arrangements referred to in paragraph 2a, point (b), shall ensure that: (a) justification as to the purpose of the request for cooperation is provided by the competent authorities; (b) the persons employed or formerly employed by the competent authorities of the third country that receive the information are subject to obligations of professional secrecy; (c) the competent authorities of the third country may use the results of cooperation only for the exercise of functions relating to the protection of personal data; (d) in the event of the competent authority of the third country intending to transfer the information received by means of cooperation to a third party, prior, specific and written consent must be obtained from the authority which provided the information, unless such transfer is required by national law or ordered by a court of law and constitutes a necessary measure to safeguard relevant public interests relating to: the prevention, investigation or prosecution of criminal offences, the monitoring, inspection or regulation connected, even occasionally, with the exercise of official authority within the scope of the agreement. In such cases, prior notice shall be given to the authority that provided the information; (e) the appropriate technical and organisational security measures are adopted to protect personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access, and against all other unlawful forms of processing personal data; (f) the request for cooperation from the competent authority of the third country should be refused: where it would adversely affect the sovereignty, security or public order of the Community or of the requested Member State, or where judicial proceedings have already been initiated in respect of the same actions and against the same persons before the authorities of the requested Member State.
2012/11/29
Committee: JURI
Amendment 349 #
Proposal for a regulation
Article 45 – paragraph 2 c (new)
2c. Member States shall communicate to the Commission the working arrangements referred to in paragraphs 2a and 2b.
2012/11/29
Committee: JURI
Amendment 350 #
Proposal for a regulation
Article 47 – paragraph 1
1. The supervisory authorityies shall act with complete independence in exercising the duties and powers entrusted to ithem.
2012/11/29
Committee: JURI
Amendment 351 #
Proposal for a regulation
Article 47 – paragraph 2
2. The members of the supervisory authorityies shall, in the performance of their duties, neither seek nor take instructions from anybody.
2012/11/29
Committee: JURI
Amendment 352 #
Proposal for a regulation
Article 47 – paragraph 5
5. Each Member State shall, in line with its internal distribution of competencies, ensure that the supervisory authority isies are provided with the adequate human, technical and financial resources, premises and infrastructure necessary for the effective performance of its duties and powers, including those to be carried out in the context of mutual assistance, co- operation and participation in the European Data Protection Board.
2012/11/29
Committee: JURI
Amendment 353 #
Proposal for a regulation
Article 47 – paragraph 6
6. Each Member State shall, in line with its internal distribution of competencies, ensure that the supervisory authority has itsies have their own staff which shall be appointed by and be subject to the direction of the head of the supervisory authority.
2012/11/29
Committee: JURI
Amendment 354 #
Proposal for a regulation
Article 47 – paragraph 7
7. Member States shall, in line with their internal distribution of competencies, ensure that the supervisory authority isies are subject to financial control which shall not affect itstheir independence. Member States shall, in line with their internal distribution of competencies, ensure that the supervisory authorityies hasve separate annual budgets. The budgets shall be made public.
2012/11/29
Committee: JURI
Amendment 355 #
Proposal for a regulation
Article 48 – paragraph 1
1. Member States shall provide that the members of the supervisory authority or authorities must be appointed either by the parliament or the government bodies of the Member State concerned.
2012/11/29
Committee: JURI
Amendment 356 #
Proposal for a regulation
Article 48 – paragraph 3
3. The duties of a member shall end in the event of the expiry of the term of office, resignation or compulsory retirement in accordance with paragraph 5 or in the event of incapacity to hold office, incompatibility, resignation, dismissal, final conviction of an intentional crime or compulsory retirement.
2012/11/29
Committee: JURI
Amendment 357 #
Proposal for a regulation
Article 48 – paragraph 4
4. A member may be dismissed or deprived of the right to a pension or other benefits in its shis appointment terminatead by the competent national courtbody which appointed him, if the member no longer fulfils the conditions required for the performance of the duties or is guilty of serious misconductfailure to discharge the obligations relating to his office.
