Activities of Matteo SALVINI related to 2012/0011(COD)
Shadow opinions (1)
OPINION on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)
Amendments (17)
Amendment 103 #
Proposal for a regulation
Recital 25
Recital 25
(25) Consent should be given explicitly by any appropriate method enabling a freely given, specific and informed indication of the data subject's wishes,. Consent can be given either by a statement or by a clear affirmative action by the data subject, ensuring that individuals are aware that they give their consent to the processing of personal data, including by ticking a box when visiting an Internet website or by any other statement or conduct such as selecting default settings, which clearly indicates in thise specific context the data subject's acceptance of the proposed processing of their personal datagreement. Silence or inactivity should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. If the data subject's consent is to be given following an electronic request, the requestAny request to give consent electronically must be clear, concise and not unnecessarily disruptive or burdensome to the data subject and to the use of the service for which it is provided, and should facilitate clear choice.
Amendment 112 #
Proposal for a regulation
Recital 31
Recital 31
(31) In order for processing to be lawful, personal data shouldmust be processed on the basis of the consent of the person concerned or some otherone of the legitimate basis,es laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation.
Amendment 114 #
Proposal for a regulation
Recital 33 a (new)
Recital 33 a (new)
Amendment 121 #
Proposal for a regulation
Recital 40
Recital 40
(40) The processing of personal data for other purposes should be only allowed where the processing is compatible with those purposes for which the data have been initially collected, in particular where the processing is necessary for historical, statistical or scientific research purposes. Where the other purpose is not compatible with the initial one for which the data are collected, the controller should obtain the consent of the data subject for this other purpose or should base the processing on another legitimate ground for lawful processing, in particular where provided by Union law or the law of the Member State to which the controller is subject. In any case, the application of the principles set out by this Regulation and in particular the information of the data subject on those other purposes should be ensured.
Amendment 130 #
Proposal for a regulation
Recital 61 a (new)
Recital 61 a (new)
(61 a) This Regulation encourages enterprises to develop internal programmes that will identify the processing operations likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, and to put in place appropriate privacy safeguards and develop innovative privacy-by-design solutions and privacy enhancing techniques. Enterprises that can publicly demonstrate that they have embedded privacy accountability do not also require the application of the additional oversight mechanisms of prior consultation and prior authorisation.
Amendment 136 #
Proposal for a regulation
Recital 67
Recital 67
(67) A personal data breach may, if not addressed in an adequate and timely manner, result in substantial economic loss and social harm, including identity fraud, to the individual concerned. Therefore, as soon as the controller becomes aware that such a breach has occurred, the controller should notify the breach to the supervisory authority without undue delay and, where feasible, within 24 hours. Where this cannot achieved within 24 hours, an explanation of the reasons for the delay should accompany the notification. The individuals whose personal data could be adversely affected by the breach should be notified without undue delay in order to allow them to take the necessary precautions. A breach should be considered as adversely affecting the personal data or privacy of a data subject where it could result in, for example, identity theft or fraud, physical harm, significant humiliation or damage to reputation. The notification should describe the nature of the personal data breach as well as recommendations as well as recommendations for the individual concerned to mitigate potential adverse effects. Notifications to data subjects should be made as soon as reasonably feasible, and in close cooperation with the supervisory authority and respecting guidance provided by it or other relevant authorities (e.g. law enforcement authorities). For example, the chance for data subjects to mitigate an immediate risk of harm would call for a prompt notification of data subjects whereas the need to implement appropriate measures against continuing or similar data breaches may justify a longer delay.
Amendment 139 #
Proposal for a regulation
Recital 70 a (new)
Recital 70 a (new)
(70 a) Directive 2002/58/EC (as amended by Directive 2009/136/EC) sets out personal data breach notification obligations for the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Union. Where providers of publicly available electronic communications services also provide other services, they continue to be subject to the breach notification obligations of the ePrivacy Directive, not this Regulation. Such providers should be subject to a single personal data breach notification regime for both personal data processed in connection with the provision of a publicly available electronic communications service and for any other personal data for which they are a controller.
Amendment 173 #
Proposal for a regulation
Article 4 – paragraph 1 – point 8
Article 4 – paragraph 1 – point 8
(8) ‘'the data subject's consent’' means any freely given specific, and informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;
Amendment 200 #
Proposal for a regulation
Article 6 – paragraph 4
Article 6 – paragraph 4
4. Where the purpose of further processing is not compatible with the one for which the personal data have been collected, the processing must have a legal basis at least in one of the grounds referred to in points (a) to (e) of paragraph 1. This shall in particular apply to any change of terms and general conditions of a contract.
Amendment 203 #
Proposal for a regulation
Article 7 – paragraph 1
Article 7 – paragraph 1
1. ThWhere controller shall bear the burden of proof for the data subject's consent to the processing of their personal data for specified purposessent is required, the form of consent captured for the processing of a data subject's personal data shall be proportionate to the type of data processed, the purpose for the processing and any identified risks, as determined through a data protection impact assessment.
Amendment 204 #
Proposal for a regulation
Article 7 – paragraph 2
Article 7 – paragraph 2
Amendment 208 #
Proposal for a regulation
Article 7 – paragraph 3 a (new)
Article 7 – paragraph 3 a (new)
3 a. For the processing of special categories of personal data described in Article 9, consent shall be captured by a freely given, informed and explicit statement or other clear and affirmative action, by which the data subject signifies their agreement.
Amendment 209 #
Proposal for a regulation
Article 7 – paragraph 3 b (new)
Article 7 – paragraph 3 b (new)
3 b. Consents captured before the coming into effect of this Regulation shall remain valid after such coming into effect.
Amendment 355 #
Proposal for a regulation
Article 31 – paragraph 1
Article 31 – paragraph 1
1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hoursnotify the personal data breach to the supervisory authority.
Amendment 410 #
Proposal for a regulation
Article 74 – paragraph 1
Article 74 – paragraph 1
1. Each natural or legal person, including each data controller and data processor, shall have the right to a judicial remedy against decisions of a supervisory authority concerning or affecting them.
Amendment 457 #
Proposal for a regulation
Article 89 – paragraph 1 a (new)
Article 89 – paragraph 1 a (new)
1 a. In relation to natural or legal persons who are under obligations to report personal data breaches under Directive 2002/58/EC as amended by Directive 2009/136/EC in relation to the processing of personal data in connection with the provision of publicly available electronic communications services, this Regulation shall not impose additional obligations in relation to the process of notifying a personal data breach to the supervisory authority and in relation to the process of communicating a personal data breach to the data subjects. Such a natural or legal person shall notify personal data breaches affecting all personal data for which it is a controller in accordance with the personal data breach notification process set out in Directive 2002/58/EC as amended by Directive 2009/136/EC.
Amendment 458 #
Proposal for a regulation
Article 89 – paragraph 2
Article 89 – paragraph 2
2. Article 1(2), Article 2(c) and Article 9 of Directive 2002/58/EC shall be deleted.