2012/11/29
Committee: JURI
Amendment 358 #
Proposal for a regulation
Article 49 – point a
a) the establishment and status of the supervisory authorityies;
2012/11/29
Committee: JURI
Amendment 359 #
Proposal for a regulation
Article 49 – point b
b) the qualifications, experience and skills required to perform the duties of the members of the supervisory authorityies;
2012/11/29
Committee: JURI
Amendment 360 #
Proposal for a regulation
Article 49 – point c
(c) the rules and procedures for the appointment of the members of the supervisory authorityies, as well as the rules on actions or occupations incompatible with the duties of the office;
2012/11/29
Committee: JURI
Amendment 361 #
Proposal for a regulation
Article 49 – point d
(d) the duration of the term of the members of the supervisory authorityies which shall be no less than four years, except for the first appointment after entry into force of this Regulation, part of which may take place for a shorter period where this is necessary to protect the independence of the supervisory authorityies by means of a staggered appointment procedure;
2012/11/29
Committee: JURI
Amendment 362 #
Proposal for a regulation
Article 49 – point e
(e) whether the members of the supervisory authorityies shall be eligible for reappointment;
2012/11/29
Committee: JURI
Amendment 363 #
Proposal for a regulation
Article 49 – point f
(f) the regulations and common conditions governing the duties of the members and staff of the supervisory authorityies;
2012/11/29
Committee: JURI
Amendment 364 #
Proposal for a regulation
Article 49 – point g
(g) the rules and procedures on the termination of the duties of the members of the supervisory authorityies, including in case that they no longer fulfil the conditions required for the performance of their duties or if they are guilty of serious misconduct.
2012/11/29
Committee: JURI
Amendment 365 #
Proposal for a regulation
Article 50
The members and the staff of the supervisory authorityies shall be subject, both during and after their term of office, to a duty of professional secrecy with regard to any confidential information which has come to their knowledge in the course of the performance of their official duties.
2012/11/29
Committee: JURI
Amendment 367 #
Proposal for a regulation
Article 51 – paragraph 2
2. Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union, and the controller or processor is established in more than one Member State, the supervisory authority of the main establishment of the controller or processor shall be competent for the supervision of the processing activities of the controller or the processor in all Member States, except with regard to decisions in response to the complaints referred to in Article 73, in which case it shall coordinate the actions of the supervisory authorities concerned, without prejudice to the provisions of Chapter VII of this Regulation.
2012/11/29
Committee: JURI
Amendment 368 #
Proposal for a regulation
Article 52 – paragraph 1 – point d
(d) conduct investigations either on its own initiative or, on the basis of a complaint or, on request of another supervisory authority or following a police complaint, and inform the data subject concerned, if the data subject has addressed a complaint to this supervisory authority, of the outcome of the investigations within a reasonable period;
2012/11/29
Committee: JURI
Amendment 369 #
Proposal for a regulation
Article 52 – paragraph 1 – point j a (new)
(ja) coordinate certification policies in the territory for which it is responsible, in accordance with the provisions of Article 39.
2012/11/29
Committee: JURI
Amendment 370 #
Proposal for a regulation
Article 53 – paragraph 1 – point j b (new)
(jb) carry out personal data protection audits or audit plans.
2012/11/29
Committee: JURI
Amendment 371 #
Proposal for a regulation
Article 54
Each supervisory authority must draw up an annual report on its activities. The report shall be presented to the national parliament concerned and/or the other authorities specified under national legislation and shall be made be available to the public, the Commission and the European Data Protection Board.
2012/11/29
Committee: JURI
Amendment 372 #
Proposal for a regulation
Article 55 – paragraph 2
2. Each supervisory authority shall take all appropriate measures required to reply to the request of another supervisory authority without delay and no later than one monthtwo weeks after having received the request. Such measures may include, in particular, the transmission of relevant information on the course of an investigation or enforcement measures to bring about the cessation or prohibition of processing operations contrary to this Regulation.
2012/11/29
Committee: JURI
Amendment 373 #
Proposal for a regulation
Article 55 – paragraph 8
8. Where a supervisory authority does not act within one monthtwo weeks on request of another supervisory authority, the requesting supervisory authorities shall be competent to take a provisional measure on the territory of its Member State in accordance with Article 51(1) and shall submit the matter to the European Data Protection Board in accordance with the procedure referred to in Article 57.
2012/11/29
Committee: JURI
Amendment 374 #
Proposal for a regulation
Article 56 – paragraph 5
5. Where a supervisory authority does not comply within one monthtwo weeks with the obligation laid down in paragraph 2, the other supervisory authorities shall be competent to take a provisional measure on the territory of its Member State in accordance with Article 51(1).
2012/11/29
Committee: JURI
Amendment 375 #
Proposal for a regulation
Article 58 – paragraph 7
7. The European Data Protection Board shall issue an opinion on the matter, if the European Data Protection Board so decides by simple majority of its members or any supervisory authority or the Commission so requests within one week after the relevant information has been provided according to paragraph 5. The opinion shall be adopted within one month by simple majority of the members of the European Data Protection Board. The chair of the European Data Protection Board shall inform, without undue delay, the supervisory authority referred to, as the case may be, in paragraphs 1 and 3, the Commission and the supervisory authority competent under Article 51 of the opinion and make it public.
2012/11/29
Committee: JURI
Amendment 376 #
Proposal for a regulation
Article 59
1. Within ten weeks after a matter has been raised under Article 58, or at the latest within six weeks in the case of Article 61, the Commission may adopt, in order to ensure correct and consistent application of this Regulation, an opinion in relation to matters raised pursuant to Articles 58 or 61. 2. Where the Commission has adopted an opinion in accordance with paragraph 1, the supervisory authority concerned shall take utmost account of the Commission’s opinion and inform the Commission and the European Data Protection Board whether it intends to maintain or amend its draft measure. 3. During the period referred to in paragraph 1, the draft measure shall not be adopted by the supervisory authority. 4. Where the supervisory authority concerned intends not to follow the opinion of the Commission, it shall inform the Commission and the European Data Protection Board thereof within the period referred to in paragraph 1 and provide a justification. In this case the draft measure shall not be adopted for one further month.Article 59 deleted Opinion by the Commission
2012/11/29
Committee: JURI
Amendment 377 #
Proposal for a regulation
Article 60
Suspension of a draft measure 1. Within one month after the communication referred to in Article 59(4), and where the Commission has serious doubts as to whether the draft measure would ensure the correct application of this Regulation or would otherwise result in its inconsistent application, the Commission may adopt a reasoned decision requiring the supervisory authority to suspend the adoption of the draft measure, taking into account the opinion issued by the European Data Protection Board pursuant to Article 58(7) or Article 61(2), where it appears necessary in order to: a) reconcile the diverging positions of the supervisory authority and the European Data Protection Board, if this still appears to be possible; or b) adopt a measure pursuant to point (a) of Article 62(1). 2. The Commission shall specify the duration of the suspension which shall not exceed 12 months. 3. During the period referred to in paragraph 2, the supervisory authority may not adopt the draft measure.Article 60 deleted
2012/11/29
Committee: JURI
Amendment 378 #
Proposal for a regulation
Article 62 – paragraph 1 – subparagraph 1 – point a
a) deciding on the correct application of this Regulation in accordance with its objectives and requirements in relation to matters communicated by supervisory authorities pursuant to Article 58 or 61, concerning a matter in relation to which a reasoned decision has been adopted pursuant to Article 60(1), or concerning a matter in relation to which a supervisory authority does not submit a draft measure and that supervisory authority has indicated that it does not intend to follow the opinion of the Commission adopted pursuant to Article 59;deleted
2012/11/29
Committee: JURI
Amendment 379 #
Proposal for a regulation
Article 62 – paragraph 1 – subparagraph 1 – point b
b) deciding, within the period referred to in Article 59(1), whether it declares draft standard data protection clauses referred to in point (d) of Article 58(2), as having general validity;deleted
2012/11/29
Committee: JURI
Amendment 380 #
Proposal for a regulation
Article 62 – paragraph 2
2. On duly justified imperative grounds of urgency relating to the interests of data subjects in the cases referred to in point (a) of paragraph 1, the Commission shall adopt immediately applicable implementing acts in accordance with the procedure referred to in Article 87(3). Those acts shall remain in force for a period not exceeding 12 months.deleted
2012/11/29
Committee: JURI
Amendment 381 #
Proposal for a regulation
Article 66 – paragraph 1 – point g a (new)
(ga) propose the concepts on which European certification policy should be based, monitor and assess implementation, and submit its conclusions to the Commission.
2012/11/29
Committee: JURI
Amendment 382 #
Proposal for a regulation
Article 69 – paragraph 1
1. The European Data Protection Board shall elect a chair and two deputy chairpersons from amongst its members. One deputy chairperson shall be the European Data Protection Supervisor, unless he or she has been elected chair.
2012/11/29
Committee: JURI
Amendment 383 #
Proposal for a regulation
Article 71 – paragraph 1
1. The European Data Protection Board shall have a secretariat. The European Data Protection Supervisor shall provide that secretariatCommission shall ensure that the Board secretariat has everything it needs to carry out its work.
2012/11/29
Committee: JURI
Amendment 384 #
Proposal for a regulation
Article 73 – paragraph 1
1. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with athe supervisory authority in anythe Member State in which they live if they consider that the processing of personal data relating to them does not comply with this Regulation, or their rights under the latter have not been duly upheld.
2012/11/29
Committee: JURI
Amendment 387 #
Proposal for a regulation
Article 73 – paragraph 2
2. Any body, organisation or association which aims to protect data subjects’ rights and interests concerning the protection of their personal data and has been properly constituted according to the law of a Member State shall have the right tomay lodge a complaint with a supervisory authority in anythat Member State on behalf of one or more data subjects if it considers that a data subject’s rights under this Regulation have been infringed as a result of the processing of personal dataif it considers that rights covered under this Regulation have been infringed. It may also, on behalf of one or more data subjects living in that Member State, exercise the rights conferred on those subjects by the Regulation, provided it has sufficient authority to do so.
2012/11/29
Committee: JURI
Amendment 388 #
Proposal for a regulation
Article 73 – paragraph 3
3. Independently of a data subject's complaint, any body, organisation or association referred to in paragraph 2 shall have the right to lodge a complaint with a supervisory authority in any Member State, if it considers that a personal data breach has occurred.deleted
2012/11/29
Committee: JURI
Amendment 389 #
Proposal for a regulation
Article 74 – paragraph 1
1. Each natural or legal person shall have the right to a judicial remedy againsttake legal action to challenge decisions of a supervisory authority concerning them or affecting them in any way.
2012/11/29
Committee: JURI
Amendment 391 #
Proposal for a regulation
Article 74 – paragraph 2
2. Each data subject shall have the right to a judicial remedy obliging the supervisory authority to act on a complaint in the absence of a decision necessary to protect their rights, or whereThe claim shall be understood to have been rejected if, three months after the complaint was lodged by the subject, the supervisory authority doehas not informed the data subject within three months on the progress or outcome of the complaint pursuant to point (b) of Article 52(1)of the progress of the complaint. The claim shall also be understood to have been rejected if, six months after the complaint was lodged, the authority has not definitively resolved the complaint.
2012/11/29
Committee: JURI
Amendment 392 #
Proposal for a regulation
Article 74 – paragraph 4
4. A data subject which is concerned by a decision of a supervisory authority in another Member State than where the data subject has its habitual residence, may request the supervisory authority of the Member State where it has its habitual residence to bring proceedings on its behalf against the competent supervisory authority in the other Member State.deleted
2012/11/29
Committee: JURI
Amendment 393 #
Proposal for a regulation
Article 75 – paragraph 1
1. Without prejudice to any available administrative remedy, including the right to lodge a complaint with a supervisory authority as referred to in Article 73, every natural person shall have the right to a judicial remedy if they consider that their rights under this Regulation have been infringed as a result of the processing of their personal data in non-compliance with this Regulation.
2012/11/29
Committee: JURI
Amendment 395 #
Proposal for a regulation
Article 75 – paragraph 3
3. Where proceedings are pending in the consistency mechanism referred to in Article 58, which concern the same measure, decision or practice, a court may, at the request of any of the parties and after hearing all the parties, suspend the proceedings brought before it, except where the urgency of the matter for the protection of the data subject's rights does not allow to wait for the outcome of the procedure in the consistency mechanism.
2012/11/29
Committee: JURI
Amendment 397 #
Proposal for a regulation
Article 76 – paragraph 1
1. Any body, organisation or association referred to in Article 73(2) shall have the right to exercise the rights referred to in Articles 74 and 75 on behalf of one or more data subjects, having been suitably empowered to do so.
2012/11/29
Committee: JURI
Amendment 398 #
Proposal for a regulation
Article 76 – paragraph 3
3. Where a competent court of a Member State has reasonable grounds to believe that parallel proceedings are being conducted in another Member State, it shall contact the competent court in the other Member State to confirm the existence of such parallel proceedings.deleted
2012/11/29
Committee: JURI
Amendment 399 #
Proposal for a regulation
Article 76 – paragraph 4
4. Where such parallel proceedings in another Member State concern the same measure, decision or practice, the court may suspend the proceedings.deleted
2012/11/29
Committee: JURI
Amendment 402 #
Proposal for a regulation
Article 78 – paragraph 2
2. Where the controller has established a representative, any penalties shall be applied to the representative in this specific capacity and the representative shall be required to comply with them, without prejudice to any penalties which could be initiated against the controller.
2012/11/29
Committee: JURI
Amendment 406 #
Proposal for a regulation
Article 79 – paragraph 2
2. The administrative sanction shall be in each individual case effective, proportionate and dissuasive. The amount of the administrative fine shall be fixed with due regard to the nature, gravity and duration of the breach, the intentional or negligent character of the infringement or the type of negligence leading to it, the degree of responsibility of the natural or legal person and of previous breaches by this person, the technical and organisational measures and procedures implemented pursuant to Article 23 and the degree of co-operation with the supervisory authority in order to remedy the breach, as well as the true economic situation of those penalised.
2012/11/29
Committee: JURI
Amendment 410 #
Proposal for a regulation
Article 79 – paragraph 3 – introductory wording
3. In case of a first and non-intentional non- compliance with this Regulation, in the absence of any record of previous unappealable instances or where the record has been expunged, a warning in writing may be given and, in such an instance, no sanction imposed, whereith the sole exception of alternative corrective measures, which may only be imposed if the circumstances so require, in the following cases and in the following form:
2012/11/29
Committee: JURI
Amendment 412 #
Proposal for a regulation
Article 79 – paragraph 3 – point b
(b) an enterprise or an organisation employing fewer than 250 persons is processing personal data only as an activity ancillary to its main activitieswilling to cooperate with the supervisory authority for the introduction of corrective measures designed to avoid similar cases of non-compliance in future. Cooperation in this area shall be governed by binding agreements with the supervisory authority. Failure to collaborate with the duly accredited supervisory authority within six months from the beginning of the proceedings shall incur the fine which would originally have been imposed.
2012/11/29
Committee: JURI
Amendment 413 #
Proposal for a regulation
Article 79 – paragraph 3 – point b a (new)
(ba) a public administration collaborates with a supervisory authority to establish ways of avoiding similar infringements in future. Collaboration in this area shall be determined on the basis of the agreements or decisions adopted by the administration concerned, which shall be referred to at the outset with regard to the measures taken. Failure to collaborate with the duly accredited supervisory authority within one year from the beginning of the proceedings shall incur the fine which would originally have been imposed. For the purpose of this article, the record of previous unappealable sanctions for infringements through negligence shall be expunged within the following periods: two years if the sanctions are accompanied by any of the fines specified under paragraph 4; four years if the sanctions are accompanied by any of the fines specified under paragraph 5; six years if the sanctions are accompanied by any of the fines specified under paragraph 6. For the purpose of this article, the record of previous unappealable sanctions for infringements committed through serious negligence or with intent shall be expunged within the following periods: five years if the sanctions are accompanied by any of the fines specified under paragraph 4; ten years if the sanctions are accompanied by any of the fines specified under paragraph 5; fifteen years if the sanctions are accompanied by any of the fines specified under paragraph 6.
2012/11/29
Committee: JURI
Amendment 415 #
Proposal for a regulation
Article 79 – paragraph 5 – introductory wording
5. The supervisory authority shall impose a fine up to 500 000 EUR or, in case of an enterprise up to 1 % of its average annual worldwide turnover,profits to anyone who, intentionally or negligently:
2012/11/29
Committee: JURI
Amendment 417 #
Proposal for a regulation
Article 79 – paragraph 5 – point a
(a) does not provide the information, or does provide manifestly incomplete information, or does not provide the information in a sufficiently transparent manner, to the data subject pursuant to Article 11, Article 12(3) and Article 14;
2012/11/29
Committee: JURI
Amendment 418 #
Proposal for a regulation
Article 79 – paragraph 5 – point c
(c) does not comply with the right to be forgotten or to erasure, or fails to put mechanisms in place to ensure that the time limits are observed or does not take all necessary steps to inform third parties that a data subjects requests to erase any links to, or copy or replication of the personal data pursuant Article 17, in accordance with this Regulation, reply to a request concerning the right to be forgotten or erasure;
2012/11/29
Committee: JURI
Amendment 419 #
Proposal for a regulation
Article 79 – paragraph 5 – point d
(d) does not provide a copy of the personal data in electronic format or for no legitimate reason hinders the data subject to transmit the personal data to another application in violation of Article 18;
2012/11/29
Committee: JURI
Amendment 420 #
Proposal for a regulation
Article 79 – paragraph 5 – point f
(f) does not or not sufficiently maintain the documentation pursuant to Article 28, Article 31(4), and Article 44(3)report or ensure that it is able to report to the supervisory authority where required to do so and in the manner stipulated in this Regulation, except in the case of serious misconduct under the terms of this Regulation or the implementing legislation of the Member States;
2012/11/29
Committee: JURI
Amendment 422 #
Proposal for a regulation
Article 79 – paragraph 6 – introductory wording
6. The supervisory authority shall impose a fine up to 1 000 000 EUR or, in case of an enterprise up to 2 % of its average annual worldwide turnover,profits to anyone who, intentionally or negligently:
2012/11/29
Committee: JURI
Amendment 425 #
Proposal for a regulation
Article 79 – paragraph 6 – point c
(c) does not comply with an objection or the requirement pursuant to Article 19 unless duly justified by real and legitimate grounds or reasons in accordance with this Regulation;
2012/11/29
Committee: JURI
Amendment 426 #
Proposal for a regulation
Article 79 – paragraph 6 – point d
(d) does not comply with the conditions in relation to measures based on profiling pursuant to Article 20;deleted
2012/11/29
Committee: JURI
Amendment 427 #
Proposal for a regulation
Article 79 – paragraph 6 – point e
(e) does not adopt internal policies or does not implement appropriate measures for ensuring and demonstrating compliance pursuant to Articles 22, 23 and 30;deleted
2012/11/29
Committee: JURI
Amendment 428 #
Proposal for a regulation
Article 79 – paragraph 6 – point h
(h) does not alert on or notify a personal data breach or does not timely or completely notify the data breach to the supervisory authority or to the data subject where mandatory pursuant to Articles 31 and 32;
2012/11/29
Committee: JURI
Amendment 429 #
Proposal for a regulation
Article 79 – paragraph 6 – point i
(i) does not carry out a data protection impact assessment pursuant or processes personal data without prior authorisation or prior consultation of the supervisory authority where mandatory pursuant to Articles 33 and 34;
2012/11/29
Committee: JURI
Amendment 430 #
Proposal for a regulation
Article 79 – paragraph 6 – point j
(j) does not designate a data protection officer or does not ensure the conditions forensure that the conditions are met to enable the Data Protection Officer to fulfilling the tasks pursuant to Articles 35, 36 and 37;
2012/11/29
Committee: JURI
Amendment 431 #
Proposal for a regulation
Article 79 – paragraph 6 – point k
(k) misuses a data protection seal or mark, mark or certification in the meaning of Article 39;
2012/11/29
Committee: JURI
Amendment 432 #
Proposal for a regulation
Article 79 – paragraph 7 a (new)
7a. The Commission shall compile an electronic record of previous instances accessible to all national supervisory authorities. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of managing the electronic record of previous instances in accordance with this article.
2012/11/29
Committee: JURI
Amendment 440 #
Proposal for a regulation
Article 81 – paragraph 3
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 87 for the purpose of further specifying other reasons of public interest in the area of public health as referred to in point (b) of paragraph 1, as well as criteria and requirements for the safeguards for the processing of personal data for the purposes referred to in paragraph 1.
2012/11/29
Committee: JURI
Amendment 442 #
Proposal for a regulation
Article 82 – paragraph 3
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the safeguards for the processing of personal data for the purposes referred to in paragraph 1.
2012/11/29
Committee: JURI
Amendment 443 #
Proposal for a regulation
Article 83 – paragraph 1 – introductory wording
1. Within the limits of this Regulation, personal data may be processed for historical, statistical or scientific research purposes, as well as for preliminary official or administrative investigations to determine natural filiation only if:
2012/11/29
Committee: JURI
Amendment 446 #
Proposal for a regulation
Article 83 – paragraph 1 – point b
(b) data enabling the attribution of information to an identified or identifiable data subject is kept separately from the other information as long as these purposes can be fulfilled in this manner. Personal date processed as part of a preliminary official or administrative investigation for the determination of natural filiation shall only be disclosed to those concerned as and when appropriate and without prejudice to any statutory criminal proceedings.
2012/11/29
Committee: JURI
Amendment 449 #
Proposal for a regulation
Article 83 – paragraph 3
3. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and requirements for the processing of personal data for the purposes referred to in paragraph 1 and 2 as well as any necessary limitations on the rights of information to and access by the data subject and detailing the conditions and safeguards for the rights of the data subject under these circumstances.
2012/11/29
Committee: JURI
Amendment 450 #
Proposal for a regulation
Article 85 – paragraph 1
1. Where in a Member State, churches and religious associations or communities apply, at the time of entry into force of this Regulation, comprehensive rules relating to the protection of individuals with regard to the processing of personal data, such rules may continue to apply and may if necessary be amended, provided that they are brought in line with the provisions of this Regulation.
2012/11/29
Committee: JURI
Amendment 451 #
Proposal for a regulation
Article 85 – paragraph 2
2. Churches and religious associations which apply comprehensive rules in accordance with paragraph 1 shall provide for the establishment of an independent supervisory authority in accordance with Chapter VI of this Regulation or alternatively obtain the certification necessary for the procedures required under Article 39.
2012/11/29
Committee: JURI